On Wed, 21 Jul 2010 14:29:10 +0300 Thanos Chatziathanassiou <[email protected]> articulated:
> A relatively recent development that spammers got wind of is users that
> have username==password, with/without the domain.
> I am tracking numerous 1-off attempts from bots to gain access to
> mailboxes this way.
> Situation isn't made any better if you're also using dovecot as SMTP
> AUTH provider for I am ashamed to admit I've relayed some spam that way.
> Would it be possible to deny login if username==password with a
> (non?)polite/custom message to go change your password to something less
> obvious ?

Seriously, this reminds me of a saying by Ron White that I have always thought apropos: "You can't fix stupid." There is no way you can protect a user from their own stupidity. I don't care how many safeguards you put in place. Remember, "Nothing is foolproof to a sufficiently talented fool." Or, as I like to tell others, "Make it idiot proof and someone will make a better idiot."

There are reportedly thousands of users who use "Password" for their actual password. This is not a Dovecot problem. Adding additional checks in Dovecot will only bloat the program and potentially cause other catastrophic problems.

-- 
Jerry ✌
[email protected]

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the Reply-To header.
__________________________________________________________________
"I kind of want to slay the dragon. Let's go to work."
Angel's final words.
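The check Thanos asks for (deny a login whose password is the username, with or without the domain part, and hand back a message telling the user to change it), written out as an added example for this thread. It is not Dovecot code and not a Dovecot feature; it is a stand-alone Python routine of the kind you would run in an external password-verification helper or, following Jerry's point that this is really a password-policy problem, at the moment a password is set. The function names, the rejection message, the short trivial-password list and the sample credentials are all constructed for the example; the comparison is case-insensitive, which goes slightly beyond the literal username==password rule in the question.

```python
"""Trivial-credential gate: reject a login whose password is guessable
from the username. Example code written for this mailing-list thread; not
part of Dovecot. All names and sample data below are constructed."""

from __future__ import annotations

from dataclasses import dataclass
from typing import Optional, Set, Tuple

# Jerry's observation that many users literally use "Password"; a real
# deployment would carry a far larger denylist (constructed, deliberately short).
TRIVIAL_PASSWORDS = frozenset({"password"})

# Message returned to the client on rejection, as the original poster
# requested. Wording is this example's own.
REJECT_MESSAGE = ("Login denied: your password is too easy to guess. "
                  "Please change it to something that is not your username.")


@dataclass(frozen=True)
class Verdict:
    allowed: bool
    reason: Optional[str] = None   # human-readable cause of a rejection


def _username_variants(username: str) -> Set[str]:
    """Spellings of the login name a bot will try as the password: the full
    login and, when a domain is present, the bare local part. Lower-cased so
    the comparison is case-insensitive."""
    user = username.strip().lower()
    variants = {user}
    if "@" in user:
        local, _, _domain = user.partition("@")
        variants.add(local)
    return variants


def check_credential(username: str, password: str) -> Verdict:
    """Decide whether a username/password pair is trivially guessable.

    Rejects when the password equals the username with or without the
    domain (ignoring case), or is on the trivial-password list. An empty
    username is rejected outright rather than compared."""
    if not username.strip():
        return Verdict(False, "empty username")
    pw = password.lower()
    if pw in _username_variants(username):
        return Verdict(False, "password equals username (with or without domain)")
    if pw in TRIVIAL_PASSWORDS:
        return Verdict(False, "password is on the trivial-password list")
    return Verdict(True)


def auth_gate(username: str, password: str) -> Tuple[int, str]:
    """Mimic the exit-status contract of an external password helper:
    0 means continue with normal verification, 1 means authentication
    failed, with a message for the log or the client. Only the trivial
    credential rule is applied here; a real helper would go on to verify
    the stored password hash after this gate passes."""
    verdict = check_credential(username, password)
    if not verdict.allowed:
        return 1, f"{REJECT_MESSAGE} ({verdict.reason})"
    return 0, "ok"


if __name__ == "__main__":
    # Constructed sample attempts of the kind described in the thread.
    attempts = [
        ("alice@example.org", "alice@example.org"),      # username with domain
        ("alice@example.org", "alice"),                  # username without domain
        ("alice@example.org", "ALICE"),                  # case variant of the above
        ("bob", "bob"),                                  # no domain at all
        ("alice@example.org", "Password"),               # Jerry's favourite
        ("alice@example.org", "c0rrect-h0rse-battery"),  # should pass this gate
    ]
    for user, pw in attempts:
        status, message = auth_gate(user, pw)
        print(f"{user!r:22} {pw!r:26} -> exit {status}: {message}")
```

The gate only decides whether to bother checking the real password; it never replaces hash verification. Running it at password-set time (rejecting the password before it is stored) gives the same protection without touching the IMAP or SMTP AUTH path at all, which is the shape Jerry's objection points towards.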
