On Sat, 15 Mar 2003, Alan W. Rateliff, II wrote:

> Something else from BugTraq about Qpopper.
>
> > during development of a pop3 tool I found an issue that makes it possible
> > for any user to check the validity of a user on a target system. If a user
> > is valid and an invalid password has been supplied, then the system waits
> > ~10 seconds until it sends a disconnect message and disconnects. If the
> > username was not correct, then it disconnects immediately after the wrong
> > password.

I thought this attack was old news on qpopper.

Better than a fixed delay, some random sleep would be useful, as it means that the attacker can't infer validity of login/password from remaining slight timing differences.

AB
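
The reported behaviour next to a failure path that treats unknown users and wrong passwords alike and adds a random sleep, as an added example that is not part of the original message and is not Qpopper code. The account store, the function names and the `JITTER` bound are assumptions made for the illustration; the sleep is injected so the delays can be recorded instead of waited out.

```python
import hashlib
import hmac
import secrets

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 1000)

# Constructed sample account store (user -> salt, hash); not Qpopper's format.
_SALT = b"constructed-salt"
USERS = {"alice": (_SALT, _hash("correct horse", _SALT))}
# Record checked when the user is unknown, so the hash work is still done.
DUMMY = (_SALT, _hash("no-such-account", _SALT))

BASE_DELAY = 10.0  # seconds; the ~10 s wait described in the quoted report
JITTER = 2.0       # assumed upper bound for the extra random sleep

def leaky_login(user, password, sleep):
    """Behaviour from the report: only a valid user reaches the delay."""
    if user not in USERS:
        return False               # immediate disconnect: user does not exist
    salt, stored = USERS[user]
    if hmac.compare_digest(_hash(password, salt), stored):
        return True
    sleep(BASE_DELAY)              # the wait itself confirms the user exists
    return False

def uniform_login(user, password, sleep, rng=secrets.SystemRandom()):
    """One failure path for every rejected login, with a random sleep."""
    salt, stored = USERS.get(user, DUMMY)
    match = hmac.compare_digest(_hash(password, salt), stored)
    ok = match and user in USERS   # a match on the dummy record never logs in
    if not ok:
        sleep(BASE_DELAY + rng.uniform(0.0, JITTER))
    return ok

def failure_delays(login, user, tries=5):
    """Run failed logins with a recording sleep; return the delay of each."""
    delays = []
    for _ in range(tries):
        slept = []
        login(user, "wrong-password", slept.append)
        delays.append(sum(slept))
    return delays

if __name__ == "__main__":
    for fn in (leaky_login, uniform_login):
        for name in ("alice", "nobody"):
            print(fn.__name__, name, failure_delays(fn, name))
```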