Thanos Chatziathanassiou
2010-Jul-21 11:29 UTC
[Dovecot] Feature request: usernames and passwords
A relatively recent development that spammers got wind of is users that have username==password, with/without the domain. I am tracking numerous 1-off attempts from bots to gain access to mailboxes this way. Situation isn't made any better if you're also using dovecot as SMTP AUTH provider for I am ashamed to admit I've relayed some spam that way. Would it be possible to deny login if username==password with a (non?)polite/custom message to go change your password to something less obvious ?
On 21.7.2010, at 12.29, Thanos Chatziathanassiou wrote:
> Would it be possible to deny login if username==password with a (non?)polite/custom message to go change your password to something less obvious ?

What passdb do you use?
Thanos Chatziathanassiou wrote:
> A relatively recent development that spammers got wind of is users
> that have username==password, with/without the domain. I am tracking
> numerous 1-off attempts from bots to gain access to mailboxes this
> way. Situation isn't made any better if you're also using dovecot as
> SMTP AUTH provider for I am ashamed to admit I've relayed some spam
> that way. Would it be possible to deny login if username==password
> with a (non?)polite/custom message to go change your password to
> something less obvious ?

Dovecot isn't the place for this... Use cracklib (on linux - the equivalent for whatever OS you are using if not linux) with your passdb backend, and simply force users to use strong passwords, period. In this day and age any sys admin who isn't doing this is just asking to be hacked.
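As an added example (not Dovecot's code and not from the thread): the username==password rule from the original post, with and without the domain, written as a password-acceptance check of the kind the cracklib suggestion puts in the passdb backend's password-change path rather than in Dovecot's login path. It goes beyond the post by also refusing the reversed name and name-plus-short-suffix variants; the function names, messages and the 8-character minimum are assumptions.

```python
from typing import Optional, Set


def _norm(s: str) -> str:
    # Compare case-insensitively: mail local parts are normally treated that way.
    return s.strip().lower()


def username_forms(username: str) -> Set[str]:
    """Every spelling of the login name a user might reuse as a password:
    the full name, the local part before '@', and the bare domain."""
    u = _norm(username)
    forms = {u}
    if "@" in u:
        local, domain = u.split("@", 1)
        forms.update({local, domain})
    return {f for f in forms if f}


def reject_reason(username: str, password: str, min_len: int = 8) -> Optional[str]:
    """Return None when the password is acceptable, otherwise the message to
    show the user (the 'custom message' the original poster asked for)."""
    p = _norm(password)
    forms = username_forms(username)
    if p in forms:
        return "Password must not be your username, with or without the domain."
    for f in forms:
        # Also refuse the reversed name and name-plus-short-suffix variants
        # (e.g. 'alice1'); very short forms are skipped to avoid false positives.
        if len(f) >= 3 and (p == f[::-1] or
                            (p.startswith(f) and len(p) - len(f) <= 2)):
            return "Password must not be derived from your username."
    if len(p) < min_len:
        return f"Password must be at least {min_len} characters long."
    return None


def password_ok(username: str, password: str) -> bool:
    """Boolean form for a passdb backend's password-change hook (hypothetical)."""
    return reject_reason(username, password) is None
```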
On Wed, 21 Jul 2010 14:29:10 +0300 Thanos Chatziathanassiou <tchatzi at arx.net> articulated:
> A relatively recent development that spammers got wind of is users that
> have username==password, with/without the domain.
> I am tracking numerous 1-off attempts from bots to gain access to
> mailboxes this way.
> Situation isn't made any better if you're also using dovecot as SMTP
> AUTH provider for I am ashamed to admit I've relayed some spam that way.
> Would it be possible to deny login if username==password with a
> (non?)polite/custom message to go change your password to something less
> obvious ?
>

Seriously, this reminds me of a saying by Ron White that I have always thought à propos: "You can't fix stupid." There is no way you can protect a user from their own stupidity. I don't care how many safeguards you put in place. Remember, "Nothing is foolproof to a sufficiently talented fool." Or, as I like to tell others, "Make it idiot proof and someone will make a better idiot." There are reportedly thousands of users who use "Password" for their actual password. This is not a Dovecot problem. Adding additional checks in Dovecot will only bloat the program and potentially cause other catastrophic problems.

-- 
Jerry
Dovecot.user at seibercom.net

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the Reply-To header.
__________________________________________________________________
"I kind of want to slay the dragon. Let's go to work."
Angel's final words.