On Sat, Jun 29, 2013 at 5:24 AM, <Lena@???> wrote:
>
> How to block stolen passwords automatically:
> https://github.com/Exim/exim/wiki/BlockCracking
Lena, one corner case of this is when a legitimate user has one device
with the wrong password. Picture a typical small office where two or
three people using a small NAT router to connect to their business
class DSL. One person changes their password and they fix it on their
iphone because they have to leave to go do something. They leave.
Their outlook is still open on their computer and someone comes by to
check something in the email. Outlook doesn't seem to be working
right so they hit the Send/Receive button multiple times. On the exim
server, the limit for bad user/pass combination gets hit and the ip
gets added to the blacklist. Now the whole office is blocked from
sending email.
I'd like to ponder if there is a way to detect that the same incorrect
password is being sent over and over (indicating a misconfigured
device) as opposed to random passwords (indicating brute forcing). To
my knowledge the actual password nor a hash of it is not made
available anywhere except to the authenticator section. Can you dream
up any sequence that could be used to capture a hash of that password,
store it, and then use it to compare subsequent attempts? I'm
thinking in pseudo-code:
if this_password_hash != last_password_hash
increment brute_force_counter like normal
else
increment misconfigured_device_counter
if misconfigured_device_counter > $LIMIT
do something
I'm not as interested in the storage of the counter (I'm going to be
using memcache instead of a local file/mysql), but I am interested in
the logic used to achieve this. If it can be done...
...Todd
--
The total budget at all receivers for solving senders' problems is $0.
If you want them to accept your mail and manage it the way you want,
send it the way the spec says to. --John Levine
