[Slugnet] IMAP and Directory Harvest Attacks
desire at gmail.com
Fri Jul 25 17:37:33 SGT 2008
On Sun, Jul 13, 2008 at 4:17 PM, Kokhong Cheng <cohawk at yahoo.com> wrote:
> I've been confused by a conversation I've had with an old I.T. veteran. I
> asked him why he did not enable IMAP on his company's email server (instead,
> allowing POP3/SMTP). His reply was that IMAP has security concerns (but he
> did not specify what), and that IMAP was susceptible to Directory Harvest
> Attacks.
>
> I did some checking on the web, and found out that DHA is associated with
> SMTP. Nowhere did IMAP come into the picture. Since I am not an IMAP expert,
> I also did not want to challenge this IT pro who has at least a good ten
> years more experience than me.
>
Theoretically, as long as there is any detectable difference (response code,
response text, time taken to respond, etc.) between a valid user and a
non-valid user, you could probe for valid user accounts. How does IMAP
become more susceptible than, say, POP3? No idea - I haven't looked at
IMAP. Maybe if there is a bizarre requirement in IMAP that wrong
credentials must be responded to differently from a non-existent user?
Otherwise, it would just be that specific implementation that is susceptible
to harvesting.

I'd think that harvesting attacks, in general, are not limited to SMTP. You
can potentially harvest from login fields, password reminder fields, etc.
Again, depending on the implementation.
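
The point made in the reply above, shown as an added example that is not part of the original post: a login check that answers differently for unknown accounts next to one that does not, plus a self-test an administrator can run against their own handler. The account store, function names and reply strings are constructed for illustration, and the count of hash runs stands in for response time.

```python
import hashlib, hmac, os

ITERATIONS = 50_000
kdf_calls = 0  # counts expensive hash runs: a deterministic stand-in for response time

def kdf(password: str, salt: bytes) -> bytes:
    global kdf_calls
    kdf_calls += 1
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def make_record(password: str):
    salt = os.urandom(16)
    return salt, kdf(password, salt)

# Constructed sample account store (hypothetical user and password).
USERS = {"alice": make_record("correct horse")}
# Record hashed in place of a missing account so unknown users cost the same work.
DUMMY = make_record(os.urandom(16).hex())

def login_leaky(user: str, password: str) -> str:
    """Distinct reply text for unknown users, and no hashing work for them."""
    if user not in USERS:
        return "NO unknown user"
    salt, stored = USERS[user]
    ok = hmac.compare_digest(kdf(password, salt), stored)
    return "OK logged in" if ok else "NO wrong password"

def login_uniform(user: str, password: str) -> str:
    """Same reply text and same hashing work whether or not the account exists."""
    salt, stored = USERS.get(user, DUMMY)
    ok = hmac.compare_digest(kdf(password, salt), stored) and user in USERS
    return "OK logged in" if ok else "NO authentication failed"

def observable(login, user: str):
    """What a client can observe on a failed login: reply text and work done."""
    before = kdf_calls
    reply = login(user, "wrong-password")
    return reply, kdf_calls - before

def leaks_account_existence(login) -> bool:
    """True if a failed login looks different for an existing vs. a missing account."""
    return observable(login, "alice") != observable(login, "nobody")

if __name__ == "__main__":
    for fn in (login_leaky, login_uniform):
        print(fn.__name__, "leaks account existence:", leaks_account_existence(fn))
```

The same comparison applies to any protocol front end (IMAP, POP3, SMTP, a web login form): what matters is whether the implementation's failure path differs, not which protocol carries it.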