Re: Some security-related suggestions

Michael D'Errico <> Wed, 08 June 1994 22:04 UTC

To: POP3 IETF Mailing List <>
Subject: Re: Some security-related suggestions
Date: Wed, 08 Jun 1994 14:59:46 -0700

John Gardiner Myers <jgm+@CMU.EDU> writes:
>Ned Freed <NED@SIGURD.INNOSOFT.COM> writes:
>>    "Providing an indication of the existence of an account in the absence of
>>    a proper password lets attackers narrow the search to known accounts, and
>>    thus represents an increased security risk." 
>There are people who still believe this?  Attackers can narrow the
>search to known accounts by examining the local-parts of addresses in
>messages sent from the site.

Actually with my POP server, you can have a USER login name that is not
related to any of your addresses/aliases.  All of my mail goes out as
"mike" but I can set up a POP account for me as "2Yhd%0_" if I want....

Michael D'Errico
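
The two points in this exchange (not revealing whether an account exists without a proper password, and using a POP login name unrelated to the mail address) can be sketched as a server-side handler. This is an added example, not part of the original message or of any POP server mentioned in the thread; the class name, account table, password and single shared salt are constructed assumptions.

```python
import hashlib
import hmac

_SALT = b"constructed-salt"  # assumption: one salt for brevity; use per-account salts in practice

def _hash(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 10_000)

# Constructed sample data: the login name is unrelated to the mail address "mike".
ACCOUNTS = {"2Yhd%0_": {"mailbox": "mike", "pw": _hash("correct horse")}}
_DUMMY = _hash("no such account")  # compared against when the login is unknown

class Pop3Auth:
    """AUTHORIZATION-state handler that gives the same replies for known and unknown logins."""

    def __init__(self):
        self.user = None      # name given by the last USER command
        self.mailbox = None   # set only after a successful PASS

    def handle(self, line):
        verb, _, arg = line.rstrip("\r\n").partition(" ")
        verb = verb.upper()
        if verb == "USER":
            self.user = arg
            return "+OK send PASS"  # identical whether or not the name exists
        if verb == "PASS":
            if self.user is None:
                return "-ERR USER first"
            rec = ACCOUNTS.get(self.user)
            expected = rec["pw"] if rec else _DUMMY
            # Hash and compare on every attempt so unknown names cost the same work.
            match = hmac.compare_digest(_hash(arg), expected)
            self.user = None
            if match and rec is not None:
                self.mailbox = rec["mailbox"]
                return "+OK maildrop ready"
            return "-ERR authentication failed"  # same text for bad name and bad password
        return "-ERR unknown command"

if __name__ == "__main__":
    s = Pop3Auth()
    for cmd in ("USER mike", "PASS guess", "USER 2Yhd%0_", "PASS correct horse"):
        print(cmd, "->", s.handle(cmd))
```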