Hi,

On Thu, 2004-02-12 at 04:40, Jake S wrote:
> >> Also, perhaps instead of "you have to wait xx minutes" maybe you can
> >> just list 0 messages.
> > The idea of listing 0 messages (as new) could lead to some support
> > nightmares. A customer consequently using the wrong password, and there
> > is no sign that anything is wrong - or worse, some third malicious part
> > causing this.
> I'm not seeing your logic.... if a user has made it to checking their
> inbox then the credentials would have already been checked via vchkpw,
> correct or not and the appropriate errors would be listed.
Oh I see - I thought you meant it should return "0 new messages" for a bad
user/password - but you actually meant "0 new messages" as the response to a
correct user/password, but only after x failed tries?

> Also, with a timeout error code you're bound to get support calls asking if
> you can bend the rules for that user because they have a "very" important
> message (usually larger penis ads) versus you simply say no new messages
> and no one knows the difference.

If you just say no new messages, it can go on for months without the user
knowing it. It only takes one malicious attacker making x failed
authentication attempts every y minutes to effectively suspend mail delivery.
And instead you will receive support calls/emails that go like "I NEED THAT
EMAIL NOW!!! MY CLIENT SENT IT LIKE 20 YEARS AGO, AND IT STILL ISN'T HERE!!!
SOMETHING IS WACKED WITH YOU PEOPLE!!"

(Yep, smile! :-))

/Anders
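A toy simulation of the two lockout policies argued over above, added here as an example and not code from vpopmail or from either poster. It assumes x = 3 failures, y = 10 minutes, an attacker failing once per window and an owner checking every 15 minutes, and contrasts an account-wide lock (silent "0 messages" or explicit error) with a per-client throttle.

```python
# Toy model of the POP3 lockout policy debated in this thread (added example,
# not vpopmail code). x, y and the timeline are assumed values for illustration.
from collections import defaultdict

MAX_FAILURES = 3      # "x failed tries"
LOCKOUT_MINUTES = 10  # "y minutes"


class Mailbox:
    def __init__(self, password, messages):
        self.password = password
        self.messages = messages
        self.failures = 0                     # account-wide failure counter
        self.locked_until = -1                # account-wide lockout expiry
        self.src_failures = defaultdict(int)  # failures counted per client


def pop_login(box, password, source, now, per_source, silent):
    """Reply to one login. per_source=False: any client's failures lock the
    mailbox and each failure while locked extends the lock (naive policy).
    per_source=True: only the failing client is throttled.
    silent=True: a locked client is told '0 messages' instead of an error."""
    if password != box.password:
        if per_source:
            box.src_failures[source] += 1
        else:
            box.failures += 1
            if box.failures >= MAX_FAILURES:
                box.locked_until = now + LOCKOUT_MINUTES
        return "-ERR bad password"
    locked = (box.src_failures[source] >= MAX_FAILURES if per_source
              else now < box.locked_until)
    if locked:
        return "+OK 0 messages" if silent else "-ERR too many failures, wait"
    return f"+OK {box.messages} messages"


def simulate(per_source, silent, hours=2):
    """Attacker: 3 quick failures, then one per lockout window. Owner checks
    every 15 minutes. Returns the replies the legitimate owner sees."""
    box = Mailbox("s3cret", messages=5)
    seen = []
    for minute in range(hours * 60):
        if minute < 3 or minute % LOCKOUT_MINUTES == 0:
            pop_login(box, "guess", "attacker", minute, per_source, silent)
        if minute and minute % 15 == 0:
            seen.append(pop_login(box, "s3cret", "owner", minute, per_source, silent))
    return seen
```

With the account-wide lock the owner never sees the 5 waiting messages for the whole run, silently if `silent=True`; with per-client throttling the owner is unaffected.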