[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: [JunkMail] Re: Server side delay for bad passwords?

But I'd like to enforce a server side delay of, for example, 5
User-friendliness aside, have a look at slapo-retcode.

Probably the right points -- but we all know what's more important than the users, let's think about *admin* friendliness. I'd like to believe that my servers are roughly "right-sized", but that means fractional-second response times. If I started putting even a small amount of those connections onto 5 second sleeps, things would get very bad in very short order. This assumes no malice, just the very-very-very regular batch of users with typos; I'd hate to think how bad this could get under the active attack you envision.

I suppose you could make your overlay do something heinous like drop the connection. But never allowing err=49 (or, much worse, disclosing information by *sometimes* err=49) seems like it would produce other forms of pain.