Hi people ! Look here :-) You have UNIX server www.yourserver.com You have dozen of usual users at your UNIX server. You have Apache HTTP daemon configured for standard user's homepage location at /home/<username>/public_html. When someone from the Internet tries to see URL like http://www.yourserver.com/~anna he gets one of: 1. HTTP result code 200, and Anna's homepage, when user "anna" exists at your UNIX, and she has her homepage. 2. HTTP result code 403, and message from Apache: "You don't have permission to access /~anna on this server.", when user "anna" exists at your UNIX, and she has no homepage or access to her homepage is denied. 3. HTTP result code 404, and message from Apache: "The requested URL /~anna was not found on this server." when user anna doesn't exist at your UNIX. So, he can easy discover if user "anna" exists at your UNIX, and try to play with her password, or send her spam etc. This approach allows him get nesessary info instead of disabled VRFY feature in your Sendmail ! Apache works quickly and IMHO doesnt provide any responce delays for any kind of result code. So bad boy can check 1000 different names for very short time ! Sorry if I'm wrong, or this is something trivial. A. Kelner
