Enumeration of AS/400 users and their status via POP3

Overview
--------

The POP3 service is installed on all modern AS/400 and iSeries servers, and is turned on by default, even when email serving was never set up. To access a POP3 server, you must authenticate with a user name and a password. Unfortunately, the POP3 users are real AS/400 user profiles, POP3 will authenticate any valid user profile, and the service returns too much information during authentication. The status messages POP3 displays are:

- No user found
- Good user, password not correct for user profile
- Good user, but user profile is disabled
- Good user, but password for user profile has expired
- Good user, but no password associated with user profile
- Good password, good user

The unsuccessful attempts are logged only in the security audit log, and only if the audit log is turned on. There is no security exit program protecting the POP3 server. A phonebook attack can probably enumerate most of the users, giving the attacker a vector for a social engineering session.

For full details please read the article found at http://www.venera.com/downloads.htm
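The following added example (not part of the advisory or of IBM's code) models the server-side behaviour described above and measures how much an unauthenticated caller learns from it. The status texts are the ones listed in the advisory; the `+OK`/`-ERR` framing follows RFC 1939, and the `ProfileState` names, the state model and the hardened `uniform_response` variant are assumptions for illustration.

```python
"""Verbose vs uniform POP3 authentication responses (constructed model)."""
from enum import Enum
from math import log2


class ProfileState(Enum):
    """Server-side view of the user profile named in the USER/PASS exchange."""
    UNKNOWN = "no such profile"
    DISABLED = "profile disabled"
    PW_EXPIRED = "password expired"
    NO_PASSWORD = "no password set"
    ACTIVE = "active"


def verbose_response(state: ProfileState, password_ok: bool) -> str:
    """Behaviour the advisory describes: a distinct message for every state."""
    if state is ProfileState.UNKNOWN:
        return "-ERR No user found"
    if state is ProfileState.DISABLED:
        return "-ERR Good user, but user profile is disabled"
    if state is ProfileState.PW_EXPIRED:
        return "-ERR Good user, but password for user profile has expired"
    if state is ProfileState.NO_PASSWORD:
        return "-ERR Good user, but no password associated with user profile"
    if password_ok:
        return "+OK Good password, good user"
    return "-ERR Good user, password not correct for user profile"


def uniform_response(state: ProfileState, password_ok: bool) -> str:
    """Hardened variant (assumption): every failure looks the same."""
    if state is ProfileState.ACTIVE and password_ok:
        return "+OK"
    return "-ERR authentication failed"


def distinguishable_failures(respond) -> set:
    """Failure messages a caller who does NOT hold a valid password can see."""
    return {respond(state, False) for state in ProfileState}


def leaked_bits(respond) -> float:
    """Information (bits) about profile state revealed by one failed login.

    With five equally likely states, log2(5) ~ 2.32 bits means every state
    is recoverable; 0 bits means failures are indistinguishable.
    """
    return log2(len(distinguishable_failures(respond)))
```

The verbose server leaks the full profile state on a single wrong-password attempt, which is what makes the phonebook attack work; the uniform server leaks nothing beyond success or failure.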