Flow: The generic "bad password" reply is actually a security feature. If you could try random names and it would reply "bad IP/hostmask", then you would know you guessed a valid account name. Deleted/expired accounts are a somewhat special case because they are technically unusable accounts at that point, so leaking the name versus informing the user seemed like a good thing to make configurable. I support both options by how you set up the On[Deleted|Expired]Login events. Technically I should probably only show the deleted/expired message if you have it set up to do so AND the hostmask matches. I'll have to think about that one some more...

If people want it to return a "bad host/ip" error I can certainly make it an option you can enable, but like I said it will leak account names if someone was trying to scan the server.
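
The behaviour described in the post above, sketched as an added example (not the project's own code): every failure returns the same reply, and the deleted/expired message is shown only when it is enabled and the hostmask matches. The account table, `login`, `reveal_inactive` and the glob-style hostmask syntax are assumptions made for illustration.

```python
import fnmatch
import hashlib
import hmac

GENERIC = "bad password"          # single reply for every kind of failure
_SALT = b"constructed-salt"       # constructed; use a per-account salt in practice

def _hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 50_000)

# Constructed sample accounts (hypothetical schema).
ACCOUNTS = {
    "alice": {"pw": _hash("correct horse"), "hostmask": "*@10.0.0.*", "state": "active"},
    "bob":   {"pw": _hash("hunter2"), "hostmask": "*@172.16.*", "state": "deleted"},
}
_DUMMY = _hash("placeholder for unknown names")

def login(name: str, password: str, host: str, reveal_inactive: bool = False) -> str:
    acct = ACCOUNTS.get(name)
    # Hash and compare even for unknown names so the work done does not
    # depend on whether the account exists.
    supplied = _hash(password)
    pw_ok = hmac.compare_digest(supplied, acct["pw"] if acct else _DUMMY)
    pw_ok = pw_ok and acct is not None
    host_ok = acct is not None and fnmatch.fnmatchcase(host, acct["hostmask"])

    if acct is not None and acct["state"] != "active":
        # Deleted/expired notice only if configured AND the hostmask matches;
        # a scanner from another host sees the generic reply.
        if reveal_inactive and host_ok:
            return f"account {acct['state']}"
        return GENERIC
    return "ok" if (pw_ok and host_ok) else GENERIC

if __name__ == "__main__":
    for args in [("alice", "correct horse", "u@10.0.0.5"),
                 ("alice", "correct horse", "u@192.168.1.1"),
                 ("nobody", "x", "u@10.0.0.5")]:
        print(args[0], args[2], "->", login(*args))
```
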
