The problem is that an application that accepts a username/password and
attempts to validate using $HASH_PASSWORD and $GETUAI *must* also make
explicit calls to $SCAN_INTRUSION, otherwise it provides a back door
around the intrusion detection mechanism.  I have seen this on many
applications, including POP servers and web scripts to change your
password.  With the benefit of hindsight, it might have been a better
idea to provide a $VERIFY_PASSWORD service which combines the three
functions above, because it is so easy for a developer to overlook it.

Another place to check is if the UCX SMTP server supports SASL (this is
the "my-server-requires-authentication" checkbox in the POP client).
SASL allows the client to pass a username/password in the ESMTP dialog
so that you can allow authenticated clients to relay through your server
irrespective of what IP address they are coming from .  Even PMDF
overlooked putting this through $SCAN_INTRUSION when it first came out
(it was fixed pretty quickly).  Only slightly more difficult to script
an attack on this one.

To check if your SMTP server supports SASL, telnet to port 25 and issue
an EHLO command.  Look for the AUTH extension.  It is harder to test
using telnet because the username/password pair need to be BASE64 encoded.

---------------------------------------------------------
Tom Wade                 | EMail: tee dot wade at eurokom dot ie
EuroKom                  | Tel:   +353 (1) 296-9696
A2, Nutgrove Office Park | Fax:   +353 (1) 296-9697
Rathfarnham              | Disclaimer:  This is not a disclaimer
Dublin 14                | Tip:   "Friends don't let friends do Unix !"
Ireland