06-30-2003
Alan J. Flavell
 
Re: Apache limit number of login retries

On Mon, Jun 30, Martin Wickman inscribed on the eternal scroll:

> > And 'thanks' to the widespread availability of open proxies on the
> > internet nowadays (the spammers are already making enthusiastic use of
> > them), any attempt to confine the blockout to a particular IP could be
> > easily circumvented.

>
> Blocking of IP was not my main concern.
I wasn't exactly meaning to "block the IP"; I was taking the reasoning
onwards from the observation that "blanket blocking of a user name
means an easy denial of service for that user", but showing that the
initially attractive option of tying the block to a specific IP
wouldn't really solve the problem either, for the reason I gave.

> I was more thinking along the
> lines of blocking a certain user, maybe for a specific time.
Actually if you could slow down the response to bad credentials, you
might make it impractical to brute-force enough different passwords in
a realistic time, while still permitting bona fide access without much
delay. Disclaimer: I haven't tried this in practice myself, though it
sounds at least a plausible principle; I haven't seen it discussed
more than superficially either (this itself surely carries some kind
of message? - but maybe someone who's got a working solution will be
willing to discuss it here, and then I'll happily defer to their
expertise).

> Besides, in a controlled environment such as an intranet/vpn, DOS is
> pretty much a non-issue as well.
Well, this here usenet group has WWW in its name - it isn't really
on-topic to deal with intranet situations. But evidently this
intranet is considered insecure enough to need defending against
password cracking attacks, so just why isn't denial of service an
issue too, riddle me that?

good luck
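As an added illustration of the delay-on-failure idea raised in this reply (example code, not from the thread and not Apache's own mechanism): a per-username throttle that slows the response to each bad credential instead of locking the account, plus a helper that totals the delay a guesser would accumulate. The credential store, the clock hook and the delay schedule are constructed for the example.

```python
"""Slow down bad-credential responses instead of locking the account (simulation)."""
import hashlib
import hmac
import time
from collections import defaultdict

# Constructed sample credential store: username -> SHA-256 of the password.
# A real deployment would use a salted, slow password hash; this is only a
# stand-in so the simulation runs self-contained.
USERS = {"alice": hashlib.sha256(b"correct horse").hexdigest()}


class ThrottledAuth:
    """Delay the reply to the n-th consecutive failure by min(base*2**(n-1), cap).

    The failure counter is per username and forgets itself after `window`
    seconds without a failure, so a legitimate user is never locked out; a
    correct password always answers immediately. `clock` is injectable so
    the behaviour can be tested without sleeping.
    """

    def __init__(self, base=1.0, cap=60.0, window=900.0, clock=time.monotonic):
        self.base, self.cap, self.window, self.clock = base, cap, window, clock
        self.failures = defaultdict(int)  # username -> consecutive failures
        self.last_failure = {}            # username -> time of last failure

    def delay(self, n):
        """Seconds to hold the reply to the n-th consecutive bad attempt."""
        return min(self.base * 2 ** (n - 1), self.cap)

    def _current_failures(self, user):
        n = self.failures[user]
        if n and self.clock() - self.last_failure[user] > self.window:
            n = self.failures[user] = 0  # old failures have expired
        return n

    def login(self, user, password):
        """Return (ok, delay_seconds); the caller holds the reply for `delay`."""
        digest = hashlib.sha256(password.encode()).hexdigest()
        ok = hmac.compare_digest(USERS.get(user, ""), digest)
        if ok:
            self.failures[user] = 0
            return True, 0.0
        n = self._current_failures(user) + 1
        self.failures[user] = n
        self.last_failure[user] = self.clock()
        return False, self.delay(n)


def guessing_cost(n_guesses, base=1.0, cap=60.0):
    """Total seconds a guesser waits for n_guesses consecutive wrong passwords."""
    return sum(min(base * 2 ** (k - 1), cap) for k in range(1, n_guesses + 1))
```

Note the caveat a deployment has to handle: the delay must not tie up a server worker for its duration, and because the counter is per username, someone else's failures against the same name will also slow a legitimate user's own mistyped attempts until the window expires.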