Is POP3 so obsolete that, despite all the constant updates to Linux distributions of even obscure things many might imagine to be obsolete, such a major security hole as brute-forcing still is not fixed?
That seems outright weird if it extends to whatever the latest thing is if even IMAP is that obsolete already too.
I hope it is at least fixed in the getty/login/telnet/ssh type things?
-MarkM-
An out-of-the-box Linux distro will install a rock-solid POP3 daemon that has a very low chance of being hacked remotely without a user/pass.
A POP3 daemon normally contains no brute forcing code. It is up to the user to add that. Often a script that checks a log in /var/log/whatever and then sees that a single IP has tried a dozen times so it locks it out for 24 hours or however you set it up.
Perhaps a POP3 daemon exists that does have that included, but over the history of Linux most people created tools that do one thing well and then you add on top of that or chain tools together.
That is why accounts on cPanel hosting, for example, are popular. It contains all those bells and whistles. But if you get a server/virtual server at a colocation place it is totally up to you to lock it down. This goes for the BSDs and generally all nix(s).
SSL in this case does not help. The attacker simply attacks that port.
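
The kind of log-watching script the reply above describes, as an added example that is not part of the original thread: it counts failed POP3 logins per IP and marks an IP for a 24-hour lockout after a dozen failures. The log line format, the 10-minute counting window and all names are assumptions made for this sketch, and the sample log is constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical log format (constructed for this example, not any real daemon's):
#   2024-05-01T10:00:00 pop3d: auth failed user=bob rip=203.0.113.5
FAIL_RE = re.compile(r"^(\S+) pop3d: auth failed user=\S* rip=(\d{1,3}(?:\.\d{1,3}){3})$")

MAX_FAILURES = 12                  # "a dozen times"
WINDOW = timedelta(minutes=10)     # assumed counting window
LOCKOUT = timedelta(hours=24)      # "locks it out for 24 hours"


def find_lockouts(lines):
    """Return {ip: lockout_expiry} for IPs reaching MAX_FAILURES within WINDOW."""
    recent = defaultdict(deque)    # ip -> timestamps of recent failures
    locked = {}                    # ip -> datetime the lockout ends
    for line in lines:
        m = FAIL_RE.match(line.strip())
        if not m:
            continue               # successful logins and unrelated lines
        when = datetime.fromisoformat(m.group(1))
        ip = m.group(2)
        if ip in locked and when < locked[ip]:
            continue               # already blocked; nothing more to count
        q = recent[ip]
        q.append(when)
        while q and when - q[0] > WINDOW:
            q.popleft()            # forget failures older than the window
        if len(q) >= MAX_FAILURES:
            locked[ip] = when + LOCKOUT
            q.clear()
    return locked


def sample_log():
    """Constructed sample: one noisy IP, one user who mistyped twice."""
    start = datetime(2024, 5, 1, 10, 0, 0)
    lines = [f"{(start + timedelta(seconds=5 * i)).isoformat()} pop3d: auth failed user=admin rip=203.0.113.5"
             for i in range(15)]
    lines += ["2024-05-01T10:00:30 pop3d: auth failed user=mark rip=198.51.100.7",
              "2024-05-01T10:00:40 pop3d: auth failed user=mark rip=198.51.100.7",
              "2024-05-01T10:00:50 pop3d: login ok user=mark rip=198.51.100.7"]
    return lines


if __name__ == "__main__":
    for ip, until in find_lockouts(sample_log()).items():
        print(f"block {ip} until {until.isoformat()}")  # hand this to the firewall
```

The returned expiry times are what a firewall rule or deny list would be driven from; the script itself only decides who to block and for how long.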