|The APOP protocol allows remote attackers to guess the first 3
characters of a password via man-in-the-middle (MITM) attacks that use
crafted message IDs and MD5 collisions. NOTE: this design-level issue
potentially affects all products that use APOP, including (1)
Thunderbird 1.x before 18.104.22.168 and 2.x before 22.214.171.124, (2) Evolution,
(3) mutt, (4) fetchmail before 6.3.8, (5) SeaMonkey 1.0.x before 1.0.9
and 1.1.x before 1.1.2, (6) Balsa 2.3.16 and earlier, (7) Mailfilter
before 0.8.2, and possibly other products.