|The APOP protocol allows remote attackers to guess the first 3
characters of a password via man-in-the-middle (MITM) attacks that use
crafted message IDs and MD5 collisions. NOTE: this design-level issue
potentially affects all products that use APOP, including (1)
Thunderbird 1.x before 184.108.40.206 and 2.x before 220.127.116.11, (2) Evolution,
(3) mutt, (4) fetchmail before 6.3.8, (5) SeaMonkey 1.0.x before 1.0.9
and 1.1.x before 1.1.2, (6) Balsa 2.3.16 and earlier, (7) Mailfilter
before 0.8.2, and possibly other products.