[JDEV] Kid-safe messaging: [was buddy icons]
David Waite
dwaite at jabber.com
Wed Apr 11 12:14:06 CDT 2001
Actually, I like the thought of rate-limiting. If they can only send two subscription requests per minute, they would be discouraged from trying to bulk-subscribe. Also, if they could only resolve two search matches per minute, they would be discouraged from walking the list and bulk-messaging. Have the ability to implement rules like 'ten unique invalid user requests in a minute bans s2s communication with that server for ten minutes', and it just won't be practical.
I believe the spam response rate is well under 1%; if they were only able to spam a hundred users a day or some such number, it would be unlikely they would consider this to be a viable advertising method.
-David Waite
Jens Alfke wrote:
> On Wednesday, April 11, 2001, at 09:02 AM, Thomas Parslow (PatRat) wrote:
>
> why do you think it will become an issue if the user itself is careful
> enough? It definitely isn't easy to guess the account names on Jabber, as it
> is the case with ICQ.
>
> But that relies on every user knowing what they're doing ;)
>
> Precisely, which brings us back to the subject of this thread. I guess the conclusion here is that clients should either default to blocking messages from non-buddies, or should when first run ask the user if s/he wants to accept messages from non-buddies, with the default answer being "no".
>
> Also, many users wish to be listed in online directories so that
> people can find them.
>
> This is a wider issue. Blocking all non-buddies is pretty severe. It might be enough to also accept messages from people who have you on their buddy list, since you presumably approved their doing so. The loophole I can see here is that you could end up getting spammed with subscription requests like "The user hotbabe at sexxx.com wants to add you to their buddy list. Do you approve this?"
>
> One big vague architectural solution is to establish some kind of "web of trust" where transitive buddyhood (foo at bar.com is unknown to me but is on one of my buddy's buddy lists) is used as a heuristic to guess that someone is legit and therefore not block their messages. The problem is how to trawl through the directed graph of buddy lists without privacy concerns coming up, since I don't necessarily want all my buddies knowing who else is on my buddy list.
>
> Here's a quick thought: Allow each user to keep a private server-side list that rates other users positively or negatively. Other users can then send special messages to your server to query for your rating of a single other user. By sending such a query to your whole buddy list, you can compute an aggregate ranking that gives you an idea of whether or not to trust or block some unknown user. Should be quite simple to implement...
>
> -Jens
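Added example, not part of the original message or of any Jabber server's code: a sketch of the two rules proposed at the top of this message, a per-sender limit of two subscription requests or search lookups per minute, and a ten-minute s2s ban once a remote server has asked for ten unique nonexistent users within a minute. The class name, method names and example addresses are hypothetical, and timestamps are passed in explicitly so the behaviour is deterministic.

```python
from collections import defaultdict, deque


class S2SAbuseGuard:
    """Hypothetical sliding-window limiter for the rules described in the message."""

    def __init__(self, per_minute=2, invalid_limit=10, window=60.0, ban_seconds=600.0):
        self.per_minute = per_minute        # requests allowed per sender per window
        self.invalid_limit = invalid_limit  # unique invalid users that trigger a ban
        self.window = window
        self.ban_seconds = ban_seconds
        self._events = defaultdict(deque)   # (sender, kind) -> accepted timestamps
        self._invalid = defaultdict(dict)   # server -> {invalid user: last seen}
        self._banned_until = {}             # server -> time the ban ends

    def is_banned(self, server, now):
        return self._banned_until.get(server, 0.0) > now

    def allow(self, sender, kind, now):
        """kind is 'subscribe' or 'search'. Returns True if the request may proceed."""
        server = sender.rpartition("@")[2]
        if self.is_banned(server, now):
            return False
        q = self._events[(sender, kind)]
        while q and now - q[0] >= self.window:
            q.popleft()                     # forget requests older than the window
        if len(q) >= self.per_minute:
            return False                    # rejected requests are not counted again
        q.append(now)
        return True

    def record_invalid(self, server, target, now):
        """Record a request for a nonexistent local user.

        Repeats of the same target count once. Returns True when this
        request causes the server to be banned.
        """
        seen = self._invalid[server]
        seen[target] = now
        for user in [u for u, t in seen.items() if now - t >= self.window]:
            del seen[user]
        if len(seen) >= self.invalid_limit:
            self._banned_until[server] = now + self.ban_seconds
            seen.clear()
            return True
        return False
```

Counting unique targets rather than raw requests keeps a remote user who retries one mistyped address from getting their whole server banned.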