R: R: [jdev] about spim techniques
Sander Devrieze
s.devrieze at pandora.be
Sat Aug 27 09:19:40 CDT 2005
On Saturday 27 August 2005 12:20, Ian Paterson wrote:
> Trejkaz wrote:
> > The problem with blacklisting is that it
> > assumes all new servers are innocent.
> > A spammer gets to run amok until they're
> > caught, and then change hostnames.
> >
> > A combination of whitelisting and
> > blacklisting would be more effective.
> > Server admins apply to a central
> > authority (e.g. the JSF) to get on the
> > whitelist.
>
> The power of a single central authority would be open to abuse in the
> future.

There can be a policy so that JSF Members e.g. can vote on new authorities. If
an authority gets enough votes, people can add the public keys of these
authorities to a list downloadable by Jabber servers. Note that this list
can be located on multiple websites, blogs, etc!

Examples of possible authorities:
* JSF.
* CACert.
* An individual member (or group of members) within the Jabber community
* An open source Jabber server project that also provides certificates for
deployers of their server if they want.
* A commercial entity that asks money for the certificate.

The first four in the list will cost time and effort from a new server admin,
the last one requires (much) money but not the same amount of time. And as
time is money, it will always cost spammers money :-)

> If we really have to maintain server whitelists (I hope we don't),

The whitelisted server can also be a server which has a certificate or just a
signature, signed by one of the authorities the JSF allows. If a new server
wants to send an incoming connection request to another server, the other
server will retrieve (over XMPP) the signed certificate/signature from the
requesting server and verify it with the public key of the right authority.

If the certificates of an authority get abused very much, the JSF can contact
them to oblige them to solve this problem. They can do this by increasing the
fee, using new anti-bot technologies in forms, asking more "human-testing
questions" (e.g. 'What is the colour of the air? black, red, blue or
brown?'),...

<snip>
> What stops a spimmer registering more servers before the first one is
> blacklisted?
It will cost him money (time is also money)! :-)
--
Kind regards, Sander Devrieze.
xmpp:sander at devrieze.dyndns.org
ejabberd, the expandable Jabber daemon. --
http://ejabberd.jabber.ru/
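
The check proposed in this message (a receiving server verifying a requesting server's signature against a list of authority public keys), sketched as an added example that is not part of the original e-mail or of any Jabber server's code. Ed25519, the `Attestation` format, the signed-bytes prefix and every name below are assumptions, and the retrieval over XMPP is left out.

```go
package main

import (
	"crypto/ed25519"
	"errors"
	"fmt"
)

// Attestation is what a connecting server presents (hypothetical format).
type Attestation struct {
	Domain, Authority string // vouched-for hostname, name of the signer
	Signature         []byte // authority's signature over signedBytes(Domain)
}

// TrustList is the downloadable list: authority name -> public key.
type TrustList map[string]ed25519.PublicKey

// signedBytes adds a context prefix so the signature cannot be reused elsewhere.
func signedBytes(domain string) []byte { return []byte("s2s-whitelist-v1\x00" + domain) }

// NewAuthority generates a constructed key pair for the demo.
func NewAuthority() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	return pub, priv
}

// Issue is the authority side: vouch for one server domain.
func Issue(name string, priv ed25519.PrivateKey, domain string) Attestation {
	return Attestation{Domain: domain, Authority: name, Signature: ed25519.Sign(priv, signedBytes(domain))}
}

// Verify is the receiving server's check on an incoming connection request.
func (t TrustList) Verify(peerDomain string, a Attestation) error {
	pub, ok := t[a.Authority]
	switch {
	case a.Domain != peerDomain:
		return errors.New("attestation names a different domain")
	case !ok:
		return errors.New("authority is not on the trust list")
	case !ed25519.Verify(pub, signedBytes(a.Domain), a.Signature):
		return errors.New("signature does not verify")
	}
	return nil
}

func main() {
	pub, priv := NewAuthority()
	trust := TrustList{"authority-a": pub} // constructed sample list
	att := Issue("authority-a", priv, "chat.example.org")
	fmt.Println(trust.Verify("chat.example.org", att), trust.Verify("other.example.net", att))
}
```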