R: R: R: [jdev] about spim techniques

Tijl Houtbeckers thoutbeckers at splendo.com
Sat Aug 27 10:27:01 CDT 2005


On Sat, 27 Aug 2005 16:32:38 +0200, Sander Devrieze  
<s.devrieze at pandora.be> wrote:

>
> A 'mass spimmer' will probably set up his own server...

A spimmer would probably do the same as most spammers these days. Not set  
up their own server but use compromised computers all over the internet.  
These could either act as mini servers or could be used to register  
fake accounts on existing jabber servers.

Both are a huge problem on an open s2s network as we have now. Given the  
potential number of IPs/hosts that spim can come from, it's very hard to  
block. Bayesian filtering on IM is a lot harder than on email ("valid"  
messages are often short, which makes it harder to filter out invalid  
short messages), but let's suppose you do manage to do this in a somewhat  
reliable way.

Are you going to block servers cause spam comes from them, or just  
accounts? Another account, on most jabber servers, can be created in a few  
seconds. So you'll end up blocking the server instead.

So while certification would lead to good accountability, right now the  
only consequence of that -if spimmers decide it's worth it to target  
Google Talk (or Jabber in general)- would be that we'll be held  
accountable indeed for our bad network practices of open registration.

Google however, has tackled the problem for now, by keeping their  
registration system closed, coupling it to a form of human<->human  
interaction (invitations) or a cellphone number. Any human being should be  
able to get a GMail account; for a bot, however, it's a different matter.  
While a spammer/spimmer with some effort could probably amass a few  
hundred GMail accounts, that's still nothing compared to the virtually  
limitless number of accounts they could create on the Jabber network we  
use. Google (probably) can also backtrace the invitation path on created  
GMail accounts, so if they find one "spimmer" account they could wipe out  
a large part of the spimmer's network, or at least flag it as suspect.

If I were Google I would not "federate" without at least accountability of  
some kind. The "usual" CAs and CAcert for a server sounds fine, or even  
something lower level to fall back on perhaps, e.g. associating a user@host  
JID with a GMail account (though they genuinely seem to feel this would  
not be "open" or "fair" enough, it's better than nothing)


