R: R: R: [jdev] about spim techniques

Bart van Bragt jabber at vanbragt.com
Sat Aug 27 11:43:03 CDT 2005


Sander Devrieze wrote:
>> A spimmer would probably do the same as most spammers these days. Not set
>> up their own server but use compromised computers all over the internet.
>> These could either act as mini servers
> This will cost money/time and make it not profitable.
Is that so? Then why are there lots and lots of worms/viruses/trojans 
out there that turn PCs into zombie machines? Why wouldn't they use that 
to fetch the JID+password of this user and use that to send loads of SPIM?

> It would result that if spimmers discover the open registration, many servers 
> might be blocked for some time. But afterwards we will have at least a better 
> set of public servers left, and maybe a new version of the registration JEP 
> that blocks spimmers.
If you ask me in-band registration should be disabled on public servers 
and it should be replaced by some kind of bot proof web page. This way 
it's also easier to get a (valid) email address of the user in case they 
forget their password etc. In-band registration is spimmers' heaven...

IMO blocking people that are not on your roster is a very important way 
to combat SPIM; authorization requests with SPIM can be a hard-to-combat 
problem though, especially if you want to show a message like 'Hi, this 
is Lisa from the gym. Could you please add me?' with the authorization 
message. Another way to combat SPIM is using trust networks but I'm not 
sure if that can be implemented in a way that's transparent to the user 
and I'm also unsure if it's worth all the trouble.

Having:
- Dialback and related mechanisms (ability to hunt the SPIMmer)
- Karma limits on the server (important to keep zombie PCs relatively quiet)
- Privacy lists (to block domains yourself)
- Blocking of messages from unauthorized users (prevent SPIM from 
reaching you at all).

There is already a fairly complete arsenal of utilities that can be used 
to detriment SPIM. Adding whitelists to that sounds like a (very) bad 
idea, it will reduce the openness of the Jabber network quite a bit. 
Blacklists (RBLs etc) sound like a nice addition to the aforementioned 
measures.

Another (ok, small :D) advantage that we have over SMTP is that XMPP 
servers are very capable of using external lists/services to help 
prevent SPAM. It's almost trivial to set up a server that has a list 
with 'bad' URLs which you can use on your server to block messages with 
SPIM URLs in them, you can do all of that quite trivially over XMPP 
instead of having to create some weird extension to your server that 
fetches a list like that once in a while out of band like you have to do 
with SMTP.

Bart
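
The measures listed in the message above (privacy-list domain blocks, a 'bad' URL list, authorization requests that still get through but are rate limited, and dropping messages from senders not on the roster) combined into one inbound check, as an added example that is not part of the original post or of any XMPP server. `InboundPolicy`, its parameters and the returned labels are hypothetical, the token bucket is a simplified stand-in for karma, and the sample stanza is constructed.

```python
import re
import xml.etree.ElementTree as ET

# Captures the host part of http(s) URLs found in stanza text.
URL_HOST_RE = re.compile(r"https?://([^\s/:<>\"'?#]+)", re.I)

class InboundPolicy:
    """Hypothetical per-user filter; not taken from any XMPP server."""

    def __init__(self, roster, blocked_domains, bad_url_hosts,
                 sub_budget=3, refill_seconds=60):
        self.roster = {j.lower() for j in roster}
        self.blocked_domains = {d.lower() for d in blocked_domains}
        self.bad_url_hosts = {h.lower() for h in bad_url_hosts}
        self.sub_budget = sub_budget          # burst of subscription requests per domain
        self.refill_seconds = refill_seconds  # one request regained per this many seconds
        self.buckets = {}                     # sender domain -> (tokens, last seen)

    def _take(self, domain, now):
        # Token bucket: a simplified stand-in for server-side karma limits.
        tokens, last = self.buckets.get(domain, (self.sub_budget, now))
        tokens = min(self.sub_budget, tokens + (now - last) / self.refill_seconds)
        allowed = tokens >= 1
        self.buckets[domain] = (tokens - 1 if allowed else tokens, now)
        return allowed

    def decide(self, stanza_xml, now):
        # A server would already hold the parsed stanza; ET only reads the samples.
        el = ET.fromstring(stanza_xml)
        kind = el.tag.rpartition("}")[2]
        bare = el.get("from", "").split("/", 1)[0].lower()
        domain = bare.rpartition("@")[2]
        if domain in self.blocked_domains:
            return "drop:privacy-list"
        # Checked for roster contacts too: a stolen JID+password passes the roster test.
        for host in URL_HOST_RE.findall(" ".join(el.itertext())):
            if host.rpartition("@")[2].rstrip(".").lower() in self.bad_url_hosts:
                return "drop:bad-url"
        if kind == "presence" and el.get("type") == "subscribe":
            return "deliver" if self._take(domain, now) else "drop:rate-limit"
        if kind == "message" and bare not in self.roster:
            return "drop:not-on-roster"
        return "deliver"

# Constructed sample stanza (not captured traffic).
SUBSCRIBE = ("<presence xmlns='jabber:client' from='lisa@gym.example' type='subscribe'>"
             "<status>Hi, this is Lisa from the gym. Could you please add me?</status></presence>")
```
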
