R: R: R: [jdev] about spim techniques
Tijl Houtbeckers
thoutbeckers at splendo.com
Sat Aug 27 14:13:01 CDT 2005
On Sat, 27 Aug 2005 18:13:38 +0200, Sander Devrieze
<s.devrieze at pandora.be> wrote:
> On Saturday 27 August 2005 17:27, Tijl Houtbeckers wrote:
>> On Sat, 27 Aug 2005 16:32:38 +0200, Sander Devrieze
>>
>> <s.devrieze at pandora.be> wrote:
>> > A 'mass spimmer' will probably set up his own server...
>>
>> A spimmer would probably do the same as most spammers these days. Not
>> set up their own server but use compromised computers all over the
>> internet. These could either act as mini servers
>
> This will cost money/time and make it not profitable.
So you're saying Spam is currently not profitable? Someone should tell the
people who keep putting it in my inbox!
And why would it be not profitable? All you have to do is develop some
software that implements a tiny dialback module, and sends a bunch of
messages. It actually helps us in this case that a lot of computers have a
messed up network config, but it's usually PCs with no firewall and no NAT
that are compromised (for obvious reasons). Once you've written your
software you rent a bot from some Russian kid (once it gets popular they
will already have the software), and you can start sending spims.
You shouldn't underestimate that this is one of the most common forms of
spamming these days, since what applies to email spam will likely apply to
jabber-spim. The other form is open relays, but even this often still
originates from zombies. (The reason open relays are used is you need less
bandwidth because of the cc/bcc mechanism, which could start to be a
problem for XMPP when servers start implementing JEP-0033). The equivalent
of an open relay SMTP server is of course a Jabber server with in-band
registration.
This is significant because the defense techniques you mention are a lot
less effective when you're defending against a large group of bots all
coming from different IPs. Particularly if they use the "mini server"
approach.
Anyway.. the point I was trying to make is this: with the current "state"
the Jabber network is in (or Jabber clients for that matter) we are
nowhere near to effectively combatting a spimmer attack. Nor is Google for
that matter, if they decide to open up their network to everyone. Whether
they do so just by opening dialback (they'll suffer most from "mini
servers", I would think) or by requiring a CAcert or a JSFcert from others
(they'll suffer from our open relays, and we'll suffer with them). So the
call to them to open their network now, today, is not very realistic, or
at least not fair, because we have a lot of work to do first.
As I said before, I can see at least one technically feasible method that
would work today: adding a little field in your gmail account where you
can put your non-gmail JID so they can let it through on their server. And
maybe sending a message when they block you, telling you about this when
you are blocked. This might not even be a bad idea for "normal" servers:
blocking s2s messages (from non-authenticated servers) for a user until
he completes some sort of "human intelligence" test (like one of those
type-the-number thingies) to get whitelisted. Kinda tricky for bots though
:)
But the conspiracy zealots would have a field day on that one since it's
exactly what Google stated they want to prevent (having to have an account
with them to talk to people on their server)
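The whitelist-or-challenge policy sketched in the message above, as an added example that is not code from the original post or from any Jabber server. It assumes three things not stated on the page: that peers authenticated by certificate (rather than dialback only) are exempt from the check, that the "human intelligence" test is a numeric code the sender must echo back (rendering it as an image is left out), and that a pre-approved remote JID is recorded per local user in the same whitelist the challenge feeds.

```python
# Added example: per-user whitelist plus a human-check gate for messages
# arriving over s2s. Names, the challenge format and the exemption for
# certificate-authenticated peers are assumptions, not anything from the post.
import secrets
from dataclasses import dataclass, field


def bare_jid(jid: str) -> str:
    """Strip the resource: 'user@example.net/Home' -> 'user@example.net'."""
    return jid.split("/", 1)[0]


def domain_of(jid: str) -> str:
    """Return the domain part of a JID."""
    return bare_jid(jid).rsplit("@", 1)[-1]


@dataclass
class SpimGate:
    # Domains whose s2s link was authenticated by certificate (assumed exempt);
    # dialback-only peers count as unauthenticated and hit the whitelist check.
    cert_authenticated: set = field(default_factory=set)
    # local user -> set of remote bare JIDs allowed through
    whitelist: dict = field(default_factory=dict)
    # (local user, remote bare JID) -> code the sender must echo back
    pending: dict = field(default_factory=dict)

    def add_whitelist(self, local_user: str, remote_jid: str) -> None:
        """The 'little field in your account': the user pre-approves a JID."""
        self.whitelist.setdefault(local_user, set()).add(bare_jid(remote_jid))

    def inbound(self, local_user: str, from_jid: str) -> tuple:
        """Decide what to do with a message from from_jid to local_user.

        Returns ('deliver', None), ('challenge', text) or ('hold', None).
        """
        sender = bare_jid(from_jid)
        if domain_of(sender) in self.cert_authenticated:
            return ("deliver", None)
        if sender in self.whitelist.get(local_user, set()):
            return ("deliver", None)
        key = (local_user, sender)
        if key in self.pending:
            # Already challenged once; don't answer every bot message with
            # another challenge, that would just amplify the spim.
            return ("hold", None)
        code = "".join(secrets.choice("0123456789") for _ in range(6))
        self.pending[key] = code
        return ("challenge",
                f"Your message to {local_user} was blocked. Reply with {code} "
                f"to be whitelisted.")

    def answer(self, local_user: str, from_jid: str, response: str) -> bool:
        """Check a sender's reply to the challenge; whitelist on success."""
        key = (local_user, bare_jid(from_jid))
        expected = self.pending.get(key)
        if expected is None or not secrets.compare_digest(expected, response.strip()):
            return False
        del self.pending[key]
        self.whitelist.setdefault(local_user, set()).add(key[1])
        return True


if __name__ == "__main__":
    # Constructed sample traffic, not real JIDs.
    gate = SpimGate(cert_authenticated={"trusted.example"})
    print(gate.inbound("alice", "bob@trusted.example/home"))
    action, text = gate.inbound("alice", "spimmer@zombie.example/bot")
    print(action, text)
    print(gate.inbound("alice", "spimmer@zombie.example/bot2"))
```

The whitelist is keyed on the bare JID, so a sender who passed the test from one resource is not re-challenged from another; a botnet using the "mini server" approach would still have to pass one challenge per (victim, sender) pair, which is the cost the post is after.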