R: R: R: [jdev] about spim techniques

Sander Devrieze s.devrieze at pandora.be
Sat Aug 27 16:01:15 CDT 2005


On Saturday 27 August 2005 21:13, Tijl Houtbeckers wrote:
> On Sat, 27 Aug 2005 18:13:38 +0200, Sander Devrieze <s.devrieze at pandora.be> wrote:
> > On Saturday 27 August 2005 17:27, Tijl Houtbeckers wrote:
> >> On Sat, 27 Aug 2005 16:32:38 +0200, Sander Devrieze <s.devrieze at pandora.be> wrote:
> >> > A 'mass spimmer' will probably set up his own server...
> >>
> >> A spimmer would probably do the same as most spammers these days: not
> >> set up their own server but use compromised computers all over the
> >> internet. These could either act as mini servers
> >
> > This will cost money/time and make it not profitable.
>
> So you're saying Spam is currently not profitable? Someone should tell the
> people who keep putting it in my inbox!

No: I am saying we should make it cost just enough money (time is also 
money!) to make it unprofitable. The big reason why SMTP is much more plagued 
by spammers than good old mail is that for mail, you need to buy a stamp 
first... Note that people living in a city with many apartments will also 
get more unsolicited mail than people living in the country, where the houses 
are much further away from each other (and so the second scenario is more 
expensive for companies). I have not even talked about international prices 
for the good old mail system!

> And why would it be not profitable? All you have to do is develop some
> software that implements a tiny dialback module,

What I am saying is that we also need a new component, especially to protect 
against spim. Dialback solves spoofing, which is something else (though it can 
also help against spimmers). So before an incoming connection is allowed by a 
server:
* Dialback should be used to verify the domain.
* It should be verified (read also my other mails in this thread) that the 
server has a good certificate issued by a non-blocked authority.

The important things in the above scenario that make it cost money for 
spimmers are:
* They need to set up a new domain every time they are blocked.
* They need to pay every time for a certificate for the domain: depending on 
which authority they choose, it will cost money and/or time (delay, 
anti-bot features in the web form to request the certificate, ...).
* Every time == when they get blacklisted.
* It is easier to find the root of the spim because of dialback and take legal 
action, for example.
* The commercial authority will lose customers and can take legal action 
because of this against the spimmer (the authority will know the contact 
information of the spimmer and there will be a contract, of course).

> and sends a bunch of 
> messages.

Some of the things that can happen then:
* The authority's (it can be multiple authorities too) public key used to 
verify its servers will be blacklisted.
* The spimmer will be blocked automatically because its certificate is signed 
by the blacklisted authority.
* The authority will get complaints.
* The authority will contact the spimmer and say it did not like that.
* The spimmer needs to get a new domain name and a new certificate if he wants 
to spam again.

> It actually helps us in this case that a lot of computers have a 
> messed up network config, but it's usually PCs with no firewall and no NAT
> that are compromised (for obvious reasons). Once you've written your
> software you rent a bot from some Russian kid (once it gets popular they will
> already have the software), and you can start sending spims.
>
> You shouldn't underestimate that this is one of the most common forms of
> spamming these days, since what applies to email spam will likely apply to
> jabber-spim. The other form is open relays, but even this often still
> originates from zombies. (The reason open relays are used is you need less
> bandwidth because of the cc/bcc mechanism, which could start to be a
> problem for XMPP when servers start implementing JEP-0033). The equivalent
> of an open relay SMTP server is of course a Jabber server with in-band
> registration.

If the spimmers start to use that in my scenario, a lot of servers will be 
blocked automatically and others will disable in-band registration permanently 
or temporarily until the protocol has evolved with new anti-spimbot things in 
it (see my other post in this thread about not throwing out the baby with the 
bathwater).

> This is significant because the defense techniques you mention are a lot
> less effective when you're defending against a large group of bots all coming
> from different IPs. Particularly if they use the "mini server" approach.

All these servers will need:
* different real domain names
* different certificates for *each* server, which will cost money and/or time, 
as a bot will not be able to get such a certificate

If the total costs of the above are higher than the total earnings (from the 
few people that reply to the spim), I guess there will be no spimmer that 
wants to lose e.g. twice the amount of what he earns from the spim ;-)

<snip>
> As I said before, I can see at least one technically feasible method that
> would work today: adding a little field in your gmail account where you
> can put your non-gmail JID so they can let it through on their server.

So, people need to first get an account on Google to get their Jabber ID 
allowed? :-s This seems to be no solution...

> And 
> maybe sending a message when they block you telling you about this when
> you are blocked. This might not even be a bad idea for "normal" servers:
> blocking s2s messages (from non-authenticated servers) for a user until
> he completes some sort of "human intelligence" test (like one of those
> type-the-number thingies) to get whitelisted. Kinda tricky for bots though.

Well, this is maybe also a good (complementary) system you are talking about: 
create a JEP so that end users can add a question. When people not in their 
roster send them a message, the message will be blocked until the sender has 
answered the question correctly. This question can be localized by the user 
with xml:lang, and his Jabber client might also help him with questions. 
Example questions:
* "What is my email address (see vCard)?"
* "What is the URL of my website (see vCard)?"
* "What is my birthdate (see vCard)? Only give me the last two digits of the 
year."
* "Calculate the sum of the first two digits of my phone number (see vCard)."
* "I added the names of my pets to my vCard. Enter the name of the third pet 
here."
* "At the bottom of http://www.jabber.org/jeps/jep-0155.html you can find the 
date of the first version. Duplicate that date (without brackets) here."

<snip>

-- 
Kind regards, Sander Devrieze.

xmpp:sander at devrieze.dyndns.org ( http://jabber.tk/ )
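Added example (not code from this thread or from any Jabber server): a small Python model of the per-user challenge question sketched in the message above, which holds messages from senders outside the roster until they answer a localized vCard question. The class name, the loose answer normalisation, and the caps on buffered messages and wrong answers are this example's own assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass, field


def normalize(text: str) -> str:
    """Loose answer comparison: lower-case and keep only letters/digits, so
    '(2005-08-27)' and '20050827' compare equal (cf. the 'without brackets' hint)."""
    return "".join(ch for ch in text.lower() if ch.isalnum())


@dataclass
class ChallengeGate:          # hypothetical name, not from any XMPP implementation
    roster: set               # bare JIDs the user already trusts
    questions: dict           # xml:lang -> localized question text
    answers: set              # acceptable answers in any spelling
    default_lang: str = "en"
    max_held: int = 3         # assumed cap on messages buffered per stranger
    max_attempts: int = 3     # assumed cap on wrong answers before dropping
    allowed: set = field(default_factory=set)
    blocked: set = field(default_factory=set)
    held: dict = field(default_factory=lambda: defaultdict(list))
    attempts: dict = field(default_factory=lambda: defaultdict(int))

    def __post_init__(self):
        self.answers = {normalize(a) for a in self.answers}

    def question_for(self, lang: str) -> str:
        # Fall back to the default language when no localized text exists.
        return self.questions.get(lang, self.questions[self.default_lang])

    def on_message(self, sender: str, body: str, lang: str = "en"):
        """Return (messages to deliver to the user, reply to send to the sender)."""
        bare = sender.split("/", 1)[0]          # drop the resource part of the JID
        if bare in self.blocked:
            return [], None                     # gave up on this sender: drop silently
        if bare in self.roster or bare in self.allowed:
            return [body], None                 # trusted: deliver immediately
        if bare not in self.held:               # first contact: hold it, ask the question
            self.held[bare].append(body)
            return [], self.question_for(lang)
        if normalize(body) in self.answers:     # correct answer: whitelist and flush
            self.allowed.add(bare)
            return self.held.pop(bare), "Answer accepted; your earlier messages were delivered."
        self.attempts[bare] += 1                # wrong answer (or a message sent before reading)
        if self.attempts[bare] >= self.max_attempts:
            self.blocked.add(bare)
            self.held.pop(bare)
            return [], None
        if len(self.held[bare]) < self.max_held:
            self.held[bare].append(body)        # keep it in case a human answers later
        return [], "Wrong answer. " + self.question_for(lang)
```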