R: R: R: [jdev] about spim techniques
Peter Saint-Andre
stpeter at jabber.org
Sun Aug 28 13:06:05 CDT 2005
Sander Devrieze wrote:
> Well, this is maybe also a good (complementary) system you are talking about:
> create a JEP so that end users can add a question. When people not in their
> roster send them a message, the message will be blocked until the sender has
> answered the question right. This question can be localized by the user with
> xml:lang, also his Jabber client might help him with questions. Example
> questions:
Privacy lists (RFC 3921) enable me to allow messages only from people in
my roster, and to help fight spim more (all?) clients and servers need
to implement that functionality! (I should be able to specify the error
message that's returned to you when your message to me is blocked
because you're not in my roster -- at this point we have something like
a challenge-response system, and much as I know some people don't like
those, personally Active Spam Killer has made my email experience at
least bearable now.)
So then the key moment becomes this: when someone sends me a
subscription request. We know it is possible for some person (or bot) to
barrage me with multiple subscription requests, but my client should
block all but the first of those (in fact my server shouldn't send me
anything but the first one until I log in again, since the subscription
state hasn't changed at all). So now I am faced with a momentous
decision: should I add this "person" (could be a nasty bot) to my
roster? From what I've seen, most IM clients don't do a good job of
helping me make this decision. Several things would help:
1. Automatic vCard lookup (who *is* this person?)
2. Google the JID (perhaps it is on some nice person's blog etc.)
3. Enable me to exchange some messages with the person -- "who are
you?", "do I know you?", "do we know someone in common?", etc.
These are all pretty much social mechanisms that we use today, and in
general it's good to re-use those since they've been working fairly well
for thousands of years.
Other possibilities:
4. Look the JID up in key servers or other repositories
5. Look the JID up in some yet-to-be-defined reputation system
6. Ask people in my roster whether they know this person (could be
automated)
7. You ask someone whom we both know to send me a roster item exchange
message (JEP-0144) and that person vouches for your identity to some
extent (like an old-fashioned "letter of introduction")
8. You get someone whom we both know to sign your subscription request
with his key (not very different from #5)
I'm sure there are more mechanisms I haven't thought of.
Peter
--
Peter Saint-Andre
Jabber Software Foundation
http://www.jabber.org/people/stpeter.shtml
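
Added example, not part of the original message: a small evaluator for the kind of RFC 3921 privacy list the message describes, allowing <message/> stanzas only from contacts with a roster subscription. The list name, JIDs and roster contents are constructed for illustration, and JID matching is simplified to bare-JID equality.

```python
import xml.etree.ElementTree as ET

NS = "{jabber:iq:privacy}"

# Constructed list in RFC 3921 privacy-list syntax; the name is hypothetical.
ROSTER_ONLY = """
<list xmlns='jabber:iq:privacy' name='roster-only'>
  <item type='subscription' value='both' action='allow' order='1'><message/></item>
  <item type='subscription' value='to' action='allow' order='2'><message/></item>
  <item type='subscription' value='from' action='allow' order='3'><message/></item>
  <item action='deny' order='4'><message/></item>
</list>
"""

def parse_list(xml_text):
    """Return the list's items sorted by 'order' (lowest is evaluated first)."""
    items = []
    for el in ET.fromstring(xml_text).findall(NS + "item"):
        items.append({
            "type": el.get("type"),            # None means fall-through item
            "value": el.get("value"),
            "action": el.get("action"),
            "order": int(el.get("order")),
            # Empty set: the item applies to every stanza kind.
            "kinds": {child.tag[len(NS):] for child in el},
        })
    return sorted(items, key=lambda i: i["order"])

def decide(items, roster, sender, kind="message"):
    """First matching item wins; with no match the stanza is allowed.

    roster maps bare JID -> subscription state. A sender missing from the
    roster is treated as 'none'. Only bare-JID equality is implemented for
    type='jid', and type='group' is not handled (simplifications).
    """
    sub = roster.get(sender, "none")
    for it in items:
        if it["kinds"] and kind not in it["kinds"]:
            continue
        if (it["type"] is None
                or (it["type"] == "subscription" and it["value"] == sub)
                or (it["type"] == "jid" and it["value"] == sender)):
            return it["action"]
    return "allow"

ITEMS = parse_list(ROSTER_ONLY)
# Constructed roster for the example.
ROSTER = {"friend@example.org": "both", "pending@example.org": "none"}
```

Because every item names only <message/>, other stanza kinds from the same unknown sender fall through to the default of allow.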