Actually, I like the thought of rate-limiting. If they can only send two subscription 
requests per minute, they would be discouraged from trying to bulk-subscribe. Also, if 
they could only resolve two search matches per minute, they would be discouraged from 
walking the list and bulk-messaging. Add the ability to implement rules like 'ten 
unique invalid user requests in a minute bans s2s communication with that server for 
ten minutes', and it just won't be practical.

I believe the spam response rate is well under 1%; if they were only able to spam a 
hundred users a day or some such number, it would be unlikely that they would consider 
this to be a viable advertising method.

-David Waite

Jens Alfke wrote:

> On Wednesday, April 11, 2001, at 09:02 AM, Thomas Parslow (PatRat) wrote:
>
>           why do you think it will become an issue if the user itself is careful
>           enough? It definitely isn't easy to guess the account names on Jabber, as it
>           is the case with ICQ.
>
>      But that relies on every user knowing what they're doing ;)
>
> Precisely, which brings us back to the subject of this thread. I guess the 
>conclusion here is that clients should either default to blocking messages from 
>non-buddies, or should when first run ask the user if s/he wants to accept messages 
>from non-buddies, with the default answer being "no".
>
>      Also, many users wish to be listed in online directories so that
>      people can find them.
>
> This is a wider issue. Blocking all non-buddies is pretty severe. It might be enough 
>to also accept messages from people who have you on their buddy list, since you 
>presumably approved their doing so. The loophole I can see here is that you could end 
>up getting spammed with subscription requests like "The user [EMAIL PROTECTED] wants 
>to add you to their buddy list. Do you approve this?"
>
> One big vague architectural solution is to establish some kind of "web of trust" 
>where transitive buddyhood ([EMAIL PROTECTED] is unknown to me but is on one of my buddy's 
>buddy lists) is used as a heuristic to guess that someone is legit and therefore not 
>block their messages. The problem is how to trawl through the directed graph of buddy 
>lists without privacy concerns coming up, since I don't necessarily want all my 
>buddies knowing who else is on my buddy list.
>
> Here's a quick thought: Allow each user to keep a private server-side list that 
>rates other users positively or negatively. Other users can then send special 
>messages to your server to query for your rating of a single other user. By sending 
>such a query to your whole buddy list, you can compute an aggregate ranking that 
>gives you an idea of whether or not to trust or block some unknown user. Should be 
>quite simple to implement...
>
> -Jens
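
The two server-side controls proposed at the top of this message, a per-sender limit on subscription requests and a 'ten unique invalid user requests in a minute bans s2s communication with that server for ten minutes' rule, as an added worked example. This is not code from the thread or from any Jabber server; the sliding-window counters, the `AbusePolicy` class, the example JIDs and the timestamps are all constructed here for illustration, and the limits (2 subscriptions per minute, 10 unique bad addresses per minute, a 600-second ban) are taken from the message.

```python
"""Added example, not code from the jdev thread or from any Jabber server.

Models two abuse controls discussed above:
  * a per-user rate limit on subscription requests (2 per minute), and
  * 'ten unique invalid-user requests from one remote server in a minute
    bans s2s traffic from that server for ten minutes'.
Timestamps are passed in explicitly (seconds) so the logic is deterministic.
"""
from collections import defaultdict, deque

SUBSCRIBE_LIMIT = 2          # subscription requests per sender per window
SUBSCRIBE_WINDOW = 60.0      # seconds
INVALID_USER_LIMIT = 10      # unique non-existent local JIDs per remote server per window
INVALID_USER_WINDOW = 60.0   # seconds
S2S_BAN_SECONDS = 600.0      # ten minutes


class SlidingWindow:
    """Counts events seen in the last `window` seconds; can count unique keys only."""

    def __init__(self, window):
        self.window = window
        self.events = deque()  # (timestamp, key) in arrival order

    def add(self, now, key=None):
        self._expire(now)
        self.events.append((now, key))

    def count(self, now, unique=False):
        self._expire(now)
        if unique:
            return len({k for _, k in self.events})
        return len(self.events)

    def _expire(self, now):
        # Drop everything older than the window from the left of the deque.
        while self.events and self.events[0][0] <= now - self.window:
            self.events.popleft()


class AbusePolicy:
    """Per-server anti-spam state: subscription counters, invalid-user counters, s2s bans."""

    def __init__(self, local_users):
        self.local_users = set(local_users)
        self.subscribe_windows = defaultdict(lambda: SlidingWindow(SUBSCRIBE_WINDOW))
        self.invalid_windows = defaultdict(lambda: SlidingWindow(INVALID_USER_WINDOW))
        self.bans = {}  # remote server -> timestamp at which the ban expires

    def is_banned(self, server, now):
        expiry = self.bans.get(server)
        if expiry is None:
            return False
        if now >= expiry:
            del self.bans[server]  # ban has lapsed; forget it
            return False
        return True

    def allow_subscribe(self, sender_jid, now):
        """Allow at most SUBSCRIBE_LIMIT subscription requests per sender per window."""
        window = self.subscribe_windows[sender_jid]
        if window.count(now) >= SUBSCRIBE_LIMIT:
            return False  # rejected requests are not counted, so a flood cannot extend the window
        window.add(now)
        return True

    def handle_s2s_stanza(self, remote_server, to_jid, now):
        """Return 'banned', 'invalid-user' or 'deliver' for a stanza arriving over s2s."""
        if self.is_banned(remote_server, now):
            return "banned"
        if to_jid not in self.local_users:
            window = self.invalid_windows[remote_server]
            window.add(now, key=to_jid)
            # Only *unique* bad addresses count: retrying one typo never trips the rule,
            # walking a list of guessed names does.
            if window.count(now, unique=True) >= INVALID_USER_LIMIT:
                self.bans[remote_server] = now + S2S_BAN_SECONDS
                window.events.clear()
            return "invalid-user"
        return "deliver"


def demo():
    """Constructed scenario: a subscription flood, then a directory walk from spam.example."""
    policy = AbusePolicy(local_users={"alice@example.org", "bob@example.org"})
    # Five subscription requests from one sender at t=0,1,2,30,61: only the first two
    # and the one after the window has rolled over (t=61) get through.
    subscribe = [policy.allow_subscribe("spammer@spam.example", t) for t in (0, 1, 2, 30, 61)]
    # spam.example probes ten guessed, non-existent local users within ten seconds.
    walk = [policy.handle_s2s_stanza("spam.example", f"user{i}@example.org", 10 + i)
            for i in range(10)]
    while_banned = policy.handle_s2s_stanza("spam.example", "alice@example.org", 25)
    after_ban = policy.handle_s2s_stanza("spam.example", "alice@example.org", 620)
    return {"subscribe": subscribe, "walk": walk,
            "while_banned": while_banned, "after_ban": after_ban}


if __name__ == "__main__":
    print(demo())
```

Two caveats a deployment would have to weigh: the ban applies to the whole remote server, so one spammer on a large public server takes that server's legitimate users with it for ten minutes, and both limits key on the sender or origin server as reported over s2s, so they only help once the server can attribute the stanza to a verified origin.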


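The private rating list and aggregate-ranking idea at the end of the quoted message, as an added worked example. This is not code from the thread or from any Jabber implementation; the rating lists, JIDs and the `query_rating` lookup (which stands in for the "special message" to a buddy's server) are constructed here, and the decision rule with its minimum vote count is an assumption added for illustration.

```python
"""Added example, not code from the jdev thread or from any Jabber implementation.

Each user keeps a private server-side list rating other users +1 or -1. To judge an
unknown sender, a client asks each buddy's server for that buddy's rating of the one
JID in question and aggregates the answers. The network round-trip is replaced here
by a dictionary lookup (an assumption); the aggregation and decision rule are the point.
"""

# Constructed private rating lists: rater -> {rated JID: +1 or -1}. Assumed data.
RATINGS = {
    "alice@example.org": {"carol@example.net": +1, "spam@spam.example": -1},
    "bob@example.org":   {"spam@spam.example": -1},
    "dave@example.com":  {"carol@example.net": +1},
    "erin@example.com":  {},
}


def query_rating(rater, subject, ratings=RATINGS):
    """Stand-in for the rating query sent to `rater`'s server.

    Returns +1, -1, or None when the rater has no opinion. Answering only about the
    single JID asked for is what keeps the rater's full list private.
    """
    return ratings.get(rater, {}).get(subject)


def aggregate_trust(buddies, subject, query=query_rating):
    """Sum the ratings your buddies hold for `subject`; also return how many had an opinion."""
    votes = [query(buddy, subject) for buddy in buddies]
    known = [v for v in votes if v is not None]
    return sum(known), len(known)


def decide(buddies, subject, min_votes=2, query=query_rating):
    """Return 'accept', 'block', or 'ask' (too few opinions: fall back to asking the user).

    `min_votes` is an assumed threshold, not something the message specifies.
    """
    score, n = aggregate_trust(buddies, subject, query)
    if n < min_votes:
        return "ask"
    return "accept" if score > 0 else "block"


if __name__ == "__main__":
    my_buddies = ["alice@example.org", "bob@example.org"]
    print(decide(my_buddies, "spam@spam.example"))  # -> block
    print(decide(my_buddies, "carol@example.net"))  # -> ask (only alice has an opinion)
```

Note that the query itself is a disclosure in the other direction: every buddy asked learns that the unknown JID is trying to reach you, which is the same kind of privacy concern the message raises about trawling buddy lists, only smaller. Counting only buddies you have approved also matters, since otherwise a sender could vouch for themselves from a second account.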
_______________________________________________
jdev mailing list
[EMAIL PROTECTED]
http://mailman.jabber.org/listinfo/jdev