On Thu, 8 Jan 2004 09:49:38 -0700, David Waite <[EMAIL PROTECTED]> wrote:

> This is why most public services now use web sites for registration rather than having it in-protocol, and add things like word entry and email address verification.

What public services are you referring to? I can register a Yahoo account and an ICQ account from the clients themselves (for Yahoo I'm sure, I haven't registered any ICQ account *that* recently). I think AIM has a simple web-based registration, but maybe one in the client too? And for MSN you need a passport so you have to fill in 20 pages of information first.


Yahoo also makes you recognize an image file with some text on it that is supposed to be hard for machines to read.

But why would a web-based DDOS attack be harder than an all client-based one? It shouldn't be that hard to automate the posting of some forms!

> If I had a public server and wanted to keep in-band registration, I would probably require email verification. However, I don't know if iq:register currently has behavior defined for indicating that to a user/client.

Email based verification makes it a bit harder. It would take more work to implement a (D)DOS attack, and many ISPs restrict use of port 25 for their clients, which means you'd have to resolve to more advanced means in the case of a DDOS attack (letting the different "zombies" in the DDOS attack communicate amongst themselves to share which address can receive email and which can't for example). Still not impossible at all, however tricky enough to probably decrease both the risk of attack and the impact of the average attack.


However, as Jabber evolves further, there will soon enough be a point -for some people- that you don't really need an email address anymore (at most an SMTP <-> Jabber gateway). Should you be required to have an email address just so you can register a Jabber account?
_______________________________________________
jdev mailing list
[EMAIL PROTECTED]
http://mailman.jabber.org/listinfo/jdev
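The email-verified in-band registration the thread discusses, as an added example that is not from the thread or from any Jabber server: a server-side handler parses a `jabber:iq:register` set stanza, parks the account as pending with a random token to be mailed out, and activates it only when the token is presented before it expires. The pending/confirm convention, the token lifetime and the username rule are assumptions, not XEP-0077 behaviour.

```python
import secrets
import time
import xml.etree.ElementTree as ET

NS = "jabber:iq:register"
TOKEN_TTL = 24 * 3600  # seconds a mailed verification token stays valid (assumption)

pending = {}    # username -> {"email": str, "token": str, "expires": float}
active = set()  # usernames whose email address has been confirmed

def handle_register_set(stanza_xml, now=None):
    """Parse an <iq type='set'> jabber:iq:register stanza and create a *pending* account.
    Returns (username, token); the caller mails the token to the given address."""
    now = time.time() if now is None else now
    iq = ET.fromstring(stanza_xml)
    query = iq.find(f"{{{NS}}}query")
    if iq.get("type") != "set" or query is None:
        raise ValueError("not a jabber:iq:register set stanza")
    # Child tags arrive as '{jabber:iq:register}username'; keep only the local name.
    fields = {child.tag.split("}")[1]: (child.text or "").strip() for child in query}
    username, email = fields.get("username", ""), fields.get("email", "")
    if not username.isalnum() or "@" not in email:  # minimal sanity rule (assumption)
        raise ValueError("username and a plausible email address are required")
    if username in active or username in pending:
        raise ValueError("username already taken")  # a real server would answer <conflict/>
    token = secrets.token_urlsafe(32)  # unguessable, single-use verification token
    pending[username] = {"email": email, "token": token, "expires": now + TOKEN_TTL}
    return username, token

def confirm(username, token, now=None):
    """Activate the account only if the presented token matches and has not expired."""
    now = time.time() if now is None else now
    entry = pending.get(username)
    if entry is None or now > entry["expires"]:
        pending.pop(username, None)  # expired registrations free the username again
        return False
    if not secrets.compare_digest(entry["token"], token):
        return False  # constant-time compare; no information leaks on mismatch
    pending.pop(username)
    active.add(username)
    return True
```

Until `confirm` succeeds the username exists only in `pending`, so a flood of unverified registrations never produces usable accounts and is cleaned up as the tokens expire.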