On Saturday 27 August 2005 17:27, Tijl Houtbeckers wrote:
> On Sat, 27 Aug 2005 16:32:38 +0200, Sander Devrieze
>
> <[EMAIL PROTECTED]> wrote:
> > A 'mass spimmer' will probably set up his own server...
>
> A spimmer would probably do the same as most spammers these days. Not set
> up their own server but use compromised computers all over the internet.
> These could either act as mini servers

This will cost money/time and make it not profitable.

> or could be used to register 
> fake accounts on existing jabber servers.
>
> Both are a huge problem on an open s2s network as we have now. Since the
> potential number of IP/hosts that Spim can come from, it's very hard to
> block. Bayesian filtering on IM is a lot harder than on email ("valid"
> messages are often short, which makes it harder to filter out invalid
> short messages), but let's suppose you do manage to do this in a somewhat
> reliable way.
>
> Are you going to block servers cause spam comes from them, or just
> accounts?

Servers (but only in case there is a big spimming problem on that server) 
because of:

> Another account, on most jabber servers, can be created in a few 
> seconds. So you'll end up blocking the server instead.

If the server admin solves the problem, he can request a new certificate. Of 
course this is not so cool for good users on that server, but spimming is 
worse. Also it will cause server admins (also of commercial servers) to 
be proactive and invest in technologies to block spimmers before their 
actions can result in a blacklisted server. In short: all server admins of 
public servers will be responsible for their server; if they aren't, they 
need to pay for that laziness with a blocked server, and so disappointed 
users that might move to another server (e.g. spim problem on MSN (when they 
support XMPP), MSN gets blocked, users will move to other services like 
Google Talk, less revenue from advertisement). This proactiveness can result 
in cool actions such as:
* a policy that promises abusers (spimmers) of their servers a lawsuit
* good anti-bot registration
* filtering outgoing messages to block spim (in this way the receiving 
server does not need to spend resources!!)
* block IPs of spimmers for c2s
* only allow family members and friends
* start using an invitation system like Google does (like you explain beneath)

==>So it is like Darwin's survival of the fittest: servers that take care of 
spimming survive, others will be blocked and die (until they are fit again).

> So while certification would lead to good accountability, right now the
> only consequence of that -if spimmers decide it's worth it to target
> Google Talk (or Jabber in general)- would be that we'll be held
> accountable indeed for our bad network practices of open registration.

It would mean that if spimmers discover the open registration, many servers 
might be blocked for some time. But afterwards we will have at least a better 
set of public servers left, and maybe a new version of the registration JEP 
that blocks spimmers.

> Google however, has tackled the problem for now, by keeping their
> registration system closed, coupling it to a form of human<->human
> interaction (invitations) or a cellphone number. Any human being should be
> able to get a GMail account, however for a bot it's a different matter.
> While a spammer/spimmer with some effort could probably amass a few
> hundred gmail accounts, that's still nothing compared to the virtually
> limitless number of accounts they could create on the Jabber network we
> use. Google (probably) can also backtrace the invitation path on created
> GMail accounts, so if they find one "spimmer" account they could wipe out
> a large part of the spimmers network, or at least flag it as suspect.
>
> If I were Google I would not "federate" without at least accountability of
> some kind. The "usual" CAs and CAcert for a server sounds fine, or even
> something lower level to fall back on perhaps.. e.g. associating a
> [EMAIL PROTECTED] JID with a gmail account (though they genuinely seem to
> feel this would not be "open" or "fair" enough, it's better than nothing)

-- 
Mvg, Sander Devrieze.
xmpp:[EMAIL PROTECTED]

ejabberd, the expandable Jabber daemon. --
http://ejabberd.jabber.ru/
_______________________________________________
jdev mailing list
jdev@jabber.org
http://mail.jabber.org/mailman/listinfo/jdev
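A sketch of the invitation-path backtracing Tijl describes above, as an added example that is not part of this thread nor of any Google or Jabber server code. The invitation records and account names are constructed, and the flagging rule (every account a confirmed spimmer invited, plus its inviters up to a configurable depth) is an assumption about how such a system might propagate suspicion.

```python
from collections import defaultdict, deque

# Constructed sample: (inviter, invitee) pairs as an invitation-only
# registration system would record them. None marks a seed account.
INVITES = [
    (None, "alice"), ("alice", "bob"), ("alice", "carol"),
    ("bob", "dave"), ("dave", "spim1"), ("dave", "spim2"),
    ("spim1", "spim3"), ("carol", "erin"),
]


class InvitationGraph:
    def __init__(self, invites):
        self.inviter = {}                  # invitee -> inviter
        self.invitees = defaultdict(list)  # inviter -> [invitees]
        for parent, child in invites:
            self.inviter[child] = parent
            if parent is not None:
                self.invitees[parent].append(child)

    def ancestors(self, account):
        """Invitation path back to the seed, nearest inviter first."""
        path, cur = [], self.inviter.get(account)
        while cur is not None:
            path.append(cur)
            cur = self.inviter.get(cur)
        return path

    def descendants(self, account):
        """Every account invited directly or transitively by `account`."""
        out, queue = [], deque(self.invitees.get(account, []))
        while queue:
            cur = queue.popleft()
            out.append(cur)
            queue.extend(self.invitees.get(cur, []))
        return out

    def suspects(self, confirmed, depth=2):
        """Accounts to flag once `confirmed` is known to be a spimmer.
        Assumed rule: all of its invitees are flagged, and its inviters
        up to `depth` levels are flagged for review. Returns {jid: reason}."""
        flagged = {d: "invited-by-spimmer" for d in self.descendants(confirmed)}
        for level, inviter in enumerate(self.ancestors(confirmed), start=1):
            if level > depth:
                break
            flagged[inviter] = f"inviter-level-{level}"
        return flagged
```

Flagged inviters are candidates for review rather than for immediate blocking, since a legitimate user may have invited one bad account.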
