[Juser] How is XMPP better than SMTP for spam prevention?

Peter Saint-Andre stpeter at stpeter.im
Sun Aug 10 22:01:32 CDT 2008 

vetetix wrote:

> I've encountered many people saying that XMPP was better than SMTP for
> spam prevention, but I can't figure out how. I tried to find the reason 
> why this is by myself, and I've tried to find an explanation through
> several Google searches, but I couldn't find any sufficient explanation,
> so I'm asking here.

I'll have to write a paper about this sometime, but here are some points 
to consider:

1. In XMPP, the sender's address is not asserted by the sender's client 
but instead is stamped by the sender's server. So a client can't fake 
the "from" address. (Naturally if you run the server you could fake 
addresses at your domain, so as the admin of jabber.org I could send 
messages from any address at jabber.org -- but I can't fake messages 
from other domains, see #2.)

2. In XMPP, servers check each other's identities, either through a 
DNS-based "dialback" protocol (RFC 3920 / XEP-0220) or real server 
certificates. So if I run a server at jabber.org I can't send messages 
putatively "from" microsoft.com or whitehouse.gov or whatever. (Also we 
don't have multi-hop routing, so modifications to the addresses can't 
happen between the sending server and receiving server.)

3. So far, server dialback has been sufficient to prevent most address 
spoofing on the network, but we have a certificate authority in place 
(visit https://www.xmpp.net/ for details) and we could fairly easily 
upgrade the network to certificate-based authentication between servers 
if needed.

4. XMPP is pure XML, and attackers can't easily attach malware like 
scripts and viruses to Jabber messages. This helps us avoid the unholy 
alliance between virus writers and spammers that has occurred on the 
email network.

5. A great deal of email spam (or spam+malware) is directed against a 
single platform: Outlook running on Windows. In the XMPP world we have a 
much more diverse software ecosystem.

6. In IM systems, people are accustomed to sharing presence / adding 
someone to their buddy list. There's less of a culture of "I must be 
able to accept messages from anyone in the world" as in email. You can 
say this is good or bad, but that's how it is -- so if someone bothers 
you, you can delete them from your friend list or block them at the 
server side (see RFC 3921 / XEP-0016) or the client side.

7. All XMPP server codebases have rate limiting in place to prevent a 
single client from sending a large number of messages (especially a 
large number of large messages) in a short period of time.

8. Although we have not seen very much one-to-one spam on the Jabber 
network (our biggest problem so far is abusive behavior in groupchat 
rooms), we are actively planning for the arrival of spam and have 
designed some spam-fighting measures such as challenge-response 
(CAPTCHA) forms to join groupchat rooms or add someone to your contact 
list -- see XEP-0158.

9. IM systems have traditionally been quite fragmented (and in many ways 
still are -- as witness ICQ, AIM, MSN, Yahoo!, Skype, etc.) so there 
isn't the expectation that you'll necessarily be able to send a message 
to any random person on the Internet. This probably makes IM less 
appealing to spammers than email is. (Remember, spam is a matter of 
economics, and there may simply not be enough money to be made via IM.)

XMPP is not perfect. Spam is possible on our network, but it's not very 
easy. By design, spam is harder on the XMPP network than it is on the 
SMTP network, and if spam does start to occur more widely we will design 
and deploy even better spam-fighting tools (or, for instance, tighten up 
or turn off in-band registration, which is user-friendly but also makes 
it possible to create lots of accounts at multiple servers).

However, XMPP does not need to be perfect. You don't need to be the 
fastest antelope in the herd to avoid being eaten by the lion, you just 
need to be faster than the slow antelope who get caught.

Peter
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 7338 bytes
Desc: S/MIME Cryptographic Signature
Url : http://mail.jabber.org/pipermail/juser/attachments/20080810/457c8709/attachment.bin

More information about the JUser mailing list