[Standards-JIG] bot-challenge proto-JEP
Sander Devrieze
s.devrieze at pandora.be
Tue Sep 6 13:40:50 CDT 2005
On Friday 02 September 2005 01:07, Peter Saint-Andre wrote:
<snip>
> So the administrator (or a smart server) is going to have to
> depend on user reports to determine if the user is receiving spim.
> Therefore we need a reporting protocol that enables the user to send a
> copy of any offending stanza to the user's server, flagged as spim (the
> user also has to have some trust that the server will do something
> useful with this information;
I even think such a spim reporting protocol is *not* needed :-) At least
not for Aunt Tilly (however, reporting between servers might be useful).
Today I posted a long email (about Receivy and Sendy) regarding what can
happen when someone adds a bot challenge (multiple-choice question, problem,
CAPTCHA, ...) to his privacy list and a bot is trying to spim him. So read
that long post first if you have not yet done so.
Imagine this:
a. The server of Receivy gets many wrong answers for several different
registered users with a bot challenge wall in their privacy list. If someone
is blocked for one user (so a wrong answer after the 10^4 long time
interval of a user), that Jabber ID will get onto some kind of internal
watchlist on that server. If the server detects that it has blocked this user
automatically for, for example, 10 of its users, it will automatically block
this user for everyone.
b. If the server gets more than 10 users from the same domain that were
blocked entirely as described in a, it will automatically add that domain
to a local blacklist. All messages from users (not in anyone's roster?) from
that domain will be dropped automatically (or bounced back with an error
describing why it was dropped?).
c. A protocol to share blacklisted domains (and users?) between servers that
support that protocol might be interesting. (The problem with this is that
spimmers or other malicious people can try to send fake blacklisted domains.
So you need to be sure if you trust what other servers are saying. For this,
a certificate can be very useful.)
Advantages:
* All will happen automatically, no reporting from end-users needed and no new
admin tasks.
* No central blacklist. (Malicious people might be able to crack a server to
send false blacklisted domains, but it will be hard to do this for several
servers).
* It will combine the IQ of all users registered on your server (a and b), and
even all users from the public Jabber network when c is used!
--
Kind regards, Sander Devrieze.
xmpp:sander at devrieze.dyndns.org ( http://jabber.tk/ )
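A minimal model of the server-side escalation in points a and b of the post above, as an added example that is not code from this thread or from any Jabber server. The sender JIDs, local users and domain names are constructed; a single wrong answer is assumed to block the sender for that local user (the 10^4 interval from the earlier post is not modelled), and the roster exception for blacklisted domains, which the post leaves as a question, is assumed.

```python
from collections import defaultdict

# Thresholds as stated in points a and b of the post.
GLOBAL_BLOCK_AFTER = 10        # blocked by 10 local users -> blocked for everyone
DOMAIN_BLACKLIST_ABOVE = 10    # more than 10 globally blocked senders -> domain blacklisted


class SpimEscalation:
    """Per-server watchlist state for bot-challenge failures (constructed model)."""

    def __init__(self):
        self.blocked_for = defaultdict(set)    # sender JID -> local users that blocked it
        self.global_block = set()              # senders blocked for all local users
        self.domain_hits = defaultdict(set)    # domain -> globally blocked senders from it
        self.blacklisted_domains = set()

    def record_failure(self, sender, local_user):
        """A sender answered local_user's bot challenge wrongly (assumed here to block
        the sender for that user). Returns the escalation events this triggers."""
        domain = sender.split("@", 1)[1]
        self.blocked_for[sender].add(local_user)
        events = []
        if sender not in self.global_block and len(self.blocked_for[sender]) >= GLOBAL_BLOCK_AFTER:
            self.global_block.add(sender)                    # point a: blocked for everyone
            self.domain_hits[domain].add(sender)
            events.append(("global-block", sender))
            if domain not in self.blacklisted_domains and len(self.domain_hits[domain]) > DOMAIN_BLACKLIST_ABOVE:
                self.blacklisted_domains.add(domain)         # point b: local domain blacklist
                events.append(("domain-blacklist", domain))
        return events

    def should_drop(self, sender, in_roster=False):
        """Delivery rule: globally blocked senders are always dropped; a blacklisted
        domain is dropped unless the sender is in the recipient's roster (assumed)."""
        if sender in self.global_block:
            return True
        domain = sender.split("@", 1)[1]
        return domain in self.blacklisted_domains and not in_roster


# Constructed failure stream: 11 bot accounts each fail the walls of 10 local
# users, plus one legitimate user who gets a question wrong once.
SAMPLE_FAILURES = [(f"bot{i}@spim.example", f"user{u}@receivy.example")
                   for i in range(1, 12) for u in range(1, 11)]
SAMPLE_FAILURES.append(("alice@example.org", "user1@receivy.example"))


def simulate(failures):
    """Feed a (sender, local_user) failure stream through one server's state."""
    state = SpimEscalation()
    log = []
    for sender, local_user in failures:
        log.extend(state.record_failure(sender, local_user))
    return state, log
```

The 11th bot account to be globally blocked pushes spim.example over the domain threshold, after which even a fresh, never-seen account from that domain is dropped unless it is in the recipient's roster.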