[Standards-JIG] bot-challenge proto-JEP

Sander Devrieze s.devrieze at pandora.be
Tue Sep 6 15:14:43 CDT 2005


Op dinsdag 06 september 2005 21:48, schreef Peter Saint-Andre:
<snip>
> > a. The server of Receivy gets many wrong answers for several different
> > registered users with a bot challenge wall in their privacy list. If
> > someone is blocked for one user (so a wrong question after the 10^4 long
> > time interval of a user), that Jabber ID will get on some kind of
> > internal watchlist on that server. If the server detects he blocked this
> > user automatically for for example 10 of its users, it will automatically
> > block this user for everyone.
>
> Yeah, Joe Hildebrand and I were talking about something like that the
> other day. But we don't even need bot challenges to do that -- the
> server could simply monitor which specific JIDs are blocked in people's
> privacy lists.

I spimmers then can fake the system more easily. By setting up some accounts 
manually, and then add much blocked JIDs in all these privacy lists. In the 
above way Aunt Tilly only can help blacklisting users and even domains by 
setting a good question or using another good bot challenge type such as 
CAPTCHA. She can not block things easily for fun. So it is more 
vandalism-proof.

<snip>
> > c. A protocol to share blacklisted domains (and users?) between servers
> > that support that protocol might be interesting. (The problem with this
> > is that spimmers or other malicious people can try to send fake
> > blacklisted domains. So you need to be sure if you trust what other
> > servers are saying. For this, a certificate can be very useful.)
>
> Yes, some server-to-server trust would be necessary. However, wouldn't
> it be a pull mechanism (my server periodically requests the spimmer list
> from servers it trusts) rather than a push mechanism (your server
> periodically sends its spimmer list to my server)? Alternatively, a
> server could set up a pubsub node for its spimmer list (domains and
> users) and anyone could subscribe to that (subject to subscription
> approval). That would provide another way for admins to determine that
> their servers are being blocked. Convert the pubsub feed into RSS/Atom
> and we also have a good public shaming mechanism. :-)

Yes.

> > Advantages:
> > * All will happen automatically, no reporting from end-users needed and
> > no new admin tasks.
>
> Yes, other than installing the latest version of the relevant server
> software. :-)

portsup or " && apt getapt-get up

<snip>
> So to deploye something like this, the following are required:
>
> 1. Servers and clients need to implement jabber:iq:privacy

See comments above.

> 2. Servers need to monitor privacy lists for blocked entities

See comments above.

> 3. Potentially we need to define a blacklist sharing protocol
> 4. Servers need to implement the blacklist sharing protocol
5. Servers might need a valid certificate.

-- 
Mvg, Sander Devrieze.

xmpp:sander at devrieze.dyndns.org ( http://jabber.tk/ )



More information about the Standards-JIG mailing list