[Standards-JIG] bot-challenge proto-JEP
stpeter at jabber.org
Tue Sep 6 20:22:04 UTC 2005
Sander Devrieze wrote:
> On Tuesday 06 September 2005 21:48, Peter Saint-Andre wrote:
>>>a. The server of Receivy gets many wrong answers for several different
>>>registered users with a bot challenge wall in their privacy list. If
>>>someone is blocked for one user (so a wrong question after the 10^4 long
>>>time interval of a user), that Jabber ID will get on some kind of
>>>internal watchlist on that server. If the server detects it has blocked this
>>>user automatically for, for example, 10 of its users, it will automatically
>>>block this user for everyone.
>>Yeah, Joe Hildebrand and I were talking about something like that the
>>other day. But we don't even need bot challenges to do that -- the
>>server could simply monitor which specific JIDs are blocked in people's
> Spimmers then can fake the system more easily: by setting up some accounts
> manually and then adding many blocked JIDs to all these privacy lists. In the
> above way Aunt Tilly can only help blacklist users and even domains by
> setting a good question or using another good bot challenge type such as
> CAPTCHA. She can not block things easily for fun. So it is more
Hmm, I hadn't thought of the threat of privacy list poisoning.
IMHO it would be awfully helpful to work out a complete threat model here...
> 5. Servers might need a valid certificate.
Sure, I think we need to start using valid certificates anyway. Get
yours today at CAcert.org (though their certs don't include all the
correct XMPP stuff yet as described in Section 5.1.1. of RFC 3920).
6. No in-band registration -- or support for a. redirects to website and
b. x-data form per Sections 4 and 5 of JEP-0077.
Jabber Software Foundation
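As an added illustration (not code from the proto-JEP or from any XMPP server), the following hypothetical Python sketch models the server-side watchlist from point (a) above, with the twist Sander's reply calls for: only blocks that the server itself applied after a failed bot challenge count toward escalation, while entries a user adds to their own privacy list by hand are recorded but never escalate, so a spimmer cannot poison the watchlist with fake manual blocks. The threshold of 10 distinct recipients and the normalisation of senders to their bare JID are assumptions.

```python
from collections import defaultdict

# Assumed threshold: distinct recipients whose challenge wall auto-blocked a sender.
AUTOBLOCK_THRESHOLD = 10


def bare_jid(jid: str) -> str:
    """Strip the resource so spim@example.net/a and /b count as one sender (assumption)."""
    return jid.split("/", 1)[0].lower()


class BotChallengeWatchlist:
    """Hypothetical server-side watchlist for bot-challenge failures.

    auto_blocked_by: sender -> set of recipients whose challenge the sender failed.
    manual_blocked_by: sender -> recipients who blocked it by hand (never escalates).
    server_blocked: senders the server now blocks for every local user.
    """

    def __init__(self, threshold: int = AUTOBLOCK_THRESHOLD):
        self.threshold = threshold
        self.auto_blocked_by = defaultdict(set)
        self.manual_blocked_by = defaultdict(set)
        self.server_blocked = set()

    def record_failed_challenge(self, sender: str, recipient: str) -> bool:
        """Recipient's challenge wall rejected sender's answer; server auto-blocks.

        Returns True once the sender is blocked server-wide. Repeated failures
        against the same recipient count once, so the counter is per victim."""
        s = bare_jid(sender)
        self.auto_blocked_by[s].add(bare_jid(recipient))
        if len(self.auto_blocked_by[s]) >= self.threshold:
            self.server_blocked.add(s)
        return s in self.server_blocked

    def record_manual_block(self, sender: str, recipient: str) -> bool:
        """A user added sender to their privacy list by hand: logged, not trusted."""
        s = bare_jid(sender)
        self.manual_blocked_by[s].add(bare_jid(recipient))
        return s in self.server_blocked  # unchanged: manual entries never escalate

    def is_server_blocked(self, sender: str) -> bool:
        return bare_jid(sender) in self.server_blocked
```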