[jdev] Jabber Spoofing on unique server

Peter Saint-Andre stpeter at jabber.org
Fri Apr 1 10:03:34 CST 2005

On Fri, Apr 01, 2005 at 09:51:29AM +0200, micky501 at free.fr wrote:
> > Dialback prevents hostname spoofing. Servers are also required to
> > enforce the from address to make sure that it matches the username
> > with which the client authenticated.
> >
> > > Does someone know how to spoof a JID ?
> >
> > Um, we deliberately made that hard to do.
> Great !! Another reason for users to prefer Jabber to MSN !!
> But I'm working on a subject where I have to proove that we need tokens to
> authenticate the users who want to chat with our IM client (based on Jabber).
> For this reason, I'm looking for a way to spoof a client ID. Even if it's hard
> to do, I would like to know where I can find the description (or the source
> code) of the mechanism employed by a Jabber server.

It is difficult for *clients* to spoof from addresses. If you write a
component, it is trusted by the server and therefore has permission to
write from addresses without server enforcement.


More information about the JDev mailing list