[Juser] How is XMPP better than SMTP for spam prevention?
stpeter at stpeter.im
Sun Aug 10 22:01:32 CDT 2008
> I've encountered many people saying that XMPP was better than SMTP for
> spam prevention, but I can't figure out how. I tried to find the reason
> why this is by myself, and I've tried to find an explanation through
> several Google searches, but I couldn't find any sufficient explanation,
> so I'm asking here.
I'll have to write a paper about this sometime, but here are some points
1. In XMPP, the sender's address is not asserted by the sender's client
but instead is stamped by the sender's server. So a client can't fake
the "from" address. (Naturally if you run the server you could fake
addresses at your domain, so as the admin of jabber.org I could send
messages from any address at jabber.org -- but I can't fake messages
from other domains, see #2.)
2. In XMPP, servers check each other's identities, either through a
DNS-based "dialback" protocol (RFC 3920 / XEP-0220) or real server
certificates. So if I run a server at jabber.org I can't send messages
putatively "from" microsoft.com or whitehouse.gov or whatever. (Also we
don't have multi-hop routing, so modifications to the addresses can't
happen between the sending server and receiving server.)
3. So far, server dialback has been sufficient to prevent most address
spoofing on the network, but we have a certificate authority in place
(visit https://www.xmpp.net/ for details) and we could fairly easily
upgrade the network to certificate-based authentication between servers
4. XMPP is pure XML, and attackers can't easily attach malware like
scripts and viruses to Jabber messages. This helps us avoid the unholy
alliance between virus writers and spammers that has occurred on the
5. A great deal of email spam (or spam+malware) is directed against a
single platform: Outlook running on Windows. In the XMPP world we have a
much more diverse software ecosystem.
6. In IM systems, people are accustomed to sharing presence / adding
someone to their buddy list. There's less of a culture of "I must be
able to accept messages from anyone in the world" as in email. You can
say this is good or bad, but that's how it is -- so if someone bothers
you, you can delete them from your friend list or block them at the
server side (see RFC 3921 / XEP-0016) or the client side.
7. All XMPP server codebases have rate limiting in place to prevent a
single client from sending a large number of messages (especially a
large number of large messages) in a short period of time.
8. Although we have not seen very much one-to-one spam on the Jabber
network (our biggest problem so far is abusive behavior in groupchat
rooms), we are actively planning for the arrival of spam and have
designed some spam-fighting measures such as challenge-response
(CAPTCHA) forms to join groupchat rooms or add someone to your contact
list -- see XEP-0158.
9. IM systems have traditionally been quite fragmented (and in many ways
still are -- as witness ICQ, AIM, MSN, Yahoo!, Skype, etc.) so there
isn't the expectation that you'll necessarily be able to send a message
to any random person on the Internet. This probably makes IM less
appealing to spammers than email is. (Remember, spam is a matter of
economics, and there may simply not be enough money to be made via IM.)
XMPP is not perfect. Spam is possible on our network, but it's not very
easy. By design, spam is harder on the XMPP network than it is on the
SMTP network, and if spam does start to occur more widely we will design
and deploy even better spam-fighting tools (or, for instance, tighten up
or turn off in-band registration, which is user-friendly but also makes
it possible to create lots of accounts at multiple servers).
However, XMPP does not need to be perfect. You don't need to be the
fastest antelope in the herd to avoid being eaten by the lion, you just
need to be faster than the slow antelope who get caught.
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 7338 bytes
Desc: S/MIME Cryptographic Signature
More information about the JUser