[Operators] server reputation

Peter Saint-Andre stpeter at stpeter.im
Tue Apr 22 23:20:58 CDT 2008

Jesse Thompson wrote:
> Peter Saint-Andre wrote:
>>> One thing to consider is that the reason why spam isn't a big problem
>>> for most Jabber services is because federation isn't widely utilized.
>> Typically at jabber.org we have 2500+ open s2s connections. I would call
>> that widely utilized.
> I didn't phrase that well.  I should have said "isn't widely
> discoverable at the user level".
> XMPP federation isn't being used by the mainstream non-techies because
> they don't know it's available to themselves and to the people they want
> to communicate with.

Good point.

> For example, I see MIT.EDU is on this list... I can pretty much
> guarantee that researchers at WISC.EDU have no idea that they could use
> XMPP to collaborate with researchers at MIT.EDU.  With email, it's a
> different story.
> Why don't they know?
> - people aren't asking each other for their Jabber IDs.
> - registration forms aren't asking for Jabber IDs.
> - LDAP directories aren't being fed Jabber IDs.
> - business cards don't have Jabber IDs.
> - etc...
> So, the solution to the end-user problem of Jabber federation will
> ultimately give the spammers the tools they will need to harvest Jabber
> IDs.

Heh, that's a depressing thought, isn't it?

>>> The spammers might be discouraged from targeting us for the same reason
>>> end-users don't try to chat with their users in another domain.  So, by
>>> that logic, improving federation might introduce a larger spam problem.
>> There are tradeoffs with everything. :)
> Agreed.  You must take the bad with the good.
>>> So, this ties back into Peter's original question: "define some
>>> parameters for measuring server reputation"... some ideas:
>>> - The service supports federation, specify the type defined in
>>> http://www.xmpp.org/extensions/xep-0238.html
>> Well sure that's a given -- we care about your service only if you
>> federate.
>>> - The service has a closed user population
>> Closed, or protected? E.g., a service might have an open-ended user
>> population but protect it via invite-only policies, certificate login,
>> or whatever.
> As in they have an independent identity verification process.  Colleges
> generally know who they give accounts to, but gmail doesn't.
>>> - The service prevents automatic anonymous registration (captcha)
>> I would see that as one form of protection. But not a very good one.
> It's better than nothing.  I think that the fact that some jabber
> servers make it so easy to register for an account on the fly will be a
> big problem in fighting spam.  I worry more about a bot registering a
> fake jabber.org account than I worry about a spammer setting up a new
> jabber domain.  Setting up a new domain is relatively hard for a
> spammer, and the domain will only be effective for a short time
> (assuming server reputation works).  On the other hand, creating fake
> accounts on trustworthy services is easy, effective and immune to any
> server reputation system.

Correct. We need a much higher bar to account registration. CAPTCHAs may
be part (but not all) of that. And I think we'll need that soon.

>>> - The service's JIDs are identical to email addresses (if the email
>>> address/domain has a bad reputation, then the im service should too)
>> True.
>>> Those parameters would help improve use of federation and help define
>>> which services can be considered more trustworthy.
>> I'd add the following considerations as possibilities:
>> - service allows bidirectional communication (i.e. s2s not broken)
>> - service maintains proper DNS records including SRV
>> - service has a certificate from a trusted root
>> - service requires use of TLS for s2s
>> - service responds to email sent to xmpp at domain.tld
>> - service responds to abuse reports via email or phone
> Responds, or accepts?

Both, I suppose.

>> - service supports automated abuse reporting (XEP-0236)
>> Peter
> Jesse

Thanks for the feedback. We have work to do...


Peter Saint-Andre
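The reputation parameters traded back and forth in this thread (federation, registration policy, working s2s, DNS SRV records, trusted certificate, mandatory TLS, abuse contact, shared reputation with the matching email domain) are easy to turn into a scoring routine an operator could run over observations collected about a peer domain. The following is an added example, not code from the thread or from any XMPP project: the weights, the `Observation` field names and the two sample domains are all my own constructions, and the SRV records are constructed zone-file lines rather than live DNS answers, so the block runs offline.

```python
"""Score a federated XMPP domain against the reputation signals discussed above.

Added example: weights and field names are assumptions, not a standard.
Nothing here touches the network; SRV records are passed in as zone-file lines.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Registration policies from weakest to strongest, following the thread:
# on-the-fly anonymous registration, CAPTCHA-gated, invite-only, or accounts
# issued only after an independent identity check (the "college" case).
REGISTRATION_SCORE: Dict[str, int] = {"open": 0, "captcha": 1, "invite": 2, "verified": 3}


@dataclass
class Observation:
    domain: str
    federates: bool
    s2s_bidirectional: bool
    srv_records: List[str]          # constructed zone-file lines for the example
    cert_trusted_root: bool
    tls_required_s2s: bool
    abuse_contact_accepts: bool     # mail to the abuse address is accepted
    abuse_contact_responds: bool    # and a human actually answers
    registration: str               # key of REGISTRATION_SCORE


def parse_srv(lines: List[str]) -> List[Tuple[str, int, int, int, str]]:
    """Parse 'name [ttl] IN SRV prio weight port target' lines; skip anything else."""
    records = []
    for line in lines:
        parts = line.split()
        if "SRV" not in parts:
            continue
        i = parts.index("SRV")
        if len(parts) < i + 5:
            continue
        name = parts[0].rstrip(".").lower()
        priority, weight, port = (int(x) for x in parts[i + 1:i + 4])
        target = parts[i + 4].rstrip(".").lower()   # RFC 2782: a target of "." means "no service"
        records.append((name, priority, weight, port, target))
    return records


def has_s2s_srv(domain: str, records: List[Tuple[str, int, int, int, str]]) -> bool:
    """True if a usable _xmpp-server._tcp SRV record exists for the domain."""
    wanted = f"_xmpp-server._tcp.{domain}".lower()
    return any(name == wanted and target != "" for name, _, _, _, target in records)


def score_server(obs: Observation, bad_email_domains: Set[str]) -> Tuple[int, List[str]]:
    """Return (points, findings). Maximum is 8; a non-federating service scores 0."""
    findings: List[str] = []
    if not obs.federates:
        return 0, ["does not federate: nothing to score"]
    points = 0
    checks = [
        (obs.s2s_bidirectional, "s2s is not bidirectional"),
        (has_s2s_srv(obs.domain, parse_srv(obs.srv_records)), "no usable _xmpp-server SRV record"),
        (obs.cert_trusted_root, "certificate does not chain to a trusted root"),
        (obs.tls_required_s2s, "TLS not required for s2s"),
    ]
    for ok, problem in checks:
        if ok:
            points += 1
        else:
            findings.append(problem)
    # "Responds, or accepts?" -- both are needed for credit.
    if obs.abuse_contact_accepts and obs.abuse_contact_responds:
        points += 1
    elif obs.abuse_contact_accepts:
        findings.append("abuse address accepts reports but nobody responds")
    else:
        findings.append("no working abuse contact")
    points += REGISTRATION_SCORE.get(obs.registration, 0)
    if obs.registration == "open":
        findings.append("automatic anonymous registration (bot account risk)")
    # JIDs double as email addresses: inherit a bad email-domain reputation.
    if obs.domain.lower() in bad_email_domains:
        findings.append("email domain carries a bad reputation")
        points = max(0, points - 3)
    return points, findings


# Constructed sample data (not real domains or reputation lists).
BAD_EMAIL_DOMAINS: Set[str] = {"spamhaven.example"}

UNIVERSITY = Observation(
    domain="univ.example", federates=True, s2s_bidirectional=True,
    srv_records=["_xmpp-server._tcp.univ.example. 3600 IN SRV 5 0 5269 xmpp.univ.example.",
                 "_xmpp-client._tcp.univ.example. 3600 IN SRV 5 0 5222 xmpp.univ.example."],
    cert_trusted_root=True, tls_required_s2s=True,
    abuse_contact_accepts=True, abuse_contact_responds=True, registration="verified")

SPAMHAVEN = Observation(
    domain="spamhaven.example", federates=True, s2s_bidirectional=True,
    srv_records=["_xmpp-server._tcp.spamhaven.example. 3600 IN SRV 0 0 5269 ."],
    cert_trusted_root=False, tls_required_s2s=False,
    abuse_contact_accepts=True, abuse_contact_responds=False, registration="open")

if __name__ == "__main__":
    for obs in (UNIVERSITY, SPAMHAVEN):
        points, findings = score_server(obs, BAD_EMAIL_DOMAINS)
        print(f"{obs.domain}: {points}/8", *findings, sep="\n  ")
```

The registration policy is weighted more heavily than any single network check because, as the thread argues, a bot creating accounts on an otherwise reputable service sidesteps every server-level signal, so the score has to reflect how hard the service makes that.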

