[Operators] Strange registrations

Pedro Melo melo at simplicidade.org
Tue Aug 12 04:23:23 CDT 2008


On Aug 12, 2008, at 9:57 AM, Florian Jensen wrote:

> Hello everyone.
>
> On Tue, 12 Aug 2008 10:41:58 +0200, Clemens Lucas Fries <xmpp at xenoworld.de> wrote:
>> Hello list,
>>
>> I wanted to confirm that these registrations never completely halted.
>> I got two new in the last 24 hours. And maybe one or two weeks ago I
>> blocked one IP-address because it registered an account, matching the
>> known scheme, every few minutes. It seems to me that there are days
>> with more activity and I gather from the statistics that at least this
>> apparently hijacked server that was used a while ago isn't used anymore.
>
> Right. I am also having trouble tracking down the source of these
> registrations. But they continue.
>
>> I really wonder if there were any attacks on MUCs (like the last
>> time), or if it is just registering throw-away accounts without using
>> them.
>
> Yes, this would be interesting to find out.
>
> The problem with this is: We are at least 1 step behind. We cannot fight the
> threat, when you have IBR enabled. And in my opinion, IBR is one of the
> main features of Jabber. You can create an account with any client.
>
> I think we should have a new IBR standard. Something that adds human
> verification (CAPTCHA ...), or verification of any other sort. Preferably
> something that is future proof. This then would need to be implemented into
> the servers and clients.
>
> Are there any ideas for this?

As in:

http://www.xmpp.org/extensions/xep-0158.html (CAPTCHA forms: Last Call)

?

Right now, I would rather have a quick feature on servers: allow me to
announce IBR, but send only the <instructions> tag and deny any SETs.

I could then send <instructions>Please use the form at http://my.jabber.server/registration/</instructions>

As an added bonus, an OOB stanza with the same URL would be great.

This of course, until XEP-0158 is deployed.

Best regards,
-- 
Pedro Melo
Blog: http://www.simplicidade.org/notes/
XMPP ID: melo at simplicidade.org
Use XMPP!
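
The interim behaviour proposed in this message, sketched as an added example (not part of the original post and not any server's code): a handler that answers jabber:iq:register GETs with only <instructions> plus a jabber:x:oob URL, and rejects every SET so no account can be created in-band. The function name, the sample stanzas and the choice of <not-allowed/> as the error condition are assumptions.

```python
import xml.etree.ElementTree as ET

NS_REGISTER = "jabber:iq:register"
NS_OOB = "jabber:x:oob"
NS_STANZAS = "urn:ietf:params:xml:ns:xmpp-stanzas"
# URL as written in the message above (a placeholder host).
REGISTRATION_URL = "http://my.jabber.server/registration/"

# Constructed sample stanzas, as a client attempting IBR would send them.
SAMPLE_GET = "<iq type='get' id='reg1'><query xmlns='jabber:iq:register'/></iq>"
SAMPLE_SET = ("<iq type='set' id='reg2'><query xmlns='jabber:iq:register'>"
              "<username>bot4711</username><password>x</password></query></iq>")


def handle_register_iq(stanza_xml, url=REGISTRATION_URL):
    """Answer a jabber:iq:register IQ without ever creating an account.

    Hypothetical handler: returns the reply stanza as a string, or None
    when the stanza is not a register get/set and needs no reply from here.
    """
    iq = ET.fromstring(stanza_xml)
    if iq.tag.rsplit("}", 1)[-1] != "iq":
        return None
    if iq.find(f"{{{NS_REGISTER}}}query") is None:
        return None
    reply = ET.Element("iq", {"id": iq.get("id", "")})
    if iq.get("type") == "get":
        # Announce IBR, but offer no fields: only instructions and the URL.
        reply.set("type", "result")
        query = ET.SubElement(reply, f"{{{NS_REGISTER}}}query")
        text = f"Please use the form at {url}"
        ET.SubElement(query, f"{{{NS_REGISTER}}}instructions").text = text
        oob = ET.SubElement(query, f"{{{NS_OOB}}}x")
        ET.SubElement(oob, f"{{{NS_OOB}}}url").text = url
    elif iq.get("type") == "set":
        # Deny every SET, whatever fields it carries.
        # <not-allowed/> is an assumed choice of error condition.
        reply.set("type", "error")
        error = ET.SubElement(reply, "error", {"type": "cancel"})
        ET.SubElement(error, f"{{{NS_STANZAS}}}not-allowed")
    else:
        return None
    return ET.tostring(reply, encoding="unicode")


if __name__ == "__main__":
    print(handle_register_iq(SAMPLE_GET))
    print(handle_register_iq(SAMPLE_SET))
```

The web form behind the URL is then the only place where CAPTCHA or rate limiting has to be enforced.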



