[Operators] How-to fight with SPAM accounts

Peter Saint-Andre stpeter at stpeter.im
Thu Nov 19 13:31:54 CST 2009

On 11/18/09 5:22 PM, Peter Viskup wrote:
> Hi all,
> I just went through the discussions 'How is XMPP better than SMTP for
> spam prevention?' [1] and fresh 'DNSBLs' [2] and was a little bit thinking
> about the fighting against SPAM accounts.
> I have one - probably not bad/well - opinion:
>    - define XEP in this way (sorry for any not well formed sentences ;-) ):
> 1) each XMPP account has SPAM-ratio and each server is administering
> SPAM ratios for its accounts

That works for benevolent servers.

> 2) every XMPP message user received can user mark as SPAM and this will
> send the 'SPAM-hit' to the XMPP server of sender JID

Will any user ever flag messages as spam?

What about attacks on this process? You can be sure that any reputation
system like this will be subject to attacks (I flag all your messages as
spam because I don't like you).

> 3) every XMPP server is calculating the number of messages sent by the
> XMPP account for last session/week/month/any-other-timeframe and
> 'SPAM-hit' and the account will be blocked/removed if the threshold of
> SPAM-limit will be reached
> 4) it is needed to find way how to gain with not polite XMPP servers
> (servers which have not well defined this 'anti-SPAM' XEP)
> This (in more sophisticated design) could be the right fighting tool
> against SPAM.

We had a proposal like this -- probably the early versions of XEP-0161.

> It will be:
> - decentralised
> - not based on blocking DNSs/IPs (the worst way to deal with SPAM on XMPP)
> - all XMPP users will be involved in anti-SPAM fight (much powerful like
> any SpamAssassin)
> - not using too much server resources
> - not based on the list of DNSs/IPs which will be growing in time
> Something similar is probably already in discussion within XMPP Working
> Group or somewhere else - I really do not know.
> This was just very quick thought about anti-SPAM solution for XMPP. This
> is not final Draft of XMPP WG :-).
> I do not like CAPTCHA and W/BLs - if there is any other way how to
> implement anti-SPAM and improve security of XMPP network - then do that
> in way when comfort of polite users will not be affected.

CAPTCHAs are good for account registration. They might also be good for
joining chatrooms. They might in the future also be good for adding
someone to your Buddy List[tm]. We'll see.

> I think that the key for the 'right/best' anti-SPAM XMPP solution is to
> involve regular/polite XMPP users in any way.

I have my doubts that normal users will bother to flag messages as spam.
However, given that I have only ever received a few spam messages over
XMPP (and even those I wasn't 100% sure about), perhaps it would not be
such a huge burden.


Peter Saint-Andre
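
An added illustration, not part of the original thread or of any XEP: a sketch of the sender-side bookkeeping in steps 1-3 of the quoted proposal, run on constructed data to show the problem raised in the reply (one user flagging all of another user's messages) next to one possible damping, counting each reporter once per window. The class and function names, the threshold, the minimum message volume and the JIDs are all assumptions made for the example.

```python
from collections import defaultdict

class SpamRatioTracker:
    """Sender-side bookkeeping for steps 1-3 of the quoted proposal."""

    def __init__(self, spam_limit=0.2, min_sent=20):
        self.spam_limit = spam_limit   # assumed threshold; the thread gives none
        self.min_sent = min_sent       # assumed floor before an account is judged
        self.sent = defaultdict(int)   # account JID -> messages sent this window
        self.hits = defaultdict(list)  # account JID -> reporter JID per SPAM-hit

    def record_sent(self, sender, count=1):
        self.sent[sender] += count

    def record_hit(self, sender, reporter):
        self.hits[sender].append(reporter)

    def raw_ratio(self, sender):
        """Every SPAM-hit counts, as in the proposal."""
        return len(self.hits[sender]) / max(self.sent[sender], 1)

    def distinct_ratio(self, sender):
        """Assumed variant: each reporter counts once per window."""
        return len(set(self.hits[sender])) / max(self.sent[sender], 1)

    def over_limit(self, sender, ratio):
        return self.sent[sender] >= self.min_sent and ratio(sender) >= self.spam_limit

def constructed_scenario():
    """Constructed data: one grudge reporter versus twelve independent reporters."""
    t = SpamRatioTracker()
    t.record_sent("alice@example.org", 40)
    for _ in range(10):                       # one contact flags ten messages
        t.record_hit("alice@example.org", "grudge@example.net")
    t.record_sent("bulk@example.com", 40)
    for i in range(12):                       # twelve different recipients flag
        t.record_hit("bulk@example.com", f"user{i}@example.net")
    return {jid: {"raw": t.over_limit(jid, t.raw_ratio),
                  "distinct": t.over_limit(jid, t.distinct_ratio)}
            for jid in ("alice@example.org", "bulk@example.com")}

if __name__ == "__main__":
    for jid, verdict in constructed_scenario().items():
        print(jid, verdict)
```

Counting distinct reporters does nothing against a reporter who controls many accounts, and reports arriving from other servers are only as reliable as those servers.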
