[Operators] Spammy servers

Marco Cirillo maranda at lightwitch.org
Fri Mar 1 21:59:16 UTC 2013


Frankly as usual when there's a convo going on about spamming, public 
services and IBR I tend getting puzzled/amused several times in a row...

But what caught my eye in a special manner was Peter's statement: <<I 
think that was important in 1999 when we were trying to get end users to 
adopt Jabber. These days I think it is much less valuable, and maybe 
even harmful.>>;

good, that was a noble initiative, but yet 13 / 14 years "in the future" 
whenever I say something like << I tend working a lot with xmpp... >> 
the frequent _ritual_ answer I get back is << What's xmpp? >> even into 
mid IT professional environments. Granted... that situation doesn't get 
_any better_ when we get to the real end-users.

So maybe that "list" still could have a *practical* use... Now on the 
second point spamming and public services...
I'll re-propose a question I did already somewhere in the past to public 
services' holders... expecially to the "high usage" ones (possibly more, 
those with unprotected IBR)... Did you actually ever make a census of 
how many of your concurrent users are actual human beings..?

...
*Will wait for replies on this, out of curiousity*
...

Finally, moving forward on the "how to protect account registration", 
there're several very effective measures one of which is CAPTCHA (and 
that needs to be done right, implementations like ejabberd's .. just 
aren't appropriate ..) but alone that doesn't do it obviously, you 
should put some more verification layers after that. I personally employ 
a long-strict captcha on the site form, plus an additional e-mail token 
verification and several timeframe checks (e.g. the user has to verify 
the account within 5 minutes and has to do some copy & pasting...).

Of course, this is not flawless (nothing is in computing after all) and 
it's potentially possible to craft adhoc tools to counter the challenges 
but still that takes time, and timeframe checks should give admins 
enough to still "shut the door on someone's face".

This for what regards my service has cut down automated submissions to a 
value very near to 0% (... and also some non-automated ones but "c'est 
la vie") and it's not terribly complex to achieve.

Best regards,
Marco.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4512 bytes
Desc: Firma crittografica S/MIME
URL: <http://mail.jabber.org/pipermail/operators/attachments/20130301/7beab744/attachment-0001.bin>


More information about the Operators mailing list