[Operators] Spammy servers

Marco Cirillo maranda at lightwitch.org
Fri Mar 1 23:07:24 UTC 2013

Il 01/03/2013 23:03, Kevin Smith ha scritto:
> On Fri, Mar 1, 2013 at 9:59 PM, Marco Cirillo <maranda at lightwitch.org> wrote:
>> expecially to the "high usage" ones (possibly more,
>> those with unprotected IBR)... Did you actually ever make a census of how
>> many of your concurrent users are actual human beings..?
> It's not immediately clear to me how one would reliably do this - do
> you have any suggestions?
>> Finally, moving forward on the "how to protect account registration",
>> there're several very effective measures one of which is CAPTCHA (and that
>> needs to be done right, implementations like ejabberd's .. just aren't
>> appropriate ..) but alone that doesn't do it obviously, you should put some
>> more verification layers after that. I personally employ a long-strict
>> captcha on the site form, plus an additional e-mail token verification and
>> several timeframe checks (e.g. the user has to verify the account within 5
>> minutes and has to do some copy & pasting...).
> This sounds very thorough (and entirely reasonable). Is your setup for
> doing this generally available so other servers could take advantage
> of similar systems?
> /K

Well Kevin beside "greeting the target" (before or after), they may be 
very clichy... but 2 enough effective ways to profile bots in my opinion 
- They tend being either incredibly idle or incredibly active, and usual 
have sudden activity bursts (idleness is to be treated with care and 
checked with other factors...)
- They tend doing stuff a normal user wouldn't do (e.g. large amount of 
random service discoveries, which could reflect on servers with a high 
amount of non human beings having a way larger s2s connections number 
for instance)
- They could have very large rosters or, very empty ones (as usual treat 
the latter case with care...)

For the 2nd question, tools and instructions not yet (but I may port 
something for Prosody in the future).

Although it could be not hard to replicate as the web form is a very 
simple Drupal form and uses Drupal facilities to create the Captcha. So 
basically while the webstack deals with captcha and sending e-mails to 
the user, the xmpp server has to deal with token generation/verification 
plus timeframe checks, this is the simil-workflow:

:: User submits the CAPTCHA protected form
-> the webapp sends a request to the xmpp server
<- xmpp server performs timeframe/additional checks and replies the 
webapp either with the token or an appropriate error. if successful the 
xmpp server awaits user verification.
:: On success the webapp sends an E-Mail to the user on how to complete 
the registration, else it returns the server error.
:: The E-mail to the user should contain the verification frontend of 
the xmpp server, a web interface's URL usually, the token and specify 
that the token should be manually supplied (e.g. copy & pasted into a 
form) to the xmpp server's verify interface within the admin desired 
timeframe before it becomes invalid (the shorter t the better..). And 
that leads to the final step.
=> User verifies using the xmpp server's interface, supplying the token.
<= Server either report the success or error (wrong token or expired) 
through the said interface.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4512 bytes
Desc: Firma crittografica S/MIME
URL: <http://mail.jabber.org/pipermail/operators/attachments/20130302/001831e0/attachment.bin>

More information about the Operators mailing list