[Operators] Update on spammy invites

Jesse Thompson jesse.thompson at doit.wisc.edu
Thu Mar 21 17:41:36 UTC 2013


On 3/21/2013 9:54 AM, Mathias Ertl wrote:
> On Thu, Mar 21, 2013 at 07:36:47AM -0700, Peter Saint-Andre wrote:
>> We know that jabber.org had many spammy invite accounts, and we have
>> IBR disabled with CAPTCHA-"protected" web registration. As Maxim noted
>> about his server (jabber.kiev.ua), web registration doesn't stop
>> someone from registering enough accounts to cause trouble.
>
> Of course, for most of the attacks discussed here it's enough to register
> one account.
>
> And the fact that some here seem to run blacklists of servers opens very
> easy attack vectors: Just register one account (I can do that manually, no
> problem with captcha) on your server and start spamming. Voila, your server
> is blacklisted on those servers.

Well, yeah, that's the idea.

It causes the offending service operator to

a) disable the bad account(s)

b) request to be delisted from the blacklist(s) by reaffirming their 
reputation

c) do whatever is possible to prevent the problem from happening again

That's how it's always worked with SMTP servers.

Which is exactly what should happen with XMPP servers.

I'm not saying it's convenient for the XMPP operator.  It's just the 
cost of running a service.

Jesse

