[Operators] Prosody vs. spammers - security measures?

Mathias Ertl mati at fsinf.at
Tue Feb 4 13:27:31 UTC 2014


Hi,


On 02/03/2014 02:29 PM, Moonchild wrote:
> I've been running prosody for a little while now, and although I'm happy with
> the c2s/s2s security of the connections it makes, I'm running into a different
> security issue which is potentially a much larger problem.
> 
> The problem is: spammers and otherwise abusive users.

We at jabber.at had similar problems. I might add that I personally
think that operators claiming they "don't have this problem" despite
thousands of users really mean "I didn't realize so far I had this problem".

> There is no easy way to
> monitor or restrict abusive behavior in prosody, and manually checking logs
> really isn't a "this millennium" way of going about user security.

As some operators have already mentioned, open registration is the main
issue. Simple anti-spam measures are often circumvented easily: we had a
simple ReCAPTCHA-protected form and that was completely broken.

We mostly solved the issue with a small Django WebApp[1] that allows
registration and (as a bonus) allows setting your password and deleting
your account. It doesn't support Prosody yet, but if you're willing to
code (a little) Python, you can write a plugin[2].

greetings, Mati

[1] https://account.jabber.at/
[2] https://account.jabber.at/doc/backends.html#custom-backends

-- 
twitter: @mathiasertl | xing: Mathias Ertl | email: mati at er.tl
I only read plain-text mail!  I prefer signed/encrypted mail!
