[Operators] Annoying spam

Matthew Wild mwild1 at gmail.com
Tue Nov 10 19:38:52 UTC 2015


On 10 November 2015 at 19:25, Simon Josefsson <simon at josefsson.org> wrote:
> I had the same thought -- is there a way for a remote server to find out
> valid JIDs by talking to my server?  I should put a tcpdump on my server
> to see exactly what these spammers are doing.  I had two connections
> from different IP addresses before the first spam hit me.

There's no way to get a list of JIDs in the core protocol. We aim to
make it impossible to detect the existence of a specific account that
you haven't been authorized to see the presence of.

Some servers used to allow listing their users via the 'VJUD' service,
but finding such services on public servers nowadays is rare.

> In my case, the JID is the same as my email address, which probably is
> common enough for spammers to try it.  I don't recall having published
> any XMPP URIs with my JID, so that web crawlers could find it, but that
> is another possibility.

If they had access to a database of email addresses, they could use
SRV records to discover XMPP servers (at least if I were a spammer,
that's how I'd do it).

> Stepping back a bit, why is it even possible to send messages to
> arbitrary people without prior authorization?  I naïvely thought that
> the anti-spam property in XMPP was based on having to authorize a
> presence subscription for other people before they can send me a
> messages.  Wouldn't that work?  Yes, of course, spammers can spam me
> with request to add them, but that is a low-signal channel and I'm not
> likely to accept by random, and if I accidentally do I can remove them
> later on.  At least then I don't get 25 lines of spam garbage displayed
> on my cell phone.

This is a policy, not protocol, issue. I think probably most servers
can be configured to block messages from JIDs not on your roster. E.g.
in Prosody by loading the mod_block_strangers module.

I've an XEP in my to-write queue (if no-one beats me to it) to define a
way to allow the client the ability to control this policy per-account
however (stemming from the discussion about deprecating the old
privacy lists protocol).

Regards,
Matthew
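The roster-based policy discussed in this thread (deliver messages only from contacts the account has authorized to see its presence, while still letting subscription requests through) can be modelled in a few lines. The following is an added illustration written for this archive page, not code from Prosody or from mod_block_strangers; the roster entries, sender JIDs and the simplified JID normalization are constructed assumptions, and a real server applies full stringprep/PRECIS rules rather than plain lower-casing.

```python
"""Model of a block-strangers message policy for an XMPP account.

Constructed example: the roster, the stanzas and the normalization rules
below are assumptions made for illustration, not Prosody's implementation.
"""
from dataclasses import dataclass

# Roster subscription states from RFC 6121. The local user has authorized
# the contact to see their presence when the state is "from" or "both";
# "to" means only the local user subscribed, "none" means nothing granted.
AUTHORIZED_STATES = {"from", "both"}


def bare_jid(jid: str) -> str:
    """Strip the resource and case-fold localpart and domain.

    Simplified normalization (assumption): real servers apply the
    stringprep/PRECIS profiles, but for a policy check the important point
    is that alice@Example.org/phone and ALICE@example.org compare equal.
    """
    jid = jid.split("/", 1)[0]
    if "@" in jid:
        local, domain = jid.rsplit("@", 1)
        return f"{local.lower()}@{domain.lower()}"
    return jid.lower()


@dataclass
class Stanza:
    kind: str          # "message" or "presence"
    from_jid: str      # full or bare JID of the sender
    type: str = ""     # e.g. "chat" for messages, "subscribe" for presence


def allow_stanza(stanza: Stanza, roster: dict, block_strangers: bool = True,
                 require_authorized: bool = True) -> bool:
    """Return True if the stanza should be delivered to the local user.

    roster maps bare JID -> subscription state.
    block_strangers=False reproduces the default open policy.
    require_authorized=True only admits contacts whose subscription state
    grants them presence; False admits any roster entry at all.
    """
    if not block_strangers:
        return True
    # Subscription requests are always admitted: that is the low-signal
    # channel through which an unknown but legitimate contact asks to be
    # added, and the user can still reject or remove them later.
    if stanza.kind == "presence" and stanza.type == "subscribe":
        return True
    sender = bare_jid(stanza.from_jid)
    if sender not in roster:
        return False
    if not require_authorized:
        return True
    return roster[sender] in AUTHORIZED_STATES


# Constructed roster for the demonstration.
ROSTER = {
    "alice@example.org": "both",   # mutual subscription
    "bob@example.org": "to",       # we see bob, bob does not see us
    "carol@example.org": "none",   # pending / nothing granted yet
}

# Constructed inbound traffic: two legitimate chats, one from a contact we
# never authorized, and a burst from an unknown JID plus its add request.
INBOUND = [
    Stanza("message", "alice@example.org/phone", "chat"),
    Stanza("message", "ALICE@Example.ORG/laptop", "chat"),
    Stanza("message", "bob@example.org/work", "chat"),
    Stanza("message", "carol@example.org", "chat"),
    Stanza("message", "promo123@spam.example/bot", "chat"),
    Stanza("presence", "promo123@spam.example/bot", "subscribe"),
]


def delivered_senders(block_strangers: bool = True,
                      require_authorized: bool = True) -> list:
    """Run the policy over INBOUND and return the admitted stanzas as
    (kind, bare sender) tuples, in order."""
    return [(s.kind, bare_jid(s.from_jid)) for s in INBOUND
            if allow_stanza(s, ROSTER, block_strangers, require_authorized)]


if __name__ == "__main__":
    for label, kwargs in [("open policy", {"block_strangers": False}),
                          ("any roster entry", {"require_authorized": False}),
                          ("authorized only", {})]:
        print(label, "->", delivered_senders(**kwargs))
```

With the strict policy only Alice's two messages and the stranger's subscription request get through; relaxing `require_authorized` additionally admits Bob and Carol, who are on the roster but never granted presence, which is the weaker "on my roster" reading of the same idea.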

