[Standards-JIG] SPAM Filtering JEP

Richard Dobson richard at dobson-i.net
Wed Apr 14 11:52:57 UTC 2004

> I think you're both right, and I agree that Jabber spam is easier to trace
> than email.  But I think the biggest problem with spam is likely to come
> from spam zombies.  When Jabber becomes popular, it will have many
> clients running on insecure machines.

I would think it would be unlikely that this scenario would happen, as the
trojan that gets onto the user's PC would have to discover the user's Jabber
server, username and password from the computer to be able to disguise the
spam traffic as legitimate, and if clients use encryption to protect the
user's Jabber login details then it will be very hard for trojans to get hold
of this info.

> That's going to be hard to stop because of the message volume that legitimate
> Jabber accounts can have.  A small business might have a Jabber account that
> sends out payment notifications, etc.  It wouldn't be hard to sneak out
> with all of that traffic.

I expect that if a trojan did manage to log in as the user, the user could
notice it, as either they would keep getting logged off when the trojan
logged in as them, or an unfamiliar resource would appear as logged in at the
same time. Overall a very unlikely scenario IMO.

> Having a Bayesian filter that tagged spam might be quite useful as a check on
> rogue or zombie clients.  Each message could be run through a set of
> filters, and the filters would append a spam flag.
> Something like ...
> < spam namespace="jabber:x:spam:flag" probability=0.5 / >
> The number of flagged messages for each account could be added-up.  The
> admins could then deal with potential problem accounts.  The RBL could act
> as a check on servers where the admins had failed to deal with clients
> sending spam.

Yup, spam content processing is an option, but another way of determining
automatically whether an account is likely being used for spamming is monitoring
how often a user is reaching the karma limit set on a public server. If they
reach it a lot, then they should get automatically blocked from connecting for
a certain period of time, or simply completely blocked until an admin
re-enables their account.

> Server blacklisting can't work on its own if we have clients going bad.
> Some public servers have thousands of legitimate accounts, and it would be a
> very blunt instrument to just blacklist the whole server.

True, but it will give the admins a good kick up the behind to get them to
sort out their server. There are ways of limiting the number of spam
accounts that get created on public servers, and spam shouldn't be too much
of a problem, as karma can slow it right down on client connections. I would
think server blacklisting would be mainly used for blacklisting rogue
servers that have been set up specifically to send out spam, and for servers
where there are massive amounts of spam originating from them compared to
legitimate traffic.
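As an added illustration of the two server-side checks discussed in this message and the one it replies to (a count of how often an account hits the karma limit, with a temporary block followed by a block until an admin re-enables the account, and a per-account tally of filter-flagged messages for admin review), here is a Python sketch. It is example code written for this page, not code from the post's author or from any Jabber server. The spam flag is modelled as a `<spam xmlns="jabber:x:spam:flag" probability="..."/>` child of `<message>` (the post writes `namespace=`; in XML the namespace is declared with `xmlns`), and the thresholds, window lengths, JIDs and message stanzas are all constructed assumptions.

```python
"""Per-account abuse monitor for a Jabber server, sketched from the thread:
(1) count how often an account hits the karma (rate) limit; block it
    temporarily at first, then until an admin re-enables it;
(2) tally filter-flagged messages per account so admins can review it.
All thresholds and the stanza layout are assumptions, not from the thread.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict, deque

SPAM_NS = "jabber:x:spam:flag"       # namespace name used in the thread

# Policy knobs (assumed values)
KARMA_HITS_FOR_TEMP_BLOCK = 3        # hits inside the window -> temporary block
KARMA_WINDOW_SECONDS = 600
TEMP_BLOCK_SECONDS = 900
KARMA_HITS_FOR_ADMIN_BLOCK = 10      # lifetime hits -> blocked until re-enabled
SPAM_PROBABILITY_FLAGGED = 0.8       # filter score at or above this counts as a flag
SPAM_FLAGS_FOR_REVIEW = 5


def spam_probability(stanza_xml):
    """Return the probability a filter attached to a message stanza, or None.

    Assumes a <spam xmlns="jabber:x:spam:flag" probability="..."/> child.
    """
    root = ET.fromstring(stanza_xml)
    flag = root.find("{%s}spam" % SPAM_NS)
    if flag is None:
        return None
    try:
        return float(flag.get("probability", ""))
    except ValueError:
        return None     # malformed flag: treat as unflagged rather than crash


class AccountMonitor:
    def __init__(self):
        self.karma_hits = defaultdict(deque)    # jid -> recent hit timestamps
        self.karma_total = defaultdict(int)     # jid -> lifetime hit count
        self.spam_flags = defaultdict(int)      # jid -> flagged-message count
        self.temp_blocked_until = {}            # jid -> unix time
        self.admin_blocked = set()

    def record_karma_hit(self, jid, now):
        """Called each time the rate limiter throttles this account."""
        hits = self.karma_hits[jid]
        hits.append(now)
        while hits and now - hits[0] > KARMA_WINDOW_SECONDS:
            hits.popleft()                      # drop hits outside the window
        self.karma_total[jid] += 1
        if self.karma_total[jid] >= KARMA_HITS_FOR_ADMIN_BLOCK:
            self.admin_blocked.add(jid)
        elif len(hits) >= KARMA_HITS_FOR_TEMP_BLOCK:
            self.temp_blocked_until[jid] = now + TEMP_BLOCK_SECONDS

    def record_message(self, jid, stanza_xml):
        """Count a filter-flagged outgoing message against the sender."""
        p = spam_probability(stanza_xml)
        if p is not None and p >= SPAM_PROBABILITY_FLAGGED:
            self.spam_flags[jid] += 1

    def may_connect(self, jid, now):
        if jid in self.admin_blocked:
            return False
        return now >= self.temp_blocked_until.get(jid, 0)

    def accounts_for_review(self):
        """Accounts whose flagged-message count warrants admin attention."""
        return sorted(j for j, n in self.spam_flags.items()
                      if n >= SPAM_FLAGS_FOR_REVIEW)

    def admin_reenable(self, jid):
        self.admin_blocked.discard(jid)
        self.temp_blocked_until.pop(jid, None)
        self.karma_total[jid] = 0
        self.karma_hits[jid].clear()


def demo():
    """Constructed event stream: one zombie-like account, one legitimate one."""
    mon = AccountMonitor()
    flagged = ('<message xmlns="jabber:client" from="zombie@example.org/bot" '
               'to="x@example.net"><body>cheap pills</body>'
               '<spam xmlns="%s" probability="0.97"/></message>' % SPAM_NS)
    clean = ('<message xmlns="jabber:client" from="shop@example.org/billing" '
             'to="x@example.net"><body>Invoice 42 is due</body>'
             '<spam xmlns="%s" probability="0.05"/></message>' % SPAM_NS)
    for _ in range(6):
        mon.record_message("zombie@example.org", flagged)
        mon.record_message("shop@example.org", clean)
    for t in (0, 60, 120):          # three throttles in two minutes
        mon.record_karma_hit("zombie@example.org", t)
    return mon
```

The karma-hit path is deliberately independent of message content, which is the point made in the message: a zombie client is visible purely from how often it trips the connection-level rate limit, while the content filter's flags feed a separate review list rather than an automatic block.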
