[Standards-JIG] privacy2 anti-SPIM proto-JEP

Bart van Bragt jabber at vanbragt.com
Tue Aug 30 20:06:46 UTC 2005


Peter Saint-Andre wrote:
> Thinking about this some more, I realize that it is possible to define 
> the challenge stuff without changing RFC 3921 except to modify the MUST 
> [...]

I think the challenge concept is going to be very effective but I also 
see some drawbacks.

For one, we're bothering the user with a problem of the system: 
the (sending) user has to make more effort so we can deter spammers.

Another reason is the fact that this measure isn't going to make the 
Jabber network more spammer resilient, we're only blocking spam on 
servers that implement this system. Google (which has spurred the sudden 
development of anti-spam proposals) isn't really helped with a 
challenge/response system. They don't need the JSF for that, they can 
implement this on their own if they want. They'll need no help 
whatsoever from the rest of the Jabber network if they want to reduce 
spam in this way.

Systems like this already exist in the email world and aren't exactly 
popular (try a Google search on 'challenge response email spam', I have 
to admit that quite a few of the problems with these systems are not 
valid if the system is implemented on XMPP).

It's annoying when you want to add some kind of bot.

It doesn't work (well) with blind people and not all clients can show 
images.

Text challenges can be confusing and they have severe i18n issues.

Most of this comes down to the fact that these systems are just not 
userfriendly (unrelated: 
http://www.userfriendly.org/cartoons/archives/05aug/uf008228.gif).


The proposal does have some strong advantages. It's fairly simple to 
implement (working out the little implementation details will be quite a 
task though). It could work with clients that don't support the JEP and 
it's probably fairly effective against SPIM (about as effective as the 
used CAPTCHA is).

All in all I like the idea but only as a last resort. IMO we don't have 
to use these kinds of heavyweight tactics on an XMPP network. I can 
understand that people are using it as a last resort on SMTP but IMO we 
have other (better) options available. Besides that I don't have the 
idea that we need to design and implement an anti-SPIM system in 2 weeks' 
time to please Google. Please, let's think this through properly and see 
what other options we have available before closing down the XMPP 
network in such a rigorous way.

Bart


