[Standards-JIG] bot-challenge proto-JEP

Sander Devrieze s.devrieze at pandora.be
Tue Sep 6 18:40:50 UTC 2005

Op vrijdag 02 september 2005 01:07, schreef Peter Saint-Andre:
> So the administrator (or a smart server) is going to have to
> depend on user reports to determine if the user is receiving spim.
> Therefore we need a reporting protocol that enables the user to send a
> copy of any offending stanza to the user's server, flagged as spim (the
> user also has to have some trust that the server will do something
> useful with this information;

I even think this such a spim reporting protocol is *not* needed :-) At least 
not for Aunt Tilly (however reporting between servers might be useful)

Today I posted a long email (about Receivy and Sendy) regarding what can 
happen when someone adds a bot challenge (multiple-choice question, problem, 
CAPTCHA,...) to his privacy list and a bot is trying to spim him. So read 
that long post first if you not yet did.

Imagine this:
a. The server of Receivy gets many wrong answers for several different 
registered users with a bot challenge wall in their privacy list. If someone 
is blocked for one user (so a wrong question after the 10^4 long time 
interval of a user), that Jabber ID will get on some kind of internal 
watchlist on that server. If the server detects he blocked this user 
automatically for for example 10 of its users, it will automatically block 
this user for everyone.
b. If the server gets more than 10 users from the same domain that were 
blocked entirely like described in a, it will automatically add that domain 
to a local blacklist. All messages from users (not in anyones roster?) from 
that domain will be dropped automatically (or bounced back with an error 
describing why it was dropped?).
c. A protocol to share blacklisted domains (and users?) between servers that 
support that protocol might be interesting. (The problem with this is that 
spimmers or other malicious people can try to send fake blacklisted domains. 
So you need to be sure if you trust what other servers are saying. For this, 
a certificate can be very useful.)

* All will happen automatically, no reporting from end-users needed and no new 
admin tasks.
* No central blacklist. (Malicious people might be able to crack a server to 
send false blacklisted domains, but it will be hard to to this for several 
* It will combine the IQ of all users registered on your server (a and b), and 
even all users from the public Jabber network when c is used!

Mvg, Sander Devrieze.

xmpp:sander at devrieze.dyndns.org ( http://jabber.tk/ )

More information about the Standards mailing list