[Standards-JIG] bot-challenge proto-JEP

Peter Saint-Andre stpeter at jabber.org
Tue Sep 6 20:22:04 UTC 2005

Sander Devrieze wrote:
> Op dinsdag 06 september 2005 21:48, schreef Peter Saint-Andre:
> <snip>
>>>a. The server of Receivy gets many wrong answers for several different
>>>registered users with a bot challenge wall in their privacy list. If
>>>someone is blocked for one user (so a wrong question after the 10^4 long
>>>time interval of a user), that Jabber ID will get on some kind of
>>>internal watchlist on that server. If the server detects he blocked this
>>>user automatically for for example 10 of its users, it will automatically
>>>block this user for everyone.
>>Yeah, Joe Hildebrand and I were talking about something like that the
>>other day. But we don't even need bot challenges to do that -- the
>>server could simply monitor which specific JIDs are blocked in people's
>>privacy lists.
> I spimmers then can fake the system more easily. By setting up some accounts 
> manually, and then add much blocked JIDs in all these privacy lists. In the 
> above way Aunt Tilly only can help blacklisting users and even domains by 
> setting a good question or using another good bot challenge type such as 
> CAPTCHA. She can not block things easily for fun. So it is more 
> vandalism-proof.

Hmm, I hadn't thought of the threat of privacy list poisoning.

IMHO it would be awfully helpful to work out a complete threat model here...

> 5. Servers might need a valid certificate.

Sure, I think we need to start using valid certificates anyway. Get 
yours today at CAcert.org (though their certs don't include all the 
correct XMPP stuff yet as described in Section 5.1.1. of RFC 3920).


6. No in-band registration -- or support for a. redirects to website and 
b. x-data form per Sections 4 and 5 of JEP-0077.


Peter Saint-Andre
Jabber Software Foundation
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3511 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://mail.jabber.org/pipermail/standards/attachments/20050906/da5fbac9/attachment.bin>

More information about the Standards mailing list