[Standards] pubsub whitelists

Jonathan Chayce Dickinson chayce.za at gmail.com
Mon Aug 27 20:22:15 UTC 2007


Peter Saint-Andre wrote:
> Fabio Forno wrote:
>> Peter Saint-Andre wrote:
>>
>>> What Joe and Matt pointed out is that the whitelist is a list of people
>>> who are *allowed* to subscribe (or retrieve items), not a list of people
>>> who *are* subscribed.
>> Yep I agree, but that's only a better qualification of the configuration
>> options. 
> 
> I think it is a proper definition of the whitelist access model, which we
> didn't really have before.
> 
>> If there is concern about possible spam it's still there,
>> though I don't feel it (in order to use it you need to know the jids of
>> the subscribers, and it's easier to send the spam directly to them)
> 
> Probably, yes. :)

Granted, spammers aren't really on the trail of Jabber yet. And there is 
little to differentiate it if you don't include the resource because it 
looks exactly like an email, but by maintaining a list of Jabber servers 
they could probably get at them pretty easily. There is also the 
guessing model, i.e.

dickinson.jonathan at gmail.com
jonathan.dickinson at gmail.com
dickinson.jonathan at jabber.org (used to exist, but j.o won't work for me 
anymore???)
jonathan.dickinson at jabber.org
[...]

Even a simple regex like:

\bjabber\W+(?:\w+\W+){1,6}?([A-Z0-9._%+-]+@(?:[A-Z0-9-]+\.)+[A-Z]{2,4})\b


Would harvest jabber addresses. (e.g. look at my signature). Try this 
link, and you will S**T yourself.

http://www.google.com/codesearch?q=jabber%5CW%2B%28%5Cw%29%7B1%2C6%7D%3F%28%5BA-Z0-9._%25%2B-%5D%2B%40%28%5BA-Z0-9-%5D%2B%5C.%29%2B%5BA-Z%5D%7B2%2C4%7D%29&btnG=Search&hl=en&lr=

So it isn't a non-issue. Is there a server black-listing protocol 
around? You would have to be rather foolish to send spam off an account 
on j.o for example. Maybe once a server takes action, it could notify 
other servers that the server that is spamming is up to no good, and 
they in turn could notify all the servers that they know...

And I hate to say it, but people like Peter would probably be hit first: 
if all else fails, use humans to gather the addresses, and his jabber 
account is on hundreds of XEPs.

> 
> Peter
> 

Jonathan

-- 
jonathan chayce dickinson
ruby/c# developer

email:  chayce.za at gmail.com
jabber: moitoi at inflecto.org

<some profound piece of wisdom>