[Standards] spam (was: Re: pubsub whitelists)

Peter Saint-Andre stpeter at stpeter.im
Mon Aug 27 20:43:32 UTC 2007

Jonathan Chayce Dickinson wrote:
> Peter Saint-Andre wrote:
>> Fabio Forno wrote:
>>> If there is concern about possible spam it's still there,
>>> though I don't feel it (in order to use it you need to know the jids of
>>> the subscribers, and it's easier to send the spam directly them)
>> Probably, yes. :)
> Granted, spammers aren't really on the trail of Jabber yet. And there is
> little to differentiate it 

Except that we use XMPP, not SMTP? :)

> if you don't include the resource because it
> looks exactly like an email, 

Well, there's always that issue of full Unicode support in JabberIDs...

> but by maintaining a list of Jabber servers
> they could probably get at them pretty easily. 

Get at what? Full JIDs with resource, or bare JIDs? How exactly would
someone launch a directory harvest attack?

> There is also the
> guessing model, i.e.
> dickinson.jonathan at gmail.com
> jonathan.dickinson at gmail.com
> dickinson.jonathan at jabber.org (used to exist, but j.o won't work for me
> anymore???)
> jonathan.dickinson at jabber.org
> [...]

Sure, it's easy enough to run through all the possible addresses.

> Even a simple regex like:
> \bjabber\W+(?:\w+\W+){1,6}?([A-Z0-9._%+-]+@(?:[A-Z0-9-]+\.)+[A-Z]{2,4})\b
> Would harvest jabber addresses. 

How so? You could send messages to all those addresses, but you're not
easily going to learn which accounts exist and which don't.

> (e.g. look at my signature). Try this
> link, and you will S**T yourself.
> http://www.google.com/codesearch?q=jabber%5CW%2B%28%5Cw%29%7B1%2C6%7D%3F%28%5BA-Z0-9._%25%2B-%5D%2B%40%28%5BA-Z0-9-%5D%2B%5C.%29%2B%5BA-Z%5D%7B2%2C4%7D%29&btnG=Search&hl=en&lr=

Nothing so scary there, really.

> So it isn't a non-issue. 

We know:




> Is there a server black-listing protocol
> around? 

Not yet. But see XEP-0161 above. This may also be of interest:


> You would have to be rather foolish to send spam off an account
> on j.o for example. 


> Maybe once a server takes action, it could notify
> other servers that the server that is spamming is up to no good, and
> they in turn could notify all the servers that they know...

There are several possible attacks. A rogue server is one, but it would
probably be more effective to launch a distributed attack from accounts
at multiple servers. Though you'd probably run into rate limiting at
legitimate servers.

> And I hate to say it, but people like Peter would probably be hit first:

Probably. I'm still waiting. :)

> if all else fails, use humans to gather the addresses, 

More efficient for now to buy email addresses in bulk.

> and he is jabber
> account is on hundreds of XEPs.

You betcha.

Remember, we don't need to be the fastest antelope, we just need to be
faster than the slow ones so that the cheetahs eat them first. :)


Peter Saint-Andre

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 7338 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://mail.jabber.org/pipermail/standards/attachments/20070827/7f033214/attachment.bin>

More information about the Standards mailing list