[Standards] Source of the JIDs being spammed? -- Re: Suspicion of Jabbim services being hacked

Kim Alvefur zash at zash.se
Wed Dec 23 17:10:40 UTC 2015


On 2014-12-19 15:24, Peter Viskup wrote:
> Hi all,
> thought it would be interesting to the audience of this mailinglist.
> 
> http://pinky.jabb.im/2014/12/jabbim-bezpecnostni-problem-security.html
> 
> Best regards,
> 

Someone suggested that JIDs leaked in this incident might be what fueled
the recent directed spam wave. I had actually forgotten this thread, but
found it again after some searching.

The original thread went on to discuss SCRAM for password security, but
gave no thought to what else of value might have leaked. Since everyone
seems to have been hit by spam, even people who don't have their JIDs
posted on wiki.xmpp.org, some kind of compromise seems very likely, and
the jabbim one might be it (or at least one possible source).

So what can we do?  I suspect anything that has any effect will come at
a price.

We could start requiring presence subscriptions for sending messages,
which would decrease the value of just having a large list of JIDs, but
sometimes you want to say something to someone once without giving them
all your presence.  And spammers will likely turn to spamming with
subscription requests instead, as reported by Google a couple of years ago.

-- 
Kim "Zash" Alvefur

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: OpenPGP digital signature
URL: <http://mail.jabber.org/pipermail/standards/attachments/20151223/e7c462e6/attachment.sig>


More information about the Standards mailing list