[Standards] Expected behavior when blocking all unknown JIDs

Florian Schmaus flo at geekplace.eu
Thu Jan 12 07:41:31 UTC 2017


On 11.01.2017 22:13, Daniel Gultsch wrote:
> The entire 'block messages from strangers' thing is a poor man's
> workaround for the spam problem. I don't think there is a use case for
> this outside of fighting spam. And it's not even very effective in
> fighting spam as spammers could just move over to subscription spam.

It would also block subscription spam.

Also I don't see subscription-state-based server-side blocking as a
primary means against SPAM.

How do you counter an attacker with thousands of sock puppet XMPP
accounts, registered at hundreds of open services, which constantly send
you messages, with and without a body and of different sizes, and
presence subscription requests in order to drain your mobile device's
battery?

The only solution I came up with so far is to give mobile clients the
ability to (temporarily) block all stanzas from contacts which are not
subscribed to their presence. And while privacy lists suck, because they
are lists, it is currently the only XEP that does provide such a mechanism.

And regarding Sam's UX question: Mobile clients often come into the
situation where they could probably change/relax the server-side
blocking rules, e.g. when charging/AC connected. It is possible to
deliver the presence subscription request(s) which were blocked until
then when that happens.

Happy to discuss and develop an XEP which provides the strengths of
privacy lists and blocking commands. I am thinking of an approach which
requires the server only to check 3-6 conditions (subscription state,
from has domainpart X, from is part of bare address Y, from is in roster
group Z, …) on a stanza, with at most one lookup in a set to determine
if the condition is met in order to decide if the stanza should be blocked.

- Florian
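
The filter Florian sketches above (a handful of flat conditions on the sender, each answered by one set or dict lookup, plus a "block everyone not subscribed to my presence" switch that a mobile client flips while on battery and clears when AC power is connected, releasing the held-back subscription requests) is shown here as an added example. It is not code from the original mail, from Florian, or from any XMPP server; the stanza shape (a plain dict with "from" and "type"), the Policy fields, the JIDs and the rule values are all constructed for illustration.

```python
"""Added example: a constant-time stanza filter in the shape proposed above.

Not code from the mailing-list post or from any XMPP server.  Stanzas are
modelled as plain dicts with "from" and "type" keys; the policy fields,
JIDs and rule values below are constructed for the demonstration.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass(frozen=True)
class Jid:
    local: str
    domain: str
    resource: str = ""

    @property
    def bare(self) -> str:
        return f"{self.local}@{self.domain}" if self.local else self.domain

    @staticmethod
    def parse(s: str) -> "Jid":
        # localpart@domainpart/resourcepart split only (no PRECIS/stringprep
        # normalisation, which a real server must apply before comparing).
        addr, _, resource = s.partition("/")
        local, sep, domain = addr.partition("@")
        if not sep:
            local, domain = "", addr
        if not domain:
            raise ValueError(f"invalid JID: {s!r}")
        return Jid(local, domain, resource)


@dataclass
class Policy:
    # Bare JIDs whose roster subscription is "from" or "both", i.e. contacts
    # that are subscribed to our presence.  Kept as a set: one lookup.
    subscribed: set[str] = field(default_factory=set)
    # bare JID -> roster groups; one dict lookup yields the group set.
    roster_groups: dict[str, set[str]] = field(default_factory=dict)
    blocked_domains: set[str] = field(default_factory=set)   # "from has domainpart X"
    blocked_jids: set[str] = field(default_factory=set)      # "from is part of bare address Y"
    allowed_groups: set[str] = field(default_factory=set)    # "from is in roster group Z"
    # The temporary "drop everything from non-subscribed senders" switch.
    require_subscription: bool = False


def should_block(policy: Policy, stanza: dict) -> tuple[bool, str]:
    """Return (blocked?, reason).  Each condition costs at most one lookup."""
    sender = Jid.parse(stanza["from"])
    bare = sender.bare
    # Explicit blocks win regardless of subscription state.
    if sender.domain in policy.blocked_domains:
        return True, "domain"
    if bare in policy.blocked_jids:
        return True, "jid"
    # Contacts in an allow-listed roster group always get through.
    groups = policy.roster_groups.get(bare)
    if groups and not groups.isdisjoint(policy.allowed_groups):
        return False, "group"
    if policy.require_subscription and bare not in policy.subscribed:
        return True, "unsubscribed"
    return False, "default"


class Filter:
    """Applies the policy and parks subscription requests blocked only because
    the strict mode is on, so they can be delivered once the device is charging."""

    def __init__(self, policy: Policy) -> None:
        self.policy = policy
        self.deferred: list[dict] = []

    def handle(self, stanza: dict) -> str:
        blocked, why = should_block(self.policy, stanza)
        if not blocked:
            return "deliver"
        if stanza.get("type") == "subscribe" and why == "unsubscribed":
            self.deferred.append(stanza)
            return "defer"
        return "drop"

    def on_power(self, ac_connected: bool) -> list[dict]:
        """Relax the rule on AC power and release the held-back requests."""
        self.policy.require_subscription = not ac_connected
        if not ac_connected:
            return []
        released, self.deferred = self.deferred, []
        return released


def run_demo() -> dict:
    policy = Policy(
        subscribed={"alice@example.org"},
        roster_groups={"bob@example.net": {"Family"}},
        blocked_domains={"spam.example"},
        allowed_groups={"Family"},
        require_subscription=True,          # on battery: strict mode
    )
    flt = Filter(policy)
    out = {}
    out["subscribed"] = flt.handle({"from": "alice@example.org/phone", "type": "chat", "body": "hi"})
    out["group"] = flt.handle({"from": "bob@example.net", "type": "chat", "body": "hi"})
    out["spam_domain"] = flt.handle({"from": "x1@spam.example/a", "type": "chat"})
    out["stranger_ping"] = flt.handle({"from": "mallory@open.example/b", "type": "chat"})
    out["stranger_subscribe"] = flt.handle({"from": "carol@open.example", "type": "subscribe"})
    # Charger plugged in: relax the rule, deliver what was held back.
    out["released"] = [s["from"] for s in flt.on_power(ac_connected=True)]
    out["stranger_ping_on_ac"] = flt.handle({"from": "mallory@open.example/b", "type": "chat"})
    out["spam_domain_on_ac"] = flt.handle({"from": "x2@spam.example", "type": "chat"})
    return out


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v}")
```

Only the subscription-state rule is toggled by the power state; the domain and bare-JID blocks stay in force on AC power, which is the distinction between a temporary battery-saving filter and a standing block list.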

