On Wednesday, April 11, 2001, at 09:02 AM, Thomas Parslow (PatRat) wrote:

>> why do you think it will become an issue if the user itself is careful
>> enough? It definitely isn't easy to guess the account names on Jabber, as it
>> is the case with ICQ.
> But that relies on every user knowing what they're doing ;)

Precisely, which brings us back to the subject of this thread. I guess the conclusion here is that clients should either default to blocking messages from non-buddies, or should when first run ask the user if s/he wants to accept messages from non-buddies, with the default answer being "no".

> Also, many users wish to be listed in online directories so that
> people can find them.

This is a wider issue. Blocking all non-buddies is pretty severe. It might be enough to also accept messages from people who have you on their buddy list, since you presumably approved their doing so. The loophole I can see here is that you could end up getting spammed with subscription requests like "The user [EMAIL PROTECTED] wants to add you to their buddy list. Do you approve this?"

One big vague architectural solution is to establish some kind of "web of trust" where transitive buddyhood ([EMAIL PROTECTED] is unknown to me but is on one of my buddy's buddy lists) is used as a heuristic to guess that someone is legit and therefore not block their messages. The problem is how to trawl through the directed graph of buddy lists without privacy concerns coming up, since I don't necessarily want all my buddies knowing who else is on my buddy list.

Here's a quick thought: Allow each user to keep a private server-side list that rates other users positively or negatively. Other users can then send special messages to your server to query for your rating of a single other user. By sending such a query to your whole buddy list, you can compute an aggregate ranking that gives you an idea of whether or not to trust or block some unknown user. Should be quite simple to implement...

--Jens
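The rating-query idea above, worked through as an added example (this is not code from the thread or from any Jabber server; the `Server`, `User`, `query_rating` and `decide` names, the JIDs and the ratings are all invented here). It models a private server-side rating list per user, a query that returns only one rater's opinion of one subject (so no buddy list is ever disclosed), and a delivery policy that first accepts mutual or one-sided subscriptions, then falls back to the aggregate rating of the recipient's buddies, and finally prompts the user when nobody has an opinion.

```python
from dataclasses import dataclass, field


@dataclass
class User:
    jid: str
    buddies: set = field(default_factory=set)    # JIDs this user has subscribed to
    ratings: dict = field(default_factory=dict)  # private: JID -> +1 (trust) / -1 (distrust)


class Server:
    """Toy stand-in for the Jabber server that holds the private rating lists."""

    def __init__(self):
        self.users = {}

    def add(self, user):
        self.users[user.jid] = user
        return user

    def query_rating(self, rater_jid, subject_jid):
        """Model of the proposed 'special message': the answer is only the
        rater's opinion of one subject (0 = no opinion). Nothing else from
        the rater's lists leaves the server, so buddy lists stay private."""
        rater = self.users.get(rater_jid)
        if rater is None:
            return 0
        return rater.ratings.get(subject_jid, 0)

    def subscribed_to(self, holder_jid, target_jid):
        """True if holder_jid has target_jid on its own buddy list."""
        holder = self.users.get(holder_jid)
        return holder is not None and target_jid in holder.buddies


def aggregate_trust(server, me_jid, sender_jid):
    """Ask each of my buddies for their rating of the sender and sum the answers."""
    me = server.users[me_jid]
    return sum(server.query_rating(b, sender_jid) for b in me.buddies)


def decide(server, me_jid, sender_jid, threshold=1):
    """Policy for a message from sender_jid to me_jid: 'accept', 'block' or 'ask'."""
    if server.subscribed_to(me_jid, sender_jid):
        return "accept"            # sender is on my own buddy list
    if server.subscribed_to(sender_jid, me_jid):
        return "accept"            # sender has me on theirs, which I approved earlier
    score = aggregate_trust(server, me_jid, sender_jid)
    if score >= threshold:
        return "accept"
    if score <= -threshold:
        return "block"
    return "ask"                   # nobody I trust has an opinion: prompt the user


def build_sample_server():
    """Constructed sample data for the demonstration (not from the thread)."""
    s = Server()
    s.add(User("alice@example.org",
               buddies={"bob@example.org", "carol@example.org", "dave@example.org"}))
    s.add(User("bob@example.org", ratings={"eve@example.org": 1, "mallory@example.org": -1}))
    s.add(User("carol@example.org", ratings={"eve@example.org": 1, "mallory@example.org": -1}))
    s.add(User("dave@example.org"))                              # buddy with no opinions
    s.add(User("eve@example.org"))                               # unknown to alice, rated well
    s.add(User("mallory@example.org"))                           # unknown to alice, rated badly
    s.add(User("frank@example.org", buddies={"alice@example.org"}))  # has alice on his list
    s.add(User("trent@example.org"))                             # nobody has an opinion
    return s


if __name__ == "__main__":
    s = build_sample_server()
    for sender in ("bob", "frank", "eve", "mallory", "trent"):
        jid = f"{sender}@example.org"
        print(jid, "->", decide(s, "alice@example.org", jid))
```

Two things the toy makes visible: the query interface is the privacy boundary, since a buddy answers about one subject at a time and never hands over its own list; and the "ask" branch is exactly where the subscription-request loophole mentioned earlier in the thread still lives, because an unknown sender with no ratings anywhere still reaches the user with a prompt.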
