On Sat, 27 Aug 2005 18:13:38 +0200, Sander Devrieze <[EMAIL PROTECTED]> wrote:

> On Saturday 27 August 2005 17:27, Tijl Houtbeckers wrote:
>> On Sat, 27 Aug 2005 16:32:38 +0200, Sander Devrieze
>> <[EMAIL PROTECTED]> wrote:
>>> A 'mass spimmer' will probably set up his own server...
>>
>> A spimmer would probably do the same as most spammers these days. Not set
>> up their own server but use compromised computers all over the internet.
>> These could either act as mini servers
>
> This will cost money/time and make it not profitable.

So you're saying Spam is currently not profitable? Someone should tell the people who keep putting it in my inbox!

And why would it be not profitable? All you have to do is develop some software that implements a tiny dialback module, and sends a bunch of messages. It actually helps us in this case that a lot of computers have a messed up network config, but it's usually PCs with no firewall and no NAT that are compromised (for obvious reasons). Once you've written your software you rent a bot from some Russian kid (once it gets popular they will already have the software), and you can start sending spims.

You shouldn't underestimate that this is one of the most common forms of spamming these days, since what applies to email spam will likely apply to jabber-spim. The other form is open relays, but even this often still originates from zombies. (The reason open relays are used is you need less bandwidth because of the cc/bcc mechanism, which could start to be a problem for XMPP when servers start implementing JEP-0033). The equivalent of an open relay SMTP server is of course a Jabber server with in band registration.

This is significant because the defense techniques you mention are a lot less effective when you're defending against a large group of bots all coming from different IPs. Particularly if they use the "mini server" approach.

Anyway.. the point I was trying to make is this: with the current "state" the Jabber network is in (or Jabber clients for that matter) we are nowhere near to effectively combatting a spimmer attack. Nor is Google for that matter, if they decide to open up their network to everyone. Whether they do so just by opening dialback (they'll suffer most from "mini servers", I would think) or by requiring a CAcert or a JSFcert from others (they'll suffer from our open relays, and we'll suffer with them). So the call to them to open their network now, today, is not very realistic, or at least not fair, because we have a lot of work to do first.

As I said before, I can see at least one technically feasible method that would work today, adding a little field in your gmail account where you can put your non-gmail JID so they can let it through on their server. And maybe sending a message when they block you telling you about this when you are blocked. This might not even be a bad idea for "normal" servers, blocking s2s messages (from non-authenticated servers) for a user until he completes some sort of "human intelligence" test (like one of those type the number thingies) to get whitelisted. Kinda tricky for bots though :)

But the conspiracy zealots would have a field day on that one since it's exactly what Google stated they want to prevent (having to have an account with them to talk to people on their server)
_______________________________________________
jdev mailing list
[email protected]
http://mail.jabber.org/mailman/listinfo/jdev
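The gating idea sketched in the message above (a per-user list of external JIDs that are let straight through, and a hold-until-the-sender-passes-a-human-test rule for everything else arriving over s2s from servers that only proved themselves via dialback) can be modelled as a small policy object. The following is an added illustration written for this page, not code from any Jabber server or from the thread's participants. The `Trust` levels, the `S2SGate` class, the JIDs and domains, and the challenge format are all constructed assumptions; a real server would derive the origin trust from its dialback and TLS state and deliver the challenge as a normal message.

```python
"""Toy model of an s2s admission policy: deliver, hold pending a one-time
human-verification challenge, or drop.  Constructed example, not a real
server's code."""
import secrets
from dataclasses import dataclass, field
from enum import Enum


class Trust(Enum):
    NONE = "none"          # origin never authenticated (dialback failed)
    DIALBACK = "dialback"  # origin proved it controls its DNS name, nothing more
    CERT = "cert"          # origin presented a certificate from a CA we trust


class Verdict(Enum):
    DELIVER = "deliver"
    HOLD = "hold"          # queued; the sender is told how to get whitelisted
    DROP = "drop"


@dataclass
class Stanza:
    sender: str          # bare JID the stanza claims to come from
    recipient: str       # bare JID of the local user
    origin_domain: str   # domain the s2s stream was authenticated for
    origin_trust: Trust
    body: str


@dataclass
class S2SGate:
    local_domain: str
    allowlist: dict = field(default_factory=dict)  # recipient -> set of allowed sender JIDs
    verified: set = field(default_factory=set)     # senders who passed the challenge
    pending: dict = field(default_factory=dict)    # sender -> expected challenge answer
    held: list = field(default_factory=list)       # stanzas waiting on a challenge

    def enroll(self, recipient: str, sender: str) -> None:
        """The 'little field in your account': a user lists an external JID."""
        self.allowlist.setdefault(recipient, set()).add(sender)

    def inspect(self, stanza: Stanza) -> Verdict:
        sender_domain = stanza.sender.rpartition("@")[2]
        # Never accept s2s traffic from an unauthenticated origin, a sender that
        # claims our own domain, or a sender whose domain is not the one the
        # stream was authenticated for (dialback only vouches per domain).
        if (stanza.origin_trust is Trust.NONE
                or sender_domain == self.local_domain
                or sender_domain != stanza.origin_domain):
            return Verdict.DROP
        if stanza.origin_trust is Trust.CERT:
            return Verdict.DELIVER
        if (stanza.sender in self.verified
                or stanza.sender in self.allowlist.get(stanza.recipient, set())):
            return Verdict.DELIVER
        # Dialback-only origin and unknown sender: hold and issue a challenge.
        self.pending.setdefault(stanza.sender, secrets.token_hex(3))
        self.held.append(stanza)
        return Verdict.HOLD

    def answer_challenge(self, sender: str, answer: str) -> list:
        """Verify the sender's answer; on success whitelist them and return
        every held stanza from that sender so the caller can deliver it."""
        expected = self.pending.get(sender)
        if expected is None or not secrets.compare_digest(
                expected.encode(), answer.encode()):
            return []
        del self.pending[sender]
        self.verified.add(sender)
        released = [s for s in self.held if s.sender == sender]
        self.held = [s for s in self.held if s.sender != sender]
        return released


if __name__ == "__main__":
    gate = S2SGate("local.example")
    gate.enroll("bob@local.example", "alice@remote.example")
    msg = Stanza("eve@other.example", "bob@local.example", "other.example",
                 Trust.DIALBACK, "hello")
    print(gate.inspect(msg))                      # Verdict.HOLD
    code = gate.pending["eve@other.example"]       # would be sent to eve as a challenge
    print(len(gate.answer_challenge("eve@other.example", code)))  # 1 stanza released
```

The domain checks in `inspect` are the part worth keeping even if the challenge idea is dropped: a botnet of "mini servers" can pass dialback for domains it controls, but it cannot make a dialback-authenticated stream for `other.example` carry stanzas that claim to be from the recipient's own domain or from a third domain without this check rejecting them.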
