On Aug 12, 2008, at 9:57 AM, Florian Jensen wrote:

Hello everyone.

On Tue, 12 Aug 2008 10:41:58 +0200, Clemens Lucas Fries <[EMAIL PROTECTED] >
wrote:
Hello list,

I wanted to confirm that these registrations never completely halted.
I got two new in the last 24 hours. And maybe one or two weeks ago I
blocked one IP-address because it registered an account, matching the
known scheme, every few minutes. It seems to me that there are days
with more activity and I gather from the statistics that at least this apparently hijacked server that was used a while ago isn't used anymore.

Right. I am also having trouble tracking down the source of these
registrations. But they continue.

I really wonder if there were any attacks on MUCs (like the last
time), or if it is just registering throw-away accounts without using
them.

Yes, this would be interesting to find out.

The problem with this is: We are at least 1 step behind. We cannot fight the threat, when you have IBR enabled. And in my opinion, IBR is one of the
main features of Jabber. You can create an account with any client.

I think we should have a new IBR standard. Something that adds human
verification (CAPTCHA ...), or verification of any other sort. Preferably something that is future proof. This then would need to be implemented into
the servers and clients.

Are there any ideas for this?

As in:

http://www.xmpp.org/extensions/xep-0158.html (CAPTCHA forms: Last Call)

?

Right now, I would rather have a quick feature on servers: allow me to announce IBR, but send only the <instructions> tag and deny any SETs.

I could then send <instructions>Please use the form at http://my.jabber.server/registration/ </instructions>

As an added bonus, an OOB stanza with the same URL would be great.

This of course, until XEP-0158 is deployed.

Best regards,
--
Pedro Melo
Blog: http://www.simplicidade.org/notes/
XMPP ID: [EMAIL PROTECTED]
Use XMPP!
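
The stopgap proposed in the message above (answer the registration GET with only `<instructions>` plus an OOB URL, refuse every SET), sketched as an added example that is not part of the original thread or of any server's code. The function name, the constructed sample stanzas and the choice of `<not-allowed/>` as the error condition are assumptions.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape, quoteattr

NS_REGISTER = "jabber:iq:register"   # XEP-0077 in-band registration
NS_OOB = "jabber:x:oob"              # XEP-0066 out-of-band data
NS_STANZAS = "urn:ietf:params:xml:ns:xmpp-stanzas"
FORM_URL = "http://my.jabber.server/registration/"  # URL from the message

# Constructed sample stanzas, as a client would send them before authenticating.
SAMPLE_GET = "<iq type='get' id='reg1'><query xmlns='jabber:iq:register'/></iq>"
SAMPLE_SET = ("<iq type='set' id='reg2'><query xmlns='jabber:iq:register'>"
              "<username>constructed-user</username>"
              "<password>constructed-pass</password></query></iq>")


def handle_register_iq(stanza_xml, form_url=FORM_URL):
    """Return the reply to a jabber:iq:register IQ, or None if it is not one.

    Hypothetical handler: a real server would hook this into its own
    stream parser instead of re-parsing the stanza text.
    """
    iq = ET.fromstring(stanza_xml)
    is_iq = iq.tag.rsplit("}", 1)[-1] == "iq"
    if not is_iq or iq.find(f"{{{NS_REGISTER}}}query") is None:
        return None
    if iq.get("type") not in ("get", "set"):
        return None  # never answer a result/error IQ
    head = f"<iq id={quoteattr(iq.get('id', ''))}"
    if iq.get("type") == "get":
        # Announce registration, but only point at the web form.
        url = escape(form_url)
        return (f"{head} type='result'><query xmlns='{NS_REGISTER}'>"
                f"<instructions>Please use the form at {url}</instructions>"
                f"<x xmlns='{NS_OOB}'><url>{url}</url></x></query></iq>")
    # Every SET is refused, so no account is created in-band. The same
    # namespace carries password change and account removal (XEP-0077),
    # so a deployment would exempt authenticated users from this branch.
    return (f"{head} type='error'><error type='cancel'>"
            f"<not-allowed xmlns='{NS_STANZAS}'/></error></iq>")


if __name__ == "__main__":
    print(handle_register_iq(SAMPLE_GET))
    print(handle_register_iq(SAMPLE_SET))
```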

