On Tue, Sep 04, 2012 at 12:50:26AM +0200, Marco Cirillo wrote:
> On 03/09/2012 22:41, Arsimael Inshan wrote:
> >I don't think that's a good idea. Every open Jabber server can be
> >used for this. If you block all open servers, then you might cut
> >yourself off from the Jabber network. And if everyone does this then we
> >don't have a Jabber network anymore, or it becomes an
> >invite-only system. You shouldn't punish the servers (or the
> >owners of those). They provide a free service, and I don't think
> >everyone has the time to watch how many users are
> >registering accounts on them.
> >
> >We should ask the server developers to implement a feature which
> >allows us to configure how many messages are going to be sent to
> >one MUC/JID in a defined amount of time. Maybe 5 messages/sec?
> >
> >
> Not every "open" XMPP server "can be used for this", just the loosely
> watched and insecure ones, and no one forces you to federate with a server
> which allows users to register, but if you want to, at least employ
> reasonably safe practices to prevent automated registration.

That's a load of crap, and believe me, I wish it weren't. Of the JIDs you gave,
most were the only JID on their server. No matter how far registration is
restricted, you will always get a couple of JIDs on a server, if you want to
use it.

Even if you have no IBR, only CAPTCHA-based web registration and email
confirmation, your server will still see registrations for botnets and/or
SPAM. You can sit there all day and watch out for registrations that you
consider "suspicious" and delete them right away, if you have no problems
with deleting accounts purely based on suspicion. If you are that bored, good
for you, but most server admins understandably won't be.

> And I also disagree on the: << You shouldn't punish the servers (or
> the owners of those). They provide a free service, and I don't think
> everyone has the time to watch about how many users are registering
> accounts on them. >>
> In fact you really _should_ punish the servers and their owners. XMPP's
> architecture, as far as federation is concerned, puts servers as the
> intermediate entity between users, and that means that in the
> majority of cases I can't trace back directly to the (malicious)
> user without inquiring with the involved server's administrator, and that
> raises the actual responsibility of the "owner" by quite a bit,
> since it's their server which, like in this case, is being used as
> the vehicle for the attack.

E-mail has the same characteristics and far fewer safeguards. That doesn't
make it a good system, of course. But you won't get a free and open
IM network by blocking every server that has a single SPAM address.

> So as stated above, no one forces you to host a public server, but if
> you do you are, in my opinion, obliged to take adequate care of
> it, because likewise "no one forces me to deal with your junk", and
> that also means "pretty palisades will be built" to prevent "your
> junk" passing through.

You are partially right on this one. Everyone should care; I at least do
care. I actively fight spam registrations. If I see obviously automated
registrations, I even remove accounts. I went through my server software's
documentation again and again to find settings that might make my server
less usable for SPAM. But I could never have guaranteed you that a JID from
my server wouldn't have been on that list - you can't, on any system.

When it comes to Jabber, the situation is however not really glorious. I
don't know about Prosody, but ejabberd has very few settings to actively
fight SPAM and DDoS attacks. There are still far too many ways to abuse a
Jabber server, at least if it's based on ejabberd. The XSF hasn't helped
either (as far as I can tell), since few finalized XEPs help fight spam at
the protocol level.

There are two points to this mail:
1. Blocking servers (or whole lists of servers) is wrong and not compatible
   with any open communication network.
2. Neither the XSF nor server software developers take SPAM/DDoS
   seriously enough.

greetings, Mati

-- 
I only read plain text mail! I prefer pgp|gpg signed & encrypted mails!
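The per-MUC/per-JID message limit proposed in the quoted message ("maybe 5 messages/sec") is easy to state but the details matter: whether the key is the bare JID or the full JID, whether a bot that sprays many different targets is also capped, and whether a dropped message costs the sender quota. The following token-bucket limiter is an added example written for this page; it is not code from the original mail, nor from ejabberd or Prosody. The bucket sizes (burst 5, refill 5/s per sender/target pair; burst 10, refill 10/s per sender), the two-level keying, and the sample traffic (a legitimate user, a bot flooding a room, then the same bot spraying twelve users) are all constructed assumptions for illustration.

```python
"""Per-sender / per-target stanza rate limiter (added example, not from the mail).

Two token buckets gate every message before routing: one per (sender, target)
pair, which implements the "N messages per second to one MUC/JID" proposal,
and one per sender across all targets, so a bot that spreads its flood over
many victims is still throttled. Timestamps are integer milliseconds so the
refill arithmetic stays exact; JIDs are reduced to bare form so that a MUC
room with many nicknames is one target and a user with several resources is
one sender.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


def bare_jid(jid: str) -> str:
    """Strip the resource: 'room@muc.example/nick' -> 'room@muc.example'."""
    return jid.split("/", 1)[0]


@dataclass
class TokenBucket:
    capacity: int                      # burst size (tokens when full)
    rate: float                        # refill rate, tokens per second
    tokens: float = field(init=False)
    updated_ms: Optional[int] = field(init=False, default=None)

    def __post_init__(self) -> None:
        self.tokens = float(self.capacity)

    def _refill(self, now_ms: int) -> None:
        # Credit tokens for the time elapsed since the last observation,
        # never above capacity; clocks that jump backwards add nothing.
        if self.updated_ms is not None and now_ms > self.updated_ms:
            elapsed_s = (now_ms - self.updated_ms) / 1000.0
            self.tokens = min(float(self.capacity), self.tokens + elapsed_s * self.rate)
        if self.updated_ms is None or now_ms > self.updated_ms:
            self.updated_ms = now_ms

    def has_token(self, now_ms: int) -> bool:
        self._refill(now_ms)
        return self.tokens >= 1.0

    def take(self) -> None:
        self.tokens -= 1.0


class StanzaLimiter:
    """Return 'ok', 'target-limit' or 'sender-limit' for each message."""

    def __init__(self, target_burst: int = 5, target_rate: float = 5.0,
                 sender_burst: int = 10, sender_rate: float = 10.0) -> None:
        self._cfg = (target_burst, target_rate, sender_burst, sender_rate)
        self._pair: Dict[Tuple[str, str], TokenBucket] = {}
        self._sender: Dict[str, TokenBucket] = {}

    def check(self, now_ms: int, sender: str, target: str) -> str:
        tb, tr, sb, sr = self._cfg
        s, t = bare_jid(sender), bare_jid(target)
        pair = self._pair.setdefault((s, t), TokenBucket(tb, tr))
        acct = self._sender.setdefault(s, TokenBucket(sb, sr))
        # Inspect both buckets before consuming, so a dropped message costs nothing.
        if not pair.has_token(now_ms):
            return "target-limit"
        if not acct.has_token(now_ms):
            return "sender-limit"
        pair.take()
        acct.take()
        return "ok"


# Constructed sample traffic (not real server logs): (time_ms, from, to).
BOT = "bot@spam.example/x"
ALICE = "alice@example.org/laptop"
ROOM = "room@muc.example"
SAMPLE_EVENTS: List[Tuple[int, str, str]] = (
    [(10000, ALICE, ROOM)]                                  # legitimate user
    + [(10000, BOT, ROOM)] * 12                             # bot bursts at one room
    + [(12000, BOT, ROOM)] * 5                              # bot retries two seconds later
    + [(20000, BOT, f"user{i}@example.org") for i in range(12)]  # bot sprays 12 users
    + [(20000, ALICE, ROOM)]                                # legitimate user is unaffected
)


def run(events: List[Tuple[int, str, str]], **limits) -> List[str]:
    """Feed events through a fresh limiter and return one verdict per event."""
    limiter = StanzaLimiter(**limits)
    return [limiter.check(t, frm, to) for t, frm, to in events]


if __name__ == "__main__":
    for (t, frm, to), verdict in zip(SAMPLE_EVENTS, run(SAMPLE_EVENTS)):
        print(f"{t:>6} {bare_jid(frm):<18} -> {bare_jid(to):<20} {verdict}")
```

With the assumed limits, the bot's twelve-message burst at the room yields five "ok" and seven "target-limit"; two seconds later the pair bucket has refilled and five more pass; the spray over twelve distinct users is allowed per target but the per-sender bucket stops it after ten. Alice's messages are never affected because both buckets are keyed on the sender. In a real deployment the verdict would also be fed to the abuse log so that the admin of the sending server can be told which account to look at.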
