On Sat, Mar 2, 2013 at 6:55 AM, LongLine <[email protected]> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> On 01.03.2013 18:42, Kevin Smith wrote:
>> The ongoing discussions about Google having had to (temporarily?)
>> impose a blanket block on sub requests have reminded me that I meant
>> to post.
>>
>> A few weeks ago a service I admin was attacked over S2S by
>> flooders (MUC room attacks).
>>
>> As far as I can tell, the flooders had produced scripts to
>> autoregister accounts on servers that have unprotected
>> registrations, use them to spam a few messages each and presumably
>> then throw the accounts away. I've had to block all of the
>> following servers for having unprotected signups - other admins can
>> use or ignore this information as they wish, but if any admins of
>> these servers are following the list, please effect some protection
>> against this abuse - i.e. disable unprotected IBR. As well as
>> knowing when it's safe to start unblocking these servers, I'd be
>> interested to hear what steps people are generally taking to
>> prevent abuse from their accounts, especially if they run services
>> that allow public signup.
>>
>> 12jabber.com abber.linux.it brauchen.info deshalbfrei.org
>> headcounter.org im.apinc.org jabber.ccc.de jabber.com.ua jabber.fr
>> jabber.justlan.ru jabber.linux.it jabber.murom.net
>> jabber.ozerki.net jabber.rdtc.ru jabber.sk jabber.snc.ru
>> jabber.tcweb.org jabber.wiretrip.org jabbernet.dk jid.pl
>> jwchat.org kofeina.net myjid.eu silper.cz skyjabber.ru
>> swissjabber.eu swissjabber.li syriastars.com xmpp.us
>>
>> /K
>>
>
> What do you mean by unprotected registrations?
> Which protection does the server list need? I use Openfire.
What protection is needed is really up to admins (indeed, if everyone did the same it'd probably reduce the effectiveness as a whole), but the thing that mustn't be done is allowing signup without any verification that the entity performing the signup is a human. Some ways this can be done (none of them entirely reliable) are captchas, text captchas (asking some general knowledge question or similar), email verifications and what have you. /K
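To make the "verification that the entity performing the signup is a human" concrete, here is an added example, not code from this thread or from any XMPP server (Openfire, Prosody and ejabberd each implement this their own way). It models the two-step shape of XEP-0077 in-band registration: the client first requests the registration form and receives a challenge, then submits username, password and the challenge answer. Both protections Kevin mentions are shown, a text captcha and an e-mail verification token, plus a per-IP signup budget. The question pool, the client addresses and the "sent" mails are constructed stand-ins; `RegistrationGate`, `Challenge` and `demo` are names chosen for this example.

```python
"""Signup gate for an XEP-0077-style two-step registration (added example).

Not from the mailing-list post or any real XMPP server. The account is only
created when the challenge is solved, unexpired, unused, bound to the same
client IP, and that IP still has signups left in its window.
"""
import hmac
import secrets
import time
from dataclasses import dataclass

# Constructed text-captcha pool. A static pool this small is scripted in
# minutes; it only illustrates the mechanism (none of this is fully reliable).
QUESTIONS = [
    ("What colour is a clear daytime sky?", "blue"),
    ("How many legs does a dog have?", "4"),
]


@dataclass
class Challenge:
    kind: str          # "captcha" or "email"
    answer: str        # expected reply: captcha answer or e-mailed token
    question: str      # text shown to the client (empty for the e-mail flow)
    ip: str            # client IP the challenge was issued to
    expires_at: float
    used: bool = False


class RegistrationGate:
    def __init__(self, *, ttl=300, max_per_ip=3, window=3600,
                 clock=time.monotonic):
        self.ttl, self.max_per_ip, self.window, self.clock = ttl, max_per_ip, window, clock
        self.challenges = {}   # challenge id -> Challenge
        self.signups = {}      # ip -> timestamps of completed signups
        self.accounts = {}     # username -> password (plaintext only for the demo)
        self.outbox = []       # (address, token) pairs a mailer would send

    def _rate_limited(self, ip):
        now = self.clock()
        recent = [t for t in self.signups.get(ip, []) if now - t < self.window]
        self.signups[ip] = recent
        return len(recent) >= self.max_per_ip

    def request_form(self, ip, email=None):
        """Step 1: issue a challenge, or None if the IP is over budget."""
        if self._rate_limited(ip):
            return None
        cid = secrets.token_urlsafe(16)
        if email:
            token = secrets.token_urlsafe(12)
            self.outbox.append((email, token))       # stands in for sending mail
            ch = Challenge("email", token, "", ip, self.clock() + self.ttl)
        else:
            question, answer = secrets.choice(QUESTIONS)
            ch = Challenge("captcha", answer, question, ip, self.clock() + self.ttl)
        self.challenges[cid] = ch
        return cid, ch.question

    def submit(self, ip, cid, username, password, answer):
        """Step 2: create the account only if the challenge checks out."""
        ch = self.challenges.get(cid)
        if ch is None or ch.used or ch.ip != ip or self.clock() > ch.expires_at:
            return "challenge-rejected"
        ch.used = True                               # single use, whatever the outcome
        expected = ch.answer.strip().lower().encode()
        if not hmac.compare_digest(answer.strip().lower().encode(), expected):
            return "wrong-answer"                    # no retry on the same challenge
        if self._rate_limited(ip) or username in self.accounts:
            return "rejected"
        self.accounts[username] = password
        self.signups.setdefault(ip, []).append(self.clock())
        return "registered"


def demo():
    """Walks through the cases a flooder script runs into; returns outcomes."""
    clock = [1000.0]                                 # controllable time source
    gate = RegistrationGate(max_per_ip=2, clock=lambda: clock[0])
    lookup = dict(QUESTIONS)
    ip = "198.51.100.7"                              # constructed client addresses
    out = {}
    cid, q = gate.request_form(ip)
    out["captcha"] = gate.submit(ip, cid, "alice", "pw1", lookup[q])
    out["replay"] = gate.submit(ip, cid, "alice2", "pw2", lookup[q])
    cid, _ = gate.request_form(ip, email="bob@example.org")
    _, token = gate.outbox[-1]                       # the user reads it from the mail
    out["email"] = gate.submit(ip, cid, "bob", "pw3", token)
    out["flood"] = gate.request_form(ip)             # third signup in the window
    ip2 = "203.0.113.9"
    cid, q = gate.request_form(ip2)
    clock[0] += 600                                  # past the 300 s challenge TTL
    out["expired"] = gate.submit(ip2, cid, "carol", "pw4", lookup[q])
    return out
```

Running `demo()` shows the flooder's script failing at each gate: a replayed challenge id, a third signup from the same address inside the window, and a stale challenge are all refused, while a first-time captcha or e-mail signup goes through. The caveats match the reply above: a small static question pool is trivially scripted, the per-IP budget also throttles legitimate users behind a shared NAT, and the e-mail flow turns the server into a mail sender that needs its own rate limit. Real servers expose these knobs in their own configuration rather than in application code.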
