On 3/21/2013 9:54 AM, Mathias Ertl wrote:
On Thu, Mar 21, 2013 at 07:36:47AM -0700, Peter Saint-Andre wrote:
We know that jabber.org had many spammy invite accounts, and we have
IBR disabled with CAPTCHA-"protected" web registration. As Maxim noted
about his server (jabber.kiev.ua), web registration doesn't stop
someone from registering enough accounts to cause trouble.
Of course, for most of the attacks discussed here its enough to register
one account.
And the fact that some here seem to run blacklists of servers opens very
easy attack vectors: Just register one account (I can do that manually, no
problem with captcha) on your server and start spamming. Voila, your server
is blacklisted on those servers.
Well, yeah, that's the idea.
It causes the offending service operator to
a) disable the bad account(s)
b) request to be delisted from the blacklist(s) by reaffirming their
reputation
c) do whatever is possible to prevent the problem from happening again
That's how it's always worked with SMTP servers.
Which is exactly what should happen with XMPP servers.
I'm not saying it's convenient for the XMPP operator. It's just the
cost of running a service.
Jesse
