I suspect vjud-search is also a problem in this context.

> but sometimes you want to say something to someone once without giving them
> all your presence. And spammers will likely turn to spamming with
> subscription requests instead, as reported by Google a
> couple of years ago.

I think this will not be possible in the long term. All modern messengers are doing it differently. Requiring proof-of-work for a subscription would certainly be a good idea, but it would break the current protocol.

casper // systemli.org

On 30.12.2015 22:19, Jan Pinkas wrote:
> Hi Kim,
> it doesn't look like we are the only source of data... The users table
> leaked from Jabbim's ejabberd database, not the rosters of our users. And spam
> was received by the newest accounts and my testing accounts too.
>
> 1. Maybe more servers were hacked (and the hack was not reported)
> 2. Some web page crawlers check not only for e-mails but maybe also for
>    SRV records of crawled "e-mail addresses"
>
>    Example: [email protected]
>
>    zash.se dns info:
>
>    IP address(es) - 85.11.25.66
>
>    XMPP server - sphyrna.zash.se:5269
>
>    XMPP client - sphyrna.zash.se:5222
>
>    Hey, this is a JID.
>
> 3. Generating JIDs from dictionaries; servers do not report an error if the
>    address exists and the server supports offline messages.
>
> The problem is one: bad guys from Russia are using XMPP. And this type of
> (actual) spam wave has a good CTR.
>
> Best regards,
> Pinky, Jabbim
>
> 2015-12-23 18:10 GMT+01:00 Kim Alvefur <[email protected]>:
>
> > On 2014-12-19 15:24, Peter Viskup wrote:
> > > Hi all,
> > > thought it would be interesting to the audience of this mailinglist.
> > >
> > > http://pinky.jabb.im/2014/12/jabbim-bezpecnostni-problem-security.html
> > >
> > > Best regards,
> >
> > Someone suggested that JIDs leaked in this incident might be what fueled
> > the recent directed spam wave. I had actually forgotten this thread, but
> > found it again after some searching.
> >
> > The original thread went on to discuss SCRAM for password security, but
> > gave no thought to what else of value might have leaked. Since everyone
> > seems to have been hit by spam, even people who don't have their JIDs
> > posted on wiki.xmpp.org, some kind of compromise seems very likely, and
> > the jabbim one might be it (or at least one possible source).
> >
> > So what can we do? I suspect anything that has any effect will come at
> > a price.
> >
> > We could start requiring presence subscriptions for sending messages,
> > which would decrease the value of just having a large list of JIDs, but
> > sometimes you want to say something to someone once without giving them
> > all your presence. And spammers will likely turn to spamming with
> > subscription requests instead, as reported by Google a couple of
> > years ago.
> >
> > --
> > Kim "Zash" Alvefur
