For c.):

It seems that every client happily answers to IQ requests when they are sent from a JID only containing a host, e.g. <iq from='attacker.com' type='get'> will always be answered.

As you already said, IQ requests are a problem in general. That's why I think that the *SERVER* should reply with an error if there's no subscription or a privacy list blocking presence-out.

What's also very easy: Send a message with XEP-0184 attached; if you get a reply, the user is online. This even reveals the resource. In Gajim, we have some basic checks to prevent that. They are subscription-based, but currently ignore privacy lists. Now, as one of the goals of XMPP is to have simple clients, I'd suggest a way for the client to determine if there's a privacy list that would block presence-out to that user, so you have something like:

<message to='[EMAIL PROTECTED]' type='chat'>
<body>foo!</body>
<received xmlns='…'/>
<only-route-if-presence-out-allowed/>
</message>

Sure, only-route-if-presence-out-allowed could be shortened, but I chose that name here to make clear what it does.

--
Jonathan
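The client-side gate described in this message, written out as an added example for this archive page (it is not Gajim's code and not part of the original message). A client that answers an IQ 'get' or a XEP-0184 receipt request proves it is online and names its resource, so the gate declines to answer when the sender has no localpart, has no presence subscription, or is denied presence-out by a XEP-0016 privacy list. The roster, the privacy list and the incoming stanzas are constructed here; the XEP-0184 namespace (urn:xmpp:receipts) and the XEP-0016 <list/> syntax are used as specified; group-typed privacy items are deliberately not modelled.

```python
import xml.etree.ElementTree as ET

NS_RECEIPTS = "urn:xmpp:receipts"  # XEP-0184 namespace


def local(tag):
    """Strip an ElementTree '{ns}' prefix so lookups work with or without xmlns."""
    return tag.rsplit("}", 1)[-1]


def bare_jid(jid):
    """user@host/res -> user@host."""
    return jid.split("/", 1)[0]


def has_localpart(jid):
    """True for user@host[/res]; False for a bare host such as 'attacker.com'."""
    bare = bare_jid(jid)
    return "@" in bare and bare.split("@", 1)[0] != ""


def jid_matches(pattern, jid):
    """XEP-0016 type='jid' matching: full JID, bare JID, host/res or host."""
    bare = bare_jid(jid)
    host = bare.rsplit("@", 1)[-1]
    if "@" in pattern:
        return pattern == (jid if "/" in pattern else bare)
    if "/" in pattern:
        return pattern == jid
    return pattern == host


def presence_out_blocked(privacy_list_xml, jid, roster):
    """Walk a XEP-0016 <list/> in ascending 'order' and return True if the first
    item that applies to presence-out denies it.  Items with child elements apply
    only to the stanza kinds they name; items without children apply to all kinds.
    Assumption: type='group' items are ignored (no roster groups modelled)."""
    lst = ET.fromstring(privacy_list_xml)
    items = [e for e in lst if local(e.tag) == "item"]
    for item in sorted(items, key=lambda i: int(i.get("order", "0"))):
        kind = item.get("type")
        if kind == "jid":
            hit = jid_matches(item.get("value", ""), jid)
        elif kind == "subscription":
            hit = roster.get(bare_jid(jid), "none") == item.get("value")
        elif kind is None:
            hit = True          # untyped item: fall-through rule
        else:
            hit = False
        if not hit:
            continue
        kinds = [local(c.tag) for c in item]
        if kinds and "presence-out" not in kinds:
            continue            # item matches the JID but not this stanza kind
        return item.get("action") == "deny"
    return False


def reveals_presence(stanza):
    """An <iq type='get'/> (or 'set') and a message carrying a XEP-0184 <request/>
    both draw a reply that proves the client is online and names its resource."""
    if local(stanza.tag) == "iq":
        return stanza.get("type") in ("get", "set")
    if local(stanza.tag) == "message":
        return stanza.find("{%s}request" % NS_RECEIPTS) is not None
    return False


def should_answer(stanza_xml, roster, privacy_list_xml=None):
    """Return (answer, reason).  roster maps bare JID -> subscription state.
    The message argues the *server* should send an error for the IQ case; this
    client-side gate simply stays silent instead."""
    st = ET.fromstring(stanza_xml)
    if not reveals_presence(st):
        return True, "not presence-revealing"
    sender = st.get("from", "")
    if not has_localpart(sender):
        return False, "sender has no localpart"
    if roster.get(bare_jid(sender), "none") not in ("from", "both"):
        return False, "sender has no presence subscription"
    if privacy_list_xml and presence_out_blocked(privacy_list_xml, sender, roster):
        return False, "privacy list blocks presence-out"
    return True, "ok"


def build_receipt(stanza_xml):
    """XEP-0184 <received/> reply for a request the gate allowed."""
    st = ET.fromstring(stanza_xml)
    reply = ET.Element("message", {"to": st.get("from", "")})
    ET.SubElement(reply, "received", {"xmlns": NS_RECEIPTS, "id": st.get("id", "")})
    return ET.tostring(reply, encoding="unicode")


# Constructed sample data (not from any real deployment).
ROSTER = {"friend@example.org": "both", "buddy@example.net": "from"}
PRIVACY_LIST = """<list name='default'>
  <item type='jid' value='friend@example.org' action='deny' order='1'><presence-out/></item>
  <item action='allow' order='2'/>
</list>"""
SAMPLES = {
    "host_only_iq": "<iq from='attacker.com' type='get' id='1'><query xmlns='jabber:iq:version'/></iq>",
    "stranger_receipt": "<message from='stranger@example.org/pc' type='chat' id='m0'><body>hi</body><request xmlns='urn:xmpp:receipts'/></message>",
    "blocked_receipt": "<message from='friend@example.org/pc' type='chat' id='m2'><body>hi</body><request xmlns='urn:xmpp:receipts'/></message>",
    "allowed_receipt": "<message from='buddy@example.net/laptop' type='chat' id='m1'><body>hi</body><request xmlns='urn:xmpp:receipts'/></message>",
    "plain_message": "<message from='stranger@example.org/pc' type='chat'><body>hi</body></message>",
}

if __name__ == "__main__":
    for name, xml in SAMPLES.items():
        print(name, should_answer(xml, ROSTER, PRIVACY_LIST))
    print(build_receipt(SAMPLES["allowed_receipt"]))
```

The subscription check alone is what the message says Gajim already does; the privacy-list walk is the part it says is missing, and it is the check the proposed only-route-if-presence-out-allowed element would let the server perform on the client's behalf.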
