Fighting groupchat SPAM with CAPTCHA in ejabberd

Wouldn’t it be useful to add some sort of longer lasting I’m-not-a-spammer authentication to a MUC server or room? So the room or server stores me in a “it’s cool” list, meaning the next time I log on to the server I don’t need to enter a CAPTCHA.

Jonas,

A spimmer may compromise that server list:

1. A spimmer proceeds with CAPTCHA.
2. A spimmer then starts a bot on the same JID.
3. A bot floods MUCs.

This is not a good solution.

A better solution would be to pressure jabber.org to not blindly allow any random user to register—something they should have done a LONG time ago.

Allowing any user to quickly and without verification create a new account is asking for trouble.

Perhaps this could be a part of the requirements to get a server certificate from xmpp.net. In order to receive a cert, you must verify your new users somehow… As well as check your client connections against a blackhole list.

We must be proactive about protecting the public federated jabber network. Implementing room captchas is not the right solution, IMHO.

My solution:

* Have some minimal requirements for your server for you to be offered a certificate from xmpp.org. Those requirements would be to not allow any random user to register without verification and to always check the IP of clients against a black hole list.
* Have servers check the IP addresses of other servers against blackhole lists.
* Have MUC rooms check the IP addresses of URLs posted in a room against blackhole lists
* Start migrating the network to require certs for S2S connections.