Feature request: SASL ANONYMOUS should give JID of form user_ip@host/random
Posted: 13 November 2010 06:33 AM
Newbie
Total Posts: 20
Joined 2010-07-28

Greetings.

I’ve been using groupchats with SASL ANONYMOUS access from the web for quite a while now, and the biggest problem there is that anonymous abusers are not bannable without blocking the whole host that gives anonymous access, since the JID takes the form

random_numbers@host/random_numbers

I suggest putting the user IP address instead of random numbers as the anonymous username to make abusers bannable and still allow access to other anonymous users from web.

It should take into account the IP of the BOSH user, of course.

To help protect user privacy, his last two IP numbers could be hashed, for example.

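The derivation the request above describes, as an added example that is not ejabberd code and not the poster's own: a Python function that keeps the first two octets of the client address in the clear and replaces the last two with a keyed hash, plus a helper that picks the address to attribute a BOSH session to when it arrives through a reverse proxy. The server secret, the trusted-proxy set and the X-Forwarded-For handling are assumptions of this example, not something ejabberd does.

```python
"""Derive a bannable, privacy-preserving anonymous username from a client IP.

Added example; not ejabberd code. The server secret, the trusted-proxy set
and the X-Forwarded-For handling below are assumptions of this example.
"""
import hashlib
import hmac
import ipaddress
import secrets
from typing import Optional, Set


def client_ip(peer_ip: str, forwarded_for: Optional[str], trusted_proxies: Set[str]) -> str:
    """Pick the address a session should be attributed to.

    For a direct c2s connection that is simply the peer address. For BOSH
    behind a reverse proxy the peer is the proxy itself, so walk the
    X-Forwarded-For list from the right and take the first hop that is not
    one of our own proxies. If the peer is not a trusted proxy the header is
    ignored entirely: any client can put whatever it likes in it.
    """
    if peer_ip not in trusted_proxies or not forwarded_for:
        return peer_ip
    hops = [h.strip() for h in forwarded_for.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed hop: stop trusting the header, fall back to the peer
        if hop not in trusted_proxies:
            return hop
    return peer_ip


def anonymous_username(ip: str, server_secret: bytes, tag_len: int = 8) -> str:
    """Username that is stable per client address but not reversible.

    IPv4: the first two octets stay in the clear, the last two are replaced
    by a truncated HMAC of the whole address under a server-side secret.
    IPv6: the first two 16-bit groups stay, the rest is hashed the same way.
    A keyed hash is used because the hidden part of an IPv4 address has only
    2^16 values; a plain hash of it could be brute-forced by anyone who can
    see the username.
    """
    addr = ipaddress.ip_address(ip)
    tag = hmac.new(server_secret, addr.packed, hashlib.sha256).hexdigest()[:tag_len]
    if addr.version == 4:
        o1, o2 = addr.packed[0], addr.packed[1]
        return f"{o1}-{o2}-{tag}"
    g1, g2 = addr.exploded.split(":")[:2]
    return f"{g1}-{g2}-{tag}"


def anonymous_jid(ip: str, host: str, server_secret: bytes) -> str:
    """Full JID in the requested shape: <derived user>@host/<random resource>."""
    return f"{anonymous_username(ip, server_secret)}@{host}/{secrets.token_hex(8)}"


if __name__ == "__main__":
    secret = secrets.token_bytes(32)  # in practice: a persistent per-server secret
    ip = client_ip("10.0.0.1", "1.2.3.4, 10.0.0.1", {"10.0.0.1"})
    print(anonymous_jid(ip, "example.org", secret))
```

The keyed HMAC rather than a plain hash is the point to notice: the hidden half of an IPv4 address has only 65,536 possible values, so an unkeyed hash of it could be reversed by anyone who sees the username, while under a server-side secret the username stays stable per address (so a room can ban it) without giving away the full address. The secret has to persist across restarts or every ban becomes void. The scheme identifies an address, not a person, so the proxy caveat raised later in the thread still applies.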
Posted: 17 November 2010 12:39 PM   [ # 1 ]
Moderator
Total Posts: 29
Joined 2007-11-26

Let’s imagine a user is connecting to your ejabberd server from IP 1.2.3.4. Each time he connects, ejabberd gives him a random username. Let’s imagine right now it has username ABCD.

You want ejabberd to set ABCD = 1.2.3.4 to let you know the user IP.

You can already know the user IP easily with two methods:

1. When the client logs in, ejabberd.log shows the IP address:
I(<0.495.0>:ejabberd_c2s:592) : ({socket_state,ejabberd_http_bind,
{http_bind,<0.494.0>,{{1,2,3,4},38717}},ejabberd_http_bind})
Accepted authentication for ABCD by ejabberd_auth_anonymous

2. If you install mod_admin_extra, you can perform calls like this while the user is connected:
$ ejabberdctl user_sessions_info ABCD localhost
http_bind   1.2.3.4     60348   8     ejabberd@localhost     26     xa     work   testingthis

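Method 1 above is a manual search of ejabberd.log. As an added example that is not part of the moderator's reply and not ejabberd code, the following Python parses records of the shape quoted there and maps each anonymous username to the peer address and port that authenticated it. SAMPLE_LOG is constructed: its first record is the one shown in the reply, the second is made up in the same shape.

```python
"""Map anonymous ejabberd logins to the peer address that made them.

Added example; not ejabberd code. SAMPLE_LOG is constructed: the first
record is the one quoted in the reply above, the second is made up in the
same shape.
"""
import re
from typing import Dict, Iterable, Optional

# Erlang prints a peer as {{A,B,C,D},Port}; the tuple may sit on its own line.
PEER_RE = re.compile(r"\{\{(\d+),(\d+),(\d+),(\d+)\},(\d+)\}")
ACCEPT_RE = re.compile(r"Accepted authentication for (\S+) by ejabberd_auth_anonymous")

SAMPLE_LOG = """\
I(<0.495.0>:ejabberd_c2s:592) : ({socket_state,ejabberd_http_bind,
{http_bind,<0.494.0>,{{1,2,3,4},38717}},ejabberd_http_bind})
Accepted authentication for ABCD by ejabberd_auth_anonymous
I(<0.612.0>:ejabberd_c2s:592) : ({socket_state,ejabberd_http_bind,
{http_bind,<0.611.0>,{{5,6,7,8},40001}},ejabberd_http_bind})
Accepted authentication for WXYZ by ejabberd_auth_anonymous
"""


def anonymous_logins(lines: Iterable[str]) -> Dict[str, str]:
    """Return {username: "ip:port"} for every anonymous login in the log.

    One c2s record spans several lines: the socket_state with the peer comes
    first and the 'Accepted authentication' line follows, so the most recently
    seen peer is attached to the next anonymous login and then discarded. This
    pairing assumes records are written one at a time, as in the shape above.
    """
    logins: Dict[str, str] = {}
    last_peer: Optional[str] = None
    for line in lines:
        peer = PEER_RE.search(line)
        if peer:
            a, b, c, d, port = peer.groups()
            last_peer = f"{a}.{b}.{c}.{d}:{port}"
        accepted = ACCEPT_RE.search(line)
        if accepted and last_peer:
            logins[accepted.group(1)] = last_peer
            last_peer = None  # consume it so a stray line cannot reuse it
    return logins


def peer_of(username: str, lines: Iterable[str]) -> Optional[str]:
    """The lookup the reply describes: which peer authenticated this username?"""
    return anonymous_logins(lines).get(username)


if __name__ == "__main__":
    for user, peer in anonymous_logins(SAMPLE_LOG.splitlines()).items():
        print(f"{user} <- {peer}")
```

Run it over a real ejabberd.log with `anonymous_logins(open("ejabberd.log"))`; only the `ejabberd_auth_anonymous` records are collected, so ordinary authenticated users never appear in the result.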
Posted: 17 November 2010 01:25 PM   [ # 2 ]
Newbie
Total Posts: 20
Joined 2010-07-28

Of course as a server owner I can determine and block users’ IPs right away, but what if I’m not the owner?
I would have to block the whole domain that provides anonymous access in case of abuse.
It is not a good solution if user inflow depends on that access,
and what is the purpose of a randomly generated ID not associated with any data at all?

Even if I’m the server owner, the requested feature will make abuse prevention much faster and easier.
Currently I would have to set the room to moderated or members-only, then look up the offending IP in the logs,
and with the proposed addition I could just block the IP.
Then remember about proxies: a knowledgeable abuser would use them to change his IP, and the effort of manually looking up and banning those IPs in the logs is comparable, while banning by IP right from the client interface makes the abuser’s life hard.

Posted: 17 November 2010 09:18 PM   [ # 3 ]
Moderator
Total Posts: 29
Joined 2007-11-26
Grom PE - 17 November 2010 01:25 PM

what is the purpose of a randomly generated ID not associated with any data at all?

I don’t know. Ask the protocol authors who wrote Example 9:
http://xmpp.org/extensions/xep-0175.html#example-9

Grom PE - 17 November 2010 01:25 PM

the requested feature will make abuse prevention much faster and easier.
with the proposed addition I could just block the IP.
...
Then remember about proxies: a knowledgeable abuser would use them to change his IP

Blocking by IP is a short-lived solution to fight abusers, because abusers will change the IP, as you already pointed out.

Anyway, if you formally report the feature request in the ejabberd bug tracker, then I’ll write a patch for you.
https://support.process-one.net/browse/EJAB

Posted: 18 November 2010 07:01 PM   [ # 4 ]
Moderator
Total Posts: 29
Joined 2007-11-26

Reported in: https://support.process-one.net/browse/EJAB-1352
