Where Is All The Jabber Spam?

2008-08-10

Over on the JUser discussion list, someone asked why there's less spam on the Jabber network than there is on the email network. I answered as follows:

I'll have to write a paper about this sometime, but here are some points to consider:

  1. In XMPP, the sender's address is not asserted by the sender's client but instead is stamped by the sender's server. So a client can't fake the "from" address. (Naturally if you run the server you could fake addresses at your domain, so as the admin of jabber.org I could send messages from any address at jabber.org -- but I can't fake messages from other domains, see #2.)

  2. In XMPP, servers check each other's identities, either through a DNS-based "dialback" protocol (RFC 3920 / XEP-0220) or real server certificates. So if I run a server at jabber.org I can't send messages putatively "from" microsoft.com or whitehouse.gov or whatever. (Also we don't have multi-hop routing, so modifications to the addresses can't happen between the sending server and receiving server.)

  3. So far, server dialback has been sufficient to prevent most address spoofing on the network, but we have a certificate authority in place (visit https://www.xmpp.net/ for details) and we could fairly easily upgrade the network to certificate-based authentication between servers if needed.

  4. XMPP is pure XML, and attackers can't easily attach malware like scripts and viruses to Jabber messages. This helps us avoid the unholy alliance between virus writers and spammers that has occurred on the email network.

  5. A great deal of email spam (or spam+malware) is directed against a single platform: Outlook running on Windows. In the XMPP world we have a much more diverse software ecosystem.

  6. In IM systems, people are accustomed to sharing presence / adding someone to their buddy list. There's less of a culture of "I must be able to accept messages from anyone in the world" as in email. You can say this is good or bad, but that's how it is -- so if someone bothers you, you can delete them from your friend list or block them at the server side (see RFC 3921 / XEP-0016) or the client side.

  7. All XMPP server codebases have rate limiting in place to prevent a single client from sending a large number of messages (especially a large number of large messages) in a short period of time.

  8. Although we have not seen very much one-to-one spam on the Jabber network (our biggest problem so far is abusive behavior in groupchat rooms), we are actively planning for the arrival of spam and have designed some spam-fighting measures such as challenge-response (CAPTCHA) forms to join groupchat rooms or add someone to your contact list -- see XEP-0158.

  9. IM systems have traditionally been quite fragmented (and in many ways still are -- as witness ICQ, AIM, MSN, Yahoo!, Skype, etc.) so there isn't the expectation that you'll necessarily be able to send a message to any random person on the Internet. This probably makes IM less appealing to spammers than email is. (Remember, spam is a matter of economics, and there may simply not be enough money to be made via IM.)

XMPP is not perfect. Spam is possible on our network, but it's not very easy. By design, spam is harder on the XMPP network than it is on the SMTP network, and if spam does start to occur more widely we will design and deploy even better spam-fighting tools (or, for instance, tighten up or turn off in-band registration, which is user-friendly but also makes it possible to create lots of accounts at multiple servers).

However, XMPP does not need to be perfect. You don't need to be the fastest antelope in the herd to avoid being eaten by the lion, you just need to be faster than the slow antelope who get caught.

Peter

UPDATE: A lively discussion has ensued on the list -- you can participate even without joining the list by visiting JabberForum.org. I've also received a number of private messages about the topic, so I may post about it again soon. :)


Peter Saint-Andre > Journal