Preventing spammers from abusing In-Band Registration in ejabberd

The scalable and powerful ejabberd has received a new feature for spam prevention: an optional CAPTCHA requirement for In-Band Registration.

ProcessOne

Anti-spam techniques and ease of use sometimes head in different directions. We added an option to ejabberd that will surely prevent some spammers from abusing an ejabberd system, possibly at a small cost in usability.

In-Band Registration (IBR)

XMPP/Jabber services sometimes offer “In-Band Registration” (IBR, XEP-0077) support, which lets any user create an account directly from an XMPP client in a single step. This is a very handy feature, since it simplifies account creation without the hassle of filling in a web form, confirming via email, and re-typing your information to finally log in. But while IBR is handy for legitimate users, it is equally easy for spammers and other abusive users.

As IBR support is optional in XMPP, some administrators have simply disabled it on their service. In that case they may have installed a web registration form with CAPTCHA support instead.

CAPTCHA support in IBR

The next ejabberd release will support CAPTCHA in IBR. The server administrator decides whether users must solve a CAPTCHA to register a new account.

The CAPTCHA image is displayed in the client's registration form if the client supports it. For older clients, a link to a web page is provided where users can see the image.
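As an added example (not part of the original post), the ejabberd.yml fragment below, in the YAML syntax of current releases, enables the CAPTCHA requirement for IBR and serves the fallback web page for clients that cannot show the image; the script path, host name and port are assumptions:

```yaml
# Added example, not from the original post. Paths, host and port are
# assumptions; adjust them to the deployment.

# Script that renders the CAPTCHA image (ejabberd ships one; path assumed).
captcha_cmd: /usr/share/ejabberd/captcha.sh

# Page where clients that cannot display the embedded image are sent.
# It must be reachable by users and is served by the handler below.
captcha_url: https://example.org:5280/captcha

# Cap CAPTCHA generations per minute so the image script cannot be
# used to exhaust server resources.
captcha_limit: 10

listen:
  -
    port: 5280
    module: ejabberd_http
    tls: true                   # certificates configured elsewhere (certfiles)
    request_handlers:
      /captcha: ejabberd_captcha

modules:
  mod_register:
    # Before: any client could register with no CAPTCHA.
    # captcha_protected: false
    # After: every in-band registration must solve a CAPTCHA first.
    captcha_protected: true
```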

Unfortunately, some clients don’t show the CAPTCHA image, nor the page link, so users can’t register the account in any way.

Check your client's support in the tracker issue, report any change in client support to us, and report missing support to your client's developers: EJAB-1262: Support CAPTCHA in In-Band Registration.

Conclusion

Of course CAPTCHA support will not completely stop spammers, but it raises the barrier and makes their life a bit more difficult.

ejabberd administrators decide whether or not to require a CAPTCHA from their new users. It is up to those running the IM service to strike the balance between ease of use and abuse prevention.