<abstract>This document specifies an XMPP protocol extension that entities may use to discover whether the sender of an XML stanza is a human user or a robot.</abstract>
<remark><p>Moved media element definition to XEP-0221; consistently used the terms sender and challenger rather than client and entity; modified provisional namespaces to adhere to XMPP Registrar policies; completed editorial review.</p></remark>
<p>The appearance of large public IM services based on &rfc3920; and &rfc3921; makes it desirable to implement protocols that <em>discourage</em> the sending of large quantities of instant messaging spam (a.k.a. "spim"). Spim could be generated by XMPP clients connected to legitimate servers or by XMPP servers with virtual clients, where the malicious entities are hosted on networks of "zombie" machines. Spim is defined here as any type of unsolicited XMPP stanza sent by a "robot" and delivered to a human, including messages and subscription requests. Spim has the potential to disrupt people even more than spam, because each message interrupts the receiver (humans typically filter SPAM in batch mode).</p>
<p>Several of the most effective techniques developed to combat SPAM require humans to be differentiated from bots using a "Completely Automated Public Turing Test to Tell Computers and Humans Apart" or CAPTCHA (see <<linkurl='http://www.captcha.net/'>http://www.captcha.net/</link>>). These challenge techniques are easily adapted to discourage spim. The very occasional inconvenience of responding to a CAPTCHA (e.g., when creating an IM account or sending a message to a new correspondent) is small and perfectly acceptable -- especially when compared to the countless robot-generated interruptions people might otherwise have to filter every day.</p>
<p>An alternative technique to CAPTCHAs requires Desktop PC clients to undertake a <spanclass='ref'>Hashcash</span><note>Hashcash <<linkurl='http://hashcash.org/'>http://hashcash.org/</link>>.</note> challenge. These are completely transparent to PC users. They require clients to perform specified CPU-intensive work, making it difficult to send large amounts of spim.</p>
<p>The generic challenge protocol described in this document is designed for incorporation into protocols such as &xep0077; and &xep0159;.</p>
<p>The CAPTCHAs in most common use today are Optical Character Recognition (OCR) challenges where an image containing deformed text is presented and the human enters the characters they can read. However, if OCR software advances more rapidly than the techniques used to disguise text from Artificial Intelligence (AI) then very different CAPTCHAs will need to be deployed. This protocol must be extensible enough to allow the incorporation of CAPTCHA techniques that may not have been envisaged.</p>
<p>Several common CAPTCHA techniques present major problems to users with disabilities (see &w3turingtest;). Clients running in constrained environments may not be able to perform some challenges (e.g., due to the absence of audio output or a lack of CPU performance). This protocol must allow clients to be offered a choice from a variety of challenges.</p>
<p>An entity (client or server) MAY send a challenge immediately after receiving a stanza from another entitiy. An entity MUST NOT send challenges under any other circumstances. Hereafter, the entity that generates the stanza that triggers the challenge is called the "sender" and the entity that sends the challenge is called the "challenger".</p>
<p>The challange consists of a message containing a form for the sender to fill out, formatted according to &xep0004;. Each of the challenge form's <field/> elements that are not hidden MAY contain a different challenge and any media required for the challenge (see &xep0221;). The hidden 'from' field MUST contain the value of the 'to' attribute of the sender's triggering stanza. If the stanza from the sender included an 'id' attribute then the hidden 'sid' field MUST be set to that value. The 'xml:lang' attribute of the challenge stanza SHOULD be the same as the one received from the sender. In accordance with &xep0068;, the hidden 'FORM_TYPE' field MUST have a value of "http://www.xmpp.org/extensions/xep-0158.html#ns" &NSNOTE;.</p>
<p>The challenger SHOULD include an explanation (in the &BODY; element) for clients that do not support this protocol. The challenger MAY also include a URL (typically a Web page with instructions) using &xep0066; as an alternative for clients that do not support the challenge form. Note: Even if it provides a URL, a challenger MUST always provide a challenge form. <note>A constrained client, like a mobile phone, cannot present a Web page to its user.</note></p>
<examplecaption='Challenge Offers a Choice of Challenges to Sender'><![CDATA[
<li>If it has not recently sent (e.g., in the last two minutes) a stanza to the JID specified in the 'from' field of the form with the 'id' specified in the 'sid' field (or with no 'id' if no 'sid' field is included). <note>Otherwise the user's presence would be disclosed, or a spim robot might dupe the user into providing answers to other people's challenges!</note></li>
<li>If the 'from' attribute of the challenge stanza does not match the 'from' field of the form. (If the values are different, then they still match if the bare JIDs are the same, or if the 'from' attribute is the domain of the other JID.)</li>
<p>Otherwise, if the challenger provided a URL using <cite>Out-of-Band Data</cite>, then the sender's client MAY present the URL to the sender, instead of responding to the challenge form, in any of the following cases:</p>
<li>The challenger did not send the specified challenge. <note>If the challenger is a client then it SHOULD be careful not to leak information about the presence of the sender and reply to potentially bogus challenge responses with exactly the same XML that its server would send if the sender were offline.</note></li>
<li>The sender already submitted its response to this challenge.</li>
<li>The sender took too long to submit its response.</li>
<p>However, if the sender submits an incorrect response the challenger SHOULD send it a ¬acceptable; error with type "cancel": <note>If a large proportion of the responses a server is receiving from another IP are incorrect then it SHOULD inform the administrator of the other server using the protocol specified in &xep0161;. It SHOULD also automatically block all stanzas from the abusive user, users, server or IP.</note></p>
<examplecaption='Challenger Tells Sender it Failed'><![CDATA[
<p>The challenger may demand responses to more than one of the challenges it is offering by including an 'answers' <field/> element in the form. It may require responses to particular challenges by including <required/> elements in the compulsory fields.</p>
<p>If the sender finds the request acceptable, it MUST answer all challenges that include a <required/> element. If the total number of answers was specified and it is greater than the number of <required/> elements then the sender MUST also answer one or more of the challenges without a <required/> element. In the example above, the sender should respond to the 'qa' challenge <em>and</em> one of the other challenges ('ocr', 'audio_recog' or 'SHA-256').</p>
<examplecaption='Sender Sends Multiple Responses to the Challenger'><![CDATA[
<p>This section shows how challenges SHOULD be combined with the existing registration protocol according to the rules defined in the Extensibility section of <cite>In-Band Registration</cite>. Note: The <challenge/> wrapper element is not required.</p>
<examplecaption='Entity Requests Registration Fields from Host'><![CDATA[
<iqtype='get'xml:lang='en'id='reg1'>
<queryxmlns='jabber:iq:register'/>
</iq>
]]></example>
<p>Note that the challenge form MUST be inside the &QUERY; element, and the server's challenge ID is specified within the form:</p>
<examplecaption='Host Returns Registration and Challenge Fields to Entity'><![CDATA[
To register, visit http://www.victim.com/register.html
</instructions>
<xxmlns='jabber:x:oob'>
<url>http://www.victim.com/register.html</url>
</x>
</query>
</iq>
]]></example>
<p>The server MAY include an <instructions/> element and a URL using <cite>Out-of-Band Data</cite> (e.g., a web page) in the &QUERY; element (see example above). <cite>In-Band Registration</cite> recommends that the challenger SHOULD submit the completed x:data form, however if it does not understand the form, then it MAY present the instructions and the included URL to the user instead of providing the required information in-band.</p>
<examplecaption='Entity Provides Required Information In-Band'><