Receiving MSN Messenger spam despite privacy setting "Only Allow Contacts On My Contact List"

[chaosrob]

Receiving occasional (2x/day) MSN Messenger spam despite privacy setting "Only Allow Contacts On My Contact List." Seems to be ignoring the privacy setting for my MSN Messenger account. Running Adium 1.3.2b2 on Mac OS X 10.5.5, on a MacBook Pro dual core.

[felipec]

Not related to msn-pecan.

[Dimmuxx]

Search your debug log and tell me what number you get after "privacyOptions are" for your msn account. Adium Menu -> Debug Window -> Log to file

[iamtheari]

I have a similar problem. I get a number of people who must think I am someone I am not, constantly sending me messages in unknown foreign languages and buzzing me for my attention. They are not on my contact list and I have my MSN privacy set to only allow people on my list. This behavior is consistent from 1.3.0 through 1.3.2.

[Robby]

Hello iamtheari, we need the information Dimmuxx asked for to do anything about the problem. Could you provide it?

[iamtheari]

Do you want me to grab a beta with debugging enabled or would it be better for me to grab the svn and build it? Either one works for me and I'd be glad to help squash this one - believe me, I'd be glad to help!

[Dimmuxx]

The CurrentAdiumDebug should do fine.

[Robby]

Cool, great to hear to that!
Everything you need to you about debugging Adium you will probably find at the CurrentAdiumDebug wiki entry. It also contains a link to a debug version of 1.3.2. :)
Thanks in advance for your help!

Edit: Oh, Dimmuxx got here first, heh.

[iamtheari]

I forgot that you guys switched to Xcode 3. I'm a poor Tiger user, so I grabbed the debug 1.3.2. privacyOptions are 5.

And I've debugged Adium before - even hacked at the code a bit a year or two ago. But it's not enough reason to upgrade to Leopard. ;)

[Robby]

Heh, I'm on Tiger as well. Checking out the 1.3 branch works fine.
Oh, you're Ari Johnson, I thought I had seen your nick somewhere, I just verified it was on the mailing list. ;)

[iamtheari]

Checking out, sure, but I think you need Xcode 3 and Leopard to build the thing. And yeah, I was on the mailing list at some point but I cut down on my mailing list subscriptions.

[Robby]

Building works, too, sorry for the Tracspam. :P

[Dimmuxx]

I have 5 too so that doesn't seem to be a problem then. I thought it might have been an issue with the gui->libpurple interaction, but guess not then.

I think that libpurple let messages sent as offline message through for blocked contacts(maybe everyone?) though so maybe the spam is being sent as offline messages. It seems that the client has to filter these since the server doesn't from the information I have been gathering.

[iamtheari]

I don't know about spam, but I do know that this privacy status does not work for me to block some legitimate users. There are a number of users from whom I receive messages and they are not spam, just misguided attempts to contact people who must have similar MSN account names to mine. I will keep running the debug build until I receive another message like that so I can see if anything new comes up in the debug log.

One thought I've had is that these could be people who contacted me before I switched to this privacy method instead of "block specific contacts" and that somehow their accounts got marked in such a way that MSN or Adium thinks they are on my contact list. I do not know how I can test that, though.

[Dimmuxx]

iamtheari: Do you get BLP * BL in your log or BLP * AL? (* = some number)

[iamtheari]

My debug log has zero hits for BLP, with an immediately recent MSN login.

[Dimmuxx]

Hmm, that doesn't make sense since you should always send that to the server when you login.

[iamtheari]

Okay, I tried again and did spot a BLP item. "BLP 8 BL". Following that, I get quite a few "Passport: xxxxxx@…, type: Y" with Y either 0 or 1, interspersed with mostly list_op lines. There is one for the person who most recently was able to contact me despite not being on my list. Searching my list with Adium does not find that address, though. This person is also apparently in the SOAP exchanges on login. Perhaps my bug is unrelated and has to do with contact list management?

[Dimmuxx]

If the server responds with the same message S: instead of C: then it should only allow users on your allow/contact list.

When you recieve a message from somebody that's not in your contact list do you see anything about oim(offline message) in the debug log?

[iamtheari]

This time, I get the following exchange:

11:02:44: (Libpurple: msn) C: NS 000: BLP 8 BL 11:02:44: (Libpurple: msn) S: NS 000: BLP 8 BL 11:02:45: (Libpurple: msn) C: NS 000: BLP 14 BL 11:02:45: (Libpurple: msn) S: NS 000: BLP 14 BL

I do not have a second MSN account to test with but will watch for anyone getting through again.

[iamtheari]

I am attaching a log from 13 seconds before I got some spam through the end of entries possibly related to the spam. I replaced my address with MYADDRESS@… and his address with SPAMMERADDRESS@…. Maybe someone can glean some insight.

[Dimmuxx]

iamtheari: Did you see the BLP * BL when you logged in on the session that you got spam and are you 100% sure that the contact is not on your contact or allow list?

[iamtheari]

Yes to BLP * BL and yes to 100% certain that this contact does not appear in my Adium buddy list. I have no allow list because I have my privacy setting for MSN set to only allow people on my buddy list.

[Dimmuxx]

Okay, but the setting only allow people on my buddy list adds everyone on your contact list to your allow list so you must have plenty of people on that list.

[iamtheari]

These contacts have never been on my contact list and have never been on my allow list.

[Dimmuxx]

I wonder why the server is still sending you the messages then since BLP * BL means that the server should block them but for some reason it doesn't do it.

[iamtheari]

Is it possible that Adium has somehow added contacts to my allow list even though they are not on my buddy list? I mentioned this possibility earlier, see my 10/12/2008 11:45:15 AM message. I do not know if the contact who was able to send me the message that I uploaded the log from is in those parts of the log, nor do I know what those various log messages indicate.

[Dimmuxx]

Well check your allow list and see if the contact is in it. Privacy Options... -> Allow only certain contacts will show you your allow list.

[iamtheari]

Some (I do not have time to check for all) of the contacts who have contacted me despite not being on my buddy list are in fact in the allow list as reported by Adium. However, I absolutely would not have explicitly added any of them to that list. I have never used that privacy method in any MSN client since I opened my account. I have also not used any other MSN clients apart from Adium since before first communication from some of these contacts. I am left believing that only Adium could have added them and that it did so without my knowledge or direction.

Regardless, though, I feel it is intensely confusing why that list would be respected when the privacy options are set to only allow contacts on my buddy list. These are mutually exclusive privacy options in the user interface of every MSN client I've seen, Adium included, but evidently they do not actually perform as the UI indicates they do. Does that make sense?

[Dimmuxx]

MSN the protocol doesn't have any option that only allows people in your contact list to contact you. It uses a block list and an allow list.

If you select "allow anyone" you will still get messages from people in your block list. (I'm not 100% certain if you will get messages from blocked contacts but I think so. The blocked contacts won't see your status though)

If you select "block certain contacts" then you won't recieve messages from people in your block list.

If you select "only allow certain contacts" you will only get messages from those in your allow list.

If you select "allow only contact on my contact list", Adium will add all your contacts to the allow list and then use the privacy level explained above. It will never remove contacts though so that is why you still can get messages from people who are not in your contact list.

I close this ticket now and until someone can prove that they indeed got a message from someone who is not in the allow list when using "Only allow Contacts On My Contact List" it will remain closed.

If Adium is indeed adding people to the allow list then that's another bug but I don't think that it does. You might have logged in on a friend's computer who had a trojan or something that added spambots to your allow list.

[felipec]

libpurple sucks regarding to privacy stuff. It has been a to-do thing for years.

Only 'block certain contacts' and 'allow certain contacts' really apply to MSN.

And those only apply to online visibility, and of course you can't send a message to someone you can't see.

Offline messaging is another thing.

[iamtheari]

As I indicated, these are all contacts whose first attempt to communicate me occurred more recently than when I switched to only use Adium. I never sign on from a friend's computer or using any other client. I can absolutely guarantee that Adium added these contacts to my allow list.

One thought is that, perhaps, they were blocked when I was using "block certain contacts" and then, when I switched to "allow only contacts on my list", I engaged in the OCD behavior of removing them from the block list. Does Adium or MSN perhaps automatically add people to the allow list when you remove them from the block list?

At any rate, that would be a separate bug and I can test it separately and file it if it indeed is the case. I just wanted to clarify these issues for anyone reading this bug report later on so that, if they are in my situation, they don't re-open it.