XMPP Service Operators - 2018-11-14

yes

same for me

draugr.de, unstable.nl...

looks like I'll have to put some more servers on the blacklist

edhelas: did you contact the admins?

:3 natuulijk

edhelas: and the spam continued because they did nothing so off to the ban list? Hmmm

for now I just contacted them

let's see

but if I still have spam

then it's blacklist yes

I've got a spam escalation process of: 1. try to contact server admin (XEP-0157, website), wait up to a week 2. contact the server IP abuse department, wait up to two weeks 3. blacklist the server (not yet implemented)

Also an internal spam tracking tool

it's not perfect yet, but it allows tracking progress of the domain and IP admins.

Also could somebody please report 0nl1ne.cc and blackjabber.cc to leaseweb abuse, because they are only forwarding my reports to the server owners instead of shutting the f***ing spam boxes down.

blackjabber.cc is blacklisted

edhelas: according to the Manifesto, I'd like to maintain a common and public list of blacklisted domains, including at least a reference to the previous escalation process

is this list somewhere ?

the issue about exposing that list is that the spammers can easily know how to circumvent it :)

edhelas: circumvent it by... going to other unmaintained IBR-enabled servers?

edhelas, I meant spammy IBR registrations, not spam from other servers.

Link Mauve: what's the difference?

Even though the former is probably the first step to the latter.

Ge0rG, one happens on my server and I can block it immediately, the other will go on for years.

Link Mauve: just put your own domain on the blocklist. All problems solved.

IBR registration is just not a good idea to me anymore

not without at least a captcha or something like that

edhelas, CAPTCHA doesn’t do anything.

We didn’t have fewer successful account creation before we disabled it.

And as a user it’s painful for no benefit.

(Except to Google.)

I'm wondering if in the process of checking if a server is "spam risky" or not, having IBR enabled would not lower the score automatically

edhelas: I run an IBR server and have got zero spam bot registrations in the last three months or so, because I'm preventing most spam delivery

They don’t seem to know that about my server.

ingress spam stats from last two weeks on yax.im: messages bots domain ---------- ---------- ------------------------------------ 5741 1153 otr.chat 3742 1403 0nl1ne.cc 3661 1738 blackjabber.cc 2974 2268 jabberes.org 2968 917 aquilius.de 1438 555 jabber.ipredator.se 1372 982 legalize.li 1353 523 fin77.info 1282 473 kommandostab.de 1216 605 jabber.sampo.ru

what tool are you using to detect spam ? it's with ejabberd ?

edhelas: it's based on prosody mod_firewall

Error> No Contact Addresses for otr.chat

Let me say it again, force "OMEMO on for the first message"...zero spam until they implement it in all sorts of bot clients ;) then we reap the benefits of free libs :D

Licaon_Kter, zero message from most of my users either then.

You could as well block s2s with me.

Clearer...unless it answers in the first message with captcha or 1+1=2 any messages (not to admin) are blocked.

is there a website on otr.chat? I'm on a limited wifi currently

Yes, but An error occurred during a connection to otr.chat. SSL received a record that exceeded the maximum permissible length. Error code: SSL_ERROR_RX_RECORD_TOO_LONG

Link Mauve: why? No Gajim? No Converse? No ChatSecure? No Dino?

Licaon_Kter: "zero communication until everybody leaves XMPP"

Link Mauve: not s2s...not sure you got my idea

Licaon_Kter, there are some Gajim and some Conversations, the other ones you quoted are insignifiants in my client stats, and most messages are using OTR or plain text.

Link Mauve: I understand your point about IBR being painful for users, but if you're saying it's not painful for today's spammers I think that's just plain wrong.

Heck, there are more messages sent using legacy PGP than with OMEMO.

Holger, CAPTCHA*.

Link Mauve: ok, and it kills them to enable OMEMO for 1 message?

Licaon_Kter: a security question would be a good trade-off between just blocking everything incoming and a proper spam filter

Link Mauve: Indeed :-)

Licaon_Kter, probably yes.

Ge0rG: yes... That..but I upped the hardness by OMEMO...

Holger: IBR is painful for users?

Link Mauve: oh Fffs go back to Watsayp

Ge0rG: CAPTCHA.

Licaon_Kter, see https://stats.jabberfr.org/d/000000002/jabberfr?panelId=36&fullscreen&orgId=1 for live message statistics.

Licaon_Kter, why would I tell that to my users?

Link Mauve: I didn't say that

(You can Ctrl-click on the yellow “message” at the bottom to only see statistics about messages with a body-like element being transferred.)

Link Mauve: but I had my share of captchas and really....I'm fedup with those too.

Link Mauve: ctrl on mobile? Yeah

is there anybody in this room actually doing something against spam? reporting abuse to server admins / hosting companies? making usable plugins or filters?

Ge0rG, I am.

okay, otr.chat has hello@otr.chat as the contact email. Dumped the JID list to them.