XMPP Service Operators - 2019-12-11

Ge0rG: https://github.com/JabberSPAM/jabber-spam-fighting-manifesto/pull/23

atom: TEN we have TENNNNN

Licaon_Kter: 10 out of 10 is >80%

~80% let's be honest here

Licaon_Kter: statistics show a clear misunderstanding of the purpose of the manifest.

_"10 out of 10 agree with atom"_

Licaon_Kter: you are witty, but your jokes do not solve the problem.

> Licaon_Kter: statistics show a clear misunderstanding of the purpose of the manifest. Why don't you help to clarify it?

What is the point they get wrong?

atom: what is the problem? As Martin said, effing add a PR and clarify it instead of "omg delete github" reaction that 404 has

Licaon_Kter: the problem is that the manifest is bad. it does not include a list of all manifest compliant servers. the list of servers subscribing by manifest becomes scapegoats.

atom: are you the new 404city support? ✏

atom: you know there's *another* list with the actual blocked servers, right?

This is just a page with "I agree spam is bad"....and nothing else

> scapegoats Scapegoats for what?

Licaon_Kter: Communities of servers such as blabber and disroot use the manifesto to criticize that all signatories want to enter registration by phone number and for block competitors' servers.

The manifest is bad because it allows such interpretations.

i am quite sure muppeth never said that

perflyst: ask him to sign the manifesto, he will refuse.

yes, for good reasons

but i will put my hand for him in fire that he never said that all servers on the list will block any servers which not on the list nor forcing phone number

> This is just a page with "I agree spam is bad"....and nothing else I understand this, others do not understand.

> but i will put my hand for him in fire that he never said that all servers on the list will block any servers which not on the list nor forcing phone number This is what users of his server and his community say.he does not sign the manifesto for this reason.

the manifest in the form in which it exists is unnecessary and harmful. Did the manifest win spam? - not. Did he create a bunch of criticism? - Yes

atom: > Communities of servers such as blabber and disroot use the manifesto to criticize that all signatories want to enter registration by phone number and for block competitors' servers. Links? Pics? Provide some effing evidence...e

Competitors? Wtf?

Licaon_Kter: I have no purpose to convince you. If you are looking for evidence, you will find it yourself by creating a discussion.

> the manifest in the form in which it exists is unnecessary and harmful. Did the manifest win spam? - not. Did he create a bunch of criticism? - Yes People following the manifesto got spamming servers operators improve their spammer detection, countless spammers were deleted and some abandoned servers even shut down. It's progress. What did you expect? Spam instantly stopping from one day to another? It's a continuous process.

Martin: spammers create accounts not on shabby servers, but on active servers. how will the manifest help from spam if the spammer creates an 100 000 account on yax.im?

yax.im is good at detecting spammy behavior so they go for easier victims.

Martin: I got spam from yax.im

can happen, nothing is perfect but that is why contact addresses exist

spammers receive $ 50-100 for spam mailings. New domain price $ 1

I haven't had outgoing spam on yax.im in over a year. And before that, I was really fast at finding the accounts and deleting them.

the price for 1000 captcha is also 1 dollar

atom: you've created the discussion. You don't have any evidence. I know there was controversy about the manifesto, but not in the ways you argue

Ge0rG: I do not have s2s for about a year. therefore, I have not received spam from yax.im for about a year.

atom: so you tell me you received a spam message from yax.im once, and now it's your proof of the manifesto not working?

> I have no purpose to convince you. If you are looking for evidence, you will find it yourself by creating a discussion. Why not put theis evidence there on Github instead of coming down the mountain with *"TEN"* in your hands?

> atom: are you the new 404city support or PR or socket puppet or?

Ge0rG: I do not argue about the manifesto.I suggest to execute pull request.

Ge0rG: https://github.com/JabberSPAM/jabber-spam-fighting-manifesto/pull/23

Licaon_Kter: yes

> Ge0rG: I do not have s2s for about a year. therefore, I have not received spam from yax.im for about a year. so 404city users and the other way cannot chat with yax.im users?

Nice anti spam

perflyst: yes, sadly

rather i would get spam than not being able to chat with someone

Ge0rG: wait...so he bans server willynilly then comes to github to take the manifesto down? Hypocrisy much?

Licaon_Kter: it's not a ban, we just have different opinions on which ciphers are secure

perflyst, 404 (support ECC & RSA) <=> yax.im (support RSA)

so 404 to yaxim works as you support "old" RSA and new ecc?

or what do you wanna say

404 use ECC

even if the receiving server extremly unsecure, dont you want as admin the best server support? i mean normally you also allow weak ciphers on email so nobody has issues with any old shitty remote server

what is the & for?

perflyst, 404.city (ECC&RSA) => (conected) => yax.im (RSA) . Yax.im (RSA) = (no connected) = 404.city (ECC)

so yaxims openssl (?) is old or what is the issue?

or does yaxim manually forbids curves?

perflyst: I don't trust into ECDSA

ok, so basically you are blocking it?

because ECC is a "standard" and anyone can use it

perflyst, Yax.im server policy does not allow any ECC servers

I've enabled ECDSA now.

just so my users can keep sending spam to atom

Ge0rG: 👍

good choice :)

Ge0rG, 👍

Luckly there's no manifesto to keep you in check anymore, go ahead, by bold Ge0rG

ECDSA is one of the worst crypto algorithms in modern use

lets dont discuss this, this will not end good

atom: but you are the smartest of all. you still keep fighting spam, and doing what the manifesto tells, but you are not listed any more! :D

(disroot does the same, ironically)

BTW, there seems to be a new spam haven, exlpoit.im

(note the typo)

Ge0rG: they're just a victim of your evil manifesto!!!!111

speaking of which... my top 10 spam servers by number of messages in the last two weeks: messages bots domain ---------- ---------- ------------------------------------ 342 256 jabber.ipredator.se 334 303 darkengine.biz 326 264 xmpp.su 313 2 exlpoit.im 302 273 jabber.no 278 263 jabber.sibnet.ru 192 182 bytesund.biz 185 170 jabber.vikings.net 174 156 resolution1.net 158 153 ajabber.me

1 bot = 1 messenges

Ge0rG: nice bots

atom: 1 bot 156 messages

Other servers

no spam from 404.city because no s2s ;)

xmpp.is recently deleted 100,000 account created per day. xmpp.is use captcha

how recently?

yow

my last spam from them was Nov 28th

yow stpeter

;-)

I disabled in-band 404.city to combat spam

I've heard spammers also use web registration

Ge0rG, Yes, spammers can bypass Google captcha and regular captcha Ejabberd and Prosody.

>Ge0rG‎: how recently? About a month ago

atom: can you tell the date? > my last spam from them was Nov 28th

> Ge0rG, Yes, spammers can bypass Google captcha and regular captcha Ejabberd and Prosody. 🤔

Hmm nay

Maybe regular

Ge0rG: https://xmpp.is/2019/10/17/registrations-closed-once-again/

Maybe regular

At this time Prosody stable does not support SNI in their HTTP library. I have enabled Google’s captcha but it will not work without SNI support from Prosody. Please see this tweet for further details:

Uh?

That doesnt make sense... 🤣

Because no spam bot on xmpp can solve recaptcha

Recaptcha can be bought from India

Ge0rG: "chingalini" human solving yay 🤓

Too much money for xmpp

How much?

Again the more I read the more *PEBCAK* resonates impedingly in my mind

I don't know how much money people pay for XMPP spam vs. email spam....

stpeter: too much, nothing pierced through mod_spim_block from when I implemented reCAPTCHA, and for nothing I mean nothing

Not even just mail verification for IBR

atom: get Maranda, the enemy of privacy, asking for email

Right

And use recaptcha

And sending stuff to evil google

> And use recaptcha 💖💋

Hey, I can't even solve reCaptcha, so it must be gud

Licaon_Kter: well it works

It's numbers (for now) not xml confettis 🤷🏼‍♂️

I'm not doing any of those, but spammers on my server won't ever reach their audience, and get deleted promptly. And my users can just simply do IBR

Recaptcha is useful when adding contacts or first sending messages. Recaptcha at registration is ineffective. https://rucaptcha.com/ $0.60 = 1000 recaptcha solution

Interesting. That makes sense.

Martin: https://xmpp.is/2019/10/20/registrations-are-back-again/

?

just a response to your last link, I think

Aaand?

Martin: and reCaptcha saves the day

Ge0rg wanted to know when they deleted spammers, not when they added recaptcha…

Martin: right, just that it seemed they're given up

So it's time to report to them again

> Ge0rg wanted to know when they deleted spammers, not when they added recaptcha… Martin: Use backup before mass bot registration

?

I don't have registry open.

Martin: incorrectly translated you

What? Just restore from backup and lose everything that happened after it?

Ge0rG: yes. xmpp.is used backup for delete 100 000 bot account

Because you can't just delete them?

I think this server has a daily backup

That doesn't matter

atom, but that doesn't work, *coughs*

Why was recaptcha chosen over any other captcha system?

tom, because it's the only one that _does something_?

What is does something?

I don't understand

the opposite of _does nothing_

I don't understand

🤷‍♂️

tom: not bypassed

Perhaps your doing something wrong them. The whole point of captchas are to stop bots

> Why was recaptcha chosen over any other captcha system? recaptcha is a good captcha, but it is powerless against schoolchildren introducing captcha for 1 dollar per month.

» recaptcha is a good captcha It is really not in my experience. For one it false-positives 90% of the time if your not signed into a Google account or using a Google branded browser, it also leaks your metadata to Google which use it in nefarious ways which may not always be GDPR compliant or follow the correct privacy laws per jurisdiction, and a lot of people are not comfortable or OK with helping Google replace drivers with AI or listening to random audio recordings from people's homes.

And other times it will just decide that it does not like you and make you infinitely solve visual puzzles

tom: recaptcha has translation into all languages ​​of the world

Recaptcha is especially a problem for the handicapped, and a lot of the times it will not let you solve audio based captchas

Not to mention you must ping google to even load the javascript in, which is a privacy hazard in of itself

> it also leaks your metadata to Google which use it in nefarious ways huhu care elaborating which such important metadata does it leak to google that it could use in such "nefarious" ways please?

tom: recaptcha is a good captcha for stop bots, because it is not able to be solved by a bot.I'm talking about technology. google good or evil is a separate issue.

It's not able to be solved by non-google using people either

people have to pay for solving captcha. if you need to enter a lot of captchas, the cost rises.

plus it slows down mass mailing. the number of people deciding on captcha is also limited.

There are plenty of replacement captcha services and self hosted solutions, as well as protocol-level options such as rate-limiting certain endpoints per ip range

And adaptive intrusion prevention systems

even a simple captcha will cause problems for spammers if they receive it when adding a contact.

Just slapping a javascript captcha on something, and the worse one at that doesn't just *reduce* the amount of bots, it also reduces your legitimate traffic, angers users, and violates their privacy by allowing information disclosure to third parties

I run ecommerce websites. There's a lot more at stake when your dealing with actual money is products than just a message passing system that can be used for spam

tom: what other measures do you offer besides captcha?

Huhu

atom: today's xmpp spam can be easily detected and blocked without any captcha

contains russian, contains something about coins and telegram links → spam

Martin: these are popular topics of discussion among Russians

Ok, a message containing all three things can be a normal message?

Martin: Some spam bots divide one message into several and even lead a simple dialogue. Now this type of spam bots has become less popular.

atom: the worst one so far just sent different versions of "hello" and spammed you when you responded

Ge0rG: yes

But I've only seen one such bot, with a single JID. Easy to block again

Oh I've seen several of those.

stpeter: please tell me their JIDs

In the future I will. I didn't note them before.