jdev - 2023-06-24


  1. edhelas

    MattJ so I was finally able to do it "properly" looks like :)

  2. MattJ

    Yay :)

  3. edhelas

    ejabberd still has its weird bug but at least I can fall back to a full manual config if it fails

  4. edhelas

    Mhhh wait, got some ejabberd troubles...

  5. techmetx11

    i'm considering that maybe it was a mistake to make in-band registering way too easy

  6. techmetx11

    some XMPP servers, if not most, lack even the simplest form of spam reduction, like email verification

  7. techmetx11

    and that makes it easy to use servers as a weapon for mass-spamming

  8. singpolyma

    You mean like IP based throttling or something?

  9. techmetx11

    not IP based throttling

  10. techmetx11

    additional verification on in-band registration

  11. singpolyma

    Really, setting up a server is so easy that one doesn't need IBR to spam anyway. Most important thing is spam controls at the receiver

  12. singpolyma

    techmetx11: oh, yes, I see you said email verification I missed that

  13. techmetx11

    right now, registering an account is as easy as connecting to a server

  14. techmetx11

    sending a form

  15. techmetx11

    and boom, you have an account

  16. singpolyma

    I mean, getting an email address is pretty trivial also, no?

  17. techmetx11

    and this isn't a theoretical thing, this has been abused by spammers

  18. lovetox

    i think Metronome IM supports email verification

  19. techmetx11

    singpolyma: no

  20. singpolyma

    We've had people buy dozens of domains in order to set up servers with thousands of JIDs to attack us

  21. Zash

    We (Prosody) think invites is the solution: https://blog.prosody.im/great-invitations/

  22. Zash

    Also see https://snikket.org/

  23. lovetox

    but techmetx11 i banned today 300 spam accounts from our gitlab instance

  24. lovetox

    and it has captcha, and email verification .. so

  25. Zash

    techmetx11, https://yaxim.org/blog/2017/12/22/spam-reduction-on-yax-dot-im/ might be of interest

  26. singpolyma

    lovetox: right. Everything is only a tarpit. *Maybe* it would have been 3000 instead of 300 without those

  27. techmetx11

    singpolyma: yes

  28. techmetx11

    just today, yax.im got 3000 spam accounts registered

  29. singpolyma

    Ultimately when it comes to spam receiver side is very important though, since anyone can run a source with any policies, including the spammers themselves

  30. techmetx11

    with hex JIDs

  31. techmetx11

    because their in-band registration form is too simple

  32. techmetx11

    honestly, there's no way to protect XMPP from spammers, except going with the same ideas email did

  33. singpolyma

    What's the big problem with that though? Wastes some storage in their servers, a bit of bandwidth

  34. singpolyma

    What's the big problem with that though? Wastes some storage in their servers, a bit of bandwidth

  35. techmetx11

    singpolyma: email servers getting filled with spammers, only wasted some storage in their servers and a bit of bandwidth too

  36. techmetx11

    but it ruins the entire network

  37. singpolyma

    I don't see how it has any effect on the network

  38. lovetox

    yes but there is no super good solution, every network deals with it

  39. singpolyma

    Again, spammers have no trouble running their own server

  40. lovetox

    i think server operators need to have monitoring and do a good job

  41. lovetox

    no other way around it

  42. lovetox

    3000 account registrations tells me there are easy solutions

  43. singpolyma

    Maybe we should force them to run their own server when we can, but once we do we still have to deal with that

  44. lovetox

    like monitor if there are more than 20 registrations in half a day

  45. techmetx11

    singpolyma: yes, that's why email went strict

  46. lovetox

    turn registration off for 6 hours

  47. lovetox

    and review

  48. techmetx11

    like if your server doesn't have reverse hostname, DKIM verification, etc.

  49. singpolyma

    Email has other problems because until recently they had no way to know who even sent a message and still don't always

  50. Zash

    singpolyma, requires hardware, requires DNS, requires certs, requires time. bots running on compromised PCs are cheap.

  51. techmetx11

    no servers will take your data

  52. singpolyma

    techmetx11: sure, we already have all of that in XMPP except the PTR check

  53. singpolyma

    DKIM/SPF equivalents are built in

  54. techmetx11

    singpolyma: but spammers don't have to do that

  55. techmetx11

    they can just flock to some obscure XMPP server

  56. techmetx11

    like anonym.im

  57. techmetx11

    or some shit, and use it to spam MUCs

  58. Zash

    Then bother the admin of those servers until they clean up, if they don't put them on https://github.com/JabberSPAM/blacklist and block them everywhere

  59. MSavoritias (fae,ve)

    the thing is solutions exist. but it will make sign up not as easy as it is now

  60. singpolyma

    > singpolyma, requires hardware, requires DNS, requires certs, requires time. bots running on compromised PCs are cheap.

    Yeah, it's a small increased cost for sure. It might slow some down

  61. Zash

    singpolyma, have never heard of any spammer running their own server so far

  62. singpolyma

    I just think with limited resources better to work on the thing we will 100% need (receiver side) rather than the thing which may help a little (sender side)

  63. singpolyma

    Zash: like I said, JMP has had dozens to a hundred unique domains and XMPP servers created to spam us in the past

  64. Zash

    singpolyma, I have the exact opposite impression

  65. singpolyma

    We blocked several whole TLDs for a while while working on solutions

  66. Zash

    Maybe the public server operators are doing a good enough job by now.

  67. Zash

    I haven't seen spam in what feels like years

  68. singpolyma

    Email spammers of course are almost all running their own servers these days because of the tighter access controls for signup at most hosts

  69. singpolyma

    I get spam every day. But less than I used to because of all my filters

  70. Zash

    I can't remember seeing spam from a spam domain either, only compromised servers or compromised end user machines using domains without SPF

  71. Zash

    and Google

  72. Zash

    and Microsoft

  73. Zash

    90% of email spam I get now is from Google and Microsoft, and they pass *all* the SPF and DKIM and whatever checks

  74. singpolyma

    It is more and more from Google isn't it? No idea what's going on there

  75. singpolyma

    I'm certainly not against sender side stuff if it helps operators, I just can't imagine it being a substitute for receiver side

  76. singpolyma

    Anyone can have a server with working SSL and DNS up in minutes if they know anything on any cloud provider with free DNS

  77. techmetx11

    Zash: usually in email spammers, it's a different case

  78. singpolyma

    And then rotate the DNS name with a few button clicks

  79. techmetx11

    there are entire projects, where email servers work together

  80. Zash

    I'm in the camp of:
    - Make sure the few servers with open registration enabled keep on top of the spam
    - Have lots and lots of small invite-only servers where spammers can't create any account at all

  81. techmetx11

    and report spam coming from IP addresses, not domains

  82. Zash

    Of course, if it becomes more economical to run their own servers, spammers will do so

  83. techmetx11

    it's called Project Honeypot or something

  84. singpolyma

    > Of course, if it becomes more economical to run their own servers, spammers will do so

    You can do it for free already. Just need to know how.

  85. singpolyma

    I'd be happy to have something like a list of known-good servers that are invite-only or else a list of servers and what their access controls are. Could be useful to relax stuff receiver side

  86. singpolyma

    I maintain a very short such list already, but maybe something more complete would be worth trying

  87. Zash

    `spamsolutions.txt`

  88. singpolyma

    Well, it would have to be a vetted list since any spammer can just put a spamsolutions.txt on their server ;)

  89. Zash

    No I mean the line in that file like "whitelists suck"

  90. techmetx11

    maybe Project Honeypot needs a new category... Bad XMPP Hosts

  91. singpolyma

    We have the block list already for actual spam-only servers