jdev - 2023-06-24

MattJ so I was finally able to do it "properly" looks like :)

Yay :)

ejabberd still have their weird bug but at least I can fallback to a full manual config if it fails

Mhhh wait, got some ejabberd troubles...

i'm considering that maybe it was a mistake to make in-band registering way too easy

some XMPP servers, if not most, lack even the most simplest form of spam reduction, like email verification

and makes it easy to use servers as a weapon for mass-spamming

You mean like IP based throttling or something?

not IP based throttling

additional verification on in-band registration

Really, setting up a server is so easy than one doesn't need IBR to spam anyway. Most important thing is spam controls at the receiver

techmetx11: oh, yes, I see you said email verification I missed that

right now, registering an account is as easy as connecting to a server

sending a form

and boom, you have an account

I mean, getting an email address is pretty trivial also, no?

and this isn't a theoritical thing, this has been abused by spammers

i think Metronome IM supports email verification

singpolyma: no

We've had people buy dozens of domains in order to set up servers with thousands of JIDs to attack us

We (Prosody) think invites is the solution: https://blog.prosody.im/great-invitations/

Also see https://snikket.org/

but techmetx11 i banned today 300 spam accounts from our gitlab instance

and it has captcha, and email verification .. so

techmetx11, https://yaxim.org/blog/2017/12/22/spam-reduction-on-yax-dot-im/ might be of interest

lovetox: right. Everything is only a tarpit. *Maybe* it would have been 3000 instead of 300 without those

singpolyma: yes

just today, yax.im got 3000 spam accounts registered today

Ultimately when it comes to spam receiver side is very important though, since anyone can run a source with any policies, including the spammers themselves

with hex JIDs

because their in-band registration form is too simple

honestly, there's no way to protect XMPP from spammers, except going with the same ideas email did

What's the big problem with that though? Wastes some storage in their servers, a bit of bandwidth ✏

singpolyma: email servers getting filled with spammers, only wasted some storage in their servers and a bit of bandwidth too

but it ruins the entire network

I don't see how it has any effect on the network

yes but there is no super good solution, every network deals with it

Again, spammers have no trouble running their own serverr

i think server operator needs to have monitoring and do a good job

no other way around it

3000 account registrations tells me there are easy solutions

Maybe we should force them to run their own server when we can, but once we do we still have to deal with that

like monitor if there are more than 20 registrations in half a day

singpolyma: yes, that's why email went strict

turn registration off for 6 hourse

and review

like if your server doesn't have reverse hostname, DKIM verification, etc.

Email has other problems because until recently they had no way to know who even sent a message and still don't always

singpolyma, requires hardware, requires DNS, requires certs, requires time. bots running on compromised PCs are cheap.

no servers will take your data

techmetx11: sure, we already have all of that in XMPP except the PTR check

DKIM/SPF equivalents are built in

singpolyma: but spammers don't have to do that

they can just flock to some obscure XMPP server

like anonym.im

or some shit, and use it to spam MUCs

Then bother the admin of those servers until they clean up, if they don't put them on https://github.com/JabberSPAM/blacklist and block them everywhere

the thing is solutions exist. but it will make sign up not as easy as it is now

> singpolyma, requires hardware, requires DNS, requires certs, requires time. bots running on compromised PCs are cheap. Yeah, it's a small increased cost for sure. It might slow some down ↺

singpolyma, have never heard of any spammer running their own server so far

I just think with limited resources better to work on the thing we will 100% need (receiver side) rather than the thing which may help a little (sender side)

Zash: like I said, JMP has had dozens to a hundred unique domains and XMPP severs created to spam us in the past

singpolyma, I have the exact opposite impression

We blocked several whole TLDs for awhile while working on solutions

Maybe the public server operators are doing a good enough job by now.

I haven't seen spam in what feels like years

Email spammers of course are almost all running their own servers these days because of the tighter access controls for signup at most hosts

I get spam every day. But less than I used to because of all my filters

I can't remember seeing spam from a spam domain either, only compromised servers or compromised end user machines using domains without SPF

and Google

and Microsoft

90% of email spam I get now are from Google and Microsoft, and they pass *all* the SPF and DKIM and whatever checks

It is more and more from google isn't it? No idea what's going on there

I'm certainly not against sender side stuff if it helps operators, I just can't imagine it being a substitute for receiver side

Anyone can have a server with working ssl and DNS up in minutes if they know anything on any cloud provider with free dns

Zash: usually in email spammers, it's a different case

And then rotate the DNS name with a few button clicks

there are entire projects, where email servers work together

I'm in the camp of - Make sure the few servers with open registration enabled keep on top of the spam - Have lots and lots of small invite-only servers where spammers can't create any account at all

and report spam coming from IP addresses, not domains

Of course, if it becomes more economical to run their own servers, spammers will do so

it's calle Project Honeypot or something

> Of course, if it becomes more economical to run their own servers, spammers will do so You can do it for free already. Just need to know how. ↺

It'd be happy to have something like a list of known-good servers that are invite-only or else a list of servers and what their access controls are. Could be useful to relax stuff receiver side

I maintain a very short such list already, but maybe something more complete would be worth trying

`spamsolutions.txt`

Well, it would have to be a vetted list since any spammer can just put a spamsolutions.txt on their server ;)

No I mean the line in that file like "whitelists suck"

maybe Project Honeypot needs a new category... Bad XMPP Hosts

We have the block list already for actually spam only servers