-
atom
Ge0rG: https://github.com/JabberSPAM/jabber-spam-fighting-manifesto/pull/23
-
Licaon_Kter
atom: TEN we have TENNNNN
-
atom
Licaon_Kter: 10 out of 10 is >80%
-
Licaon_Kter
~80% let's be honest here
-
atom
Licaon_Kter: statistics show a clear misunderstanding of the purpose of the manifest.
-
Licaon_Kter
_"10 out of 10 agree with atom"_
-
atom
Licaon_Kter: you are witty, but your jokes do not solve the problem.
-
Martin
> Licaon_Kter: statistics show a clear misunderstanding of the purpose of the manifest.
Why don't you help to clarify it?
-
Martin
What is the point they get wrong?
-
Licaon_Kter
atom: what is the problem? As Martin said, effing add a PR and clarify it instead of "omg delete github" reaction that 404 has
-
atom
Licaon_Kter: the problem is that the manifest is bad. it does not include a list of all manifest compliant servers. the list of servers subscribing by manifest becomes scapegoats.
-
perflyst
atom: are you new 404city support?
-
perflyst
atom: are you the new 404city support?
-
Licaon_Kter
atom: you know there's *another* list with the actual blocked servers, right?
-
Licaon_Kter
This is just a page with "I agree spam is bad"....and nothing else
-
Martin
> scapegoats
Scapegoats for what?
-
atom
Licaon_Kter: Communities of servers such as blabber and disroot use the manifesto to criticize that all signatories want to enter registration by phone number and for block competitors' servers.
-
atom
The manifest is bad because it allows such interpretations.
-
perflyst
i am quite sure muppeth never said that
-
atom
perflyst: ask him to sign the manifesto, he will refuse.
-
perflyst
yes, for good reasons
-
perflyst
but i will put my hand for him in fire that he never said that all servers on the list will block any servers which not on the list nor forcing phone number
-
atom
> This is just a page with "I agree spam is bad"....and nothing else
I understand this, others do not understand.
-
atom
> but i will put my hand for him in fire that he never said that all servers on the list will block any servers which not on the list nor forcing phone number
This is what users of his server and his community say. He does not sign the manifesto for this reason.
-
atom
the manifest in the form in which it exists is unnecessary and harmful. Did the manifest win spam? - not. Did he create a bunch of criticism? - Yes
-
Licaon_Kter
atom: > Communities of servers such as blabber and disroot use the manifesto to criticize that all signatories want to enter registration by phone number and for block competitors' servers.
Links? Pics? Provide some effing evidence...
-
Licaon_Kter
Competitors? Wtf?
-
atom
Licaon_Kter: I have no purpose to convince you. If you are looking for evidence, you will find it yourself by creating a discussion.
-
Martin
> the manifest in the form in which it exists is unnecessary and harmful. Did the manifest win spam? - not. Did he create a bunch of criticism? - Yes
People following the manifesto got spamming servers operators improve their spammer detection, countless spammers were deleted and some abandoned servers even shut down. It's progress. What did you expect? Spam instantly stopping from one day to another? It's a continuous process.
-
atom
Martin: spammers create accounts not on shabby servers, but on active servers. how will the manifest help from spam if the spammer creates an 100 000 account on yax.im?
-
Martin
yax.im is good at detecting spammy behavior so they go for easier victims.
-
atom
Martin: I got spam from yax.im
-
perflyst
can happen, nothing is perfect but that is why contact addresses exist
-
atom
spammers receive $ 50-100 for spam mailings. New domain price $ 1
-
Ge0rG
I haven't had outgoing spam on yax.im in over a year. And before that, I was really fast at finding the accounts and deleting them.
-
atom
the price for 1000 captcha is also 1 dollar
-
Ge0rG
atom: you've created the discussion. You don't have any evidence. I know there was controversy about the manifesto, but not in the ways you argue
-
atom
Ge0rG: I do not have s2s for about a year. therefore, I have not received spam from yax.im for about a year.
-
Ge0rG
atom: so you tell me you received a spam message from yax.im once, and now it's your proof of the manifesto not working?
-
Licaon_Kter
> I have no purpose to convince you. If you are looking for evidence, you will find it yourself by creating a discussion.
Why not put this evidence there on Github instead of coming down the mountain with *"TEN"* in your hands?
-
Licaon_Kter
> atom: are you the new 404city support or PR or socket puppet or?
-
atom
Ge0rG: I do not argue about the manifesto. I suggest to execute pull request.
-
atom
Ge0rG: https://github.com/JabberSPAM/jabber-spam-fighting-manifesto/pull/23
-
atom
Licaon_Kter: yes
-
perflyst
> Ge0rG: I do not have s2s for about a year. therefore, I have not received spam from yax.im for about a year.
so 404city users and the other way cannot chat with yax.im users?
-
perflyst
Nice anti spam
-
Ge0rG
perflyst: yes, sadly
-
perflyst
rather i would get spam than not being able to chat with someone
-
Licaon_Kter
Ge0rG: wait...so he bans server willynilly then comes to github to take the manifesto down? Hypocrisy much?
-
Ge0rG
Licaon_Kter: it's not a ban, we just have different opinions on which ciphers are secure
-
atom
perflyst, 404 (support ECC & RSA) <=> yax.im (support RSA)
-
perflyst
so 404 to yaxim works as you support "old" RSA and new ecc?
-
perflyst
or what do you wanna say
-
atom
404 use ECC
-
perflyst
even if the receiving server extremely unsecure, don't you want as admin the best server support? i mean normally you also allow weak ciphers on email so nobody has issues with any old shitty remote server
-
perflyst
what is the & for?
-
atom
perflyst, 404.city (ECC&RSA) => (connected) => yax.im (RSA). Yax.im (RSA) = (no connected) = 404.city (ECC)
-
perflyst
so yaxims openssl (?) is old or what is the issue?
-
perflyst
or does yaxim manually forbids curves?
-
Ge0rG
perflyst: I don't trust into ECDSA
-
perflyst
ok, so basically you are blocking it?
-
perflyst
because ECC is a "standard" and anyone can use it
-
atom
perflyst, Yax.im server policy does not allow any ECC servers
-
Ge0rG
I've enabled ECDSA now.
-
Ge0rG
just so my users can keep sending spam to atom
-
Licaon_Kter
Ge0rG: 👍
-
perflyst
good choice :)
-
atom
Ge0rG, 👍
-
Licaon_Kter
Luckily there's no manifesto to keep you in check anymore, go ahead, be bold Ge0rG
-
Ge0rG
ECDSA is one of the worst crypto algorithms in modern use
-
perflyst
let's not discuss this, this will not end well
-
Ge0rG
atom: but you are the smartest of all. you still keep fighting spam, and doing what the manifesto tells, but you are not listed any more! :D
-
perflyst
(disroot does the same, ironically)
-
Ge0rG
BTW, there seems to be a new spam haven, exlpoit.im
-
Ge0rG
(note the typo)
-
Licaon_Kter
Ge0rG: they're just a victim of your evil manifesto!!!!111
-
Ge0rG
speaking of which... my top 10 spam servers by number of messages in the last two weeks:
  messages        bots  domain
----------  ----------  ------------------------------------
       342         256  jabber.ipredator.se
       334         303  darkengine.biz
       326         264  xmpp.su
       313           2  exlpoit.im
       302         273  jabber.no
       278         263  jabber.sibnet.ru
       192         182  bytesund.biz
       185         170  jabber.vikings.net
       174         156  resolution1.net
       158         153  ajabber.me
-
atom
1 bot = 1 message
-
Licaon_Kter
Ge0rG: nice bots
-
Licaon_Kter
atom: 1 bot 156 messages
-
atom
Other servers
-
Ge0rG
no spam from 404.city because no s2s ;)
-
atom
xmpp.is recently deleted 100,000 account created per day. xmpp.is use captcha
-
Ge0rG
how recently?
-
stpeter
yow
-
Ge0rG
my last spam from them was Nov 28th
-
Ge0rG
yow stpeter
-
stpeter
;-)
-
atom
I disabled in-band 404.city to combat spam
-
Ge0rG
I've heard spammers also use web registration
-
atom
Ge0rG, Yes, spammers can bypass Google captcha and regular captcha Ejabberd and Prosody.
-
atom
> Ge0rG: how recently?
About a month ago
-
Ge0rG
atom: can you tell the date?
> my last spam from them was Nov 28th
-
Maranda
> Ge0rG, Yes, spammers can bypass Google captcha and regular captcha Ejabberd and Prosody.
🤔
-
Maranda
Hmm nay
-
Maranda
Maybe regular
-
Martin
Ge0rG: https://xmpp.is/2019/10/17/registrations-closed-once-again/
-
Maranda
At this time Prosody stable does not support SNI in their HTTP library. I have enabled Google’s captcha but it will not work without SNI support from Prosody. Please see this tweet for further details:
-
Maranda
Uh?
-
Maranda
That doesn't make sense... 🤣
-
Maranda
Because no spam bot on xmpp can solve recaptcha
-
Ge0rG
Recaptcha can be bought from India
-
Maranda
Ge0rG: "chingalini" human solving yay 🤓
-
Maranda
Too much money for xmpp
-
stpeter
How much?
-
Maranda
Again the more I read the more *PEBCAK* resonates impedingly in my mind
-
stpeter
I don't know how much money people pay for XMPP spam vs. email spam....
-
Maranda
stpeter: too much, nothing pierced through mod_spim_block from when I implemented reCAPTCHA, and for nothing I mean nothing
-
Maranda
Not even just mail verification for IBR
-
Licaon_Kter
atom: get Maranda, the enemy of privacy, asking for email
-
Maranda
Right
-
Ge0rG
And use recaptcha
-
Maranda
And sending stuff to evil google
-
Maranda
> And use recaptcha
💖💋
-
Licaon_Kter
Hey, I can't even solve reCaptcha, so it must be gud
-
Maranda
Licaon_Kter: well it works
-
Maranda
It's numbers (for now) not xml confettis 🤷🏼‍♂️
-
Ge0rG
I'm not doing any of those, but spammers on my server won't ever reach their audience, and get deleted promptly. And my users can just simply do IBR
-
atom
Recaptcha is useful when adding contacts or first sending messages. Recaptcha at registration is ineffective. https://rucaptcha.com/ $0.60 = 1000 recaptcha solution
-
stpeter
Interesting. That makes sense.
-
Licaon_Kter
Martin: https://xmpp.is/2019/10/20/registrations-are-back-again/
-
Martin
?
-
louiz’
just a response to your last link, I think
-
Martin
Aaand?
-
Licaon_Kter
Martin: and reCaptcha saves the day
-
Martin
Ge0rg wanted to know when they deleted spammers, not when they added recaptcha…
-
Licaon_Kter
Martin: right, just that it seemed they've given up
-
Ge0rG
So it's time to report to them again
-
atom
> Ge0rg wanted to know when they deleted spammers, not when they added recaptcha…
Martin: Use backup before mass bot registration
-
Martin
?
-
Martin
I don't have registry open.
-
atom
Martin: incorrectly translated you
-
Ge0rG
What? Just restore from backup and lose everything that happened after it?
-
atom
Ge0rG: yes. xmpp.is used backup for delete 100 000 bot account
-
Ge0rG
Because you can't just delete them?
-
atom
I think this server has a daily backup
-
Ge0rG
That doesn't matter
-
Maranda
atom, but that doesn't work, *coughs*
-
tom
Why was recaptcha chosen over any other captcha system?
-
Maranda
tom, because it's the only one that _does something_?
-
tom
What is does something?
-
tom
I don't understand
-
Maranda
the opposite of _does nothing_
-
tom
I don't understand
-
Maranda
🤷‍♂️
-
Licaon_Kter
tom: not bypassed
-
tom
Perhaps you're doing something wrong then. The whole point of captchas is to stop bots
-
atom
> Why was recaptcha chosen over any other captcha system?
recaptcha is a good captcha, but it is powerless against schoolchildren introducing captcha for 1 dollar per month.
-
tom
» recaptcha is a good captcha
It is really not in my experience. For one it false-positives 90% of the time if you're not signed into a Google account or using a Google branded browser, it also leaks your metadata to Google which use it in nefarious ways which may not always be GDPR compliant or follow the correct privacy laws per jurisdiction, and a lot of people are not comfortable or OK with helping Google replace drivers with AI or listening to random audio recordings from people's homes.
-
tom
And other times it will just decide that it does not like you and make you infinitely solve visual puzzles
-
atom
tom: recaptcha has translation into all languages of the world
-
tom
Recaptcha is especially a problem for the handicapped, and a lot of the times it will not let you solve audio based captchas
-
tom
Not to mention you must ping google to even load the javascript in, which is a privacy hazard in and of itself
-
Maranda
> it also leaks your metadata to Google which use it in nefarious ways
huhu care elaborating which such important metadata does it leak to google that it could use in such "nefarious" ways please?
-
atom
tom: recaptcha is a good captcha for stop bots, because it is not able to be solved by a bot. I'm talking about technology. google good or evil is a separate issue.
-
tom
It's not able to be solved by non-google using people either
-
atom
people have to pay for solving captcha. if you need to enter a lot of captchas, the cost rises.
-
atom
plus it slows down mass mailing. the number of people deciding on captcha is also limited.
-
tom
There are plenty of replacement captcha services and self hosted solutions, as well as protocol-level options such as rate-limiting certain endpoints per ip range
-
tom
And adaptive intrusion prevention systems
-
atom
even a simple captcha will cause problems for spammers if they receive it when adding a contact.
-
tom
Just slapping a javascript captcha on something, and the worse one at that doesn't just *reduce* the amount of bots, it also reduces your legitimate traffic, angers users, and violates their privacy by allowing information disclosure to third parties
-
tom
I run ecommerce websites. There's a lot more at stake when you're dealing with actual money is products than just a message passing system that can be used for spam
-
atom
tom: what other measures do you offer besides captcha?
- Maranda still didn't get an answer.
-
Maranda
Huhu
-
Ge0rG
atom: today's xmpp spam can be easily detected and blocked without any captcha
-
Martin
contains russian, contains something about coins and telegram links → spam
-
atom
Martin: these are popular topics of discussion among Russians
-
Martin
Ok, a message containing all three things can be a normal message?
-
atom
Martin: Some spam bots divide one message into several and even lead a simple dialogue. Now this type of spam bots has become less popular.
-
Ge0rG
atom: the worst one so far just sent different versions of "hello" and spammed you when you responded
-
atom
Ge0rG: yes
-
Ge0rG
But I've only seen one such bot, with a single JID. Easy to block again
-
stpeter
Oh I've seen several of those.
-
Ge0rG
stpeter: please tell me their JIDs
-
stpeter
In the future I will. I didn't note them before.