XMPP Service Operators - 2019-12-11


  1. atom

    Ge0rG: https://github.com/JabberSPAM/jabber-spam-fighting-manifesto/pull/23

  2. Licaon_Kter

    atom: TEN we have TENNNNN

  3. atom

    Licaon_Kter: 10 out of 10 is >80%

  4. Licaon_Kter

    ~80% let's be honest here

  5. atom

    Licaon_Kter: statistics show a clear misunderstanding of the purpose of the manifest.

  6. Licaon_Kter

    _"10 out of 10 agree with atom"_

  7. atom

    Licaon_Kter: you are witty, but your jokes do not solve the problem.

  8. Martin

    > Licaon_Kter: statistics show a clear misunderstanding of the purpose of the manifest.

    Why don't you help to clarify it?

  9. Martin

    What is the point they get wrong?

  10. Licaon_Kter

    atom: what is the problem? As Martin said, effing add a PR and clarify it instead of "omg delete github" reaction that 404 has

  11. atom

    Licaon_Kter: the problem is that the manifest is bad. it does not include a list of all manifest compliant servers. the list of servers subscribing by manifest becomes scapegoats.

  12. perflyst

    atom: are you new 404city support?

  13. perflyst

    atom: are you the new 404city support?

  14. Licaon_Kter

    atom: you know there's *another* list with the actual blocked servers, right?

  15. Licaon_Kter

    This is just a page with "I agree spam is bad"....and nothing else

  16. Martin

    > scapegoats

    Scapegoats for what?

  17. atom

    Licaon_Kter: Communities of servers such as blabber and disroot use the manifesto to criticize that all signatories want to enter registration by phone number and for block competitors' servers.

  18. atom

    The manifest is bad because it allows such interpretations.

  19. perflyst

    i am quite sure muppeth never said that

  20. atom

    perflyst: ask him to sign the manifesto, he will refuse.

  21. perflyst

    yes, for good reasons

  22. perflyst

    but i will put my hand for him in fire that he never said that all servers on the list will block any servers which not on the list nor forcing phone number

  23. atom

    > This is just a page with "I agree spam is bad"....and nothing else

    I understand this, others do not understand.

  24. atom

    > but i will put my hand for him in fire that he never said that all servers on the list will block any servers which not on the list nor forcing phone number

    This is what users of his server and his community say. he does not sign the manifesto for this reason.

  25. atom

    the manifest in the form in which it exists is unnecessary and harmful. Did the manifest win spam? - not. Did he create a bunch of criticism? - Yes

  26. Licaon_Kter

    atom:

    > Communities of servers such as blabber and disroot use the manifesto to criticize that all signatories want to enter registration by phone number and for block competitors' servers.

    Links? Pics? Provide some effing evidence...e

  27. Licaon_Kter

    Competitors? Wtf?

  28. atom

    Licaon_Kter: I have no purpose to convince you. If you are looking for evidence, you will find it yourself by creating a discussion.

  29. Martin

    > the manifest in the form in which it exists is unnecessary and harmful. Did the manifest win spam? - not. Did he create a bunch of criticism? - Yes

    People following the manifesto got spamming servers operators improve their spammer detection, countless spammers were deleted and some abandoned servers even shut down. It's progress. What did you expect? Spam instantly stopping from one day to another? It's a continuous process.

  30. atom

    Martin: spammers create accounts not on shabby servers, but on active servers. how will the manifest help from spam if the spammer creates an 100 000 account on yax.im?

  31. Martin

    yax.im is good at detecting spammy behavior so they go for easier victims.

  32. atom

    Martin: I got spam from yax.im

  33. perflyst

    can happen, nothing is perfect but that is why contact addresses exist

  34. atom

    spammers receive $ 50-100 for spam mailings. New domain price $ 1

  35. Ge0rG

    I haven't had outgoing spam on yax.im in over a year. And before that, I was really fast at finding the accounts and deleting them.

  36. atom

    the price for 1000 captcha is also 1 dollar

  37. Ge0rG

    atom: you've created the discussion. You don't have any evidence. I know there was controversy about the manifesto, but not in the ways you argue

  38. atom

    Ge0rG: I do not have s2s for about a year. therefore, I have not received spam from yax.im for about a year.

  39. Ge0rG

    atom: so you tell me you received a spam message from yax.im once, and now it's your proof of the manifesto not working?

  40. Licaon_Kter

    > I have no purpose to convince you. If you are looking for evidence, you will find it yourself by creating a discussion.

    Why not put this evidence there on Github instead of coming down the mountain with *"TEN"* in your hands?

  41. Licaon_Kter

    > atom: are you the new 404city support or PR or socket puppet or?

  42. atom

    Ge0rG: I do not argue about the manifesto. I suggest to execute pull request.

  43. atom

    Ge0rG: https://github.com/JabberSPAM/jabber-spam-fighting-manifesto/pull/23

  44. atom

    Licaon_Kter: yes

  45. perflyst

    > Ge0rG: I do not have s2s for about a year. therefore, I have not received spam from yax.im for about a year.

    so 404city users and the other way cannot chat with yax.im users?

  46. perflyst

    Nice anti spam

  47. Ge0rG

    perflyst: yes, sadly

  48. perflyst

    rather i would get spam than not being able to chat with someone

  49. Licaon_Kter

    Ge0rG: wait...so he bans server willynilly then comes to github to take the manifesto down? Hypocrisy much?

  50. Ge0rG

    Licaon_Kter: it's not a ban, we just have different opinions on which ciphers are secure

  51. atom

    perflyst, 404 (support ECC & RSA) <=> yax.im (support RSA)

  52. perflyst

    so 404 to yaxim works as you support "old" RSA and new ecc?

  53. perflyst

    or what do you wanna say

  54. atom

    404 use ECC

  55. perflyst

    even if the receiving server extremely unsecure, don't you want as admin the best server support? i mean normally you also allow weak ciphers on email so nobody has issues with any old shitty remote server

  56. perflyst

    what is the & for?

  57. atom

    perflyst, 404.city (ECC&RSA) => (connected) => yax.im (RSA) . Yax.im (RSA) = (no connected) = 404.city (ECC)

  58. perflyst

    so yaxims openssl (?) is old or what is the issue?

  59. perflyst

    or does yaxim manually forbid curves?

  60. Ge0rG

    perflyst: I don't trust into ECDSA

  61. perflyst

    ok, so basically you are blocking it?

  62. perflyst

    because ECC is a "standard" and anyone can use it

  63. atom

    perflyst, Yax.im server policy does not allow any ECC servers

  64. Ge0rG

    I've enabled ECDSA now.

  65. Ge0rG

    just so my users can keep sending spam to atom

  66. Licaon_Kter

    Ge0rG: 👍

  67. perflyst

    good choice :)

  68. atom

    Ge0rG, 👍

  69. Licaon_Kter

    Luckily there's no manifesto to keep you in check anymore, go ahead, be bold Ge0rG

  70. Ge0rG

    ECDSA is one of the worst crypto algorithms in modern use

  71. perflyst

    let's not discuss this, this will not end well

  72. Ge0rG

    atom: but you are the smartest of all. you still keep fighting spam, and doing what the manifesto tells, but you are not listed any more! :D

  73. perflyst

    (disroot does the same, ironically)

  74. Ge0rG

    BTW, there seems to be a new spam haven, exlpoit.im

  75. Ge0rG

    (note the typo)

  76. Licaon_Kter

    Ge0rG: they're just a victim of your evil manifesto!!!!111

  77. Ge0rG

    speaking of which... my top 10 spam servers by number of messages in the last two weeks:

        messages   bots       domain
        ---------- ---------- ------------------------------------
        342        256        jabber.ipredator.se
        334        303        darkengine.biz
        326        264        xmpp.su
        313        2          exlpoit.im
        302        273        jabber.no
        278        263        jabber.sibnet.ru
        192        182        bytesund.biz
        185        170        jabber.vikings.net
        174        156        resolution1.net
        158        153        ajabber.me

  78. atom

    1 bot = 1 message

  79. Licaon_Kter

    Ge0rG: nice bots

  80. Licaon_Kter

    atom: 1 bot 156 messages

  81. atom

    Other servers

  82. Ge0rG

    no spam from 404.city because no s2s ;)

  83. atom

    xmpp.is recently deleted 100,000 account created per day. xmpp.is use captcha

  84. Ge0rG

    how recently?

  85. stpeter

    yow

  86. Ge0rG

    my last spam from them was Nov 28th

  87. Ge0rG

    yow stpeter

  88. stpeter

    ;-)

  89. atom

    I disabled in-band 404.city to combat spam

  90. Ge0rG

    I've heard spammers also use web registration

  91. atom

    Ge0rG, Yes, spammers can bypass Google captcha and regular captcha Ejabberd and Prosody.

  92. atom

    > Ge0rG: how recently?

    About a month ago

  93. Ge0rG

    atom: can you tell the date?

    > my last spam from them was Nov 28th

  94. Maranda

    > Ge0rG, Yes, spammers can bypass Google captcha and regular captcha Ejabberd and Prosody.

    🤔

  95. Maranda

    Hmm nay

  96. Maranda

    Maybe regular

  97. Martin

    Ge0rG: https://xmpp.is/2019/10/17/registrations-closed-once-again/

  98. Maranda

    Maybe regular

  99. Maranda

    At this time Prosody stable does not support SNI in their HTTP library. I have enabled Google’s captcha but it will not work without SNI support from Prosody. Please see this tweet for further details:

  100. Maranda

    Uh?

  101. Maranda

    That doesn't make sense... 🤣

  102. Maranda

    Because no spam bot on xmpp can solve recaptcha

  103. Ge0rG

    Recaptcha can be bought from India

  104. Maranda

    Ge0rG: "chingalini" human solving yay 🤓

  105. Maranda

    Too much money for xmpp

  106. stpeter

    How much?

  107. Maranda

    Again the more I read the more *PEBCAK* resonates impedingly in my mind

  108. stpeter

    I don't know how much money people pay for XMPP spam vs. email spam....

  109. Maranda

    stpeter: too much, nothing pierced through mod_spim_block from when I implemented reCAPTCHA, and for nothing I mean nothing

  110. Maranda

    Not even just mail verification for IBR

  111. Licaon_Kter

    atom: get Maranda, the enemy of privacy, asking for email

  112. Maranda

    Right

  113. Ge0rG

    And use recaptcha

  114. Maranda

    And sending stuff to evil google

  115. Maranda

    > And use recaptcha

    💖💋

  116. Licaon_Kter

    Hey, I can't even solve reCaptcha, so it must be gud

  117. Maranda

    Licaon_Kter: well it works

  118. Maranda

    It's numbers (for now) not xml confettis 🤷🏼‍♂️

  119. Ge0rG

    I'm not doing any of those, but spammers on my server won't ever reach their audience, and get deleted promptly. And my users can just simply do IBR

  120. atom

    Recaptcha is useful when adding contacts or first sending messages. Recaptcha at registration is ineffective. https://rucaptcha.com/ $0.60 = 1000 recaptcha solution

  121. stpeter

    Interesting. That makes sense.

  122. Licaon_Kter

    Martin: https://xmpp.is/2019/10/20/registrations-are-back-again/

  123. Martin

    ?

  124. louiz’

    just a response to your last link, I think

  125. Martin

    Aaand?

  126. Licaon_Kter

    Martin: and reCaptcha saves the day

  127. Martin

    Ge0rg wanted to know when they deleted spammers, not when they added recaptcha…

  128. Licaon_Kter

    Martin: right, just that it seemed they've given up

  129. Ge0rG

    So it's time to report to them again

  130. atom

    > Ge0rg wanted to know when they deleted spammers, not when they added recaptcha…

    Martin: Use backup before mass bot registration

  131. Martin

    ?

  132. Martin

    I don't have registry open.

  133. atom

    Martin: incorrectly translated you

  134. Ge0rG

    What? Just restore from backup and lose everything that happened after it?

  135. atom

    Ge0rG: yes. xmpp.is used backup for delete 100 000 bot account

  136. Ge0rG

    Because you can't just delete them?

  137. atom

    I think this server has a daily backup

  138. Ge0rG

    That doesn't matter

  139. Maranda

    atom, but that doesn't work, *coughs*

  140. tom

    Why was recaptcha chosen over any other captcha system?

  141. Maranda

    tom, because it's the only one that _does something_?

  142. tom

    What is does something?

  143. tom

    I don't understand

  144. Maranda

    the opposite of _does nothing_

  145. tom

    I don't understand

  146. Maranda

    🤷‍♂️

  147. Licaon_Kter

    tom: not bypassed

  148. tom

    Perhaps you're doing something wrong then. The whole point of captchas is to stop bots

  149. atom

    > Why was recaptcha chosen over any other captcha system?

    recaptcha is a good captcha, but it is powerless against schoolchildren introducing captcha for 1 dollar per month.

  150. tom

    > recaptcha is a good captcha

    It is really not in my experience. For one it false-positives 90% of the time if you're not signed into a Google account or using a Google branded browser, it also leaks your metadata to Google which use it in nefarious ways which may not always be GDPR compliant or follow the correct privacy laws per jurisdiction, and a lot of people are not comfortable or OK with helping Google replace drivers with AI or listening to random audio recordings from people's homes.

  151. tom

    And other times it will just decide that it does not like you and make you infinitely solve visual puzzles

  152. atom

    tom: recaptcha has translation into all languages of the world

  153. tom

    Recaptcha is especially a problem for the handicapped, and a lot of the times it will not let you solve audio based captchas

  154. tom

    Not to mention you must ping google to even load the javascript in, which is a privacy hazard in of itself

  155. Maranda

    > it also leaks your metadata to Google which use it in nefarious ways

    huhu care elaborating which such important metadata does it leak to google that it could use in such "nefarious" ways please?

  156. atom

    tom: recaptcha is a good captcha for stop bots, because it is not able to be solved by a bot. I'm talking about technology. google good or evil is a separate issue.

  157. tom

    It's not able to be solved by non-google using people either

  158. atom

    people have to pay for solving captcha. if you need to enter a lot of captchas, the cost rises.

  159. atom

    plus it slows down mass mailing. the number of people deciding on captcha is also limited.

  160. tom

    There are plenty of replacement captcha services and self hosted solutions, as well as protocol-level options such as rate-limiting certain endpoints per ip range

  161. tom

    And adaptive intrusion prevention systems

  162. atom

    even a simple captcha will cause problems for spammers if they receive it when adding a contact.

  163. tom

    Just slapping a javascript captcha on something, and the worse one at that doesn't just *reduce* the amount of bots, it also reduces your legitimate traffic, angers users, and violates their privacy by allowing information disclosure to third parties

  164. tom

    I run ecommerce websites. There's a lot more at stake when you're dealing with actual money is products than just a message passing system that can be used for spam

  165. atom

    tom: what other measures do you offer besides captcha?

  166. Maranda still didn't get an answer.

  167. Maranda

    Huhu

  168. Ge0rG

    atom: today's xmpp spam can be easily detected and blocked without any captcha

  169. Martin

    contains russian, contains something about coins and telegram links → spam

  170. atom

    Martin: these are popular topics of discussion among Russians

  171. Martin

    Ok, a message containing all three things can be a normal message?

  172. atom

    Martin: Some spam bots divide one message into several and even lead a simple dialogue. Now this type of spam bots has become less popular.

  173. Ge0rG

    atom: the worst one so far just sent different versions of "hello" and spammed you when you responded

  174. atom

    Ge0rG: yes

  175. Ge0rG

    But I've only seen one such bot, with a single JID. Easy to block again

  176. stpeter

    Oh I've seen several of those.

  177. Ge0rG

    stpeter: please tell me their JIDs

  178. stpeter

    In the future I will. I didn't note them before.