XMPP Service Operators - 2020-07-30

is this where i can come to learn about hostiing an xmpp server?

Yeah sure

There are worse places you could have come to, for sure.

kryptic: don't run a public xmpp server.

Ge0rG: what do you mean?

don't run a public XMPP server, destroy the federation

Why not? Spam?

kryptic, do not run an XMPP server with open registration.

but of course, you should federate :)

Or do run one if you're really feeling the call, but be aware of what you're in for.

do not run an XMPP server with open registration, destroy the accessibility

mike, that, exactly

if you are deterred by a person saying "don’t" then you probably are not up for it :)

(and if you don’t ask "why", then we already know we need to be on the watch for a new spam source)

heh yeah

however, I agree that the term "public" is ambiguous and may be taken as referring to federation

a: I run a server with IBR, and I have deleted tens thousands of spam accounts.

Tens of thousands!?

that's not hard to rack up.

tom: yes

on the other hand, spam problem is easily mitigated on the receiver server's side

but that is very hard

since you have to enable additional plugin in the configuration

How?

Are there guides on metigating xmpp spam like there is for smtp?

Tens of thousands sounds like a lot of work?

Django, hence he goes around and tell everyone to not do it ;)

(unless they know what they’re in for)

Ge0rG: I wanted a private one, not public

And I guess not taking care of spam accounts might lead to other servers stopping federating with me?

tom: mod_block_strangers exists for ejabberd, for example

spam detection is easy - just need one rule. did user send a contact request followed by "privet!"? block, done. 😀

That's not a real solution

nice piece of xenophobia

That's a reactionary response

congratulations

a, mod_block_strangers is an excellent example of breaking accessibility :)

it's a joke. it's an extremely common bot.

Django, yes: see https://github.com/JabberSPAM/blacklist and https://github.com/JabberSPAM/jabber-spam-fighting-manifesto

I noticed the last wave was mixing up the greeting now though

A, block_strangers is the nuclear option

Django, but you’ll receive a gentle warning first, if we find a way to contact you ;)

blocking strangers is something best left as a per-user pref, honestly.

I tell people not to make an account on 404.city because of that

mike, agreed

jonas’: if you have better ideas or suggestions, you are very welcome to contribute to some open source project. ejabberd awaits. just introducing more hurdles to mitigate spam is a lazy man's approach

a, :-)

a, emitting servers should handle the spam, not receiving.

and if they can’t, they should close IBR

and if they don’t, they’ll be stopped from federating.

says who?

I do

and a few others do, too, see that manifesto

thanks for your opinion

a, you’re welcome! I’m glad you like to hear it!

never seen this manifesto

it was sent to various mailing lists I think

back when it was started

jonas’: thanks, my server is private, but this is very interesting should I consider creating a public one. But since legislation in the EU does not promise a great future for communication service providers, I might abstain from this idea anyway.

Django: I'm not sure what part of EU legislation you see as problematic

Django: mod_darknet

maybe the part about not spying on your users?

If your local regulation sucks just install mod_darknet

tom: rent a box in the CyberBunker?

No

Tor and I2P is enough

talk about accessiblity, eh?

Regarding spam though, is there anything more nuanced than an XMPP equivalent of RBLs

Like is there an xmpp spamassasin?

tom: XMPP spam is like the first generation of email spam, can be filtered by simple pattern matching

Dcc (distributed checksum clearinghouse)

Oh

In that case I think a DCC would be very helpful

We can share fuzzy-hashes automaticity and block if we spot too many of the same showing up across the world

https://www.rhyolite.com/dcc/

tom: you'll end up blocking all short greetings and emoji responses

I was about to say

"Hi" would be blocked pretty soon 😛

Hi isn't blocked in email

you'd probably have to limit this to longer messages

longer messages are practically gone now

those are dealt with

the current fun part is subscription request + one-line greeting

is that so?

it is so

Oh those are annoying

the spam that I receive is mostly ~30 lines or so

but I use a personal server, so I probably only receive a limited subset of all the spam 😀

jonas’, never received something of that sort *knock on wood*

vanitasvitae, I get it occasionally.

Are just thought those are people with very buggy clients that kept re-sending

I rarely get subscriptions without any text

tom, nope, once you react you get a wall of spam

Because i don't accept rosters from people i don't know

which is then not filtered by some filters because you have a roster subscription ...

Would it make sense to make a proof-of-work XEP?

tom: no

Like we have a captcha xep

https://craphound.com/spamsolutions.txt /me ticks: [x] technical [x] It will stop spam for two weeks and then we'll be stuck with it [x] Extreme profitability of spam [x] Sending xmpp messages should be free [x] Sorry dude, but I don't think it would work.

plus my custom: Mobile users will kill you for that

https://upload.ppmx.org/upload/2dbc0d0b-2c48-48bd-a71e-ed316aedde0e/IMG_20200730_105615.jpg

It's always one of the to

Two

Ge0rG: https://ec.europa.eu/info/sites/info/files/communication-eu-security-union-strategy.pdf

Django: yes, we need to fight that

https://upload.nuegia.net/ceb50d7f-dda6-46cd-abf8-d519a8504959/censorshipbill.jpeg

jonas’: yes it's a technical solution to a technical problem not if you use a memory access heavy hash like Argon2id so that ASICs and FPGAs can't be used leveling the playing field. We learned a lot of bitcoin & friends it hopefully will be too costly the do all the proof of work to setup messages to random people than the reword for mass spamming why wouldn't it be? If your on xmpp you got a computer of some kind care to elaborate on that? If you only did it to setup connections between new people or first time joining a muc I don't think they would care

tom: PoW is much cheaper at scale than on individual systems. Any kind of PoW that works on my smartphone so that I can send a message to my GF will be ridiculously cheap for spammers, especially if they use botnets to outsource the hashing to infected PCs

Ge0rG: sorry, this is the document I actually meant https://ec.europa.eu/home-affairs/sites/homeaffairs/files/what-we-do/policies/european-agenda-security/20200724_com-2020-607-commission-communication_en.pdf

I think it'd still be useful when used in combination with other techniques

Just like how spamass workds

Django: yes, the paranoid police nazis are asking for this shit all the time; so far we were able to avert the worst things

I remember the ripe meeting were Europol wanted direct access to customer data and got 'get a fucking warrant' as response.

I just hope, that we will be able to avoid this in the future as well.

Django: https://mirror.us.oneandone.net/projects/media.ccc.de/congress/2011/webm/28c3-4848-en-the_coming_war_on_general_computation.webm

This is the endgame of all that

> ‎tom‎: I tell people not to make an account on 404.city because of that If you think spam is the only XMPP problem you are greatly mistaken. There is still a lot of flood abuse. I think you have never received a flood attack, since you offer do not value protection from this.

No, I do not receive floods (yet)

A flood attack is when you receive millions of messages from thousands of strangers

Why don't you think a PoW would prevent that?

*metigate

If they are strangers to you, then each stranger would have to compute a challenge first

There is a similar thing in email where new combinations of receivers and senders are differed to 'try again later' as legit senders will try to send later but spammers won't

All within spek

If the server allows you to receive a message without approving the subscription, then you can flood the user with the message until the client fails.

seems like mod_block_strangers is incredibly useful nowadays

Maybe as a workaround to cope with emergency until you have a better solution. It breaks legitimate communication.

exactly. a better standardized solution is vitally needed. we just cannot rely on all servers to use this mod. most are even unaware of its existence I guess

a: not unaware, just that it makes onboarding new users a pain :((

well, in all honesty, I don't see entering a captcha a too painful process... but yeah, it could be a lot better if you just enter JID of recipient and start talking. like in the good old days

a: in theory not hard, in practice I had to reach you and point you to this room when someone tried to contact you because the damn captcha somehow failed....

fair point

but I can only pray that someone eventually comes up with a better solution

True

the lack of leadership in XMPP is depressing. we have ejabberd and Conversations devs (among some others) which are doing great job and roll out new features, but it somehow it's still not enough ✏

the lack of leadership in XMPP is depressing. we have ejabberd and Conversations devs (among some others) which are doing great job and roll out new features, but somehow it's still not enough ✏

That's just one server and one client on one platform, we need an least one *dedicated* dev for each or the others...

...if we think the XEPs are perfect I mean, if not...

the big companies like Slack and Google are just ripping XMPP off and run away without giving anything back

Slack has no xmpp Maybe Whatsapp or Google indeed Maybe Zoom, JitsiMeet

I heard Slack started as an XMPP client

XEPs are great in theory, PEPs in Python work great. but I feel there are not a lot of people pushing XEPs forward ✏