XMPP Service Operators - 2020-07-30

  1. kryptic

    is this where i can come to learn about hostiing an xmpp server?

  2. Ellenor Malik

    Yeah sure

  3. mike

    There are worse places you could have come to, for sure.

  4. Ge0rG

    kryptic: don't run a public xmpp server.

  5. kryptic

    Ge0rG: what do you mean?

  6. a

    don't run a public XMPP server, destroy the federation

  7. tom

    Why not? Spam?

  8. jonas’

    kryptic, do not run an XMPP server with open registration.

  9. jonas’

    but of course, you should federate :)

  10. mike

    Or do run one if you're really feeling the call, but be aware of what you're in for.

  11. a

    do not run an XMPP server with open registration, destroy the accessibility

  12. jonas’

    mike, that, exactly

  13. jonas’

    if you are deterred by a person saying "don’t" then you probably are not up for it :)

  14. jonas’

    (and if you don’t ask "why", then we already know we need to be on the watch for a new spam source)

  15. mike

    heh yeah

  16. jonas’

    however, I agree that the term "public" is ambiguous and may be taken as referring to federation

  17. Ge0rG

    a: I run a server with IBR, and I have deleted tens thousands of spam accounts.

  18. tom

    Tens of thousands!?

  19. mike

    that's not hard to rack up.

  20. Ge0rG

    tom: yes

  21. a

    on the other hand, spam problem is easily mitigated on the receiver server's side

  22. a

    but that is very hard

  23. a

    since you have to enable additional plugin in the configuration

  24. tom


  25. tom

    Are there guides on metigating xmpp spam like there is for smtp?

  26. Django

    Tens of thousands sounds like a lot of work?

  27. jonas’

    Django, hence he goes around and tell everyone to not do it ;)

  28. jonas’

    (unless they know what they’re in for)

  29. kryptic

    Ge0rG: I wanted a private one, not public

  30. Django

    And I guess not taking care of spam accounts might lead to other servers stopping federating with me?

  31. a

    tom: mod_block_strangers exists for ejabberd, for example

  32. mike

    spam detection is easy - just need one rule. did user send a contact request followed by "privet!"? block, done. 😀

  33. tom

    That's not a real solution

  34. a

    nice piece of xenophobia

  35. tom

    That's a reactionary response

  36. a


  37. jonas’

    a, mod_block_strangers is an excellent example of breaking accessibility :)

  38. mike

    it's a joke. it's an extremely common bot.

  39. jonas’

    Django, yes: see https://github.com/JabberSPAM/blacklist and https://github.com/JabberSPAM/jabber-spam-fighting-manifesto

  40. mike

    I noticed the last wave was mixing up the greeting now though

  41. tom

    A, block_strangers is the nuclear option

  42. jonas’

    Django, but you’ll receive a gentle warning first, if we find a way to contact you ;)

  43. mike

    blocking strangers is something best left as a per-user pref, honestly.

  44. tom

    I tell people not to make an account on 404.city because of that

  45. jonas’

    mike, agreed

  46. a

    jonas’: if you have better ideas or suggestions, you are very welcome to contribute to some open source project. ejabberd awaits. just introducing more hurdles to mitigate spam is a lazy man's approach

  47. jonas’

    a, :-)

  48. jonas’

    a, emitting servers should handle the spam, not receiving.

  49. jonas’

    and if they can’t, they should close IBR

  50. jonas’

    and if they don’t, they’ll be stopped from federating.

  51. a

    says who?

  52. jonas’

    I do

  53. jonas’

    and a few others do, too, see that manifesto

  54. a

    thanks for your opinion

  55. jonas’

    a, you’re welcome! I’m glad you like to hear it!

  56. a

    never seen this manifesto

  57. jonas’

    it was sent to various mailing lists I think

  58. jonas’

    back when it was started

  59. Django

    jonas’: thanks, my server is private, but this is very interesting should I consider creating a public one. But since legislation in the EU does not promise a great future for communication service providers, I might abstain from this idea anyway.

  60. Ge0rG

    Django: I'm not sure what part of EU legislation you see as problematic

  61. tom

    Django: mod_darknet

  62. Ge0rG

    maybe the part about not spying on your users?

  63. tom

    If your local regulation sucks just install mod_darknet

  64. Ge0rG

    tom: rent a box in the CyberBunker?

  65. tom


  66. tom

    Tor and I2P is enough

  67. jonas’

    talk about accessiblity, eh?

  68. tom

    Regarding spam though, is there anything more nuanced than an XMPP equivalent of RBLs

  69. tom

    Like is there an xmpp spamassasin?

  70. Ge0rG

    tom: XMPP spam is like the first generation of email spam, can be filtered by simple pattern matching

  71. tom

    Dcc (distributed checksum clearinghouse)

  72. tom


  73. tom

    In that case I think a DCC would be very helpful

  74. tom

    We can share fuzzy-hashes automaticity and block if we spot too many of the same showing up across the world

  75. tom


  76. Ge0rG

    tom: you'll end up blocking all short greetings and emoji responses

  77. vanitasvitae

    I was about to say

  78. vanitasvitae

    "Hi" would be blocked pretty soon 😛

  79. tom

    Hi isn't blocked in email

  80. vanitasvitae

    you'd probably have to limit this to longer messages

  81. jonas’

    longer messages are practically gone now

  82. jonas’

    those are dealt with

  83. jonas’

    the current fun part is subscription request + one-line greeting

  84. vanitasvitae

    is that so?

  85. jonas’

    it is so

  86. tom

    Oh those are annoying

  87. vanitasvitae

    the spam that I receive is mostly ~30 lines or so

  88. vanitasvitae

    but I use a personal server, so I probably only receive a limited subset of all the spam 😀

  89. vanitasvitae

    jonas’, never received something of that sort *knock on wood*

  90. jonas’

    vanitasvitae, I get it occasionally.

  91. tom

    Are just thought those are people with very buggy clients that kept re-sending

  92. vanitasvitae

    I rarely get subscriptions without any text

  93. jonas’

    tom, nope, once you react you get a wall of spam

  94. tom

    Because i don't accept rosters from people i don't know

  95. jonas’

    which is then not filtered by some filters because you have a roster subscription ...

  96. tom

    Would it make sense to make a proof-of-work XEP?

  97. Ge0rG

    tom: no

  98. tom

    Like we have a captcha xep

  99. jonas’

    https://craphound.com/spamsolutions.txt /me ticks: [x] technical [x] It will stop spam for two weeks and then we'll be stuck with it [x] Extreme profitability of spam [x] Sending xmpp messages should be free [x] Sorry dude, but I don't think it would work.

  100. jonas’

    plus my custom: Mobile users will kill you for that

  101. Django


  102. tom

    It's always one of the to

  103. tom


  104. Django

    Ge0rG: https://ec.europa.eu/info/sites/info/files/communication-eu-security-union-strategy.pdf

  105. Ge0rG

    Django: yes, we need to fight that

  106. tom


  107. tom

    jonas’: yes it's a technical solution to a technical problem not if you use a memory access heavy hash like Argon2id so that ASICs and FPGAs can't be used leveling the playing field. We learned a lot of bitcoin & friends it hopefully will be too costly the do all the proof of work to setup messages to random people than the reword for mass spamming why wouldn't it be? If your on xmpp you got a computer of some kind care to elaborate on that? If you only did it to setup connections between new people or first time joining a muc I don't think they would care

  108. Ge0rG

    tom: PoW is much cheaper at scale than on individual systems. Any kind of PoW that works on my smartphone so that I can send a message to my GF will be ridiculously cheap for spammers, especially if they use botnets to outsource the hashing to infected PCs

  109. Django

    Ge0rG: sorry, this is the document I actually meant https://ec.europa.eu/home-affairs/sites/homeaffairs/files/what-we-do/policies/european-agenda-security/20200724_com-2020-607-commission-communication_en.pdf

  110. tom

    I think it'd still be useful when used in combination with other techniques

  111. tom

    Just like how spamass workds

  112. Ge0rG

    Django: yes, the paranoid police nazis are asking for this shit all the time; so far we were able to avert the worst things

  113. Django

    I remember the ripe meeting were Europol wanted direct access to customer data and got 'get a fucking warrant' as response.

  114. Django

    I just hope, that we will be able to avoid this in the future as well.

  115. tom

    Django: https://mirror.us.oneandone.net/projects/media.ccc.de/congress/2011/webm/28c3-4848-en-the_coming_war_on_general_computation.webm

  116. tom

    This is the endgame of all that

  117. 404.city

    > ‎tom‎: I tell people not to make an account on 404.city because of that If you think spam is the only XMPP problem you are greatly mistaken. There is still a lot of flood abuse. I think you have never received a flood attack, since you offer do not value protection from this.

  118. tom

    No, I do not receive floods (yet)

  119. 404.city

    A flood attack is when you receive millions of messages from thousands of strangers

  120. tom

    Why don't you think a PoW would prevent that?

  121. tom


  122. tom

    If they are strangers to you, then each stranger would have to compute a challenge first

  123. tom

    There is a similar thing in email where new combinations of receivers and senders are differed to 'try again later' as legit senders will try to send later but spammers won't

  124. tom

    All within spek

  125. 404.city

    If the server allows you to receive a message without approving the subscription, then you can flood the user with the message until the client fails.

  126. a

    seems like mod_block_strangers is incredibly useful nowadays

  127. Holger

    Maybe as a workaround to cope with emergency until you have a better solution. It breaks legitimate communication.

  128. a

    exactly. a better standardized solution is vitally needed. we just cannot rely on all servers to use this mod. most are even unaware of its existence I guess

  129. Licaon_Kter

    a: not unaware, just that it makes onboarding new users a pain :((

  130. a

    well, in all honesty, I don't see entering a captcha a too painful process... but yeah, it could be a lot better if you just enter JID of recipient and start talking. like in the good old days

  131. Licaon_Kter

    a: in theory not hard, in practice I had to reach you and point you to this room when someone tried to contact you because the damn captcha somehow failed....

  132. a

    fair point

  133. a

    but I can only pray that someone eventually comes up with a better solution

  134. Licaon_Kter


  135. a

    the lack of leadership in XMPP is depressing. we have ejabberd and Conversations devs (among some others) which are doing great job and register roll out new features, but it somehow it's still not enough

  136. a

    the lack of leadership in XMPP is depressing. we have ejabberd and Conversations devs (among some others) which are doing great job and roll out new features, but it somehow it's still not enough

  137. a

    the lack of leadership in XMPP is depressing. we have ejabberd and Conversations devs (among some others) which are doing great job and roll out new features, but somehow it's still not enough

  138. Licaon_Kter

    That's just one server and one client on one platform, we need an least one *dedicated* dev for each or the others...

  139. Licaon_Kter

    ...if we think the XEPs are perfect I mean, if not...

  140. a

    the big companies like Slack and Google are just ripping XMPP off and run away without giving anything back

  141. Licaon_Kter

    Slack has no xmpp Maybe Whatsapp or Google indeed Maybe Zoom, JitsiMeet

  142. a

    I heard Slack started as an XMPP client

  143. a

    XEPs are great in practice, PEPs in Python work great. but I feel there are not a lot of people pushing XEPs forward

  144. a

    XEPs are great in theory, PEPs in Python work great. but I feel there are not a lot of people pushing XEPs forward