-
kryptic
is this where i can come to learn about hosting an xmpp server?
-
Ellenor Malik
Yeah sure
-
mike
There are worse places you could have come to, for sure.
-
Ge0rG
kryptic: don't run a public xmpp server.
-
kryptic
Ge0rG: what do you mean?
-
a
don't run a public XMPP server, destroy the federation
-
tom
Why not? Spam?
-
jonas’
kryptic, do not run an XMPP server with open registration.
-
jonas’
but of course, you should federate :)
-
mike
Or do run one if you're really feeling the call, but be aware of what you're in for.
-
a
do not run an XMPP server with open registration, destroy the accessibility
-
jonas’
mike, that, exactly
-
jonas’
if you are deterred by a person saying "don’t" then you probably are not up for it :)
-
jonas’
(and if you don’t ask "why", then we already know we need to be on the watch for a new spam source)
-
mike
heh yeah
-
jonas’
however, I agree that the term "public" is ambiguous and may be taken as referring to federation
-
Ge0rG
a: I run a server with IBR, and I have deleted tens of thousands of spam accounts.
-
tom
Tens of thousands!?
-
mike
that's not hard to rack up.
-
Ge0rG
tom: yes
-
a
on the other hand, spam problem is easily mitigated on the receiver server's side
-
a
but that is very hard
-
a
since you have to enable additional plugin in the configuration
-
tom
How?
-
tom
Are there guides on mitigating xmpp spam like there are for smtp?
-
Django
Tens of thousands sounds like a lot of work?
-
jonas’
Django, hence he goes around and tells everyone to not do it ;)
-
jonas’
(unless they know what they’re in for)
-
kryptic
Ge0rG: I wanted a private one, not public
-
Django
And I guess not taking care of spam accounts might lead to other servers stopping federating with me?
-
a
tom: mod_block_strangers exists for ejabberd, for example
-
mike
spam detection is easy - just need one rule. did user send a contact request followed by "privet!"? block, done. 😀
-
tom
That's not a real solution
-
a
nice piece of xenophobia
-
tom
That's a reactionary response
-
a
congratulations
-
jonas’
a, mod_block_strangers is an excellent example of breaking accessibility :)
-
mike
it's a joke. it's an extremely common bot.
-
jonas’
Django, yes: see https://github.com/JabberSPAM/blacklist and https://github.com/JabberSPAM/jabber-spam-fighting-manifesto
-
mike
I noticed the last wave was mixing up the greeting now though
-
tom
A, block_strangers is the nuclear option
-
jonas’
Django, but you’ll receive a gentle warning first, if we find a way to contact you ;)
-
mike
blocking strangers is something best left as a per-user pref, honestly.
-
tom
I tell people not to make an account on 404.city because of that
-
jonas’
mike, agreed
-
a
jonas’: if you have better ideas or suggestions, you are very welcome to contribute to some open source project. ejabberd awaits. just introducing more hurdles to mitigate spam is a lazy man's approach
-
jonas’
a, :-)
-
jonas’
a, emitting servers should handle the spam, not receiving.
-
jonas’
and if they can’t, they should close IBR
-
jonas’
and if they don’t, they’ll be stopped from federating.
-
a
says who?
-
jonas’
I do
-
jonas’
and a few others do, too, see that manifesto
-
a
thanks for your opinion
-
jonas’
a, you’re welcome! I’m glad you like to hear it!
-
a
never seen this manifesto
-
jonas’
it was sent to various mailing lists I think
-
jonas’
back when it was started
-
Django
jonas’: thanks, my server is private, but this is very interesting should I consider creating a public one. But since legislation in the EU does not promise a great future for communication service providers, I might abstain from this idea anyway.
-
Ge0rG
Django: I'm not sure what part of EU legislation you see as problematic
-
tom
Django: mod_darknet
-
Ge0rG
maybe the part about not spying on your users?
-
tom
If your local regulation sucks just install mod_darknet
-
Ge0rG
tom: rent a box in the CyberBunker?
-
tom
No
-
tom
Tor and I2P is enough
-
jonas’
talk about accessibility, eh?
-
tom
Regarding spam though, is there anything more nuanced than an XMPP equivalent of RBLs
-
tom
Like is there an xmpp SpamAssassin?
-
Ge0rG
tom: XMPP spam is like the first generation of email spam, can be filtered by simple pattern matching
-
tom
Dcc (distributed checksum clearinghouse)
-
tom
Oh
-
tom
In that case I think a DCC would be very helpful
-
tom
We can share fuzzy-hashes automatically and block if we spot too many of the same showing up across the world
-
tom
https://www.rhyolite.com/dcc/
-
Ge0rG
tom: you'll end up blocking all short greetings and emoji responses
-
vanitasvitae
I was about to say
-
vanitasvitae
"Hi" would be blocked pretty soon 😛
-
tom
Hi isn't blocked in email
-
vanitasvitae
you'd probably have to limit this to longer messages
-
jonas’
longer messages are practically gone now
-
jonas’
those are dealt with
-
jonas’
the current fun part is subscription request + one-line greeting
-
vanitasvitae
is that so?
-
jonas’
it is so
-
tom
Oh those are annoying
-
vanitasvitae
the spam that I receive is mostly ~30 lines or so
-
vanitasvitae
but I use a personal server, so I probably only receive a limited subset of all the spam 😀
-
vanitasvitae
jonas’, never received something of that sort *knock on wood*
-
jonas’
vanitasvitae, I get it occasionally.
-
tom
I just thought those are people with very buggy clients that kept re-sending
-
vanitasvitae
I rarely get subscriptions without any text
-
jonas’
tom, nope, once you react you get a wall of spam
-
tom
Because i don't accept rosters from people i don't know
-
jonas’
which is then not filtered by some filters because you have a roster subscription ...
-
tom
Would it make sense to make a proof-of-work XEP?
-
Ge0rG
tom: no
-
tom
Like we have a captcha xep
-
jonas’
https://craphound.com/spamsolutions.txt
/me ticks:
[x] technical
[x] It will stop spam for two weeks and then we'll be stuck with it
[x] Extreme profitability of spam
[x] Sending xmpp messages should be free
[x] Sorry dude, but I don't think it would work.
-
jonas’
plus my custom: Mobile users will kill you for that
-
Django
https://upload.ppmx.org/upload/2dbc0d0b-2c48-48bd-a71e-ed316aedde0e/IMG_20200730_105615.jpg
-
tom
It's always one of the to
-
tom
Two
-
Django
Ge0rG: https://ec.europa.eu/info/sites/info/files/communication-eu-security-union-strategy.pdf
-
Ge0rG
Django: yes, we need to fight that
-
tom
https://upload.nuegia.net/ceb50d7f-dda6-46cd-abf8-d519a8504959/censorshipbill.jpeg
-
tom
jonas’: yes, it's a technical solution to a technical problem. Not if you use a memory-access-heavy hash like Argon2id so that ASICs and FPGAs can't be used, leveling the playing field. We learned a lot from bitcoin & friends. It hopefully will be too costly to do all the proof of work to set up messages to random people than the reward for mass spamming; why wouldn't it be? If you're on xmpp you've got a computer of some kind; care to elaborate on that? If you only did it to set up connections between new people or first time joining a muc I don't think they would care
-
Ge0rG
tom: PoW is much cheaper at scale than on individual systems. Any kind of PoW that works on my smartphone so that I can send a message to my GF will be ridiculously cheap for spammers, especially if they use botnets to outsource the hashing to infected PCs
-
Django
Ge0rG: sorry, this is the document I actually meant https://ec.europa.eu/home-affairs/sites/homeaffairs/files/what-we-do/policies/european-agenda-security/20200724_com-2020-607-commission-communication_en.pdf
-
tom
I think it'd still be useful when used in combination with other techniques
-
tom
Just like how spamass works
-
Ge0rG
Django: yes, the paranoid police nazis are asking for this shit all the time; so far we were able to avert the worst things
-
Django
I remember the RIPE meeting where Europol wanted direct access to customer data and got 'get a fucking warrant' as response.
-
Django
I just hope, that we will be able to avoid this in the future as well.
-
tom
Django: https://mirror.us.oneandone.net/projects/media.ccc.de/congress/2011/webm/28c3-4848-en-the_coming_war_on_general_computation.webm
-
tom
This is the endgame of all that
-
404.city
> tom: I tell people not to make an account on 404.city because of that
If you think spam is the only XMPP problem you are greatly mistaken. There is still a lot of flood abuse. I think you have never received a flood attack, since you offer do not value protection from this.
-
tom
No, I do not receive floods (yet)
-
404.city
A flood attack is when you receive millions of messages from thousands of strangers
-
tom
Why don't you think a PoW would prevent that?
-
tom
*mitigate
-
tom
If they are strangers to you, then each stranger would have to compute a challenge first
-
tom
There is a similar thing in email where new combinations of receivers and senders are deferred to 'try again later' as legit senders will try to send later but spammers won't
-
tom
All within spec
-
404.city
If the server allows you to receive a message without approving the subscription, then you can flood the user with the message until the client fails.
-
a
seems like mod_block_strangers is incredibly useful nowadays
-
Holger
Maybe as a workaround to cope with emergency until you have a better solution. It breaks legitimate communication.
-
a
exactly. a better standardized solution is vitally needed. we just cannot rely on all servers to use this mod. most are even unaware of its existence I guess
-
Licaon_Kter
a: not unaware, just that it makes onboarding new users a pain :((
-
a
well, in all honesty, I don't see entering a captcha a too painful process... but yeah, it could be a lot better if you just enter JID of recipient and start talking. like in the good old days
-
Licaon_Kter
a: in theory not hard, in practice I had to reach you and point you to this room when someone tried to contact you because the damn captcha somehow failed....
-
a
fair point
-
a
but I can only pray that someone eventually comes up with a better solution
-
Licaon_Kter
True
-
a
the lack of leadership in XMPP is depressing. we have ejabberd and Conversations devs (among some others) which are doing great job and roll out new features, but somehow it's still not enough
-
Licaon_Kter
That's just one server and one client on one platform, we need at least one *dedicated* dev for each of the others...
-
Licaon_Kter
...if we think the XEPs are perfect I mean, if not...
-
a
the big companies like Slack and Google are just ripping XMPP off and run away without giving anything back
-
Licaon_Kter
Slack has no xmpp. Maybe Whatsapp or Google indeed. Maybe Zoom, JitsiMeet
-
a
I heard Slack started as an XMPP client
-
a
XEPs are great in theory, PEPs in Python work great. but I feel there are not a lot of people pushing XEPs forward