XMPP Service Operators - 2020-12-14

oh god

can someone help me diagnose a correct-password unauthorized problem?

https://is.gd/SyJF9o

Is that the Jabber spam service?

BTW, got spam from `intercoracoid@404.city`.

real and rare

mimi89999: that's a jabber spam service indeed

Can the operators of those servers remove their accounts or we block their servers?

Who is the admin of 404 city?

he's often here as 404city

I'm flooded with spam from that server now.

Like one message every 10 sec

mimi89999: from the same account or from different ones?

Where is he?

Same

mimi89999: I've pinged the admin now

Yes there's a channel

A process

You have to give them some time to proccess the abuse request though before they get in a blocklist

OK. Can you link the channel/form/whatever?

What's that private spamfighting muc on yax.im again?

I got an invite ounce but forgot about it

it doesn't exist any more

mimi89999: https://github.com/JabberSPAM

How to quickly block a JID server level?

With mod_firewall

Or for a specific account

https://xmpp.org/extensions/xep-0191.html

> mimi89999: https://github.com/JabberSPAM Shouldn't it rather contain only registered domain names (to ICANN registrars) and not sub-domains? This might break implementations if you change the format in a hurry (and that probably will one day). ✏

> mimi89999: https://github.com/JabberSPAM Why this list contains FQDNs. IMO no need for sub-domains, and only disavantages. Then if format is changed in a hurry, this may break current implementation (and that probably will one day). ✏

> mimi89999: https://github.com/JabberSPAM Why do this list contain FQDNs. IMO no need for sub-domains, only cons. Then if format is changed in a hurry, this may break current implementation (and that probably will one day). ✏

bastoon: Because some xmppds are served on a subdomain.

Martin: I'm sure spammers will exploit the possibility to infinite subs. Then I don't think you'll ever have to consider multiple (sub) servers per names, one being ok, the other one spammer. ✏

Martin: I'm quite sure spammers will exploit the possibility to infinite subs. Then I don't think you'll ever have to consider multiple (sub) servers per names, one being ok, the other one spammer. ✏

Martin: I'm quite sure spammers will exploit the possibility of infinite subs. Then I don't think you'll ever have to consider multiple (sub) servers per names, one being ok, the other one spammer. ✏

Spammers usually use unmaintained servers with IBR and do not fire up own servers.

Also there is this case: Befor I was running my xmppd on a shared hoster. If I would not have used my own domain it would have been running at user.tucana.uberspace.de. So if I spam why should the innocent xmppd another-user.tucana.uberspace.de also be blocked?

Because he could fire you from using his domain before being considered as spammer. Just thought it would be simpler, lighter and more robust against spammer, but surely bad sides to investigate / accommodate.

> Because he could fire you from using his domain before being considered as spammer. I don't understand this.

This list even blacklists creep.im, which is one of the more popular public servers (among the gajim Standard Servers). Not a good Idea I think, it might break xmpp

> it might break xmpp how so? it merely breaks creep.im if they don't get their spam users under control

that's what a federation is for

creep.im is a known spam server

:)

kahlb: The issue was that the operator was not reachable on his 0157 contacts. You'll see the history in my MR.

Unfortunately we found him in here just after it got merged.

> I don't understand this. From your example uberspace.de is still in control to allow/disallow a sub domains (on spam complaining).

Yes, that's why you should report spammers. But blocking all operators from one domain because one is spamming is not useful.

Operators are free to choose

let's block all OVH and Hetzner then?

operators being unreachable while their server is used as a spam relay is a valid reason for inclusion in spam lists

mathieui: how long should one wait to determine "unrechable"?

Ge0rG, no available means of contact

if one is available, I guess it’s up to you

> let's block all OVH and Hetzner then? hetzner do actually block your server's network traffic if you spam their local network

raucao: but hetzner isn't using xmpp internally.

comparing someone using a hetzner server to spamming the outside network with the hetzner network itself makes no sense

the xmpp spam server is not a data center

it is a specific service running under a specific domain

raucao: what's your point?

what is yours

your comparison was a non-sequitur

> operators being unreachable while their server is used as a spam relay is a valid reason for inclusion in spam lists this is the point that some people seem to disagree with, and so far there were no valid arguments against it brought forward here

raucao: my response was to the point about blocking all of uberspace if there are spammy servers on there.

do those spammers use some settings?

like a special cipher for prosody

or a deprecated maybe

so we need to change all our settings ;D

Arne: spammers register accounts on free servers.

Ah, it was strato who requested headers as evidence for the spam I reported.

> let's block all OVH and Hetzner then? OVH automatically forwards whois alias to real mails. I don't get this point. Moreover XEP (if generalized) make the process operator independent.

> raucao: my response was to the point about blocking all of uberspace if there are spammy servers on there. sry, i didn't see that someone wanted to block all of uberspace

i thought it was in response to blocking creep.im

mea culpa

bastoon: of the two reports I sent to OVH, one server got shot down, and for the other one I never heard back

kode.im and im.koderoot.net are the #1 and #2 sources of spam for me for the last weeks.

creep.im is #3. creep.im, wanna have a new list of JIDs to delete?

shoot it. you have my JID

mh, maybe free inbandregistration is not really good xD

BTW, are SPAM reports verified in any way?

Ge0rG: Did 404 admin respond?

mimi89999: haven't seen them online yet

Arne: yes, you shouldn't do it if you don't want to be a full time anti-spam admin

I use my own webregistration combined with some other things

mimi89999: how would you verify them? I always send logs to the ISP / server admin so they can match against their own logs

I do IBR and I am only removing spam accounts by request

it's not much work

although this is meaningless: spammers easily create dozens of new accounts

creep.im: it's only not much work if nobody reports ;)

I used to get spam from creep.im, but I'm not getting anymore

hundreds.

if you care about your users, the best bet to filter spam at the receiving side

I told you guys like a million times

creep.im: you mean, each user must filter spam on their own?

but for some reason you are afraid of captcha

not user. server. there are plugins for that

captchas are bad for usability

you only enter it once

not a big deal for usability

what if you can't read well?

you want to create a walled garden without spammers, introducing your custom esoteric registration systems, but how is it different from WhatsApp? it's actually less usable than WhatsApp ✏

Ge0rG, creep.im: audio captcha is a thing, too

creep.im: So every time I want to contact a new new account I need to fill a captcha?

mjk: but not in the typical xmpp captcha "solutions"

creep.im: my server has IBR and no captchas

you fight spammers, but spammers don't care. users are hurt instead

same with captchas ;)

Would be better to fill the captcha once.

On registration

Ge0rG: you have IBR with your custom esoteric filtration system, I heard about it

Ge0rG: > but not in the typical xmpp captcha "solutions" Unfortunately. I was nudging creep.im to think about it :)

Ge0rG: now open source it and encourage everyone to use it

creep.im: I'm doing RBL checks against dnsbl.dronebl.org with ready-made prosody modules

write an article about it, I don't know. a lot of people have no idea how to approach this problem

creep.im: https://yaxim.org/blog/2020/05/12/new-anti-spam-measures/

oh, spammers are also solving recaptcha to register bot accounts.

Ge0rG: > I'm doing RBL checks against dnsbl.dronebl.org with ready-made prosody modules That site is down?

Licaon_Kter: https://dronebl.org/ - the other one is the RBL address

Oh

> creep.im: https://yaxim.org/blog/2020/05/12/new-anti-spam-measures/ great job. someone will definitely find that helpful. although not privacy-oriented operators, who want to keep legitimate Proxy/Tor users using the service

creep.im: legitimate Tor users can connect via Tor, join the yaxim support MUC and ask to be unblocked.

how do you distinguish if the user is legitimate?

creep.im: I don't ask questions.

also, there may be dozens of such requests

on a day

why would you in the first place. if they spam, the account gets blocked

tor or not

creep.im: I had a dozen of such requests since I made that policy

creep.im: a spammer will register hundreds or thousands of accounts at the same time

how many such requests you receive daily?

creep.im: I had a dozen of such requests since I made that policy

that's two per month

are there a lot of daily registrations?

proxied and regular

100 - 500 per month

I don't count the proxy registrations, I only count the ones that complain

that's manageable

I also have hundreds of bot registrations sometimes, so it's hard to tell for sure

anyway, you are coming up with your own solutions to a common problem. there should be a universal ready made way of doing this. like a plugin, or a built-in fictionally right in the server(s). manual process is a no go, especially for one-man server operations

creep.im: redo everything on Prosody then, easy :)

creep.im: I've documented my way and made the tools accessible. Somebody else needs to do the same for ejabberd.

Licaon_Kter: it'll still not be automated

creep.im: spammers will circumvent automated systems

somehow I didn't get a single spam message in months...

a lot of accounts add me daily

I guess miss of them are spammers

I had to solve a captcha before reporting spam to you :P

yes, this is how it works

my point is that it is automated and it works

it's automated for you, not for the people who want to talk to you

well, maybe for the spammers who can just buy captchas for 5$/1000

still, seems like they're not doing that

I guess they just spam other servers ✏

creep.im: I know that spammers are buying into IBR captchas, because you buy one, and send thousans of spam messages

IBR captchas... maybe. but to be able to actually send messages, you have to solve another captcha, also you have to be added by the other party as well

only then you are free to chat

anyway, this is rather a temporary measure until the real solution will be available

the real solution: people who don't click on spam

"temporary" could mean for next few years...

We are well beyond years already

The captcha spam was the reason I could not contact creep.im

I got spammed with requests to fill a captcha and did so several times. Still my messages didn't get through. That was pretty annoying and I had to block him to make his server spam me with captcha requests. That's why I tried to contact him via email. ✏

I didn't add you back immediately, that's why you've been "spammed" by captcha

better to spam sender with captcha, then the other way around, right?

Captchas are just the most annoying UX in spam fighting.

Those block stranger modules break XMPP.

Could the invite-only model be the ultimate solution? If, by chance, a rare spammer is invited and then invites a horde of other spammers, the whole sub-tree of accounts can be efficiently truncated manually

That, of course, requires storing the data on who invited whom

That is, basically, a social graph. A nutritious, concentrated, morsel of user data...

Ugh.

Invitations are nice for family and friends servers but not for public ones.

we have closed regs and just started with invitations. but not public yet

in the future we're adding lightning network payments for signups

that way a spammer would have to pay for their account first. that makes it both harder to automate it as well as introduces a cost

i think users inviting other users is generally a good idea

obviously having to donate/pay upfront introduces friction, but then again pretty much any effective anti-spam mesure does

s/mesure/measure

> better to spam sender with captcha, then the other way around, right? creep.im: hence why you dont get many spam complaints. Maybe operators choose to block the domain instead?

i think there are also many other ways to have semi-open signups where it's difficult to create many accounts and also easier to shut spammers down

The RBL approach seems to work well for Ge0rG in reducing spam bots on yax.im.

the RBL approach prevents 99.99% of automated IBR registrations

Or use bitcoin approach to discourage spammers: let the user waste cpu power at registration. But indeed spammer will waste *others* cpu for their benefit ;-) ✏

Or use bitcoin approach to discourage spammers: let the user waste cpu power at registration. But indeed spammers will try to waste your cpu for their benefit ;-) ✏

Or use bitcoin approach to discourage spammers: let the user waste cpu power at registration. ✏

> But indeed spammers will try to waste your cpu for their benefit ;-) Yeah, botnets are totally immune to proof-of-work-based filtering. Actual payments, though...

Exactly

bastoon: that doesnt work because you need to mine a whole block to get a payout

I was just talking about Bitcoin related principle (rather said proof-of-work). So can be adapted to every situation. ✏

I was just talking about Bitcoin related principle (rather said proof-of-work). So can be adapted to every situation. Ex challenge: find a hash which verify sha-256(JID + random block) < X With X given by server. ✏

I was just talking about Bitcoin related principle (rather said proof-of-work). So can be adapted to every situation. Ex challenge: find X which verify sha-256(JID + random X < Y With Y given by server. ✏

I was just talking about Bitcoin related principle (rather said proof-of-work). So can be adapted to every situation. Ex challenge: find X which verify sha-256(JID + random X) < Y With Y given by server. ✏

bastoon:

All this digital methods are not very effective or degrade accessibility in my opinion

And even then

Well

It's just a matter of how much of a skid the spammer is

Here's a recommendation and I want to give this to the creep.im admin too

In the old days when we wanted to registered for an account on the shared UNIX system we shelled in (can be a special ssh user like registration@yourdomain.tld) and that user was redirected to a terminal forum program

You entered the username and other detailed you wanted then you were given a code

In order to activate your account all you had to do was mail a postcard to the sysadmin with that code written on it

You can still anonymously mail letters so this doesn't hurt anonymity

And you can mail letters from anywhere in the world

Postcards are universal

It also gives you an opportunity to build a collage and a better sense of community

When you receive the postcard you just type it into your server to lookup the reg details and activate the account

If you don't get a poscard in 30 days for a code you purge the reg info

Most spammers don't bother when the turing test is in meatspace and costs actual money

Not much mind you postage and a postcard are only a few cents even worldwide postage

doesn’t scale though

Anybody can afford to send a postcard

or even per week

:O

or month

jonas’: i doubt that many reges are legit and if your that scale then geeze you would be replacing bigtech and FAANGs

But

If you were

Just replace the postcard with a printable form and buy a SCANTRON machine

The same kind of machine they use for standardized tests

SCANTRON :D

> bastoon: that doesnt work because you need to mine a whole block to get a payout That's what lightning network is for

Instant cobfirmation, virtually no fee

This things scale up to nationwide elections

Extra bonus with LN is that you could block a spammer's LN node, too

https://www.ebay.com/sch/i.html?_from=R40&_trksid=m570.l1313&_nkw=scantron&_sacat=0

jonas’: you really get over 1k legit reges a day?

tom, no, I don’t run a public server