-
Ellenor Malik
oh god
-
Ellenor Malik
can someone help me diagnose a correct-password unauthorized problem?
-
mimi89999
https://is.gd/SyJF9o
-
mimi89999
Is that the Jabber spam service?
-
mimi89999
BTW, got spam from `intercoracoid@404.city`.
-
mimi89999
real and rare
-
Ge0rG
mimi89999: that's a jabber spam service indeed
-
mimi89999
Can the operators of those servers remove their accounts, or should we block their servers?
-
mimi89999
Who is the admin of 404 city?
-
Ge0rG
he's often here as 404city
-
mimi89999
I'm flooded with spam from that server now.
-
mimi89999
Like one message every 10 sec
-
Ge0rG
mimi89999: from the same account or from different ones?
-
mimi89999
Where is he?
-
mimi89999
Same
-
Ge0rG
mimi89999: I've pinged the admin now
-
tom
Yes there's a channel
-
tom
A process
-
tom
You have to give them some time to process the abuse request though before they get on a blocklist
-
mimi89999
OK. Can you link the channel/form/whatever?
-
tom
What's that private spamfighting muc on yax.im again?
-
tom
I got an invite once but forgot about it
-
Ge0rG
it doesn't exist any more
-
tom
mimi89999: https://github.com/JabberSPAM
-
mimi89999
How to quickly block a JID at server level?
-
tom
With mod_firewall
-
tom
Or for a specific account
-
tom
https://xmpp.org/extensions/xep-0191.html
-
bastoon
> mimi89999: https://github.com/JabberSPAM Why does this list contain FQDNs? IMO no need for sub-domains, only cons. Then if the format is changed in a hurry, this may break current implementations (and that probably will happen one day).
-
Martin
bastoon: Because some xmppds are served on a subdomain.
-
bastoon
Martin: I'm quite sure spammers will exploit the possibility of infinite subs. Then I don't think you'll ever have to consider multiple (sub) servers per name, one being ok, the other one a spammer.
-
Martin
Spammers usually use unmaintained servers with IBR and do not fire up own servers.
-
Martin
Also there is this case: Before, I was running my xmppd on a shared hoster. If I had not used my own domain it would have been running at user.tucana.uberspace.de. So if I spam, why should the innocent xmppd another-user.tucana.uberspace.de also be blocked?
-
bastoon
Because he could stop you from using his domain before being considered a spammer. Just thought it would be simpler, lighter and more robust against spammers, but surely there are bad sides to investigate / accommodate.
-
Martin
> Because he could fire you from using his domain before being considered as spammer. I don't understand this.
-
kahlb
This list even blacklists creep.im, which is one of the more popular public servers (among the Gajim standard servers). Not a good idea I think, it might break XMPP
-
raucao
> it might break xmpp how so? it merely breaks creep.im if they don't get their spam users under control
-
raucao
that's what a federation is for
-
creep.im
creep.im is a known spam server
-
raucao
:)
-
Martin
kahlb: The issue was that the operator was not reachable on his 0157 contacts. You'll see the history in my MR.
-
Martin
Unfortunately we found him in here just after it got merged.
-
bastoon
> I don't understand this. From your example, uberspace.de is still in control to allow/disallow subdomains (on spam complaints).
-
Martin
Yes, that's why you should report spammers. But blocking all operators from one domain because one is spamming is not useful.
-
raucao
Operators are free to choose
-
Ge0rG
let's block all OVH and Hetzner then?
-
mathieui
operators being unreachable while their server is used as a spam relay is a valid reason for inclusion in spam lists
-
Ge0rG
mathieui: how long should one wait to determine "unreachable"?
-
mathieui
Ge0rG, no available means of contact
-
mathieui
if one is available, I guess it’s up to you
-
raucao
> let's block all OVH and Hetzner then? hetzner do actually block your server's network traffic if you spam their local network
-
Ge0rG
raucao: but hetzner isn't using xmpp internally.
-
raucao
comparing someone using a hetzner server to spamming the outside network with the hetzner network itself makes no sense
-
raucao
the xmpp spam server is not a data center
-
raucao
it is a specific service running under a specific domain
-
Ge0rG
raucao: what's your point?
-
raucao
what is yours
-
raucao
your comparison was a non-sequitur
-
raucao
> operators being unreachable while their server is used as a spam relay is a valid reason for inclusion in spam lists this is the point that some people seem to disagree with, and so far there were no valid arguments against it brought forward here
-
Ge0rG
raucao: my response was to the point about blocking all of uberspace if there are spammy servers on there.
-
Arne
do those spammers use some settings?
-
Arne
like a special cipher for prosody
-
Arne
or a deprecated maybe
-
Arne
so we need to change all our settings ;D
-
Ge0rG
Arne: spammers register accounts on free servers.
-
Ge0rG
Ah, it was strato who requested headers as evidence for the spam I reported.
-
bastoon
> let's block all OVH and Hetzner then? OVH automatically forwards the whois alias to real mails. I don't get this point. Moreover the XEP (if generalized) makes the process operator independent.
-
raucao
> raucao: my response was to the point about blocking all of uberspace if there are spammy servers on there. sry, i didn't see that someone wanted to block all of uberspace
-
raucao
i thought it was in response to blocking creep.im
-
raucao
mea culpa
-
Ge0rG
bastoon: of the two reports I sent to OVH, one server got shot down, and for the other one I never heard back
-
Ge0rG
kode.im and im.koderoot.net are the #1 and #2 sources of spam for me for the last weeks.
-
Ge0rG
creep.im is #3. creep.im, wanna have a new list of JIDs to delete?
-
creep.im
shoot it. you have my JID
-
Arne
mh, maybe free in-band registration is not really good xD
-
mimi89999
BTW, are SPAM reports verified in any way?
-
mimi89999
Ge0rG: Did 404 admin respond?
-
Ge0rG
mimi89999: haven't seen them online yet
-
Ge0rG
Arne: yes, you shouldn't do it if you don't want to be a full time anti-spam admin
-
Arne
I use my own webregistration combined with some other things
-
Ge0rG
mimi89999: how would you verify them? I always send logs to the ISP / server admin so they can match against their own logs
-
creep.im
I do IBR and I am only removing spam accounts by request
-
creep.im
it's not much work
-
creep.im
although this is meaningless: spammers easily create dozens of new accounts
-
Ge0rG
creep.im: it's only not much work if nobody reports ;)
-
mimi89999
I used to get spam from creep.im, but I'm not getting anymore
-
Ge0rG
hundreds.
-
creep.im
if you care about your users, the best bet is to filter spam at the receiving side
-
creep.im
I told you guys like a million times
-
Ge0rG
creep.im: you mean, each user must filter spam on their own?
-
creep.im
but for some reason you are afraid of captcha
-
creep.im
not user. server. there are plugins for that
-
Ge0rG
captchas are bad for usability
-
creep.im
you only enter it once
-
creep.im
not a big deal for usability
-
Ge0rG
what if you can't read well?
-
creep.im
you want to create a walled garden without spammers, introducing your custom esoteric registration systems, but how is it different from WhatsApp? it's actually less usable than WhatsApp
-
mjk
Ge0rG, creep.im: audio captcha is a thing, too
-
mimi89999
creep.im: So every time I want to contact a new account I need to fill in a captcha?
-
Ge0rG
mjk: but not in the typical xmpp captcha "solutions"
-
Ge0rG
creep.im: my server has IBR and no captchas
-
creep.im
you fight spammers, but spammers don't care. users are hurt instead
-
Ge0rG
same with captchas ;)
-
mimi89999
Would be better to fill the captcha once.
-
mimi89999
On registration
-
creep.im
Ge0rG: you have IBR with your custom esoteric filtration system, I heard about it
-
mjk
Ge0rG: > but not in the typical xmpp captcha "solutions" Unfortunately. I was nudging creep.im to think about it :)
-
creep.im
Ge0rG: now open source it and encourage everyone to use it
-
Ge0rG
creep.im: I'm doing RBL checks against dnsbl.dronebl.org with ready-made prosody modules
-
creep.im
write an article about it, I don't know. a lot of people have no idea how to approach this problem
-
Ge0rG
creep.im: https://yaxim.org/blog/2020/05/12/new-anti-spam-measures/
-
Ge0rG
oh, spammers are also solving recaptcha to register bot accounts.
-
Licaon_Kter
Ge0rG: > I'm doing RBL checks against dnsbl.dronebl.org with ready-made prosody modules That site is down?
-
Ge0rG
Licaon_Kter: https://dronebl.org/ - the other one is the RBL address
-
Licaon_Kter
Oh
-
creep.im
> creep.im: https://yaxim.org/blog/2020/05/12/new-anti-spam-measures/ great job. someone will definitely find that helpful. although not privacy-oriented operators, who want to keep legitimate Proxy/Tor users using the service
-
Ge0rG
creep.im: legitimate Tor users can connect via Tor, join the yaxim support MUC and ask to be unblocked.
-
creep.im
how do you distinguish if the user is legitimate?
-
Ge0rG
creep.im: I don't ask questions.
-
creep.im
also, there may be dozens of such requests
-
creep.im
on a day
-
raucao
why would you in the first place. if they spam, the account gets blocked
-
raucao
tor or not
-
Ge0rG
creep.im: I had a dozen of such requests since I made that policy
-
Ge0rG
creep.im: a spammer will register hundreds or thousands of accounts at the same time
-
creep.im
how many such requests do you receive daily?
-
Ge0rG
creep.im: I had a dozen of such requests since I made that policy
-
Ge0rG
that's two per month
-
creep.im
are there a lot of daily registrations?
-
creep.im
proxied and regular
-
Ge0rG
100 - 500 per month
-
Ge0rG
I don't count the proxy registrations, I only count the ones that complain
-
creep.im
that's manageable
-
Ge0rG
I also have hundreds of bot registrations sometimes, so it's hard to tell for sure
-
creep.im
anyway, you are coming up with your own solutions to a common problem. there should be a universal ready-made way of doing this. like a plugin, or built-in functionality right in the server(s). a manual process is a no-go, especially for one-man server operations
-
Licaon_Kter
creep.im: redo everything on Prosody then, easy :)
-
Ge0rG
creep.im: I've documented my way and made the tools accessible. Somebody else needs to do the same for ejabberd.
-
creep.im
Licaon_Kter: it'll still not be automated
-
Ge0rG
creep.im: spammers will circumvent automated systems
-
creep.im
somehow I didn't get a single spam message in months...
-
creep.im
a lot of accounts add me daily
-
creep.im
I guess most of them are spammers
-
Ge0rG
I had to solve a captcha before reporting spam to you :P
-
creep.im
yes, this is how it works
-
creep.im
my point is that it is automated and it works
-
Ge0rG
it's automated for you, not for the people who want to talk to you
-
Ge0rG
well, maybe for the spammers who can just buy captchas for 5$/1000
-
creep.im
still, seems like they're not doing that
-
creep.im
I guess they just spam other servers
-
Ge0rG
creep.im: I know that spammers are buying into IBR captchas, because you buy one, and send thousands of spam messages
-
creep.im
IBR captchas... maybe. but to be able to actually send messages, you have to solve another captcha, also you have to be added by the other party as well
-
creep.im
only then you are free to chat
-
creep.im
anyway, this is rather a temporary measure until the real solution will be available
-
Ge0rG
the real solution: people who don't click on spam
-
creep.im
"temporary" could mean for next few years...
-
Licaon_Kter
We are well beyond years already
-
Martin
The captcha spam was the reason I could not contact creep.im
-
Martin
I got spammed with requests to fill in a captcha and did so several times. Still my messages didn't get through. That was pretty annoying and I had to block him to make his server spam me with captcha requests. That's why I tried to contact him via email.
-
creep.im
I didn't add you back immediately, that's why you've been "spammed" by captcha
-
creep.im
better to spam the sender with a captcha than the other way around, right?
-
Martin
Captchas are just the most annoying UX in spam fighting.
-
Martin
Those block stranger modules break XMPP.
-
mjk
Could the invite-only model be the ultimate solution? If, by chance, a rare spammer is invited and then invites a horde of other spammers, the whole sub-tree of accounts can be efficiently truncated manually
-
mjk
That, of course, requires storing the data on who invited whom
-
mjk
That is, basically, a social graph. A nutritious, concentrated, morsel of user data...
-
mjk
Ugh.
-
Martin
Invitations are nice for family and friends servers but not for public ones.
-
raucao
we have closed regs and just started with invitations. but not public yet
-
raucao
in the future we're adding lightning network payments for signups
-
raucao
that way a spammer would have to pay for their account first. that makes it both harder to automate and introduces a cost
-
raucao
i think users inviting other users is generally a good idea
-
raucao
obviously having to donate/pay upfront introduces friction, but then again pretty much any effective anti-spam mesure does
-
raucao
s/mesure/measure
-
junaid
> better to spam the sender with a captcha than the other way around, right? creep.im: hence why you don't get many spam complaints. Maybe operators choose to block the domain instead?
-
raucao
i think there are also many other ways to have semi-open signups where it's difficult to create many accounts and also easier to shut spammers down
-
Martin
The RBL approach seems to work well for Ge0rG in reducing spam bots on yax.im.
-
mathieui
the RBL approach prevents 99.99% of automated IBR registrations
-
bastoon
Or use the bitcoin approach to discourage spammers: let the user waste CPU power at registration. But indeed spammers will try to waste your CPU for their benefit ;-)
-
bastoon
Or use the bitcoin approach to discourage spammers: let the user waste CPU power at registration.
-
mjk
> But indeed spammers will try to waste your cpu for their benefit ;-) Yeah, botnets are totally immune to proof-of-work-based filtering. Actual payments, though...
-
raucao
Exactly
-
tom
bastoon: that doesn't work because you need to mine a whole block to get a payout
-
bastoon
I was just talking about the Bitcoin-related principle (proof-of-work, rather). So it can be adapted to every situation. Example challenge: find X such that sha-256(JID + random X) < Y, with Y given by the server.
-
tom
bastoon:
-
tom
All these digital methods are not very effective or degrade accessibility in my opinion
-
tom
And even then
-
tom
Well
-
tom
It's just a matter of how much of a skid the spammer is
-
tom
Here's a recommendation and I want to give this to the creep.im admin too
-
tom
In the old days when we wanted to register for an account on the shared UNIX system we shelled in (it can be a special ssh user like registration@yourdomain.tld) and that user was redirected to a terminal forum program
-
tom
You entered the username and other details you wanted, then you were given a code
-
tom
In order to activate your account all you had to do was mail a postcard to the sysadmin with that code written on it
-
tom
You can still anonymously mail letters so this doesn't hurt anonymity
-
tom
And you can mail letters from anywhere in the world
-
tom
Postcards are universal
-
tom
It also gives you an opportunity to build a collage and a better sense of community
-
tom
When you receive the postcard you just type it into your server to lookup the reg details and activate the account
-
tom
If you don't get a postcard in 30 days for a code you purge the reg info
-
tom
Most spammers don't bother when the turing test is in meatspace and costs actual money
-
tom
Not much, mind you; postage and a postcard are only a few cents, even worldwide postage
-
jonas’
doesn’t scale though
-
tom
Anybody can afford to send a postcard
-
jonas’
* jonas’ imagines handling 1k postcards / day
-
jonas’
or even per week
-
Ellenor Malik
:O
-
jonas’
or month
-
tom
jonas’: I doubt that many reges are legit, and if you're at that scale then geez, you would be replacing big tech and FAANGs
-
tom
But
-
tom
If you were
-
tom
Just replace the postcard with a printable form and buy a SCANTRON machine
-
tom
The same kind of machine they use for standardized tests
-
jonas’
SCANTRON :D
-
raucao
> bastoon: that doesnt work because you need to mine a whole block to get a payout That's what lightning network is for
-
raucao
Instant confirmation, virtually no fee
-
tom
These things scale up to nationwide elections
-
raucao
Extra bonus with LN is that you could block a spammer's LN node, too
-
tom
https://www.ebay.com/sch/i.html?_from=R40&_trksid=m570.l1313&_nkw=scantron&_sacat=0
-
tom
jonas’: you really get over 1k legit reges a day?
-
jonas’
tom, no, I don’t run a public server