XMPP Service Operators - 2021-07-09


  1. rob

    Not that anyone uses my server but me really, but expect interruptions on Saturday as the network connection is upgraded. Might as well update the whole system that day too

  2. zp1.net

    > somebody's abusing Muclumbus

    How?

  3. Licaon_Kter

    zp1.net: joining MUCs and spamming

  4. zp1.net

    So they're abusing the mucs, not the muclumbus

  5. zp1.net

    There is a simple solution. Make mucs encrypted without public access.

  6. zp1.net

    Or give read access only after 6 days.

  7. Харпер

    What is muclumbus?

  8. Харпер

    I thought that was the bot for s.j.n?

  9. Licaon_Kter

    Харпер: sjn's former name that's unsearchable

  10. zp1.net

    I could not find any documentation about this muclumbus. Is this a closed source feature?

  11. Licaon_Kter

    zp1.net: it's https://search.jabber.network aka Discover in Conversations uses it. A strange name for whatever reason.

  12. Licaon_Kter

    Usually short as s.j.n around the ecosystem

  13. croax

    Christopher Muclumbus, the MUC discoverer!

  14. rob

    > There is a simple solution. Make mucs encrypted without public access.

    Not really a solution to spam. How would you have public group chat then?

  15. zp1.net

    rob, you ask for joining ... and a moderator let you in

  16. Sam

    Now moderators just get spammed with join requests from bots.

  17. zp1.net

    Sam, moderators have an ignore button ...

  18. Sam

    So you've shifted the annoyance from all users to moderators and it's even more valuable for spammers because on the off chance that a moderator accidentally lets one in they appear to be a trusted user.

  19. zp1.net

    Sam, so you discovered how xmpp works. There is no 100% security.

  20. croax

    zp1.net: Don't you think spam gets adapted to generic rules like this, and what you offer may only work as it is a concealed part of the ecosystem?

  21. croax

    Moreover it ruined the public access of MUC

  22. croax

    Moreover it ruins the public access of MUC

  23. Sam

    This has nothing to do with XMPP specifically and no one is asking for 100% security.

  24. zp1.net

    let's admit there comes a spammer. he posts a link to some bad content. can't we just ignore this?

  25. Sam

    To fight spam you have to either detect and block it, or raise the barrier to entry high enough that some spammers will decide it's not worth it. Yours puts all the pressure on the people in the MUCs and the moderators instead of the spammers, this is why eg. email and the like don't generally do something similar for public lists.

  26. Sam

    No, because some people won't realize the link is spam and will click on it, meaning the spam worked and encouraging more spam. Eventually if it's profitable enough there will be too much spam to ignore. I'm not saying that it's a big problem right now, just that we can't pretend it's not a problem forever.

  27. zp1.net

    I don't worry about spam... I have learned to ignore it. I only click on links whose posters I know, and I don't load pictures or 3rd party content.

  28. Sam

    Good for you. You probably had to learn that through experience which will mean one or two mistakes from new people which means the spam will still be valuable and will keep happening.

  29. Sam

    I mean, we should all cultivate good practices, but that doesn't mean we don't actively combat spam either.

  30. rob

    > Moreover it ruins the public access of MUC

    Exactly, it's not a public chat anymore

  31. Sam

    ^ this is also the main thing; to fight spam you've had to break the entire way many MUCs work. This seems like overkill for something that probably won't even reduce spam that much or will just redirect who the spam is targeted at.

  32. pintosesk

    sounds like 'people cause spam, we must stop people from doing that but they're too stupid'

  33. pintosesk

    'so rip'

  34. zp1.net

    you could write the clients in a way that they show "default" from strangers only text, no links, pictures or other content. and only if you know someone or you have the sender in the address book, you enable your "external" content.

  35. Sam

    I think the joinjabber.org people had a specific room for discussion of spam fighting; maybe they've had this discussion before or have other ideas

  36. Licaon_Kter

    zp1.net: anonymous public room.... What?

  37. Sam

    zp1.net: that seems like a good idea, but I don't think it applies to most MUCs where JIDs aren't known. Also most spam that I've received is text only anyways

  38. zp1.net

    Sam, I don't think that not seeing the jid is a good idea anyway

  39. zp1.net

    If jids were visible, I could block other participants in the room where I am not curious about what they post

  40. Licaon_Kter

    If jids are visible they can spam everyone...personally, and sell their jids...how about we don't do that, yes?

  41. Sam

    If everyone can see the JID all the time it gives spammers a good place to harvest JIDs too, making MUCs an even more tempting target. But also I sort of agree with you, we need more persistent JID tracking so that we can block users without them just changing their nick.

  42. Sam

    Yes, that :)

  43. Sam

    I started writing the burner JID spec hoping we could come up with specific implementations that did this, but it never really got anywhere and I never figured out how/if it could really be used for this.

  44. Sam

    Well, sort of, I guess that's not quite the same as this. Ignore me.

  45. zp1.net

    Nobody forces you to accept messages from strangers. this option is available in almost all clients.

  46. Licaon_Kter

    zp1.net: yes, but what you're gonna do when you get continuous open chats even?

  47. croax

    Then you shall block all strangers because of spam and this functionality is no more possible to use.

  48. Licaon_Kter

    zp1.net: yes, but what you're gonna do when you get continuous open chats even?

  49. zp1.net

    All these problems have already been solved in IRC 20 years ago, now we sit there and act as if IRC never existed, and as if all these problems are new.

  50. Sam

    If that's true that sounds great, but I still see a lot of spam in IRC channels so I'm not sure that's true.

  51. Sam

    Right now we have most of the same controls IRC has too, so I don't think we ignored what IRC did.

  52. Licaon_Kter

    zp1.net: IRC resolved it by having users move away, the hardcore that left....they're not spamming

  53. Sam

    The way we stopped spam in one big IRC channel I'm an admin on is by requiring registration of a nick. This works okay (we still get people who register and then spam and get banned, but it did raise the bar enough to stop some people), but also reduced the utility of the chat for asking questions.

  54. croax

    IRC is slightly different as it has a single point of entry for registrations. It would be more accurate to see similarities with e-mail.

  55. croax

    IRC is slightly different as it has a single entry point for registrations. It would be more accurate to see similarities with e-mail.

  56. zp1.net

    I just say we must learn to deal with the spam. Ignore spammers, mute, block, etc. ... And no one says life as a moderator is easy. it is very difficult and you need strong nerves.

  57. Sam

    I agree that moderation is tough, but IMO that means we shouldn't deliberately make it tougher and we should try to fight spam for their sake, not just ignore it.

  58. Sam

    What harm does trying to come up with a way to fight spam do? I don't understand why "just ignore it" would ever be a valid position. I mean, for you personally that might work, but why try to tell others not to work on the problem?

  59. kuba_

    Sam: there is an option to make muc only for +v users

  60. Sam

    kuba_: yes, that's what I was saying, we have the same things IRC does

  61. zp1.net

    We have to get away from the "cancel culture". i know that's fantastically difficult. We need to make people immune to spam. The approach to completely eradicate spam is wrong, we will never succeed.

  62. zp1.net

    Most people are IT illiterates. I keep seeing politicians like Hillary Clinton and Anthony Fauci, who are expected not to be IT illiterate, having their passwords stolen with simple phishing. These people have too high an expectation of IT security.

  63. zp1.net

    So in my opinion we need to educate people, not look for the perfect spam protection.

  64. Sam

    And there goes the discussion. I was hesitant to assume bad faith, but it's just another troll. Plonk please.

  65. Sam

    No one is saying that spam protection needs to be perfect or that we shouldn't have any education.

  66. Sam

    Anyways, if anyone is actually interested in discussing abuse mitigation this might be another good room for it: xmpp:abuse@joinjabber.org?join

  67. Sam

    (not that this isn't a good place since it probably affects operators a lot more than most people)

  68. qy

    zp1.net, zp1.net:

  69. qy

    Oops

  70. zp1.net

    i am not trying to minimize the problem, spam is a very serious and dangerous thing. And we should discuss the problem ad nauseam. The topic is in no way OT.

  71. qy

    Didnt mean to send that. (but i do fail to see how that is trolling)

  72. rozzin

    If we're going to have this conversation, I think it would be helpful to actually define what sort of behavior we're even talking about when we say "spamming" here:

    > joining MUCs and spamming

  73. rob

    I think of both trolling and literally spamming the same message over and over

  74. rozzin

    zp1.net appears to have read "spamming" as "posting links and images that advertise things"; if I hadn't seen that, I would have just assumed it meant "connecting and dumping large volumes of text"

  75. rozzin

    "connecting and dumping large volumes of text" is the meaning of "spamming" that I've known in MUCs and IRC; vs. the other meaning which I've found to be more specific to e-mail.

  76. zp1.net

    rozzin, yes I think spam has to be "potentially" dangerous. Dumping large volumes of text is OT or trolling, but it is not spam.

  77. rozzin

    zp1.net: that also seems backward to me.

  78. rozzin

    zp1.net: trolling is an attempt to elicit a response.

  79. rob

    Trolling is just ranting on and on trying to get a rise out of people or annoy them

  80. Sam

    I'm not sure that the exact definition matters, I'm just pushing back against "lock down all MUCs or do nothing" as solutions and that I think would be a bad idea for either of those things.

  81. rob

    Opposing an opinion for the sake of arguing etc

  82. rob

    Opposing an opinion for the sake of arguing etc

  83. rozzin

    zp1.net: like, a buggy program that repeatedly crashes and auto-restarts and generates 1k messages per second is "spamming your log", it is not "trolling your log".

  84. rob

    > I'm not sure that the exact definition matters, I'm just pushing back against "lock down all MUCs or do nothing" as solutions and that I think would be a bad idea for either of those things.

    Same, we don't need to stop allowing open public discussion. But find a way to combat the issue we have while allowing said open discussion to continue

  85. croax

    Hey guys. The good news is this is up to MUC/server policy to regulate this. No need for an agreement here ;-)

  86. rozzin

    croax: yeah, well put 😃

  87. rob

    As the operators of said services however, pretty on topic

  88. zp1.net

    brb

  89. croax

    rob: Yeah, not saying this is OT and also it may have impact: public MUC interoperability, Christopher Muclumbus, ... and I'm glad people share their points of view.

  90. rozzin

    I think the edge where the e-mail meaning and IRC meaning of "spamming" actually agree is "sending a message to many recipients indiscriminately", which is still more about overall volume rather than content. I guess this was what was meant in this particular "abusing Muclumbus" case?

  91. rozzin

    i.e. "bulk posting to MUCs listed in search.jabber.network"?

  92. rozzin

    Haven't seen it hit any of mine yet.

  93. rob

    > rob: Yeah, not saying this is OT and also it may have impact: public MUC interoperability, Christopher Muclumbus, ... and I'm glad people share their points of view.

    And it's always a good conversation, seeing what other operators face and worry about

  94. rob

    > rob: Yeah, not saying this is OT and also it may have impact: public MUC interoperability, Christopher Muclumbus, ... and I'm glad people share their points of view.

    And it's always a good conversation, seeing what other operators face and worry about

  95. rob

    > Haven't seen it hit any of mine yet.

    Mine neither, they are basically empty though

  96. xorman

    Is the "hotel california" bifrost issue also present backwards? namely matrix users unable to leave xmpp rooms

  97. qy

    Not afaik

  98. qy

    Remember, matrix users are profitable, xmpp users arent

  99. ernst.on.tour

    Just a little idea: What about a "portal" before entering a public MUC? A bot tells you to send "!getaccess ..." before entering and if it was sent, access is granted. The "payload" should change for each !getaccess and a lot of automatic spammers will be stopped?

    Some (I know very oldschool 😉) forums ask for "How many wheels got a Kawasaki?" or "What's the name of the part between your eyes and your mouth?" If queries will not be calculated "What is the result of 2+2?" and be a little native speaking, they will need a "human".

    Don't help for trolls, don't help for flooding, but robotspam maybe. You'll never get an automatic for "access denied" if a human is sitting on the other end of the line.

    jm2c

  100. qy

    Most spam isnt automated

  101. Menel

    Talking about spam: Anyone using this module? https://modules.prosody.im/mod_muc_ban_ip.html It's only effective if the server the spam comes from enables it.

  102. stpeter

    Also of interest: https://spam.goxmpp.com/

  103. croax

    Menel: With this, what do prevent from evil s2s banning all server's users?

  104. croax

    Menel: With this, what do prevent evil s2s from banning all server's users?

  105. Menel

    Evil admins can just stop federation ? Why not

  106. Menel

    Ah, now I get what you mean. It should contain a whitelist of servers you trust that are allowed to ban

  107. croax

    Menel: yes sure. Maybe this is missing at the moment, or may combine with firewall rules.

  108. croax

    Menel: yes sure. Maybe this is missing at the moment, or maybe to combine with firewall rules.

  109. croax

    Menel: yes sure. Maybe this is missing at the moment, or to combine with firewall rules.

  110. rozzin

    Mmm..., we've been having conversations like that WRT xmpp-ircd, about how to use IRC-style bans for IRC users gatewaying into XMPP MUCs....

  111. rozzin

    One idea was "just log something every time a user gets banned from a MUC on this server, and if connects from some host are frequently getting banned from MUCs here then fail2ban or whatever can see that and automatically just block the whole origin host".

  112. rozzin

    The idea is not really specific to xmpp-ircd.

  113. rozzin

    For that specific case the next question was "well what about nasties coming in through a shared IRC bouncer?", and the answer was "the operator of the bouncer then gets to deal with that nasty user and appeal to get their bouncer IP un-banned"

  114. rozzin

    ...which is basically the same situation as we have in XMPP.

  115. rozzin

    Would be nice to be able to provide other users of the banned s2s node a helpful error-message, like "sorry, some spammer on your XMPP service got your whole domain blocked from our chatrooms; ask your admin to get in touch with us".

  116. xorman

    > Remember, matrix users are profitable, xmpp users arent

    it may seem like scraping as much of XMPP chatrooms is the goal. They are basically achieving a big centralized chatlog of the whole network

  117. qy

    rozzin: does xmpp-ircd work?

  118. qy

    Do you use it

  119. qy

    xorman: Yep

  120. rozzin

    qy: Yes.

  121. rozzin

    qy: https://github.com/moparisthebest/xmpp-ircd

  122. qy

    rozzin: Where?

  123. qy

    Last i heard it was unviable

  124. rozzin

    qy: if you want to try it yourself: https://github.com/moparisthebest/xmpp-ircd

  125. qy

    I saw, you sent that 3 minutes ago

  126. qy

    rozzin: I meant where do you use it

  127. rozzin

    Sorry, itchy paste-finger 😜️

  128. rozzin

    qy: we have it running on irc.hackerposse.com, gatewaying into the xmpp-ircd MUC and other MUCs hosted there

  129. rozzin

    qy: please don't test how we currently handle spammers ;)

  130. rozzin

    qy: I'm curious as to what you mean by "unviable"?

  131. qy

    rozzin: Hm, well for example, i cant connect currently :p

  132. qy

    Not sure though. I heard reports that it doesnt work well

  133. rozzin

    Well, crap ;)

  134. rozzin kicks it.

  135. rozzin

    qy: I think it's because I restarted the XMPP server but didn't restart the xmpp-ircd.

  136. rozzin

    Will file a bug for that ;)

  137. rob

    Why do I try to run updates when I'm away from my server? Lol

  138. rozzin

    qy: config error; corrected. Feel free to try it out now.

  139. qy

    Oh! Neat.

  140. emus

    Hello, are there any admins of the Tigase public xmpp server here?

  141. MattJ

    emus: I don't think so, but you can find them at tigase@muc.tigase.org

  142. emus

    MattJ: thanks!