-
rob
Not that anyone uses my server but me really, but expect interruptions on Saturday as the network connection is upgraded. Might as well update the whole system that day too
-
zp1.net
> somebody's abusing Muclumbus
How?
-
Licaon_Kter
zp1.net: joining MUCs and spamming
-
zp1.net
So they're abusing the mucs not the muclumbus
-
zp1.net
There is a simple solution. Make mucs encrypted without public access.
-
zp1.net
Or give read access only after 6 days.
-
Харпер
What is muclumbus?
-
Харпер
I thought that was the bot for s.j.n?
-
Licaon_Kter
Харпер: sjn's former name that's unsearchable
-
zp1.net
I could not find any documentation about this muclumbus. Is this a closed source feature?
-
Licaon_Kter
zp1.net: it's https://search.jabber.network aka Discover in Conversations uses it. A strange name for whatever reason.
-
Licaon_Kter
Usually short as s.j.n around the ecosystem
-
croax
Christopher Muclumbus, the MUC discoverer!
-
rob
> There is a simple solution. Make mucs encrypted without public access.
Not really a solution to spam. How would you have public group chat then?
-
zp1.net
rob, you ask for joining ... and a moderator let you in
-
Sam
Now moderators just get spammed with join requests from bots.
-
zp1.net
Sam, moderators have an ignore button ...
-
Sam
So you've shifted the annoyance from all users to moderators and it's even more valuable for spammers because on the off chance that a moderator accidentally lets one in they appear to be a trusted user.
-
zp1.net
Sam, so you discovered how xmpp works. There is no 100% security.
-
croax
zp1.net: Don't you think spam gets adapted to generic rules like this and what you offer may only work as it is a concealed part of the ecosystem?
-
croax
Moreover it ruins the public access of MUC
-
Sam
This has nothing to do with XMPP specifically and no one is asking for 100% security.
-
zp1.net
let's admit there comes a spammer. he posts a link to some bad content. can't we just ignore this?
-
Sam
To fight spam you have to either detect and block it, or raise the barrier to entry high enough that some spammers will decide it's not worth it. Yours puts all the pressure on the people in the MUCs and the moderators instead of the spammers, this is why eg. email and the like don't generally do something similar for public lists.
-
Sam
No, because some people won't realize the link is spam and will click on it, meaning the spam worked and encouraging more spam. Eventually if it's profitable enough there will be too much spam to ignore. I'm not saying that it's a big problem right now, just that we can't pretend it's not a problem forever.
-
zp1.net
I don't worry about spam... I have learned to ignore it. I only click on links whose posters I know, and I don't load pictures or 3rd party content.
-
Sam
Good for you. You probably had to learn that through experience which will mean one or two mistakes from new people which means the spam will still be valuable and will keep happening.
-
Sam
I mean, we should all cultivate good practices, but that doesn't mean we don't actively combat spam either.
-
rob
> Moreover it ruins the public access of MUC
Exactly, it's not a public chat anymore
-
Sam
^ this is also the main thing; to fight spam you've had to break the entire way many MUCs work. This seems like overkill for something that probably won't even reduce spam that much or will just redirect who the spam is targeted at.
-
pintosesk
sounds like 'people cause spam, we must stop people from doing that but they're too stupid'
-
pintosesk
'so rip'
-
zp1.net
you could write the clients in a way that they show "default" from strangers only text, no links, pictures or other content. and only if you know someone or you have the sender in the address book, you enable your "external" content.
-
Sam
I think the joinjabber.org people had a specific room for discussion of spam fighting; maybe they've had this discussion before or have other ideas
-
Licaon_Kter
zp1.net: anonymous public room.... What?
-
Sam
zp1.net: that seems like a good idea, but I don't think it applies to most MUCs where JIDs aren't known. Also most spam that I've received is text only anyways
-
zp1.net
Sam, I don't think that not seeing the jid is a good idea anyway
-
zp1.net
If jids were visible, I could block other participants in the room where I am not curious about what they post
-
Licaon_Kter
If jids are visible they can spam everyone...personally, and sell their jids...how about we don't do that, yes?
-
Sam
If everyone can see the JID all the time it gives spammers a good place to harvest JIDs too, making MUCs an even more tempting target. But also I sort of agree with you, we need more persistent JID tracking so that we can block users without them just changing their nick.
-
Sam
Yes, that :)
-
Sam
I started writing the burner JID spec hoping we could come up with specific implementations that did this, but it never really got anywhere and I never figured out how/if it could really be used for this.
-
Sam
Well, sort of, I guess that's not quite the same as this. Ignore me.
-
zp1.net
Nobody forces you to accept messages from strangers. this option is available in almost all clients.
-
Licaon_Kter
zp1.net: yes, but what you're gonna do when you get continuous open chats even?
-
croax
Then you shall block all strangers because of spam and this functionality is no more possible to use.
-
zp1.net
All these problems have already been solved in IRC 20 years ago, now we sit there and act as if IRC never existed, and as if all these problems are new.
-
Sam
If that's true that sounds great, but I still see a lot of spam in IRC channels so I'm not sure that's true.
-
Sam
Right now we have most of the same controls IRC has too, so I don't think we ignored what IRC did.
-
Licaon_Kter
zp1.net: IRC resolved it by having users move away, the hardcore that left....they're not spamming
-
Sam
The way we stopped spam in one big IRC channel I'm an admin on is by requiring registration of a nick. This works okay (we still get people who register and then spam and get banned, but it did raise the bar enough to stop some people), but also reduced the utility of the chat for asking questions.
-
croax
IRC is slightly different as it has a single entry point for registrations. It would be more accurate to see similarities with e-mail.
-
zp1.net
I just say we must learn to deal with the spam. Ignore spammers, mute, block, etc. ... And no one says life as a moderator is easy. it is very difficult and you need strong nerves.
-
Sam
I agree that moderation is tough, but IMO that means we shouldn't deliberately make it tougher and we should try to fight spam for their sake, not just ignore it.
-
Sam
What harm does trying to come up with a way to fight spam do? I don't understand why "just ignore it" would ever be a valid position. I mean, for you personally that might work, but why try to tell others not to work on the problem?
-
kuba_
Sam: there is option to make muc only for +v users
-
Sam
kuba_: yes, that's what I was saying, we have the same things IRC does
-
zp1.net
We have to get away from the "cancel culture". i know that's fantastically difficult. We need to make people immune to spam. The approach to completely eradicate spam is wrong, we will never succeed.
-
zp1.net
Most people are IT analphabets. I keep seeing politicians like Hillary Clinton and Anthony Fauci, who are expected not to be IT illiterate, having their passwords stolen with simple phishing. These people have too high an expectation of IT security.
-
zp1.net
So in my opinion we need to educate people, not look for the perfect spam protection.
-
Sam
And there goes the discussion. I was hesitant to assume bad faith, but it's just another troll. Plonk please.
-
Sam
No one is saying that spam protection needs to be perfect or that we shouldn't have any education.
-
Sam
Anyways, if anyone is actually interested in discussing abuse mitigation this might be another good room for it: xmpp:abuse@joinjabber.org?join
-
Sam
(not that this isn't a good place since it probably affects operators a lot more than most people)
-
qy
zp1.net, zp1.net:
-
qy
Oops
-
zp1.net
i am not trying to minimize the problem, spam is a very serious and dangerous thing. And we should discuss the problem ad nauseam. The topic is in no way OT.
-
qy
Didnt mean to send that. (but i do fail to see how that is trolling)
-
rozzin
If we're going to have this conversation, I think it would be helpful to actually define what sort of behavior we're even talking about when we say "spamming" here:
> joining MUCs and spamming
-
rob
I think of both trolling and literally spamming the same message over and over
-
rozzin
zp1.net appears to have read "spamming" as "posting links and images that advertise things"; if I hadn't seen that, I would have just assumed it meant "connecting and dumping large volumes of text"
-
rozzin
"connecting and dumping large volumes of text" is the meaning of "spamming" that I've known in MUCs and IRC; vs. the other meaning which I've found to be more specific to e-mail.
-
zp1.net
rozzin, yes I think spam has to be "potentially" dangerous. Dumping large volumes of text is OT or trolling, but it is not spam.
-
rozzin
zp1.net: that also seems backward to me.
-
rozzin
zp1.net: trolling is an attempt to elicit a response.
-
rob
Trolling is just ranting on and on trying to get a rise out of people or annoy them
-
Sam
I'm not sure that the exact definition matters, I'm just pushing back against "lock down all MUCs or do nothing" as solutions and that I think would be a bad idea for either of those things.
-
rob
Opposing an opinion for the sake of arguing etc
-
rozzin
zp1.net: like, a buggy program that repeatedly crashes and auto-restarts and generates 1k messages per second is "spamming your log", it is not "trolling your log".
-
rob
> I'm not sure that the exact definition matters, I'm just pushing back against "lock down all MUCs or do nothing" as solutions and that I think would be a bad idea for either of those things.
Same, we don't need to stop allowing open public discussion. But find a way to combat the issue we have while allowing said open discussion to continue
-
croax
Hey guys. The good news is this is up to MUC/server policy to regulate this. No need for an agreement here ;-)
-
rozzin
croax: yeah, well put 😃
-
rob
As the operators of said services however, pretty on topic
-
zp1.net
brb
-
croax
rob: Yeah, not saying this OT and also it may have impact: public MUC interoperability, Christopher Muclumbus, ... and I'm glad people share their point of views.
-
rozzin
I think the edge where the e-mail meaning and IRC meaning of "spamming" actually agree is "sending a message to many recipients indiscriminately", which is still more about overall volume rather than content. I guess this was what was meant in this particular "abusing Muclumbus" case?
-
rozzin
i.e. "bulk posting to MUCs listed in search.jabber.network"?
-
rozzin
Haven't seen it hit any of mine yet.
-
rob
> rob: Yeah, not saying this OT and also it may have impact: public MUC interoperability, Christopher Muclumbus, ... and I'm glad people share their point of views.
And it's always a good conversation, seeing what other operators face and worry about
-
rob
> Haven't seen it hit any of mine yet.
Mine neither, they are basically empty though
-
xorman
Is the "hotel california" bifrost issue also present backwards? namely matrix users unable to leave xmpp rooms
-
qy
Not afaik
-
qy
Remember, matrix users are profitable, xmpp users arent
-
ernst.on.tour
Just a little idea: What about a "portal" before entering a public MUC? A bot tells you to send "!getaccess ..." before entering and if it was sent, access is granted. The "payload" should change for each !getaccess and a lot of automatic spammers will be stopped? Some (I know, very oldschool 😉) forums ask for "How many wheels has a Kawasaki?" or "What's the name of the part between your eyes and your mouth?" If queries are not calculated "What is the result of 2+2?" and are a little native speaking, they will need a "human". Doesn't help for trolls, doesn't help for flooding, but robotspam maybe. You'll never get an automatic for "access denied" if a human is sitting on the other end of the line. jm2c
-
qy
Most spam isnt automated
-
Menel
Talking about spam: Anyone using this module? https://modules.prosody.im/mod_muc_ban_ip.html It's only effective if the server the spam comes from enables it.
-
stpeter
Also of interest: https://spam.goxmpp.com/
-
croax
Menel: With this, what do prevent evil s2s from banning all server's users?
-
Menel
Evil admins can just stop federation ? Why not
-
Menel
Ah, now I get what you mean. It should contain a whitelist of servers you trust that are allowed to ban
-
croax
Menel: yes sure. Maybe this is missing at the moment, or to combine with firewall rules.
-
rozzin
Mmm..., we've been having conversations like that WRT xmpp-ircd, about how to use IRC-style bans for IRC users gatewaying into XMPP MUCs....
-
rozzin
One idea was "just log something every time a user gets banned from a MUC on this server, and if connects from some host are frequently getting banned from MUCs here then fail2ban or whatever can see that and automatically just block the whole origin host".
-
rozzin
The idea is not really specific to xmpp-ircd.
-
rozzin
For that specific case the next question was "well what about nasties coming in through a shared IRC bouncer?", and the answer was "the operator of the bouncer then gets to deal with that nasty user and appeal to get their bouncer IP un-banned"
-
rozzin
...which is basically the same situation as we have in XMPP.
-
rozzin
Would be nice to be able to provide other users of the banned s2s node a helpful error-message, like "sorry, some spammer on your XMPP service got your whole domain blocked from our chatrooms; ask your admin to get in touch with us".
-
xorman
> Remember, matrix users are profitable, xmpp users arent
it may seem like scraping as much of XMPP chatrooms is the goal. They are basically achieving a big centralized chatlog of the whole network
-
qy
rozzin: does xmpp-ircd work?
-
qy
Do you use it
-
qy
xorman: Yep
-
rozzin
qy: Yes.
-
rozzin
qy: https://github.com/moparisthebest/xmpp-ircd
-
qy
rozzin: Where?
-
qy
Last i heard it was unviable
-
rozzin
qy: if you want to try it yourself: https://github.com/moparisthebest/xmpp-ircd
-
qy
I saw, you sent that 3 minutes ago
-
qy
rozzin: I meant where do you use it
-
rozzin
Sorry, itchy paste-finger 😜️
-
rozzin
qy: we have it running on irc.hackerposse.com, gatewaying into the xmpp-ircd MUC and other MUCs hosted there
-
rozzin
qy: please don't test how we currently handle spammers ;)
-
rozzin
qy: I'm curious as to what you mean by "unviable"?
-
qy
rozzin: Hm, well for example, i cant connect currently :p
-
qy
Not sure though. I heard reports that it doesnt work well
-
rozzin
Well, crap ;)
-
rozzin kicks it.
-
rozzin
qy: I think it's because I restarted the XMPP server but didn't restart the xmpp-ircd.
-
rozzin
Will file a bug for that ;)
-
rob
Why do I try to run updates when I'm away from my server? Lol
-
rozzin
qy: config error; corrected. Feel free to try it out now.
-
qy
Oh! Neat.
-
emus
Hello, are there any admins of the Tigase public xmpp server here?
-
MattJ
emus: I don't think so, but you can find them at tigase@muc.tigase.org
-
emus
MattJ: thanks!