XMPP Service Operators - 2021-11-22

Licaon_Kter‎: xmpp:support@404.city mailto:support@404.city

moparisthebest: > Or you can just have a simple setup and accept a bit of downtime now and then I'm inclined to think that client-side failover should be a thing. Like, advancing multi-account UIs to the point of (reasonable) transparency for the user, so that they could assign one of the accounts as an explicit fallback of another, and forget about it. Probably would require extending xmpp uris, so that they can carry fallback jids

This gives the ability to distribute not only accross networks and jurisdictions, but also across operators

Cough blabber.im cough

Would be awesome, but seems more like a far goal..

Yup. In the mean time, it's probably the deal-with-it approach :))

from the perspective of whatsapp & co, these are luxury issues really

in that world, I think it's dealt with by having the phone number as identifier, meaning you can try e.g. signal on the same number when whatsapp is borked. abstracting that, the "low-tech" recommendation would probably be to include a fallback JID in a vcard which can be discovered by clients.

> the "low-tech" recommendation would probably be to include a fallback JID in a vcard which can be discovered by clients. Right, that'd be a start

_What is Quicksy..._

What time in UTC do you chat? Communication via PM is not a convenient way, since both interlocutors must be online at the same time. If it is forbidden to write to a spammer in this chat, write in the chat xmpp:en@chat.404.city?join (This is not a contact for feedback and I do not follow the messages, but in this case I will make an exception and check if there are messages from you today, as it is more convenient than waiting for a message in PM)

> Communication via PM is not a convenient way, since both interlocutors must be online at the same time. Don't you have MAM/Carbons?

jonas’, Does PM of group chats allow to send messages offline?

ohh, that kind of PM

nevermind

I was thinking direct 1:1 PMs

jonas’, I don’t know the XMPP address Licaon_Kter

404.city: it's so hard to lurk here all the time?

and you still drop messages from strangers so one cannot contact you via the 156 address?

Licaon_Kter, It doesn't matter anymore. I will write here.

Licaon_Kter, Thanks! I received a your message. This account has been banned.

Licaon_Kter, Is it more like a flood than a spam? You may have collided with Morph, this guy also damaged 404 chats. He just flooded chats with pictures. After blocking, he creates accounts on the new server and continues to flood

404.city: morph or not, not the idea, ban ips, carry on

Licaon_Kter, What chat did this incident take place in? conversations-offtopic-talk? If yes, then he said that he hates this chat

Read my PM above...again...

Not Offtopic

> Read my PM above...again... Hm. I have no new messages from you there PM

Okay, no matter, the account has been banned. Write more, but for faster blocking, you could add a contact xmpp:support@404.city to the roster and write there or tell us your contact. This is the faster way. Thanks for the abuse notice

404.city: > spammed at least the *Dino support* and *Conversations support MUCs* with hundreds of links Now you see it?

404.city: the point of this MUC is that we all join a single MUC for the entire ecosystem, not one room on each and every server ffs

I tend to disagree; this is a place where operators can communicate, and that may include the occasional "hey, who oeprates X, it's spamming" or what not, but this definitely shouldn't be a requirement for all XMPP operators otherwise you can't get spam reports.

Didn't say a requirement, just that "nicer" Also 404 comes here at the drop of a pin if they need to "defend" their server, so rather meh to say _"join our support blahblah"_ when someone else has an issue.

Well, having a JID in XEP-0157 that doesn't block non-contacts would be a good start.

> Didn't say a requirement, just that "nicer". Also 404 comes here at the drop of a pin if they need to "defend" their server, so rather meh to say _"join our support blahblah"_ when someone else has an issue. Licaon_Kter I could not translate the meaning of your words > ‎Licaon_Kter‎: Now you see it? Yes, now I noticed

404.city: it means you were here when Alex and the news@ were discussed

Licaon_Kter, This issue has not been discussed well enough because it is forbidden here to discuss it. Alex was slandered.

> Ge0rG‎: Well, having a JID in XEP-0157 that doesn't block non-contacts would be a good start. How to stop the flood in this case? If anyone can send a message, anyone can send thousands of messages

I've never received floods on my account. I got a bunch of DDoS attacks, and the usual standard spammers from Russia

You're a server administrator, if you're going to administer a good server you're going to have to accept that others need to be able to contact you.

and for the russian spammers, there are mechanisms that you could roll out for you *and* for your users

This is exactly the problem that was contained in the abuse report Licaon_Kter . In group chats this is solved with the help of a - manual check, an analogue of this is in private messages - an addition to the roster

Given that all the spam bots try to subscribe to your roster, how is this a solvable problem?

> Sam‎: You're a server administrator, if you're going to administer a good server you're going to have to accept that others need to be able to contact you. This is possible, for this you need to add a contact to the roster or write to the mail.

> Ge0rG‎: Given that all the spam bots try to subscribe to your roster, how is this a solvable problem? This does not completely solve the problem, but it does not allow you to send millions of messages from thousands of contacts. The problem can be completely solved by solving the captcha after adding it to the roster, but now the captcha in ejabberd is not adapted for mobile devices, which does not allow full use of the captcha. Captcha before sending messages from strangers could solve the problem of spam and flooding in XMPP

> Ge0rG‎: I've never received floods on my account Fortunately, you did not have a similar problem, but if you did have this problem, I think your opinion about the need to receive messages from strangers may have changed

Even if it's true that you're getting floods of messages, if you're a server admin it seems like you either need to accept that or stop being a server admin. It's your responsibility to find a way to take reports, if no one can contact you that seems bad.

We all understand that there is no point in limiting communication unnecessarily.

> Captcha before sending messages from strangers ... ...could solve the problem of having users in XMPP

Sam, These methods exist and have already been described. Especially for those who, for one reason or another, did not want to add a contact to the roster or have a problem with server-to-server connection, an email link has been added.

404.city, seems you publish mailito:support@404.city via '157 (i.e., typo in `mailto`)?

Holger, Thanks for the bug report. Yes, that's a typo

Fixed

Thanks.

FWIW, personally I think it's fine to just publish an email contact for abuse handling. One problem with XMPP is that you'd need to hack around the XMPP design to make it work well for the case where you have multiple admins. The email universe already has the required hacks.

And `mod_block_strangers` conflicting with proper abuse handling is just another example of XMPP not really being prepared for the job. Discovery of abuse report addresses must be very good, but that implies they can easily be discovered by spammers/attackers as well. However, adding barriers to abuse reporting, such as CAPTCHA foo or presence subscription enforcement, is bad. Email has better solutions than we do, right now.

> FWIW, personally I think it's fine to just publish an email contact for abuse handling. One problem with XMPP is that you'd need to hack around the XMPP design to make it work well for the case where you have multiple admins. The email universe already has the required hacks. https://k.sfconservancy.org/ForwardXMPP ?

Yeah, and then where's the knob in my client to respond with Cc: to the other admins ...

And the other knob to only talk about the problem to the other admins ...

And to set the proper from= address ...

Holger: have it forward to your admin MUC?

Maybe, somehow, I dunno. As I said you need to hack around it somehow.

Holger: easy solution: xmpp:support@conference.mydomain.tld?join

Ge0rG, so people report JIDs in public in there?

good point. PM to the admin in the room?

Which of the admins?

And hope he won't loose his connection?

their her their whatever

I'm actually not really familiar with the specifics of how that bot works—e.g. I don't even know whether it's unidirectional or or what it might do with messages arriving from the other side. But, in case someone here might find it useful....

🙂

I'm obviously not arguing *against* using XMPP for abuse reporting. Just that I think it's acceptable to use email instead.

Holger: well, I very much prefer to have a JID or a MUC to directly contact in case of abuse, and if it's a MUC then I'll say there I have something to report and wait for an admin to reply.

Might also be useful to somehow fo something based on https://git.singpolyma.net/cheogram-muc-bridge

I'd see more point in XMPP once we have more automatisms in place. We obviously wouldn't want to build those on top of other protocols.

something with data forms.

... or maybe even combine the two things somehow.

Just use Matrix.

Or just put a floppy disk with a PDF form and a note about what PO box to mail the printed out form to on display in the bottom of a locked filing cabinet stuck in a disused lavatory with a sign on the door saying ‘Beware of the Leopard’.

spam

spam

spam

spam