XMPP Service Operators - 2021-12-05


  1. TheCoffeMaker

    cyberdelia's public MUCs were his target too ... but two days later, with second jid ... but what moparisthebest said is true, malicious reports are a threat too. I did solve it by closing registration and only giving accounts to users that I know and trust, their families and friends, but that's my usecase ... If one of cyberdelia's accounts is causing issues I can take my car and drive to his/her home and have a talk (meaning I really know who they are) ... but how to solve without making XMPP another email like service administration hell ?

  2. MattJ

    TheCoffeMaker, that's pretty much the use-case Snikket tries to satisfy (a server for family/friends/people-you-know), while trying to make it as easy as possible (easier than email hosting for sure)

  3. kikuchiyo

    moparisthebest:
    > Like I don't like you so I report everything you say as spam, that kind of thing
    It's not a system that uses manual reporting, not even content, but bulky traffic.

  4. kikuchiyo

    > setting up a central server to handle reporting and checking is easy, though probably a privacy nightmare
    It's a distributed system, DCC servers exchange common checksums.

  5. MattJ

    The problem with applying content analysis is that there is often too little data to work with

  6. MattJ

    Which is one reason a bunch of spam senders first send "Hi" or "Hello" (often in Russian)

  7. MattJ

    If you successfully match this, you also flag pretty much anyone starting a conversation as a spammer

  8. MattJ

    I meant to say "the problem with applying content analysis **in IM**"

  9. MattJ

    What works for email doesn't map well to shorter message

  10. kikuchiyo

    > Hi is ping spam.

  11. kikuchiyo

    Private chats are different and should not be monitored (since they should be encrypted anyway).

  12. kikuchiyo

    Spam filtering should be applied to non-members in unmoderated rooms. That way it would keep public MUCs relatively open.

  13. kikuchiyo

    _Monolog prevention_ A related problem is *monologues* - meaning single users spamming public space with preaching/ranting/bulky links. E.g. there was a troll attack in several open MUCs Nov 5th, remember?
    > Hello human!!, I have the best gay porn for you, your friends and family :D! You're welcome! [...]
    A prevention could be similar to iPhone's brute force mitigation: slow down sending frequency if nobody responds. That would have prevented the infamous Darkijah spam too.

  14. MattJ

    The problem with all the things you are suggesting is that they have a high chance of false positives

  15. MattJ

    You just sent 4 messages with nobody else responding, I sent 5 before that

  16. MattJ

    Rate limits already exist, but there is a line to choose between aggressively stopping/slowing bursts of spam and disrupting normal communication

  17. mathieui

    The truth here is that there is no way to get a universal rule for this, doing things à la IRC (aggressive rate limit on everything) is painful in many cases, the only appropriate way would be to plug some kind of auto moderator that room owners tailor to their needs

  18. kikuchiyo

    > the only appropriate way would be to plug some kind of auto moderator that room owners tailor to their needs
    That would not be aware of bulk spam in other MUCs. That's where DCC is better.

  19. kikuchiyo

    > You just sent 4 messages with nobody else responding, I sent 5 before that
    Wouldn't be a false positive for members, if the spam filter is applied to non-members only.

  20. jonas’

    sending a bunch of messages is typical though for a well-formulated support case

  21. jonas’

    and having noone reply initially is also typical

  22. me9

    Would false positives even matter much if spam filtering was only applied to non-members as kikuchiyo suggested? Anyone who wouldn't want to be affected by that would just need to convince an admin to make them a member.

  23. me9

    kikuchiyo: Oh, you just said the same thing. ^^

  24. kikuchiyo

    me9: 👍

  25. emus

    maybe more limits if this is the first message posted at all

  26. me9

    emus: What kind of limits do you mean?

  27. Martin

    Someone who joins a support muc for the first time because he needs urgent help might not be member.

  28. me9

    Uhh, but when I think about it, having an annoying and IRC-like rate limit thing that doesn't work all that well, and applying that to every new participant is not a very elegant solution, is it?

  29. me9

    Martin: Yeah, right. And limiting such support cases wouldn't be great.

  30. Martin

    You could have a voting mechanism for members and if $threshold members report it as spam mute the person. But that might be abused.

  31. me9

    That's like the community being an admin if "powerful" enough. Meh.

  32. Martin

    I'm also annoyed by spammers and if I knew a good solution I'd tell you but I think a lot of clever people thought about this and we still have no solution.

  33. Licaon_Kter

    This was my experience with IRC:
    > Eg. Distros having IRC for support, install it, have an issue, join...50-100 people on..."hey, can anyone tell me why X isn't working?"
    > Wait...no answer for a while, neither RTFM nor Hi nor anything.
    > IRC is dead...

  34. Sapotaceae

    I love seeing the Matrix rooms with 1k+ members, but still dead

  35. Sapotaceae

    because they're literally 👻️

  36. MattJ

    Martin [13:39]:
    > You could have a voting mechanism for members and if $threshold members report it as spam mute the person. But that might be abused.
    We had this feature in an XMPP bot 10 years ago... I guess it didn't take off 🙂

  37. MattJ

    I did use it in the crazy off-topic channel on conference.jabber.org, but I believe it was often gamed

  39. TheCoffeMaker

    Sorry for the delay ... Had to go to bed 😅 ... too much wine for the night TL:DR: What can we do for the smallest servers? coz this can be a serious issue to get people/communities deploying new XMPP nodes. MattJ: For our use case, while you are not publishing or sharing your domain name it will away from spammers ... mine actually was running with no issues till yesterday ... a good bunch of years, around 10 years now. The problem with spam control in a distributed environment is trust, how can we trust each other? I mean, for big servers it's easy ... but what about the smaller servers like mine or others like MattJ said? ... how can u trust in me? I can take local actions like banning the jids at server level, but If I report a 404.city or jabber.org user in the distributed system but it only spam on my server or what if I deploy lots of servers just to handle the ranking? Sorry for the long message

  40. kikuchiyo

    > That's like the community being an admin if "powerful" enough. Meh.
    It's better to discriminate *traffic patterns* than jids or content to preserve freedom of speech.

  41. Menel

    We can do this: https://blog.prosody.im/simple-anti-spam-tips/ https://github.com/JabberSPAM The simplest thing is, have some burden to register.

  42. TheCoffeMaker

    Nice article Menel , thx ... Will have a deeper look at it as soon as we can sit and try the recommendations

  43. kikuchiyo

    > The simplest thing is, have some burden to register.
    Not if you want to encourage self hosting like Snikket. Spammers can be their own operators and you end up discriminating servers/IPs instead of traffic.

  44. Menel

    I'll of course block the whole server after the steps listed on that github, especially if it's Snikket. I've no problem discriminating against that server.

  45. Menel

    Thinking of it... If it's Snikket and I get spam from multiple accounts there, I'll assume it's a server dedicated to spam and will not wait that long for a response

  46. Menel

    The good thing about an invite system.. It's very unlikely to be a source of spam. Since it's not a thing to register anonymously. (It's possible, sharing invites randomly in the internet.., but not the Snikket intent) So I don't think I'll see Snikket spam

  47. Sapotaceae

    Is there a list of servers that require registration so one can only allow those?

  48. Sapotaceae

    Like ones that meet a criteria for eg. Captcha at a minimum or manual approval

  51. TheCoffeMaker

    Menel: me neither .. But who knows ... I think that it's like u said ... If we see a lot of spamming coming from one server and no other jids seem to be real ... blacklisting the server is a good option ... But again ... We are talking abt trust ... Sapotaceae ... What will happen with nodes like mine that are not providing those mechanisms?

  52. Sapotaceae

    Why wouldn't one have such mechanisms in place?

  53. Sapotaceae

    Why would you want someone to be able to mass create accounts on your server?

  54. Sapotaceae

    Open question

  55. TheCoffeMaker

    In my use case .. I don't, 'cause registration is closed and I only give accounts to people I know and trust

  56. Sapotaceae

    Yes so that meets the 'manual approval' criteria

  57. TheCoffeMaker

    But thats my use case

  58. Menel

    If the federating XMPP network were as relevant as WhatsApp/email, I'm sure the same bad blocking etc. would be necessary as it is in mail. Because the spam would be unbearable otherwise.

  59. TheCoffeMaker

    > Yes so that meets the 'manual approval' criteria
    Yeap

  60. moparisthebest

    Captcha doesn't stop these people at all

  61. moparisthebest

    Captcha doesn't even stop bots, it's all for training image recognition AI now

  62. Sapotaceae

    It is still some barrier

  63. Sapotaceae

    Combine it with aggressive rate limits

  64. Sapotaceae

    Per IP and global

  65. Link Mauve

    Barrier for regular users mostly.

  66. Sapotaceae

    Yes captchas are an accessibility hazard

  67. MattJ

    Sapotaceae, we did that on jabber.org, and we were still getting 200 spam registrations in a day

  68. Link Mauve

    And rate limits for regular users who only have a single IP, while spammers have unlimited IPs.

  69. Sapotaceae

    Yes I remember someone here said that someone did 2000 hcaptchas in a day

  70. MattJ

    Yes, the registrations were from all different IPs, they went through reCaptcha (the original version)

  71. Sapotaceae

    Spam is hard. I'm not an expert. What is the path the community needs to take to further combat it?

  72. Sapotaceae

    I know few people even bother with implementing the jabberspam blocklist

  74. jonas’

    it also doesn't help with egress spam at all

  75. Sapotaceae

    The Tor network has a function where newly added nodes aren't advertised until a period of time has passed and then it starts slowly ramping up traffic towards them. What about a function where new users have no voice by default until they've been manually allowed, but if they get approved on one well-known/longstanding server then they are in the future granted voice by default.

  76. jonas’

    Sapotaceae, has the same issue as the reverse approach, really.

  77. jonas’

    (also, it isn't working really well with Tor, or so I hear (KAX17))

  78. moparisthebest

    Sounds pretty hostile towards new users though

  79. Sapotaceae

    🤷

  80. Martin

    Also, how would you know how old a user on a remote server is?

  81. moparisthebest

    I'm not trying to shoot down every idea, it's just a hard problem, I haven't seen anything that's not a dial between "super real user hostile vs free spam"

  82. Sapotaceae

    Yep

  83. jonas’

    relevant: https://craphound.com/spamsolutions.txt

  84. Sapotaceae

    🤣

  85. Calvin

    Why do people spam XMPP anyway? I get that it’s easy in some sense, but there aren’t that many users on public servers, are there? Seems like you would have very few (if any) people biting for a scam. Is it really profitable?

  86. moparisthebest

    All of that is too real lol

  87. moparisthebest

    This one made me laugh out loud:
    > It will stop spam for two weeks and then we'll be stuck with it

  88. jonas’

    Calvin, [x] Extreme profitability of spam ;)

  89. Calvin

    lol

  90. moparisthebest

    Calvin: my gut feeling is the same as yours, it shouldn't be profitable, but obviously is or it'd stop on its own

  91. jjrh

    It's cheap to spam so even if it only ever works 1/1000000 of the time it was profitable.

  92. jjrh

    IRC has a bunch of spam and I can't imagine people going "oh that's something i'm interested in!" but clearly it does work or they wouldn't do it.

  93. Sapotaceae

    Matrix too

  94. rozzin

    moparisthebest: my gut feeling is there's a first mover / early adopter cohort for everything—roughly definable as the ones who try things out that *aren't* profitable in hopes that they just aren't profitable *yet*....

  95. rozzin

    moparisthebest: well, that and "what do I have to lose vs. what do I have to gain" risk/reward calculations.

  96. jjrh

    Really though, how much does it cost to spam XMPP?

  97. Sapotaceae

    You can probably make a spam bot in 30mins

  98. Sapotaceae

    So $0

  99. rozzin

    Interestingly the "daniel" person who mass-pinged MUCs the other day with "I... can accept money" got some "WTF are you doing?" type responses... and engaged with those people; rather than being a send-only "visit this URL" or "contact this address" mass-poster.

  100. Martin

    Seems to be a meatbot. 😃

  101. rozzin

    Yeah.

  102. rozzin

    In any case, I see something like 1 spammer every 6 months or something on XMPP..., which makes me doubt the "risk/reward" calculations of people jumping to "fix the spam problem with XMPP".

  103. Sapotaceae

    My concern is that it could get worse at anytime and we'll be headless chicken

  105. rozzin

    ... though my personal favorite idea is something like "just block any service that has more than 1000 users".

  106. rozzin

    Projects like Snikket that could radically increase the hoster/user ratio are of great interest for me.

  107. jjrh

    I think a simple central 'block list' and a server module that checks it for updates would be fine.

  108. croax

    jjrh: then we get back on the _general_ definition of spam and get ready to have removal requests

  109. rozzin

    I feel like that was probably a more interesting line of inquiry 30 years ago when it was a new idea in e-mail administration.

  110. jjrh

    Eh I think it's a trust thing, if say conversations, XSF, and prosody main MUCs all block the same person I can be pretty certain that is spam

  111. Menel

    > I think a simple central 'block list' and a server module that checks it for updates would be fine.
    You mean a bit like the one mattj just wrote while we were talking? https://modules.prosody.im/mod_muc_rtbl.html

  112. jjrh

    sure.

  113. Sapotaceae

    Oh wow

  114. Sapotaceae

    70 mins ago? Where was it mentioned?

  115. jjrh

    I think people just find spam to be an interesting technical problem to solve.

  116. Sapotaceae

    I assume it has more bits in snikket?

  117. rozzin

    BTW I'm still trying to figure out this "e-mail spammers apparently don't use DNS" phenomenon that I noticed a couple of years ago.

  118. jjrh

    What is Snikket anyways? Just an easy to install XMPP server?

  119. Menel

    Yes

  120. Sapotaceae

    Along with tons of polish on top

  121. Menel

    More on snikket.org

  122. jjrh

    Yeah i'm looking at the website it's unclear to me.

  123. Ellenor Bjornsd.

    > moparisthebest wrote:
    > When I read DCC I immediately think of the bad old days lol https://en.wikipedia.org/wiki/Direct_Client-to-Client
    You mean Jingle before there was XMPP? :)

  124. jjrh

    I feel like they could explain their technology stack a bit more. Like it's not even clear to me what the server is (I can guess by the modules it's prosody)

  125. Menel

    jjrh: it's Prosody in a docker, preconfigured with special modules for family and friends. Has an admin_web interface, coturn in docker, and advanced forks of other apps for Android and iOS

  126. jjrh

    Would be nice if they explained that a bit more - like going to the website it's not even clear it's based on XMPP 😛

  127. jjrh

    That said, it's a great idea 🙂

  128. MattJ

    jjrh, Snikket isn't really aiming at people who already know what XMPP is. In fact if you already know what XMPP is, you very likely know enough to configure Prosody or ejabberd yourself

  129. MattJ

    Still, there are some more detailed explanations, such as https://snikket.org/about/goals/

  130. MattJ

    and https://snikket.org/open-source/

  131. Licaon_Kter

    jjrh:
    > Would be nice if they explained that a bit more - like going to the website it's not even clear it's based on XMPP 😛
    If you care what's under the hood, you are not the target audience

  132. Licaon_Kter

    > Along with tons of polish on top
    It's mostly English, not Polish :)

  133. jjrh

    That's fair. I guess it's more a question of if there is anything Snikket offers that is of benefit or interest to someone like myself. I gather not.

  134. MattJ

    The only thing it has that can't easily be replicated in a DIY XMPP setup is the web interface

  135. jjrh

    What do you use for a web client?

  136. MattJ

    It doesn't have an official web client right now

  137. jjrh

    It seems you're not recommending any desktop clients either?

  138. MattJ

    There's no official desktop client either. See https://snikket.org/faq/#q-can-i-use-the-snikket-apps-with-a-non-snikket-server for alternative client suggestions

  139. jjrh

    Please don't take what I say as negative or critical - I think Snikket is a fantastic idea and exactly what the XMPP ecosystem needs.

  140. MattJ

    Haha, no, it's nothing I've not heard before... believe me :)

  141. MattJ

    Snikket does not present itself the same as other XMPP projects, does not target the XMPP community, and therefore is often misunderstood by XMPP folk when they first encounter it

  142. jjrh

    I mostly am interested in what you guys are doing to overcome the problems I run into which are mostly windows, osx and ios clients.

  143. jjrh

    And webclient - but converse.js is pretty good, could just use a bit of UI love.

  144. MattJ

    iOS has been quite a journey, but we ended up building on top of Siskin (including sponsoring some stuff)

  145. MattJ

    Web is probably the next focus, just because it's an easy way to reach every platform. And yes, Converse.js is definitely one of the options.

  146. jjrh

    iOS is by far the most difficult I have run into - a coworker who would like to use xmpp on his iphone has basically given up.

  147. MattJ

    Right. That's the story I've heard so many times, and have spent most of my time this year trying to fix :)

  148. Calvin

    The latest Siskin release seems miles better at least (as a sad iOS user who has given up many times)

  149. MattJ

    Yes, definitely

  150. jjrh

    Converse.js really just needs someone to make it look like matrix/slack/discord/whatsapp/messenger. A young hipster webdev basically 🙂

  151. Link Mauve

    jjrh, I did that once, it’s the concord theme.

  152. Link Mauve

    My inspiration was Discord back then, from a few screenshots people provided.

  153. Link Mauve

    I was fed up of everyone calling it “not modern”, so I just copied all of the colours and some other elements, and they were all “woah it looks modern!” afterwards. ^^'

  154. MattJ

    :D

  155. Link Mauve

    So dull grey > orange.

  156. jjrh

    got a screenshot? google isn't giving me much

  157. Link Mauve

    With > meaning “looks more modern than”.

  158. Link Mauve

    jjrh, https://github.com/conversejs/converse.js/pull/1167

  159. jjrh

    nice!

  160. Link Mauve

    It changed a bit since then.

  161. jjrh

    Personally I /hate/ the whatsapp/messenger/discord style where all the chats are grouped together and you can't distinguish between a chatroom and 1-1 and there is no roster and what not, but I know others really like that.

  162. jjrh

    MattJ, you mentioned converse is /one/ of the options, what else are you looking at?

  163. MattJ

    https://snikket.org/faq/#q-what-about-a-web-client

  164. MattJ

    (guess the questions I get asked a lot)

  165. jjrh

    heh

  166. jjrh

    Any of them other than converse do omemo?

  167. MattJ

    Movim does, I think JSXC... might? Would have to check. xmpp-web does not.

  168. Calvin

    Isn’t movim’s omemo server-side?

  169. MattJ

    Most of Movim is server-side, so it wouldn't surprise me. Note that the Movim server != the XMPP server though (e.g. you could run Movim locally or whatever)

  170. kikuchiyo

    Why is there no support for traffic discrimination, but for other forms of anti-spam?

  171. kikuchiyo

    > And rate limits for regular users who only have a single IP, while spammers have unlimited IPs.
    DCC discrimination against repetitive content patterns avoids this pitfall.

  172. moparisthebest

    kikuchiyo: I think you are right that there is no reason for the same message to be pasted across multiple MUCs, now:
    1. How do you share this info in a privacy respecting way?
    2. Once spammers catch on, how does it handle slightly changing messages?