-
Licaon_Kter
jabber.de is down because of DDOS apparently?
-
Menel
Eatxmpp?
-
MattJ
Licaon_Kter, source?
-
Licaon_Kter
MattJ: a user, will dig
-
Licaon_Kter
MattJ: https://www.jabber.de/ddos-angriff-downtime/
-
Ingolf
Does anyone here know if any other servers were attacked as well?
-
Menel
https://social.tchncs.de/@trashserver/108911537786777778 Is there some mod_firewall equivalent for ejabberd or something? I don't know what magic yax.im or jabber.fr use...
-
Ingolf
Thank you, Menel
-
Licaon_Kter
Menel: yax (prosody) uses https://yaxim.org/blog/2020/05/12/new-anti-spam-measures/
-
Licaon_Kter
Menel: so this is a coordinated spam campaign?
-
Holger
Menel: There's no mod_firewall equivalent, no. There's other means but I avoid discussing details in public.
-
Zash
What about account invites?
-
Licaon_Kter
_"Who's got a riseup invite you guys?"_ thing?
-
Holger
Zash: Clearly a good solution for small servers, not sure about larger ones like Trashserver? Maybe.
-
Holger
ejabberd doesn't have that yet but I'd be interested myself for domain hosting specifically.
-
Zash
I would like to believe it could work for a public server too, but probably not in every situation.
-
diane
root, thanks for the links to the xmpp monitoring tools
-
MattJ
The invite-only model has worked for many public (non-XMPP) services
-
Holger
Isn't it hard to exclude spammers without excluding others?
-
MattJ
Also, trashserver until today was being recommended by jmp.chat to their new customers. If ejabberd had similar functionality to Prosody in this area, they would have been able to continue with that by simply generating invites. For now they've had to switch to recommending a different server.
-
MattJ
For a communication platform it's much more likely that you are joining because someone you know is already using it
-
Holger
I'm in no way arguing against offering invites of course 🙂
-
bkil
Note that Facebook also started out as invite-only until they could hire a moderation team. We also welcome you in the mod-ideas@conference.movim.eu MUC if you have any concrete experience or idea for future tricks to deal with scammers.
-
MattJ
and I'm not saying it should be impossible to join any other way, but I don't think it's preferable to see services close up entirely due to spammers
-
MattJ
Invites are a very workable middle-ground
-
diane
Well if you have a reasonably defined set of seed users.
-
bkil
What do you think about lobsters/lobste.rs? https://lobste.rs/about#invitations
-
Holger
> For a communication platform it's much more likely that you are joining because someone you know is already using it
Ok yeah I get the idea under the assumption that everyone offers it. Not an option for the university server I'm using, so I can't onboard my contacts that way. But probably not the common case yes.
-
MattJ
bkil, yes, it's an example of a service where it's used and relied upon
-
bkil
You are supposed to find a friend in the user/invite tree and ask for an invite there. Incidentally, the invite tree also provides transparency against abuse..
-
MattJ
Holger, so the university server is public-registration?
-
Holger
No, it's closed.
-
bkil
However, registered users need to be non-anonymous so their friends could identify them by name, so it's a trade-off towards privacy.
-
MattJ
Okay, so you're saying you'd want to onboard people to XMPP but on a different server
-
Holger
Yes.
-
Holger
I mean I'm not making this up this *is* my case, and I onboarded many private contacts. But yes *I* would manage to create invites nevertheless 🙂
-
MattJ
I think that's a less common case, but not uncommon (I mean, Snikket has a similar situation). But it still doesn't mean you can't give out invites to public services based on whatever criteria.
-
MattJ
When I first gave the talk at FOSDEM (pre-Snikket) about my ideas around invite registration, my plan at the time was to build a registration gateway, e.g. joinjabber.org. It would implement whatever anti-spammer stuff was necessary, but still allow people to sign up to various public servers.
-
MattJ
And there's no need to limit it to a single such portal, e.g. you could have them for different languages or communities
-
MattJ
But also since that time I increasingly lost faith in large volunteer-run public services as a sustainable model anyway
-
MattJ
Anyway, it seems clear to me that there are services that would be good candidates for invite-only registration that are just closing registration entirely instead
-
MattJ
So I remain a firm believer that invite-based registration would result in a more open network overall, rather than a more closed one
-
Holger
If this is meant to be an anti-spam measure, is the idea to end up with non-invite-based services somehow being identifiable as a spam filter criteria?
-
Holger
I mean if you don't invite the spammer the obvious next step is simply that the spammer will move to another server. To his own if all else fails. And then?
-
MattJ
I don't think it even has to be used as a direct criteria. The fact is that >99.9% of spam is coming from servers with public IBR
-
MattJ
And those servers are already being added to Lists
-
Holger
100% is coming from XMPP servers.
-
MattJ
A subset of XMPP servers
-
Holger
🙂
-
Holger
Yes but the conclusion that spammers will go away if IBR goes away doesn't sound plausible to me.
-
Holger
They just need to adjust their scripts no?
-
MattJ
So I don't see a need to change how servers end up on spam lists. Whatever mechanisms they implement (or don't) to tackle spam, the results show themselves.
-
MattJ
What would they change their scripts to do?
-
MattJ
and I've never claimed that spam will just go away
-
Holger
As I said above. If all else fails the script will have to do s2s.
-
MattJ
I missed that implication. Whether servers use public or invite-only IBR doesn't change whether that tactic would work on today's network.
-
Holger
I understood the "99% is coming from IBR" to imply that "ditching IBR will reduce spam".
-
emus
Would there be a way to for example verify via mail?
-
emus
asking for email to register (and password reset 🙂)
-
Holger
Asking for $$$ helps!
-
emus
Holger: Sure 😄
-
MattJ
There is the network perspective, and the operator perspective. I've mostly talked about the operator perspective, but of course they are linked. I would like it if operators didn't have to close up entirely because they can't deal with the spam registrations on their server.
-
MattJ
From the network perspective, we need to be able to handle s2s spam regardless of anything else
-
MattJ
If everyone dropped public IBR, sure, it would make spammers more likely to go that route
-
Holger
> I would like it if operators didn't have to close up entirely because they can't deal with the spam registrations on their server.
I agree of course (and already suggested ideas to Thomas, let's see).
-
Zash
You could have a hybrid approach, where e.g. the website publishes single use invites at some rate that can be bypassed by getting an invite from an existing user.
-
moparisthebest
What if we build s2s spamming tools in the hopes spammers use them instead of ruining public servers
-
Holger
Hah.
-
Zash
Don't give them ideas
-
moparisthebest
Think of what you could do with a wildcard a record pointed at your IP
-
bkil
Well, the income could be used to fund XMPP related development. 🤷 Banning spammers does not pay well.