XMPP Service Operators - 2022-08-30


  1. Licaon_Kter

    jabber.de is down because of DDOS apparently?

  2. Menel

    Eatxmpp?

  3. MattJ

    Licaon_Kter, source?

  4. Licaon_Kter

    MattJ: a user, will dig

  5. Licaon_Kter

    MattJ: https://www.jabber.de/ddos-angriff-downtime/

  6. Ingolf

    Does anyone here know if any other servers were attacked as well?

  7. Menel

    https://social.tchncs.de/@trashserver/108911537786777778 Is there some mod_firewall equivalent for ejabberd or something? I don't know what magic yax.im or jabber.fr use...

  8. Ingolf

    Thank you, Menel

  9. Licaon_Kter

    Menel: yax (prosody) uses https://yaxim.org/blog/2020/05/12/new-anti-spam-measures/

  10. Licaon_Kter

    Menel: so this is a coordinated spam campaign?

  11. Holger

    Menel: There's no mod_firewall equivalent, no. There's other means but I avoid discussing details in public.

  12. Zash

    What about account invites?

  13. Licaon_Kter

    _"Who's got a riseup invite you guys?"_ thing?

  14. Holger

    Zash: Clearly a good solution for small servers, not sure about larger ones like Trashserver? Maybe.

  15. Holger

    ejabberd doesn't have that yet but I'd be interested myself for domain hosting specifically.

  16. Zash

    I would like to believe it could work for a public server too, but probably not in every situation.

  17. diane

    root, thanks for the links to the xmpp monitoring tools

  18. MattJ

    The invite-only model has worked for many public (non-XMPP) services

  19. Holger

    Isn't it hard to exclude spammers without excluding others?

  20. MattJ

    Also, trashserver until today was being recommended by jmp.chat to their new customers. If ejabberd had similar functionality to Prosody in this area, they would have been able to continue with that by simply generating invites. For now they've had to switch to recommending a different server.

  21. MattJ

    For a communication platform it's much more likely that you are joining because someone you know is already using it

  22. Holger

    I'm in no way arguing against offering invites of course 🙂

  23. bkil

    Note that Facebook also started out as invite-only until they could hire a moderation team. We also welcome you in the mod-ideas@conference.movim.eu MUC if you have any concrete experience or idea for future tricks to deal with scammers.

  24. MattJ

    and I'm not saying it should be impossible to join any other way, but I don't think it's preferable to see services close up entirely due to spammers

  25. MattJ

    Invites are a very workable middle-ground

  26. diane

    Well if you have a reasonably defined set of seed users.

  27. bkil

    What do you think about lobsters/lobste.rs? https://lobste.rs/about#invitations

  28. Holger

    > For a communication platform it's much more likely that you are joining because someone you know is already using it

    Ok yeah I get the idea under the assumption that everyone offers it. Not an option for the university server I'm using, so I can't onboard my contacts that way. But probably not the common case yes.

  29. MattJ

    bkil, yes, it's an example of a service where it's used and relied upon

  30. bkil

    You are supposed to find a friend in the user/invite tree and ask for an invite there. Incidentally, the invite tree also provides transparency against abuse..

  31. MattJ

    Holger, so the university server is public-registration?

  32. Holger

    No, it's closed.

  33. bkil

    However, registered users need to be non-anonymous so their friends could identify them by name, so it's a trade-off towards privacy.

  34. MattJ

    Okay, so you're saying you'd want to onboard people to XMPP but on a different server

  35. Holger

    Yes.

  36. Holger

    I mean I'm not making this up this *is* my case, and I onboarded many private contacts. But yes *I* would manage to create invites nevertheless 🙂

  37. MattJ

    I think that's a less common case, but not uncommon (I mean, Snikket has a similar situation). But it still doesn't mean you can't give out invites to public services based on whatever criteria.

  38. MattJ

    When I first gave the talk at FOSDEM (pre-Snikket) about my ideas around invite registration, my plan at the time was to build a registration gateway, e.g. joinjabber.org. It would implement whatever anti-spammer stuff was necessary, but still allow people to sign up to various public servers.

  39. MattJ

    And there's no need to limit it to a single such portal, e.g. you could have them for different languages or communities

  40. MattJ

    But also since that time I increasingly lost faith in large volunteer-run public services as a sustainable model anyway

  41. MattJ

    Anyway, it seems clear to me that there are services that would be good candidates for invite-only registration that are just closing registration entirely instead

  42. MattJ

    So I remain a firm believer that invite-based registration would result in a more open network overall, rather than a more closed one

  43. Holger

    If this is meant to be an anti-spam measure, is the idea to end up with non-invite-based somehow being identifiable as a spam filter criterion?

  44. Holger

    If this is meant to be an anti-spam measure, is the idea to end up with non-invite-based services somehow being identifiable as a spam filter criterion?

  45. Holger

    I mean if you don't invite the spammer the obvious next step is simply that the spammer will move to another server. To his own if all else fails. And then?

  46. MattJ

    I don't think it even has to be used as a direct criterion. The fact is that >99.9% of spam is coming from servers with public IBR

  47. MattJ

    And those servers are already being added to Lists

  48. Holger

    100% is coming from XMPP servers.

  49. MattJ

    A subset of XMPP servers

  50. Holger

    🙂

  51. Holger

    Yes but the conclusion that spammers will go away if IBR goes away doesn't sound plausible to me.

  52. Holger

    They just need to adjust their scripts no?

  53. MattJ

    So I don't see a need to change how servers end up on spam lists. Whatever mechanisms they implement (or don't) to tackle spam, the results show themselves.

  54. MattJ

    What would they change their scripts to do?

  55. MattJ

    and I've never claimed that spam will just go away

  56. Holger

    As I said above. If all else fails the script will have to do s2s.

  57. MattJ

    I missed that implication. Whether servers use public or invite-only IBR doesn't change whether that tactic would work on today's network.

  58. Holger

    I understood the "99% is coming from IBR" to imply that "ditching IBR will reduce spam".

  59. emus

    Would there be a way to for example verify via mail?

  60. emus

    asking for email to register (and password reset 🙂)

  61. Holger

    Asking for b$$$ helps!

  62. Holger

    Asking for $$$ helps!

  63. emus

    Holger: Sure 😄

  64. MattJ

    There is the network perspective, and the operator perspective. I've mostly talked about the operator perspective, but of course they are linked. I would like it if operators didn't have to close up entirely because they can't deal with the spam registrations on their server.

  65. MattJ

    From the network perspective, we need to be able to handle s2s spam regardless of anything else

  66. MattJ

    If everyone dropped public IBR, sure, it would make spammers more likely to go that route

  67. Holger

    > I would like it if operators didn't have to close up entirely because they can't deal with the spam registrations on their server.

    I agree of course (and already suggested ideas to Thomas, let's see).

  68. Zash

    You could have a hybrid approach, where e.g. the website publishes single use invites at some rate that can be bypassed by getting an invite from an existing user.

  69. moparisthebest

    What if we build s2s spamming tools in the hopes spammers use them instead of ruining public servers

  70. Holger

    Hah.

  71. Zash

    Don't give them ideas

  72. moparisthebest

    Think of what you could do with a wildcard A record pointed at your IP

  73. bkil

    Well, the income could be used to fund XMPP related development. 🤷 Banning spammers does not pay well.