-
Ellenor Bjornsd.
> nuegia.net wrote:
> they told me themself they were going to create a ton of bogus accounts on various open reg servers to spam me with
and then i didn't, although honestly that's more from fatigue and wanting to forget you existed than any change of heart.
-
Ellenor Bjornsd.
So, have fun with your server filled with right wingers. That's all I'll say.
-
Ellenor Bjornsd.
Mind also that you and we have about the same reputation here - nobody-knows-us essentially single-user server operators who have a bloodfeud.
-
nuegia.net
crazy
-
Thomas
I activated captcha in my muc. The users don't get a captcha. It's empty. What is wrong?
-
Harper
if you're using ejabberd be sure you enabled the listen module for it too
-
Licaon_Kter
Thomas: which clients?
-
Thomas
Harper: I have activated the captcha with Gajim. Where can I enable the listen module?
-
Thomas
Licaon_Kter: the captcha is in the browser
-
Licaon_Kter
Thomas: captcha is usually a server feature
-
Ellenor Bjornsd.
Licaon_Kter: it's a server feature requiring a user to click a link to be able to speak
-
Harper
some will show it inline, some won't, but if the link is blank then it is broken on server side
-
Licaon_Kter
I know what it is...if the server has no captcha setup, not sure what Thomas thought they enabled via Gajim
-
Thomas
It's a muc on the dismail server
-
rozzin
> it's a server feature requiring a user to click a link to be able to speak
That's supposed to help?
-
Licaon_Kter
rozzin: against bots... But spammers _are human-e in xmpp_
-
rozzin
Right, that's what I mean—it sounds like it's based on a hypothesis that most XMPP spammers/trolls/griefers are automated bots and not humans doing it manually..., which AFAICT is generally incorrect.
-
Guus
I am confident that there is no single silver bullet to fix this problem. Many smaller improvements are likely needed. Not doing something because it won't fix the entire problem will leave us with _no_ fixes. That's worse.
-
Licaon_Kter
Guus: it's more about "threat model"
-
Maranda
Guus: there's no silver bullet but problem is that most servers that allow ibr just allow it unrestrictedly without any kind of verification or restriction
-
Guus
I don't think that defines a singular definition.
-
Maranda
Amassing the usual excuses of privacy or that mail verification (for example) doesn't solve anything
-
Guus
Maranda: I know - it's bad.
-
Maranda
Which is just plain dumbness imho
-
rozzin
... which I guess might seem weird, because the situation in other at least passingly-similar domains of "malevolent attackers on the network" is kind of the exact opposite.... Like, how naive users expecting "oh puh-lease who's going to waste their time typing guessed passwords into login dialogs to try to get into my account" are mistaken to assume "the Internet isn't very populated, the vast majority of the population that is there is human, every attack is personal, the vast majority of people are nice and extremely unlikely to have an issue with me personally... so security is not something I need to worry about"....
-
Guus
Doesn't really matter if we think a particular behavior or motive is or isn't dumb - we will have to deal with the fact that these exist.
-
rozzin
Maranda: "enter your home address, you should receive a written correspondence within two weeks including a URL and a confirmation code. Once you've accessed that URL and entered the code there, you will be granted voice!"
-
Licaon_Kter
rozzin: wait, no, not voice...you can join at first... then, after 6 months, using 3 older users referrals...then you get voice
-
rozzin
"you've got to buy one if you want to get one free speech"
-
benk
Freedom is not free
-
rozzin
Licaon_Kter:
> Think someone banned the admin here over their black cat pic/name, and that's not helpful
I still don't quite understand what the rationale for that ban was—AFAIK he was always well-behaved here, so it seems like if he was basically kicked out of op-club ʿfor being too uglyʾ or something that just makes it harder for people to get reach him with admin issues..., which seems counterproductive TBH.
-
Licaon_Kter
¯\_(ツ)_/¯
-
Maranda
rozzin: I don't pick the hilarity of your statements but for sure the said statements aren't backed by facts. And since I'm a rather mean person... I'll pick the usual Matrix example, where big M months ago was plagued by constant denial of servicing drone conducted attacks abusing HomeServers with totally unsecured registration. Well from when they *imposed* servers with open registration to actually secure it or *Synapse would refuse to start* that brought the grinding to a solid halt.. Who would've told.
-
moparisthebest
It's not like requiring email for registration would fix anything, what like spammers can't get emails?
-
benk
They can
-
Guus
Again: there is no one single silver bullet here.
-
moparisthebest
Maranda: walled gardens do shitty things, unsure how that's relevant
-
Maranda
And left just a few scattered human solvers registering accounts on matrix.org to actually attempt spamming, moreover the Muppet actually plaguing XMPP with the gross spam is using all servers with unsecured registration
-
Maranda
moparisthebest: your definition of Walled Garden doesn't meet mine ™️
-
moparisthebest
Well if a "network" is controlled by 1 company such that they can turn other people's servers off... I'm not sure what else you'd call it
-
benk
can't they just turn off the turn-off bit
-
Maranda
benk: yes securing open registration or disabling open registration (the default)
-
benk
lot of bickering in this chat for a serious-business zone
-
moparisthebest
Define "securing open registration" because as far as I knew that is still an unsolved problem
-
benk
personally I'm not a fan of open registration
-
Licaon_Kter
Maranda: not sure you realise that many won't be here if their first encounter back in 2015 would have asked them to use an email. I host, yes, but why would I do that if my first impression would have been "just another silo" collecting emails?
-
moparisthebest
Same
-
benk
it looks good if you're an innocent user, so you think like, "I'm a nice person so it's nice to just sign up quickly" but as soon as you realize what is liable to go wrong then you wouldn't want risking them logging into your service
-
moparisthebest
But also note that collecting emails has never stopped any spammer
-
benk
collecting e-mails has only enabled spam
-
moparisthebest
Google usually requires a physical cell phone number to register an account now, also stops 0 spammers
-
moparisthebest
But if anyone has great ideas for "securing registrations" that not even Google or Facebook etc has thought of, by all means share
-
Ellenor Bjornsd.
I run closed registration but I have a shall-issue policy. If you ask, I will give.
-
bkil
Telegram and WhatsApp as well. And most spam on matrix originates from those two.
-
bkil
moparisthebest: You have already been invited to mod-ideas and I have also linked to my quite extensive notes about it.
-
Maranda
> <moparisthebest> Define "securing open registration" because as far as I knew that is still an unsolved problem
Just adding (re)CAPTCHA suffices to give enough security to bar most of the automated registrations like it or lump it
-
moparisthebest
Also please remember anyone can spin up unlimited XMPP servers on unlimited subdomains trivially
-
Ellenor Bjornsd.
True
-
moparisthebest
They aren't automated though
-
moparisthebest
This whole recent spam attack has been done manually by a human
-
Maranda
> <moparisthebest> Google usually requires a physical cell phone number to register an account now, also stops 0 spammers
And you insist in denying the obvious so that's all I have to say
-
bkil
Ellenor Bjornsd.: I have been rejected from multiple shall-issue mailing lists because the owner "did not like the looks of my email address" without any sane reasoning or method for appeal.
-
Licaon_Kter
Maranda: how many "disposable email" domains do you ban?
-
Maranda
Licaon_Kter: all
-
Licaon_Kter
bkil: what does 'shall-issue' even mean?
-
bkil
By the way, people ban subdomains as well on mjolnir in general.
-
Maranda
Or almost
-
Ellenor Bjornsd.
bkil, that sounds like a you problem. bkil and Licaon_Kter, Shall-issue means that if you aren't obviously hostile, the oper will give.
-
bkil
@licae
-
moparisthebest
How do you detect a disposable email
-
Ellenor Bjornsd.
moparisthebest, using known providers thereof
-
Ellenor Bjornsd.
so it's not entirely accurate
-
Ellenor Bjornsd.
but most of the worst ones will be caught
-
Maranda
> <moparisthebest> How do you detect a disposable email
Cross reference data on multiple online databases
-
bkil
Licaon_Kter: What was meant by the OP. I.e., invite-only, but with the option to ask for joining the list by clicking a button and typing in an email address (default mailman option). It is a bit sad that they don't really give you a small textbox to introduce yourself in (similar to how it is done during tildeverse registration)
-
moparisthebest
Is sme.moparisthebest.com one? (Hint: it is, MX records point at mailinator)
-
Maranda
> <moparisthebest> Is sme.moparisthebest.com one? (Hint: it is, MX records point at mailinator)
Wow I'm impressed
-
moparisthebest
Are you checking mx records of all domains? Also again you can set up your own unlimited email domains for free
-
Maranda
Again pointless discussion
-
benk
^
-
bkil
And it was not a disposable email address, it was a well known local provider (but intentionally not gmail.com)
-
Maranda
Denying the obvious, over dumb reasoning not my thing
-
moparisthebest
There are things you can do to impede mass automated registration of course, but we are talking about a human doing things manually here, you'll never be able to block that
-
Maranda
moparisthebest: and said (multiple times) already that while it may not stop human solvers it slows 'em down
-
moparisthebest
You mean it takes them a full second to solve a captcha? Unsure that's helpful
-
bkil
You can deter that via web of trust and transparent reputation systems such as used by https://lobste.rs/about#invitations But if you think this is off-topic here, I still welcome you in the MUC xmpp: mod-ideas @ conference.movim.eu
-
rozzin
Martin:
> I put it up to document which servers I block. Other people can decide to follow it, but it's still my personal blocklist without any documented inclusion criteria etc.
How do you even remember then? Or does it not matter?
-
Martin
There's a comment for each entry.
-
bkil
rozzin: When we maintained such a block list, we mentioned the type or schema of the abuse and the origin (room/MUC) in the textual ban reason field.
-
Maranda
> <moparisthebest> You mean it takes them a full second to solve a captcha? Unsure that's helpful
I'm sorry but you have no arguments, and you're bickering and trolling over the meaning of examples. *Fin*
-
Licaon_Kter
Maranda: what happens when a user that jumped through the hoops ends up being a spammer? Does that lower your trust in the email provider?
-
benk
why use e-mail as the primary identity
-
benk
should be their jid