XMPP Service Operators - 2023-02-24


  1. Ellenor Bjornsd.

    > nuegia.net wrote: > they told me themself they were going to create a ton of bogus accounts on various open reg servers to spam me with and then i didn't, although honestly that's more from fatigue and wanting to forget you existed than any change of heart.

  2. Ellenor Bjornsd.

    So, have fun with your server filled with right wingers. That's all I'll say.

  3. Ellenor Bjornsd.

    Mind also that you and we have about the same reputation here - nobody-knows-us essentially single-user server operators who have a bloodfeud.

  4. nuegia.net

    crazy

  5. Thomas

    I activated captcha in my muc. The users don't get a captcha. It's empty. What is wrong?

  6. Harper

    if you're using ejabberd be sure you enabled the listen module for it too

  7. Licaon_Kter

    Thomas: which clients?

  8. Thomas

    Harper: I have activated the captcha with Gajim. Where can I enable the listen module?

  9. Thomas

    Licaon_Kter: the captcha is in the browser

  10. Licaon_Kter

    Thomas: captcha is usually a server feature

  11. Ellenor Bjornsd.

    Licaon_Kter: it's a server feature requiring a user to click a link to be able to speak

  12. Harper

    some will show it inline, some won't, but if the link is blank then it is broken on server side

  13. Licaon_Kter

    I know what it is...if the server has no captcha setup, not sure what Thomas thought they enabled via Gajim

  14. Thomas

    Its a muc on the dismail server

  15. rozzin

    > it's a server feature requiring a user to click a link to be able to speak

    That's supposed to help?

  16. Licaon_Kter

    rozzin: against bots... But spammers _are human-e in xmpp_

  17. rozzin

    Right, that's what I mean—it sounds like it's based on a hypothesis that most XMPP spammers/trolls/griefers are automated bots and not humans doing it manually..., which AFAICT is generally incorrect.

  18. Guus

    I am confident that there is no single silver bullet to fix this problem. Many smaller improvements are likely needed. Not doing something because it won't fix the entire problem will leave us with _no_ fixes. That's worse.

  19. Licaon_Kter

    Guus: it's more about "threat model"

  20. Maranda

    Guus: there's no silver bullet but problem is that most servers that allow ibr just allow it unrestrictedly without any kind of verification or restriction

  21. Guus

    I don't think that defines a singular definition.

  22. Maranda

    Amassing the usual excuses of privacy or that mail verification (for example) doesn't solve anything

  23. Guus

    Maranda: I know - it's bad.

  24. Maranda

    Which is just plain dumbness imho

  25. rozzin

    ... which I guess might seem weird, because the situation in other at least passingly-similar domains of "malevolent attackers on the network" is kind of the exact opposite.... Like, how naive users expecting "oh puh-lease who's going to waste their time typing guessed passwords into login dialogs to try to get into my account" are mistaken to assume "the Internet isn't very populated, the vast majority of the population that is there is human, every attack is personal, the vast majority of people are nice and extremely unlikely to have an issue with me personally... so security is not something I need to worry about"....

  26. Guus

    Doesn't really matter if we think a particular behavior or motive is or isn't dumb - we will have to deal with the fact that these exist.

  27. rozzin

    Maranda: "enter your home address, you should receive a written correspondence within two weeks including a URL and a confirmation code. Once you've accessed that URL and entered the code there, you will be granted voice!"

  28. Licaon_Kter

    rozzin: wait, no, not voice...you can join at first... then, after 6 months, using 3 older users' referrals...then you get voice

  29. rozzin

    "you've got to buy one if you want to get one free speech"

  30. benk

    Freedom is not free

  31. rozzin

    Licaon_Kter:
    > Think someone banned the admin here over their black cat pic/name, and that's not helpful

    I still don't quite understand what the rationale for that ban was—AFAIK he was always well-behaved here, so it seems like if he was basically kicked out of op-club 'for being too ugly' or something, that just makes it harder for people to reach him with admin issues..., which seems counterproductive TBH.

  32. Licaon_Kter

    ¯\_(ツ)_/¯

  33. Maranda

    rozzin: I don't pick the hilarity of your statements but for sure the said statements aren't backed by facts. And since I'm a rather mean person... I'll pick the usual Matrix example, where big M months ago was plagued by constant denial of servicing drone conducted attacks abusing HomeServers with totally unsecured registration. Well from when they *imposed* servers with open registration to actually secure it or *Synapse would refuse to start* that brought the grinding to a solid halt.. Who would've told.

  34. moparisthebest

    It's not like requiring email for registration would fix anything, what like spammers can't get emails?

  35. benk

    They can

  36. Guus

    Again: there is no one single silver bullet here.

  37. moparisthebest

    Maranda: walled gardens do shitty things, unsure how that's relevant

  38. Maranda

    And left just a few scattered human solvers registering accounts on matrix.org to actually attempt spamming, moreover the Muppet actually plaguing XMPP with the gross spam is using all servers with unsecured registration

  39. Maranda

    moparisthebest: your definition of Walled Garden doesn't meet mine ™️

  41. moparisthebest

    Well if a "network" is controlled by 1 company such that they can turn other people's servers off... I'm not sure what else you'd call it

  42. benk

    can't they just turn off the turn-off bit

  43. Maranda

    benk: yes securing open registration or disabling open registration (the default)

  44. benk

    lot of bickering in this chat for a serious-business zone

  45. moparisthebest

    Define "securing open registration" because as far as I knew that is still an unsolved problem

  46. benk

    personally I'm not a fan of open registration

  49. Licaon_Kter

    Maranda: not sure you realise that many won't be here if their first encounter back in 2015 would have asked thew to use an email. I host, yes, but why would I do that if my first impression would have been "just another silo" collecting emails?

  50. moparisthebest

    Same

  51. benk

    it looks good if you're an innocent user, so you think like, "I'm a nice person so it's nice to just sign up quickly" but as soon as you realize what is liable to go wrong then you wouldn't want risking them logging into your service

  52. moparisthebest

    But also note that collecting emails has never stopped any spammer

  53. benk

    collecting e-mails has only enabled spam

  54. moparisthebest

    Google usually requires a physical cell phone number to register an account now, also stops 0 spammers

  55. moparisthebest

    But if anyone has great ideas for "securing registrations" that not even Google or Facebook etc has thought of, by all means share

  56. Ellenor Bjornsd.

    I run closed registration but I have a shall-issue policy. If you ask, I will give.

  57. bkil

    Telegram and WhatsApp as well. And most spam on matrix originates from those two.

  58. bkil

    moparisthebest: You have already been invited to mod-ideas and I have also linked to my quite extensive notes about it.

  59. Maranda

    > <moparisthebest> Define "securing open registration" because as far as I knew that is still an unsolved problem

    Just adding (re)CAPTCHA suffices to give enough security to bar most of the automated registrations, like it or lump it

  60. moparisthebest

    Also please remember anyone can spin up unlimited XMPP servers on unlimited subdomains trivially

  61. Ellenor Bjornsd.

    True

  62. moparisthebest

    They aren't automated though

  63. moparisthebest

    This whole recent spam attack has been done manually by a human

  64. Maranda

    > <moparisthebest> Google usually requires a physical cell phone number to register an account now, also stops 0 spammers

    And you insist on denying the obvious, so that's all I have to say

  65. bkil

    Ellenor Bjornsd.: I have been rejected from multiple shall-issue mailing lists because the owner "did not like the looks of my email address" without any sane reasoning or method for appeal.

  66. Licaon_Kter

    Maranda: how many "disposable email" domains do you ban?

  67. Maranda

    Licaon_Kter: all

  68. Licaon_Kter

    bkil: what does 'shall-issue' even mean?

  69. bkil

    By the way, people ban subdomains as well on mjolnir in general.

  71. Ellenor Bjornsd.

    bkil, that sounds like a you problem. bkil and Licaon_Kter, Shall-issue means that if you aren't obviously hostile, the oper will give.

  72. bkil

    @licae

  73. moparisthebest

    How do you detect a disposable email

  74. Maranda

    Or almost

  75. Ellenor Bjornsd.

    moparisthebest, using known providers thereof

  76. Ellenor Bjornsd.

    so it's not entirely accurate

  77. Ellenor Bjornsd.

    but most of the worst ones will be caught

  78. Maranda

    > <moparisthebest> How do you detect a disposable email

    Cross reference data on multiple online databases

  79. bkil

    Licaon_Kter: What was meant by the OP. I.e., invite-only, but with the option to ask for joining the list by clicking a button and typing in an email address (default mailman option). It is a bit sad that they don't really give you a small textbox to introduce yourself in (similar to how it is done during tildeverse registration)

  80. moparisthebest

    Is sme.moparisthebest.com one? (Hint: it is, MX records point at mailinator)

  81. Maranda

    > <moparisthebest> Is sme.moparisthebest.com one? (Hint: it is, MX records point at mailinator)

    Wow I'm impressed

  82. moparisthebest

    Are you checking mx records of all domains? Also again you can set up your own unlimited email domains for free

  83. Maranda

    Again pointless discussion

  84. benk

    ^

  85. bkil

    And it was not a disposable email address, it was a well known local provider (but intentionally not gmail.com)

  86. Maranda

    Denying the obvious, over dumb reasoning not my thing

  87. moparisthebest

    There are things you can do to impede mass automated registration of course, but we are talking about a human doing things manually here, you'll never be able to block that

  88. Maranda

    moparisthebest: and said (multiple times) already that while it may not stop human solvers it slows 'em down

  89. moparisthebest

    You mean it takes them a full second to solve a captcha? Unsure that's helpful

  90. bkil

    You can deter that via web of trust and transparent reputation systems such as used by https://lobste.rs/about#invitations But if you think this is off-topic here, I still welcome you in the MUC xmpp: mod-ideas @ conference.movim.eu

  91. rozzin

    Martin:
    > I put it up to document which servers I block. Other people can decide to follow it, but it's still my personal blocklist without any documented inclusion criteria etc.

    How do you even remember then? Or does it not matter?

  92. Martin

    There's a comment for each entry.

  93. bkil

    rozzin: When we maintained such a block list, we mentioned the type or schema of the abuse and the origin (room/MUC) in the textual ban reason field.

  95. Maranda

    > <moparisthebest> You mean it takes them a full second to solve a captcha? Unsure that's helpful

    I'm sorry but you have no arguments, and you're bickering and trolling over the meaning of examples. *Fin*

  96. Licaon_Kter

    Maranda: what happens when a user that jumped through the hoops ends up being a spammer? Does that lower your trust in the email provider?

  97. benk

    why use e-mail as the primary identity

  98. benk

    should be their jid