XMPP Service Operators - 2023-09-22

> worse than a spambot: a spamhuman I can not agree more.

It would appear that running a MUC is something I should be very reluctant to allow on my server once I get the stuff I need to set it up.

You can force then to be only for local accounts

That sounds like a good idea. Spam seems to be a problem.

theavidhorizon: public and easily-discoverable MUCs will indeed attract all kinds of people, but that's not really a problem of MUC, it is a fact of life for any platform on the internet. If you don't want it, just keep your MUCs private or unlisted.

The problem is, that there is always a certain percentage of asocial people, who have fun in ruining other people's lives. The more known a platform is, the higher chances are, that one of them ends up on that platform

fireburner, are you talking about battle but not spam?

Not sure what you mean by "battle" in this context?

>“ruining other people's lives” >“ends up”

I meant, that they have fun in annoying other people

Oh. Nevermind.

I feel that the people on XMPP platform is kind of polarized. Many experienced developers, many ignorant newbies, lacks of advanced users(room owners).

So most of users choose to use Hidden Room. Yeah?

I wouldn't say XMPP is really a platform, more of a collection of platforms that can communicate with each other. You're going to have a variety of people running different servers for different reasons. https://search.jabber.network is great for finding public MUCs across various servers, but there's also plenty of servers that don't show up on there for one reason or another. There's also plenty of private MUCs. There's a few different reasons to not want a MUC to be visible to the public

> I wouldn't say XMPP is really a platform, more of a collection of platforms that can communicate with each other. You're going to have a variety of people running different servers for different reasons. https://search.jabber.network is great for finding public MUCs across various servers, but there's also plenty of servers that don't show up on there for one reason or another. There's also plenty of private MUCs. There's a few different reasons to not want a MUC to be visible to the public I say xmpp as a protocol, then there's a few different servers implementations and different clients.

Oh my Stalin... It happened again. We know clearly that XMPP is a protocol. But it is a computing term. Newbies do not even know what a “protocol” is: “Some rules wrote on papers that you need I to agree?”. So we say “(social) platform” instead. We know clearly that every XMPP server can run independently and provide all functions needed to communicate. But if we say “these are platforms”, then those capitalist conservatives habitually think “they are different platforms which have commercial conflicts”. Finally, we say “platform” instead, also since public servers can communicate with others, they performs like one platform.

We say that is a “protocol” in the manual, but we do not think it is good to say so to many XMPP newbies and even many strangers who are even computing newbies.

This is a habit. But yeah, in this room it would be better to say “protocol” or “platforms”. ✏

Chinese language habits.

napon, which country are you from?

>but we do not think it is good to say so to many XMPP newbies and even many strangers who are even computing newbies …in daily communication and promoting XMPP.

How many English speakers know clearly that “protocol” is also a computing term?

They should know because THIS MUC IS FOR TECHNICAL REQUEST OF XMPP-SERVICE-PROVIDER

I mean... how large the part is in all English speakers in the world... ✏

> I mean... how large the part is in all English speakers in the world... Sorry, that was a question, I ought to add a “?” instead of “...”.

> theavidhorizon: public and easily-discoverable MUCs will indeed attract all kinds of people, but that's not really a problem of MUC, it is a fact of life for any platform on the internet. If you don't want it, just keep your MUCs private or unlisted. Security by obscurity? Is it a good plan? > Although it would be possible to scan all ~300,000 XMPP servers found on Shodan,... https://bishopfox.com/blog/xmpp-underappreciated-attack-surface I don't know how good that is, but it came up when looking for info on scale of xmpp. ↺

neutrino: No. Thank you. Exactly, having a 1000 processes provides opportunity for a malicious process to hide!

sagaracharya: Do you want to see my Oneplus nord CE3 Lite

neutrino, it's not about security - this channel is not "insecure" because it is public. My point is that whenever you have a public venue anywhere on the internet, you will get the public coming in, and everything that entails.

MattJ: I agree, but it also looks like there will be people looking to break in and disrupt or take advantage whether it is "public" or not.

Define "break in" - to a private channel?

I'm not as stuck on fine points of semantics. Get in, access, whatever.

I'm not really sure what you're trying to say, hence trying to understand semantics

You asked if security by obscurity is a good plan, but I don't see how it is relevant because I didn't propose trying to gain security through obscurity

Unlisted won't keep _some_ people away.

If it was unrelated to anything I said, then I would answer generally that it's not a good plan to try to achieve security through obscurity alone, but it can be (and is often) often used as a layer on top of other defences

I've had raspberry pis at home be probed with login attemps within an hour or two of being online. I don't think obscurity works at all, and that article linked says xmpp servers are targets. That's all.

If your device has a public IP address, that's not really obscure anymore

But while it may receive login attempts, it doesn't allow someone to enumerate all the user accounts on your system

Which is similar to how you might have a public MUC service, but not every MUC on that service has to be public

The spammer is active again :/ he keeps dming me

Kevino, where?

banned what seemed to be them

they have an axe to grind with my room and kevino :/

and i dont see a way to disable pms

in gajim

great

Which seems more likely to be their motivation: disgruntled because of previous treatment by muc moderators, working for competition (matrix?) to cause problems in xmpp, preparing for future commercial spam, or silly hobby?

do we care?

Maybe you should.

Maybe. But also maybe we shouldn't :)

Speculation is just a waste of time

I heard they've been active for months, so thought someone might have insight.

There are (most likely) multiple "they"

Commercial spam has been a thing on XMPP for years already

And trolling as a hobby is so old it's older than the internet

He is using account hdudiww@conversations.im ✏

Is there a way to put rate limiting by ip address ?

neutrino: > Which seems more likely to be their motivation: disgruntled because.... Sell this script to Hollywood, I wanna see the action movie. Wth...

For sign-ups

Kevin, yes, pretty much all servers support that

Licaon_Kter: Was there a point? I missed it if so.

That guy makes atleast 5 accounts on conversations im per day

Kevin, use XEP-0016(Privacy List) function to achieve white list function, or tell your server host to add mod_block_strangers for the server.

neutrino: you start fantasizing reasons, not sure why...

>mod_block_strangers Also, this mod should be set to block all strangers including the strangers from the same server.

Blocking strangers should be a per-user option, not decided by the admin for all users with no override

“should”? But XEP-0016 is “deprecated”, also Prosody and Gajim removed that function too. ✏

Yes, we need a better way :)

> Blocking strangers should be a per-user option, not decided by the admin for all users with no override It should be blocked by the user, not the server, otherwise it's too closed.

Can i ask if the server zp1.net is blocked by xmpp.org ?

I am not affiliated with the admin of this server

Just needed to know the reason

Kevin, no, it is not blocked

I an not able to msg through that server

What happens when you try?

Waiting....

> Blocking strangers should be a per-user option, not decided by the admin for all users with no override MattJ: kudos. I agree. ↺

Kevin, which server do you belong to? ✏

Current clients allow muting strangers , which is also good

But that guy whispers me in groups , which gives me a ping

Kevin, do you belong to “zp1.net”?

> Current clients allow muting strangers , which is also good Yes, but it should be easier. ↺

I have multiple accounts

Kevin, I can't explain any issue. I see an active s2s connection zp1.net<-->muc.xmpp.org, it received a ping from zp1.net and muc.xmpp.org replied in the same second

Kevin, what is the server that the one account being spammed belong to? ✏

Licaon_Kter: How do you solve a problem if you don't understand the cause(s)?

Kevin, I don't see any incoming messages from zp1.net in the past 20 minutes or so

> Kevin, what is the server that the one account being spammed belong to? Zp1.net ↺

> Kevin, I don't see any incoming messages from zp1.net in the past 20 minutes or so The admins complains , zp1.net domain has been blocked ↺

> > Kevin, what is the server that the one account being spammed belong to? > Zp1.net Sadly, that is a Prosody server. You can only tell your server host to add the module, or register another account from another server software. :D

As for spammers in a room, you need at least one competent Moderator in that room.

If the Moderator is competent indeed, then that means the MUC server has no the function to forbid Visitors to send private messages in room. ✏

So, the Moderator is actually not so competent because they did not choose an MUC server which support that function.

Kevin, it is not the first time the admin has (incorrectly) jumped to the conclusion that their server is blocked

I see an active connection, and traffic in both directions. I'd like to see some evidence of a problem from their side, which could help track down the actual cause.

> Kevin, it is not the first time the admin has (incorrectly) jumped to the conclusion that their server is blocked Ok ↺

For example, debug logs of a message being sent

To block human spammers by one's own decision, one should get Non-Prosody server and Psi(+). :D

> So, the Moderator is actually not so competent because they did not choose an MUC server which support that function. I am the moderator :) ↺

……………………………………

I am sorry about that.

I don't know much about servers

Does disroot support it ?

Its on ejabberd i guess

disroot is prosody

Support what, exactly?

Kevin, Please forbid Visitors to speak privately in room configurations.

You can use another way to let them express “I want Voice”. ✏

https://share.conversations.im/kevino/rv3kETOaT3YNtoli/zb2rhbH96pEMfhb82EGgyxHAAUU33wktnSdpGKvbjz67e7oP1.jpg

https://share.conversations.im/kevino/R0UiHmakNSTaAeOT/zb2rhmmvxpNcqKVB1pJqGJTFt7P2cTya7CGYf2TNDfBNohcmb.jpg

> You can use another way to let them express “I want Voice”. Such as editing their nickname, adding a symbol before.

> Kevin, Please forbid Visitors to speak privately in room configurations. Aah , i think i need to use gajim for that setting ↺

> > Kevin, Please forbid Visitors to speak privately in room configurations. > Aah , i think i need to use gajim for that setting Gajim, Dino, Psi(+), Spark IM, Converse.

>Please forbid Visitors to speak privately in room configurations. If there is no that option, tell your server host to add a module, or... then I have no another way can be called as “good”.

Kevin, if that screenshot was an attempt to join as "Mr. Not Sure" then the response is because your JID is banned

My jid is banned too ?

That depends what you mean by "your JID"

Was it done by RTBL? :D

The one you are chatting here with now is obviously not banned. If there is another, you'll need to clarify which.

test

Kevin2@zp1.net

Not banned, no

Ok

It was working yesterday

Kevin, Remember, if you can see the information of a room of another server (before you join), then that means the communication between two servers is normal. ✏

Kevin, Remember, if you can see the information of a room of another server (before you try to join), then that means the communication between two servers is normal. ✏

I encountered a bug where muc.xmpp.org was not responding to my server yesterday. I checked if zp1 was affected by the same issue, but it doesn't appear to be.

Kevin, Ejabberd MUC server is good for Open Room Moderators.

If the users in your room are not so many, then turn to a Ejabberd MUC servers is a good way.

Funny, every open channel I admin is on Prosody, and I'm very happy with it :)

ejabberd didn't even support RTBL until very recently

RTBL is a very recent thing, to be fair :)

I mean, there's XEP numbers under 100 that Openfire probably doesn't support yet :)

We're well into the 'two decades old' territory here, I think.

Guus, since 2021

There you go. Practically brand new. :D

> Funny, every open channel I admin is on Prosody, and I'm very happy with it :) Would it be still funny for you if the amount of XMPP users is 10 times greater than now?

I'm very happy with prosody (and yes, I do have RTBL enabled)

Also: see my recent Mastodon post on HG. :)

☭Mike Yellow: not sure you've got the gist of it, there's no magic bit that makes ejabberd mucs better ✏

Maybe you got something confused

☭Mike Yellow, I don't see why not

> ☭Mike Yellow, I don't see why not And what about the amount of human spammers is also 10 times greater than now?

> Maybe you got something confused I do not understand. What do you think I confused?

Because there's no reason ejabberd is any better (or worse) than prosody at hosting public MUCs

☭Mike Yellow: you recommending ejabberd over prosody for mucs

He thinks prosody gave up XEP-0016, so he thinks it's not good, and keeps users away from prosody.

I mean I know it's better, c'mon Erlang>LUA all day long /jk but otherwise...not so much

g43p: everybody has their reasons :))

They are both fine servers with different trade-offs all the way down

> ☭Mike Yellow: you recommending ejabberd over prosody for mucs Not really. Prosody server can get powerful modules installed, I may say “Prosody can be better than Ejabberd”.

> He thinks prosody gave up XEP-0016, so he thinks it's not good, and keeps users away from prosody. Not “users”, but “newbies”.

>he thinks it's not good ~Not really.~ Oh sorry, that is really, but only for user server, not MUC server. ✏

>he thinks it's not good ~Not really.~ Oh sorry, that is really, but only for user server, not for MUC server. ✏

Licaon_Kter let me complete that for you: Java>Erlang>LUA :-p

…………

You know where I roam Guus, and you dare to say that? C'mon... :))

I feel very confident that you either do not know where exactly I live or are not bothered enough to show up on my doorstep because of this.

Gotta rewrite it in rust to be cool now

I'm not sure if Erlangees should bring up memory issues in other languages ;)

(doing the fanboy bit of any particular language is as funny as it is utterly pointless - I'll get back to work now)

Licaon_Kter, do you have a quick way for Prosody server users to prevent from meeting human spammers? ✏

We radical XMPP users really need that.

☭Mike Yellow: iirc prosody has more tooling

There is no technology that will prevent users from doing anything that the owner or operator of the technology does not want it to do.

> ☭Mike Yellow: iirc prosody has more tooling I mean human spammers which perform like normal users. Not bot spammers.

>>he thinks it's not good > ~Not really.~ Oh sorry, that is really, but only for user server, not for MUC server. ☭Mike Yellow: except there's no reason this is true, that's the point ↺

Yes.

Emmm... Did I misunderstand something?

☭Mike Yellow, there is no magic way to prevent encounters with human spammers

Machines can barely tell the difference between humans and other machines. They certainly can't determine if a human has the intent to spam or not.

I agree. So I feel weird and a little frustrating when knowing there is XEP-0016 but Deprecated and also two important softwares gave up that. That looks like XMPP is not very friendly to politician users.

XEP-0016 also does not have the functionality to determine what is a bot and what is a human, and whether they intend to spam

But we do have the functionality to determine what is a bot and what is a human, and whether they intend to spam.

Deprecation of XEP-0016 was about the protocol being too complex, it inevitably reached users and they found it too hard to use correctly

99% of people used it for a simple blocklist only, so the first thing we replaced it with was blocklist functionality

Blocking of strangers is another use case I would like to cover, but there is no protocol yet

I have one in my head, but I have not written a XEP or implementation, and nobody else has either yet

I'm quite sure we can achieve that one small thing before XMPP grows 10x

I do love XEP-0016. Now we have chapters specially introduce it in the manual. That is pretty easy to understand and use.

People shouldn't need to read chapters to find out how to be safe

This is obviously my opinion, but it's what guides my development choices

> I'm quite sure we can achieve that one small thing before XMPP grows 10x What if I (and my comrades) say: We want, and may make XMPP grows 10× as soon as possible?

>What if I (and my comrades) say: We want, and may make XMPP grows 10× as soon as possibl Since half of public servers still support XEP-0016.

You could always work on a better way yourselves, submit a XEP etc etc

We will ignore how XMPP develops in the future except XEP-0016 be abandoned by Ejabberd or Psi(+) before an alternative XEP comes out.

Or we can only turn to another Protocol. ✏

He joiner my muc

Test

Test

Test

Received.

Works now 👍

It is a long experience to judge that XMPP is the best for doing political things and become an advanced XMPP user.

I can not be an developer, or I am not a real revolutionist.

Anyone can be a developer

Anyway that's not what I was saying, I'm saying XMPP isn't a silo where you are stuck with what currently exists, you (anyone) can suggest and make changes, you don't have to write code or protocols to propose "we need a feature X that will work like Y and solve problem Z" etc

Writing the protocol and/or code yourself might get it done quicker but it's not a requirement

If you think a certain client is not good, develop a better one. If you think a certain XEP is not good, submit a better one. If you think a certain XMPP server is not good, just design a better one. If you think the XMPP protocol is not good, create a better one. You could always work on a better way yourselves.

With XMPP you never need to create a better protocol, that's the point

Again……………… I can not be a developer. Ah. You can ignore the politician users' needs. If we successfully make XMPP users ×10, then human spammers also ×10, I think you will not dare to abandon XEP-0016. If you can not trust ×10 will happen, then you can trust “accidents will happen”. :D

Did you just ignore the bits where I said you didn't need to be a developer?

Do you think it is possible for the amount of XMPP users to ×10 quickly like an accident? I mean normal users. ✏

>Again……………… I can not be a developer. This sentence was for q7exute. ✏

👍

q7exute, before creating a new one, improving the existing thing is a much smaller step to make.

If after attempting that you still think a new one is needed, at least you understand the problem at hand a bit better.