XMPP Service Operators - 2023-10-05

huxxer: you're admin for jabbersone?

Yes

Targeted spam attacks coming from: silmik.dynpc.net jabbers.one

User registers with random letter combinations on these two XMPP servers and spams our MUC

huxxer, you're the admin of jabbers.one, right?

The jabbers.one admin has been dealing with it, silmik.dynpc.net is not a server I'm familiar with

silmik.dynpc.net is a odd case

wrbvjodfnlltha@jabbers.one

Out of date Prosody that's been running for a week

the site hosted in that domain doesn't announce that it has a XMPP server

Here's an example JID of the spammer's many accounts

I deleted all Accounts with random letters before some hours

most likely a poorly-maintained private XMPP server

Consider blocking the IP behind it if it's not a VPN/Tor IP

Definitely a candidate for JabberSPAM

silmik is not here

I blocked the IP before one hour

MattJ: maybe warn the server operator first?

that is if they respond ✏

dynpc.net looks like a dynamic DNS service? The kind you'd use if you didn't own a domain and wanted to host at home or so

techmetx11: the jabberspam list has a procedure, yes

yes it is

moparisthebest: i've done some research, the server for silmik is hosted off an austrian ISP that specializes in mobile internet ✏

so there's a possibility it's a Prosody server on a phone?

It's been done before :)

huxxer: they just registered again and spammed again

I wonder whether they're using an automated script to do this

does Prosody have a way to enforce solving cryptographic puzzles before registering or when joining a MUC?

Then we can fight back the spammers by doubling their electricity bill

proof-of-work captcha?

Yes

Like mCaptcha

captcha is useless to fight spam

environmental arguments aside for pow

it was discussed some days ago again

Squeaky Latex Folf: mcaptcha uses SHA256

which is useless if the attacker possesses something like an ASIC capable of hashing trillions of hashes per second with less power

Squeaky Latex Folf: they registered a bunch of Accounts. I deleted all

> captcha is useless to fight spam Regular captchas are bad yes. But I like cryptographic ones ↺

What's that? Solve X for Y?

i think scrypt is better for this

scrypt was designed to make it too expensive to perform large-scale custom hardware attacks (like ASICs, FPGAs) by requiring tons of memory too

Captcha is used for prevent from own server being registered too many spam account. It is useless to prevent from rooms and users being spammed.

Room owners and users should learn to block spammers by themselves.

MSavoritias (fae,ve): the point for POW is to make it too expensive for attackers to attack a server

yes i am ware

i doubt an attacker will waste so much resources to cause environmental problems, especially when there's cost attached to that

and when the payoff is just... to see a chatroom go away

i imagine most attackers will quit once they see how unsustainable it is to solve multiple PoW captchas to register multiple accounts

especially if the cost factor is variable depending on how many accounts are being registered

Oh yeah the spammer used xmpp.076.ne.jp to announce the attack

The attack was performed on accounts on the other two servers I listed

How you know?

I am a moderator in the muc

Ok

So I can see JIDs

👍

In fact, the jid was self@xmpp.076.ne.jp

So does that imply anything about the ownership of that domain or is that the misleading they are attempting?

suwako is not here

to talk about that

Can anyone do disco on xmpp.076.ne.jp? I get service unavailable when trying to direct message the spammer

Or does service unavailable just happen regularly

disco works

contact addresses for xmpp.076.ne.jp are - abuse-addresses : https://technicalsuwako.moe/contact - admin-addresses : https://technicalsuwako.moe/contact , xmpp:suwako@xmpp.076.ne.jp

huxxer, you're the admin of jabbers.one, right?

silmik.dynpc.net is a odd case

the site hosted in that domain doesn't announce that it has a XMPP server

most likely a poorly-maintained private XMPP server

silmik is not here

MattJ: maybe warn the server operator first?

that is if they respond ✏

yes it is

moparisthebest: i've done some research, the server for silmik is hosted on an austrian ISP that specializes in mobile internet

suwako is not here

to talk about that

disco works

holy shit

that was on accident, fucking profanity bug again

You use profanity right? I've seen this bug before :)

yes

this bug got me banned from some MUCs

Has ChatGPT integration? Great tldr

i had to quickly close profanity as soon as i saw tons of message notifications coming from myself to here

hi techmetx11 😁

hi Trung

huxxer: mind sharing the IP address of the spammer?

Squeaky Latex Folf: GDPR would like to say no to that

People like to always say they can't do things because of the GDPR, but that's often not true.

User ts3oingffakfg just registered on jabbers.one from 54.37.140.42

Yes GDPR....

There it is

huxxer: thank you

looks like this is useless, since it's a IP owned by a VPS company

or at least, OVH SAS announces routes related to 54.37.0.0/16

Yes yes, we've been through this analysis, it's used since last week by the spammer

185.67.82.114

This IP was used by the spammer's non-automated account

self@xmpp.076.ne.jp

Squeaky Latex Folf: you are ne.jp admin?

No

Admin sent me the IP

185.67.82.114 is a tor exit node hosted by the EFFI

(electronic frontier finland)

If the spammer is here I want to say something to them. Please do not abuse tor exit nodes. Many people need to use those who are in authoritarian regimes or otherwise in dire need. Your are abusing a public resource for your petty spam. We you do this operators have to block them and they can't be used by the people that need them the most.

techmetx11: From profanity 0.14 there should be a settting to disable resending messages to avoid this stream management bug.

https://profanity-im.github.io/guide/0140/reference.html#strophe

Martin: this is a godsend, now i don't have to patch profanity to disable SM

which is more of a quick hack, since i see that the command has no-resend

nuegia.net: blocking tor nodes wouldn't be necessary, you just need to make registering accounts in bulk too computantially expensive

i'm in favor of PoW captchas

PoW captchas are not a solution here. But didn't we have this whole discussion just a week or so ago? :)

if you all had a discussion about this, then i wasn't here when it happened, sorry

why isn't it a solution?

techmetx11, there are always some servers not well-maintained.

Maybe I just need to write it down somewhere and link it

☭Mike Yellow: true

> techmetx11, there are always some servers not well-maintained. Spammers make use of them.

that's true

PoW scales the number of accounts you can make to the amount of compute resources you have available. Spammers typically have large amounts of (other peoples') compute power available, so PoW is of little concern to them. Unless you require a *lot* of work, at which point you begin to affect legitimate users.

In the meantime, now... The argument...

Some people do not want others public servers blocks many other servers... I guess. ✏

MattJ: i doubt spammers "typically" have large amounts of other peoples' compute power

there was a spammer here who was able to register so many accounts and spam a chatroom with it.... all in a phone

techmetx11, well, that depends what kind of spammer we are talking about. The serious spam on XMPP definitely originates from botnets.

It is easy to know which server is abused and block it, but it is not easy to know when it back to normal and unblock it... I guess.

Individual MUC spammers, maybe not. But then any reasonable PoW requirements would not hinder them.

i'm talking about individual MUC spammers

(the rate of registration on jabbers.one was 3 accounts per hour)

So, would you require an hour's worth of computation to register an account? Bringing that to 1 account/hour? or what?

there was someone who spammed an MUC using accounts automatically registered using multiple servers' in-band registration

in a phone

Sure. I'm not saying that doesn't happen, I'm saying PoW won't stop it.

MattJ: the cost factor would be scaled to the registration load

if there aren't too many accounts being registered, it'll be easy to solve a PoW captcha (very low cost factor)

So if 3 accounts per hour is too much, how long should a normal person have to wait to obtain an account?

More than 20 minutes?

if there's like more than 2000 accounts being registered per hour, the cost factor will be extremely high

WhatsApp/Telegram accounts are free and can be obtained in the time it takes to receive an SMS

3 accounts per hour is too low of a limit

i meant an exponential cost factor

with no limit

I'm telling you, the spammer we have been talking about today *was* registering 3 accounts per hour

and you think the limit should be higher

You underestimate how much time and compute spammers have :)

3 accounts per hour because they were doing it manually

i'm talking about those who register over 2000 accounts per hour through a script

So we're not talking about today's spammer?

like what happened before

yes

techmetx11, most spammers register such amount of accounts over many different servers in the span of multiple months.

i see

So no amount of work is going to stop them.

Well, you could require a month's worth of computation, limiting them to $number_of_servers accounts per month. The numbers just don't add up to make PoW a magic solution.

i'm not asking for a inhumanly expensive cost factor

Anything less won't impact them

also PoW is not time-based

i'm just glad i don't have to implement one :P

It also takes a single server not deploying your new challenge to foil your plans.

yes

> also PoW is not time-based I'm not sure if you offer this statement as an advantage or a disadvantage of PoW

PoW is meant to make attacking something too costly

It's a disadvantage, because it's easy to obtain higher-than-average compute power

not limit the time of it

it depends on the algorithm used by the PoW system

some PoW systems use SHA256 only, which can be solved rather quickly by ASICs

The point of PoW is to stretch the amount of time it takes to perform some operation

Yes, which is why all PoW algorithms allow a scaling factor to increase the time

you see from bitcoin

What does “PoW” mean in English?

ASICs can make up to trillions of hashes

which require a extreme amount of cost factor

unless you use an algorithm that's inefficient for an ASIC

☭Mike Yellow: Proof of Work

> ☭Mike Yellow: Proof of Work Thanks.

☭Mike Yellow: Proof of Work. The idea is to make creating an account or joining a group chat require a bunch of work, with a cost that ideally does not matter much once but adds up when doing it repetitively for spam

ASICs rely on a predictive algorithm to optimize it into a chip

predictable*

this is what makes PoWs useless

if you don't design it against this

so your proposal is to design a pow system that is hard for spammers but not for people and can also be hard to solve even with dedicated hardware like asics? and the alternative is just plain old ip blocking, checking for weird usernames or even stricter requirment in accounts like disroot?

im picking the disroot solution then :) ✏

MSavoritias (fae,ve): disroot solution is always better than anything else

seriously i didn't mind waiting a day for my account

:P

Hello techmetx11

hi rodney7865, are you here for your VPN for your phoen thing?

No

oh, i thought you were that guy, sorry

> oh, i thought you were that guy, sorry What guy? I've had a bunch of messages like this during the last few days. What's the deal?

How to report them? Who are they?

Why do they message me?

rodney7865, you joined this chat and said hi to someone. This is a channel for discussion between XMPP server operators: https://xmpp.org/community/channels/operators

> rodney7865, you joined this chat and said hi to someone. This is a channel for discussion between XMPP server operators: https://xmpp.org/community/channels/operators Yes. Hi. I noticed that there is a guy messaging me and contacting me with the same messages techmetx11 said. Who are they? What do they want? How do I get the info on them? I came here to ask about this guy. He's spamming my inbox.

uhhhh

Are they sending these messages to you directly?

> Are they sending these messages to you directly? yes

Who are they?

You can block people you don't want to receive messages from. Open the menu (three dots in the top right corner), tap 'Contact details'. That will tell you more about them. Then you can open the menu on that screen (three dots) and choose 'Block contact'.

He's making alts and harrassing me. He keeps asking about his Oneplus phone or something. No idea who he is. I want the information on this guy and what he wants and I just want to know who he is.

You should report them to the admin of where they register. (the address after the "@")

rodney7865: oh that guy

i met him on spyware

he keeps annoying everyone with his oneplus phone and VPNs and stuff

> rodney7865: oh that guy > > i met him on spyware yeah what's the deal?

Who is he?

i don't know either

techmetx11: what's the deal?

i don't know, he's absolutely annoying

he never stops