XMPP Service Operators - 2023-10-06


  1. Lightning Bjornsson

    > MattJ wrote:
    > PoW captchas are not a solution here. But didn't we have this whole discussion just a week or so ago? :)
    >
    > techmetx11 wrote:
    > if you all had a discussion about this, then i wasn't here when it happened, sorry
    > why isn't it a solution?

    malicious actors will be able to surmount it more easily than the actors you are intending to let pass, who have access to less compute.

  2. distaza

    I would suggest two things. The first is timeouts for registration from a given IP, or even finite registrations -per- IP. The second is realtime validation.

  3. distaza

    The first is pretty self-explanatory. Do not allow registrations > n for a given IP. Further, registrations should be spaced with n amount of reasonable time.

  4. moparisthebest

    > The first is timeouts for registration from a given IP, or even finite registrations -per- IP.

    That's actually problematic for real users though, many are behind the same IP with CGNAT etc, so often 1 IP can be tens of thousands of legitimate users

  5. distaza

    Better to make exceptions per case rather than an exception for everyone.

  6. distaza

    Maybe implement a checkbox saying 'hey I will need more than n amount'

  7. kainan

    and you can trivially just use Tor circuit isolation to get a different IP for a second account

  8. moparisthebest

    They don't even know what CGNAT is

  9. moparisthebest

    Or just get a /64 of ipv6

  10. distaza

    A friend of mine is suggesting 'make the new accounts above n succeed in creation but require manual review to actually be used'. Or, otherwise, make them honeypots of a sort above n.

  11. distaza

    A person could just get a /64 of IPv6, but this still defeats attacks through IPv4 without imposing a burden on IPv6 users.

  12. distaza

    Also, if you see a large mass of accounts inside of a /64 subnet this would ring warning bells.

  13. distaza

    You could use the IPv6 subnet on the left side of the address and simply put the n restriction on that as well.

  14. distaza

    Again, large companies doing natting should tell you if they are going to create thousands of accounts. If they do, they provide IDENT on port 113.

  15. distaza

    I think that's a pretty reasonable expectation. It's the assumption for IRC operators.

  16. moparisthebest

    > Again, large companies doing natting should tell you if they are going to create thousands of accounts. If they do, they provide IDENT on port 113.

    That's not what I'm talking about, I mean a huge cell phone company has 10,000 different mobile phone users behind the same IP

  17. distaza

    And that would go through a bridge, which goes through one JID. Or, multiple JIDs through one provider. Even incumbent cell phone companies are deploying IPv6. In fact, this connection I'm talking to you through is powered by a cellular tower running IPv6.

  18. moparisthebest

    https://en.wikipedia.org/wiki/Carrier-grade_NAT

  19. distaza

    I think I get where you're coming from with, say, a cellular IPv4 address being used as the registration address. Still, those addresses are reused - not individually representing multiple people at the same time.

  20. moparisthebest

    my phone is behind CGNAT and my single ISP choice for home sponsored world ipv6 day a decade ago and still hasn't rolled it out -.-

  21. moparisthebest

    Yes, they are individually representing thousands of people at the same time

  22. distaza

    ... yeah, my friend explained it to me. Sorry for the misunderstanding.

  23. distaza

    Still, 1000 people aren't all going to register at geographic tower A today, and again tomorrow.

  24. distaza

    A saturation point will be hit.

  25. moparisthebest

    Maybe...

  26. distaza

    Even if we'd have to make exceptions for some towers - maybe even drop any such rule for some, it would be a marked improvement for resisting spam from the rest of the IP space. It might even constrain spammers to physically running out to a specific cell tower. That would be pretty funny.

  27. Lightning Bjornsson

    > moparisthebest wrote:
    > my phone is behind CGNAT and my single ISP choice for home sponsored world ipv6 day a decade ago and still hasn't rolled it out -.-

    may i eat them