XMPP Service Operators - 2023-12-20

  1. nuegia.net

    I'm testing a custom kernel which seems to resolve the kpanic issue caused by prosody stopping.

  2. mitrov


  3. mitrov

    just with that?

  4. nuegia.net


  5. ☭Mike Yellow

    “account reputation”? That sounds awful if implemented and popularized.

  6. ☭Mike Yellow

    Is there a public Prosody server with full MUC plugins installed? I wonder how comprehensive its room configuration is.

  7. nuegia.net

    The three lines of problematic code have been reduced to just one line of correct code

  8. mirux

    Establishing a secure connection to chat.disroot.org failed. Certificate hash: e544a6c496cdaebeeace6ec4e690c4416ca0c3b1. Error with certificate 0: certificate has expired.

  9. MattJ

    nuegia.net: that's great news!

  10. nuegia.net

    the spammer is now registering several accounts on conversations.im

  11. nuegia.net

    their latest is rationale (rationale@conversations.im/Conversations.ajVR

  12. MattJ

    Holger, ^

  13. moparisthebest

    TIL DNSSEC support in systemd is just completely useless and they don't currently plan to fix it FYI https://github.com/systemd/systemd/issues/25676

  14. mitrov


  15. Martin

    Oh, lucky I'm using knot for some years now.

  16. MSavoritias (fae,ve)

    they don't even accept patches to mark it experimental. actively malicious at this point

  17. moparisthebest


  18. MattJ

    AIUI it doesn't set the AD bit, so it's not that dangerous, it basically just doesn't support DNSSEC

  19. moparisthebest

    MattJ: depends what you expect, I'd expect DNSSEC enabled to not serve me spoofed records from a MITM at all, systemd will though

  20. moparisthebest

    unbound or any other sane DNSSEC implementation will not

  21. MattJ

    Yeah, it's misleading if it claims to support DNSSEC (e.g. in the configuration)

  22. MattJ

    But an application using it will always see that it's unsupported

  23. MattJ

    Otherwise that would be a disaster

  24. MSavoritias (fae,ve)

    the problem is that it's not listed as experimental, and there's no "hasn't been tested - may not validate anything" note in the docs

  25. MSavoritias (fae,ve)

    which apparently there is none

  26. MSavoritias (fae,ve)

    at least the biggest one imo

  27. moparisthebest

    well it's tricky, because it *does* validate, if a MITM sends it invalid signatures, it will fail, and not hand back any records

  28. moparisthebest

    so if you enable it, test it against one of the bad domains set up for testing, you decide it validates correctly and think you are safe

  29. moparisthebest

    but then if a MITM *strips* signatures it just hands them to you anyway like they weren't signed at all

  30. MattJ

    I guess the problem is that applications don't surface AD?

  31. moparisthebest

    it's a case of appears-to-work being worse than doesn't-work-at-all, imho

  32. moparisthebest

    I think so MattJ

  33. MattJ

    Browsers, as always :)

  34. moparisthebest

    but also expectations, no one expects a DNSSEC enabled resolver to return records that didn't validate

  35. nuegia.net

    Are there any tools to audit a prosody server for all previous users coming to your mucs from a host, and to whitelist those jids?

  36. nuegia.net

    I'm getting a lot of spam from conversations.im and trashserver from people who register a bs account, use it to spam, and then delete it

  37. nuegia.net

    rinse and repeat

  38. nuegia.net

    I don't want to cause collateral damage, but this is getting to an extreme level

  39. Licaon_Kter

    nuegia.net: you've reported to their admins so at least they try to ban some ips or smth?

  40. nuegia.net

    Not every time because that's a lot of manual work on the administrator and moderator's part when the last couple of times I did they were using random sketchy VPNs

  41. nuegia.net

    it's not like I have the ability to block external users using sketchy vpns

  42. nuegia.net

    I don't think it would be fair to have the other operators enforce 'no sketchy vpn signups allowed to federate with nuegia.net' because I'm not even sure how I would implement that

  43. nuegia.net

    but I don't offer open registration, it's invite only

  44. nuegia.net

    there needs to be something more operators can do to prevent this than just deleting an account and banning an IP, when the spammers are deleting their accounts after use and using throwaway IPs

  45. nuegia.net

    I don't know what though

  46. nuegia.net

    and usually by the time I'm almost done writing an abuse email, they're back at it again with another jid.

  47. nuegia.net

    any moderation technique that requires 2% effort on the spammer's part and 500% effort on the administrator and moderator's part isn't going to be very effective.

  48. MSavoritias (fae,ve)

    for what it's worth i just block domains that persistently spam my channels now. and it's a nuclear solution i know. but as you said the accounts are created too fast

  49. nuegia.net

    conversations.im is a huge domain with a lot of legitimate users of my service.

  50. nuegia.net

    trashserver has legitimate users too

  51. MSavoritias (fae,ve)

    i know. that's why i said it's a nuclear option. tradeoffs all around i guess

  52. nuegia.net

    There's got to be a better option out there

  53. nuegia.net

    it doesn't have to be perfect, just some middleground between not-effective and nuclear

  54. mitrov

    why block entire domains? just switch to voice only

  55. nuegia.net

    they do it across mucs

  56. MSavoritias (fae,ve)

    also voice only helps in some cases. for example you have to disable also pms

  57. nuegia.net

    hhhhmmmm what about users from a particular domain who are not members already have to request voice

  58. MSavoritias (fae,ve)

    and even if you do that they can still spam admins

  59. nuegia.net

    is there any way to implement that?

  60. Menel

    Make everyone a member and set it members-only. The bots are generally not online beside the time they spam, so that works quite well. I don't think there is something better atm

  61. unix.dog

    nuegia.net, you could probably try adding a patch to prosody to add some options for that in the MUC configuration form

  62. unix.dog

    so that people default to Visitor from certain domains

  63. MSavoritias (fae,ve)

    there is also a domain reputation xep. i dont remember the status of that tho

  64. unix.dog


  65. nuegia.net

    that might be beyond my capability right now. i'm not good with Lua

  66. Guus

    Yeah, I was thinking of that too, but I was trying to hold off suggesting solutions that still need to be built :)

  67. nuegia.net

    I do think that would be very effective with the least amount of collateral damage

  68. unix.dog

    i whipped something up in lua but i have no clue if it works or not, or if it would respect existing affiliations

  69. unix.dog

    i’ll probably see if i can test it on a prosody dev server later

  70. nuegia.net

    are SRV records for every xmpp component necessary?

  71. nuegia.net

    someone suggested i setup srv records for dig SRV _xmpp-server._tcp.conference.nuegia.net

  72. nuegia.net

    i already have two records for SRV _xmpp-server._tcp.nuegia.net

  73. mitrov

    You don't need any srv records at all

  74. nuegia.net

    I do because some people don't have ipv6

  75. nuegia.net

    my servers only have two IPv6 public addresses, and then there's a reverse proxy server with an IPv4 address that just serves as a TCP relay to IPv6

  76. unix.dog

    you need them on all components that should be accessible to federation

  77. unix.dog

    conference, pubsub, biboumi, etc

  78. nuegia.net

    are xmpp servers connecting to conference.nuegia.net but not to nuegia.net?

  79. nuegia.net

    also, which server specifically is having issues

  80. unix.dog

    i have two friends on disroot that can't access MUC

  81. nuegia.net

    and when I tried adding a srv record for conference.nuegia.net Linode's dns manager seemed to have issues and translated the actual record to something else

  82. unix.dog

    *MUCs on conference.nuegia.net

  83. nuegia.net

    unix.dog, can you tell them to come here, and have the postmaster of disroot come here so we can figure out how to resolve this?

  84. rewtkid

    nuegia.net in was having a similar issue, told jsj weeks ago in dd and so did one other person and he called us liars. the other person was using xmpp.is and i am using my own server

  85. rewtkid

    i was*