XMPP Service Operators - 2024-07-24


  1. ave

    Hey all, how do you secure your web registrations? I've used captchas before (hcaptcha, recaptcha) on our git instance and while it helped reduce spam registrations, we still got hundreds of spam registrations at times, and eventually had to shut off registrations entirely. Does anyone have a solution that is reasonably safe? I had considered rolling custom image captchas for inband registration prior to multimodal AI models being widespread but now that seems like it's not going to be as successful.

  2. Kris

    Invites

  3. Kris

    Or linking accounts to other platforms that have better tools for vetting registrations.

  4. MSavoritias (fae,ve)

    yep. open registration can't be fixed.

  5. Kris

    Captchas are indeed mostly pointless these days.

  6. MSavoritias (fae,ve)

    after the first few invites you have like 20-50 trusted accounts you can potentially use some kind of vetting/reputation system to invite new people so you don't manually have to do it

  7. MSavoritias (fae,ve)

    i think it can be done somehow in xmpp but idk specifics

  8. Polarian

    I was thinking about this issue myself, as I did want to become a public provider (until the legal paperwork scared me away), has anyone tried using a mailing list, and manually approving each person? or not even a mailing list just an application account... A short email conversation should be enough to detect an AI or a human, problem is if you get thousands of applications a day, you wouldn't handle the workload

  9. Polarian

    I was thinking about this issue myself, as I did want to become a public provider (until the legal paperwork scared me away), has anyone tried using a mailing list, and manually approving each person? or not even a mailing list just an email account... A short email conversation should be enough to detect an AI or a human, problem is if you get thousands of applications a day, you wouldn't handle the workload

  10. Polarian

    it's how piracy trackers keep their trackers secure, and it seems to work decently

  11. Polarian

    I doubt people would want to join a jitsi call and have a full on interview for an XMPP account though :P

  12. Menel

    Prosody has invites and can be allowed to let people be invited by members of the server. What's missing is a reputation system. But what it has as a start is a module to track invites. That's only a stub. But could (and should 🙂) be developed so an admin could see and ban a whole "tree" of invited contacts, if a spammer invites its bots etc.

  13. Kris

    There is an old likely defunct prosody module for that

  14. Kris

    Called endorse chain

  15. Kris

    https://gitlab.com/Warr1024/prosody-mod-endorsechain

  16. Kris

    If someone wants to revive it.

  17. ave

    Right now we have manual invites

  18. ave

    as in, contact staff to invite someone

  19. ave

    It would definitely be nice to add an invite and reputation system.

  20. Polarian

    How would you implement it though

  21. ave

    > Or linking accounts to other platforms that have better tools for vetting registrations.
    I considered this by putting new account registrations to manual review unless they use the big email servers, but most spam accounts we get on our git is hotmail and gmail :/

  22. ave

    I've also seen people generate twitter accounts en masse. They get blocked when tweeting but work fine for oauth. I guess one could check account age.

  23. MSavoritias (fae,ve)

    yeah you check how many followers, posts, follows, etc. they can't fake activity going back years

  24. MSavoritias (fae,ve)

    unless you are targeted of course for some reason

  25. Polarian

    Where do you draw the line though, at this point you are almost stalking people to vet them....

  26. xa0.uk

    the sensible choice is to adhere to the time-tested protocol: innocent until proven guilty