You have good points. Yes, there is something which has to be
changed.
But if you want an anti-spam function in clients, preventing
spammers from creating new accounts, it will be lost from the
start. XMPP is, as you said, open source.
Let's say the network has 100 servers in total. And ALL
server owners introduce anti-spam solutions.
If I am a spammer, I simply set up my own server and hook it up to
the network. It's open source after all, so this is no problem. And
there are already spam domains which only exist to spam other
users.
So if we all manage to block spammers, they simply set up their own
servers. Whatever we do, we need to change something in the
registration process, and we can't hope that other people will
adapt it.
A solution would be:
- Jabber servers HAVE TO FORCE an anti-spam solution, like the
  mentioned random question.
- Connections from old versions have to be refused. Servers
  without anti-spam solutions need to be blocked.
- An authentication system for clients like botsentry for
  Pidgin: "Deny all messages from people outside my contact list,
  unless they can answer a simple question."
We don't need to make our system totally safe against spam; we
only have to make our system so complex that the ratio of "create
spamming accounts and send spam" to "earned money" is not worth it
anymore.
On the other hand, I have to give my two cents about "keep it
easy for users":
I don't know how you see things, but if I have users who ask me
to "allow unencrypted connections to Google because I want to chat
with people on Google Talk", I regularly answer them "I am not the
right service for you". If they want to use Facebook chat,
well... let them use it.
I provide a service for people who care about their privacy and
are not afraid or too lazy to "do" something for it.
regards
Arsimael Inshan
IT-Consultant
email: a...@jhml.de
web: https://www.it-native.de (german)
-----------------------------------------------------------------
This e-mail may contain confidential and/or privileged
Informations. If you are not the intended recipient, please
immediately inform the sender and delete this mail. Any
unauthorized copying, disclosure or distribution of this Mail
is not allowed.
-----------------------------------------------------------------
On 19.11.2016 at 13:19, A wrote:
Hey everyone.
The spam problem persists and it gets worse and worse each
consecutive day, but it seems like nobody actually can or wants to
do anything. All the anti-spam measures discussed here on this list
are mere blocking of spam JIDs or even whole domains.
But this will not mitigate the spam problem, and moreover this is
not a solution.
XMPP is blatantly famous for its truly decentralized federation
and a high possibility of automation. This is why it is the number
one choice for security-concerned internet users and also criminals
of all sorts. The situation is very similar to that of Bitcoin.
But criminals cannot disrupt Bitcoin, because its ecosystem
doesn't really have human-managed weak points. It does have miner
points, but miner operators rarely do anything. Typically a
miner node just runs and mines, and the operator just keeps an eye
on it to check that it's operating well and with the latest
software. There is an automated decentralized blockchain which
automatically sorts out all problems with the network. XMPP doesn't
have a blockchain. XMPP is human-maintained. This is a weak point
from the infrastructure point of view.
XMPP's decentralization and lack of any sort of authority enabled
spammers to easily use the system to conduct huge spam
campaigns. I have my JID posted on the Internet and get tens of
spam messages every day.
Due to the decentralized nature of XMPP, this problem can't be
solved by operators of some nodes. Even if all the operators unite
(which will not happen anytime soon) and start cooperating, the
problem will persist. When you block 10 JIDs, the spammer pushes
one button and automatically creates 1000 new JIDs on dozens of
nodes (yours included). When you block the whole node, more others
get used. This is essentially a war with a multi-headed hydra,
where 3 new heads instantly grow when you cut off just one.
The solutions of disabling in-band registration and/or supervising
every registration are not solutions at all. XMPP enables people
to communicate freely with an easy registration process, and
removing the "easy" part from this equation renders the whole XMPP
system questionable. Why should users take additional complicated
steps when they can still use Facebook Messenger or Hangouts?
Some operators block particular IPs, which is a bad practice as
well, and in the case of my service it will not work, since it has
an .onion address enabled.
But the solution to the problem is actually very, very easy. We
just need to take experience from the past.
In the early days of internet messaging in Russia the ICQ messenger
was prevalent. This was a service with a single authority, but for
some reason it, a single Israeli company at the time, was not
able or simply didn't want to do anything about the huge amounts of
spam which fell upon the network. So the prerequisites are the
same as in XMPP today: there is persistent spam and there is
a lack of possibility or simple neglect from operators to do
anything about the problem.
How was this problem solved back in the 2000s? Very easily. Popular
clients just incorporated simple anti-spam measures to perform
human-testing for any new senders. The client just asked every new
sender to answer a simple (customizable) question, such as "What is
the name of the planet we are living on?", and if the sender
managed to answer, the client allowed the sender to actually
communicate with the recipient. It is just that easy.
Looking at the clients I use for XMPP messaging: Gajim, Pidgin,
Adium and Conversations. None of them has a decent, easily
accessible anti-spam solution. Gajim does have an "Anti Spam"
plugin, but it doesn't have the "question/answer" feature. Pidgin
doesn't have any anti-spam plugins in its plugins list, and
although there are some plugins on the Internet, most people will
not search for plugins themselves (not to mention most people don't
know or want to know how to install third-party plugins in Pidgin).
Conversations doesn't have a plugin system and doesn't have native
anti-spam measures. I emailed Daniel Gultsch (author and
maintainer of Conversations) once asking if there is a possibility
to add an anti-spam feature in some future release, but for some
reason he didn't answer me.
Authors of clients and plugins should be concerned about the
issue. They should be motivated to implement simple
counter-measures. This is not a difficult task; someone just needs
to take the time and do it. Maybe someone from this list has
relevant skills and can implement the required plugins, and someone
else can persuade client authors to include the plugin in the
default list which comes with the app.
To combat an automated threat we just need to answer accordingly,
with an automated defense solution.
XMPP is an open and mostly unmaintained/unmonitored/uncensored
network and it should stay this way. Users should be able to
protect themselves without any help from node operators.
Take care, A.
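The client-side question/answer gate that both messages above describe (the botsentry-style "deny unless they answer a simple question" and the ICQ-era challenge), as an added Python example that is not part of either message or of any of the clients named. The question, the answer, the JIDs in the comments and the pending-table cap are assumptions; the class stands in for a client's incoming-message handler and the JID normalization is deliberately simplified.

```python
"""Client-side challenge/response gate for an XMPP client (added example)."""
from dataclasses import dataclass, field

@dataclass
class AntiSpamGate:
    roster: set                       # bare JIDs of accepted contacts
    question: str = "What is the name of the planet we live on?"  # constructed
    answer: str = "earth"
    max_attempts: int = 3             # wrong answers before the JID is blocked
    max_pending: int = 1000           # bound memory against mass-registered JIDs
    pending: dict = field(default_factory=dict)   # bare JID -> {"left", "held"}
    verified: set = field(default_factory=set)
    blocked: set = field(default_factory=set)

    @staticmethod
    def bare(jid: str) -> str:
        # Drop the resource and lower-case; a real client should apply
        # RFC 7622 JID normalization instead of this simplification.
        return jid.split("/", 1)[0].lower()

    def handle(self, from_jid: str, body: str) -> tuple:
        """Return ("deliver", text) to show text to the user, ("reply", text)
        to answer the sender only, or ("drop", None) to discard silently."""
        jid = self.bare(from_jid)
        if jid in self.roster or jid in self.verified:
            return "deliver", body
        if jid in self.blocked:
            return "drop", None
        state = self.pending.get(jid)
        if state is None:
            # First contact: hold the message and ask the question; evict the
            # oldest pending challenge if a flood of new JIDs fills the table.
            if len(self.pending) >= self.max_pending:
                self.pending.pop(next(iter(self.pending)))
            self.pending[jid] = {"left": self.max_attempts, "held": body}
            return "reply", self.question
        if body.strip().lower() == self.answer:
            del self.pending[jid]
            self.verified.add(jid)
            return "deliver", state["held"]   # release the held first message
        state["left"] -= 1
        if state["left"] == 0:
            del self.pending[jid]         # give up; further messages are dropped
            self.blocked.add(jid)
            return "drop", None
        return "reply", self.question
```

The held first message means a legitimate stranger loses nothing by answering, while a bot that never answers costs the user no attention; the bounded pending table is what keeps "1000 new JIDs at the push of a button" from exhausting client memory.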