On Sat, May 23, 2020, at 14:08, Georg Lukas wrote:
> I'm not sure when you would come into a situation where you don't
> report a spam message in a timely manner but let it sit there for
> multiple weeks.

I'm not sure when we'd hit that situation either, but that's not going to make it any less weird when it happens.

> I'm sure that you are aware of the coordinated attacks on
> centralized social networks where trolls mass-report accounts that
> they disagree with.

I am aware of them, and I do think we should try to avoid putting burden on server operators as much as possible, but also I suspect you have to check out reports no matter what. Although I would be more worried that server operators would just trust what was in the payload if we did it this way.

Mass fake reports could be a problem with sending stanza IDs as well, especially if the attackers just use a stanza that has expired from the archive. Either way the operator probably has to do something to verify that the message was spam and/or actually existed or that the user continues to send spam.

How spam reports are handled will always be very service specific too. Servers could do anything from verifying it against the MAM archive anyways if the specific account has a permanent archive enabled, or they could do something more clever like generate IDs based on a signature of the message so that they can verify that the forwarded message hasn't been modified (this would be overkill to include in the XEP, but it has no compatibility requirements so individual servers and services could do something like this if they wanted and no one else would know the difference).

Anyways, just spitballing, I suspect we could find a couple of good ways for servers to verify messages and just include a mention of it in the security considerations if we went with a "forward the message back" approach.

—Sam

-- 
Sam Whited
_______________________________________________
Standards mailing list
Info: https://mail.jabber.org/mailman/listinfo/standards
Unsubscribe: standards-unsubscr...@xmpp.org
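
Added example, not part of the message above or of any XEP: one way a server could implement the "IDs based on a signature of the message" idea, using an HMAC over sender, recipient and body so that a forwarded report can be checked even after the stanza has expired from the archive. The key handling, the choice of fields and all function names are assumptions made for this example.

```python
import base64
import hashlib
import hmac
import os

# Assumption: a per-server secret; generated here only so the example runs.
SERVER_KEY = os.urandom(32)
NONCE_LEN = 8   # keeps IDs unique when the same text is sent twice
TAG_LEN = 16    # truncated HMAC-SHA256 tag


def _canonical(sender: str, recipient: str, body: str) -> bytes:
    """Length-prefix each field so field boundaries cannot be shifted."""
    out = b""
    for field in (sender, recipient, body):
        raw = field.encode("utf-8")
        out += len(raw).to_bytes(4, "big") + raw
    return out


def _tag(key: bytes, nonce: bytes, sender: str, recipient: str, body: str) -> bytes:
    msg = nonce + _canonical(sender, recipient, body)
    return hmac.new(key, msg, hashlib.sha256).digest()[:TAG_LEN]


def make_stanza_id(key: bytes, sender: str, recipient: str, body: str) -> str:
    """Mint the ID the server attaches when it delivers the message."""
    nonce = os.urandom(NONCE_LEN)
    tag = _tag(key, nonce, sender, recipient, body)
    return base64.urlsafe_b64encode(nonce + tag).decode("ascii")


def verify_report(key: bytes, stanza_id: str, sender: str, recipient: str, body: str) -> bool:
    """Check a forwarded message against its ID without consulting an archive."""
    try:
        raw = base64.urlsafe_b64decode(stanza_id.encode("ascii"))
    except ValueError:  # covers bad base64 and non-ASCII input
        return False
    if len(raw) != NONCE_LEN + TAG_LEN:
        return False
    nonce, tag = raw[:NONCE_LEN], raw[NONCE_LEN:]
    # Constant-time comparison so the check does not leak tag bytes.
    return hmac.compare_digest(tag, _tag(key, nonce, sender, recipient, body))
```

Rotating the key invalidates IDs minted under the old one, so a deployment would keep retired keys for as long as it accepts reports.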