[Pkg-xmpp-devel] DebConf - talk scheduled: Debian & XMPP: packaging and infrastructure

Matthew Wild mwild1 at gmail.com
Mon Jul 23 10:22:55 BST 2018

On 23 July 2018 at 10:13, W. Martin Borgert <debacle at debian.org> wrote:
> Quoting Matthew Wild <mwild1 at gmail.com>:
>> Prosody's mod_firewall has the capability to filter/block anything.
>> The tricky part (as with all spam) is identifying what should be
>> blocked and what should not. There is very little information
>> contained in a subscription request (unlike a message, which may
>> contain spam URLs, etc.).
> True. The best way would be a receiving server side captcha. "Before
> you can contact this user, please tell me what is the airspeed
> velocity of an unladen swallow?" But that would need a new XEP, right?

It wouldn't need a new XEP. There is already a CAPTCHA XEP, and it's
extensible and compatible with all clients. However, CAPTCHA is not a
full solution; they are easy to solve by humans, and humans are cheap
in many parts of the world. jabber.org attempted to prevent spam
registrations with CAPTCHA and still got hundreds of spam accounts
registered per day.

>> The current "best" approach seems to be blocking servers that generate
>> lots of outbound spam (such servers typically allow open registration
>> and are not well-maintained). E.g. see here:
>> https://github.com/ge0rg/jabber-spam-fighting-manifesto
> Yes. As long as inline registration and anonymous accounts are still
> considered OK, but only limitation on number of accounts for IP per
> hour is required, this is fine.

IPs are also cheap, and don't mean very much. Spammers have access to
a massive number of IP addresses, through cheap botnets.

>> Any other ideas are welcome, but I don't think the issue of spam will
>> ever be 100% solved. I do believe we can get a long way though - spam
>> has never been solved entirely for email, but we have a lot of
>> advantages in XMPP, such as stronger server identity verification
>> built into the protocol.
> I agree. One or the other spam message in a while (or contact request)
> is not a problem. Last year it was just far too much. Some users of
> the Debian XMPP server got around 10 messages a day. Do you have any
> idea, why spim exploded last year and is not so much a problem now?
> Did admins actually read Ge0rg's manifesto? :~)

Partly, yes. A lot of server operators have started taking spam more
seriously, and stopping spam at the place it enters the network.
Numerous filters have been developed, including rulesets for
mod_firewall which filter the majority of incoming spam too. Plus I
believe there has been a reduction - maybe spammers did not find it as
profitable as they hoped compared to SMTP spam.

