
Re: Some observations from a first time debian.org XMPP user



On 22 January 2017 at 10:01, W. Martin Borgert <debacle@debian.org> wrote:
> On 2017-01-22 09:04, Petter Reinholdtsen wrote:
>> When I connected using gajim, my client was flooded
>> with messages.  I believe I got around 215 messages.  Is this normal?

Developer of the XMPP server software that debian.org is running, here.

Unfortunately yes, spam is becoming somewhat of a problem on XMPP
recently. This has mostly happened within the past 6-12 months;
spam was quite a rare occurrence before that. However, some groups seem
to have deemed it profitable, and have been harvesting addresses and using
them in automated distributed message distribution, even making easy
front-ends to their "service", such as https://xmppspam.space/howto

Spam is still not a solved problem for email, despite much effort, and
one thing to learn from that is that there is no silver bullet that
will 100% solve spam, any network with enough people on it will be a
valuable target for spammers.

However the good news is that XMPP has a number of potential
advantages over spam that SMTP doesn't have. The problem is that,
because of the lack of spam until now, the network was totally
unprepared for this current wave.

> Unfortunately, it is. I know at least of two DDs who do not use
> our server because of this "SPIM" (spam + IM) issue.
>
>> Is there anything being done on the XMPP server side to avoid spam?

Yes. Various options are available, and work is ongoing to expand and
improve them.

The root of the current spam wave is that spammers are taking
advantage of public servers with open registration, which are offered
by volunteer server admins with good intentions. There is ongoing work
to raise awareness of the issue with server admins. Servers that are
not tightened up typically end up being blacklisted by other servers.
There is not currently a reputable shared blacklist, but I expect one
to emerge. Current intelligence regarding spam issues is shared on the
XMPP operators mailing list:
https://mail.jabber.org/mailman/listinfo/operators

> So far, I did not get any invitation spam, so one might just
> block all strangers: https://bugs.debian.org/846099 OTOH, maybe
> you want to be reachable by people not in your roster?

This is a very effective countermeasure *at the moment*. Two obvious
downsides: first, people not on your roster won't be able to communicate
with you (some people care about this, some don't). Second, it's a
trivial next step for the spammers to move onto subscription request
spam.

Another option that some admins have been having a lot of success with
is Prosody's mod_firewall module:
https://modules.prosody.im/mod_firewall.html

It allows various filtering rules, and I'm working with the admins of
servers that are currently using it to compile a shared collection of
rules, which we hope to make available soon. All of the current spam
can be easily eliminated through such rules based on the context and
content of messages.

Hope this is useful. Happy to assist if there are any questions,
suggestions or feedback on any of the available options.

Regards,
Matthew
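The two countermeasures discussed in the message above, "block all strangers" and context/content filtering rules of the kind mod_firewall applies, can be illustrated with a small stanza classifier. The following is an added example written for this page; it is not code from the thread, from Prosody or from mod_firewall, and its roster, sample stanzas and rule vocabulary (PASS/DROP) are constructed for illustration.

```python
"""Added example (not Prosody/mod_firewall code): a tiny rule engine that
classifies incoming XMPP <message/> stanzas by context (is the sender in the
recipient's roster?) and content (does the body carry a URL?), the two kinds
of signal the message above describes.  Roster and stanzas are constructed."""
import re
import xml.etree.ElementTree as ET

JABBER_NS = "{jabber:client}"
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)

# Constructed sample roster: recipient bare JID -> bare JIDs it is subscribed to.
ROSTER = {
    "alice@example.org": {"bob@example.org", "carol@example.net"},
}


def bare_jid(jid):
    """Drop the resource: user@host/resource -> user@host."""
    return jid.split("/", 1)[0]


def find_child(el, name):
    """Find a direct child whether or not the stanza carries xmlns='jabber:client'."""
    for tag in (JABBER_NS + name, name):
        child = el.find(tag)
        if child is not None:
            return child
    return None


def parse_message(stanza_xml):
    """Return (sender, recipient, type, body) for a <message/> stanza."""
    el = ET.fromstring(stanza_xml)
    body_el = find_child(el, "body")
    body = "" if body_el is None else (body_el.text or "")
    return (bare_jid(el.get("from", "")), bare_jid(el.get("to", "")),
            el.get("type", "normal"), body)


def is_subscribed(sender, recipient):
    """Context check: does the recipient have the sender in their roster?"""
    return sender in ROSTER.get(recipient, set())


def classify(stanza_xml, block_strangers=False):
    """Apply the rules in order and return (action, reason).

    PASS delivers the stanza; DROP discards it silently, so no error
    bounces back to the sender (a bounce would confirm a live address).
    """
    sender, recipient, mtype, body = parse_message(stanza_xml)
    # Stanzas without a body (chat states, receipts) carry no spam payload.
    if not body.strip():
        return ("PASS", "no body")
    # Context rule: roster contacts are trusted regardless of content.
    if is_subscribed(sender, recipient):
        return ("PASS", "subscribed")
    # Optional "block all strangers" policy, the countermeasure from the thread.
    if block_strangers:
        return ("DROP", "not subscribed")
    # Content rule for strangers: an unsolicited chat message carrying a link.
    if mtype in ("chat", "normal") and URL_RE.search(body):
        return ("DROP", "stranger sent URL")
    return ("PASS", "stranger, no spam indicators")


# Constructed sample stanzas (not real traffic); the third omits the xmlns.
SAMPLE_STANZAS = [
    "<message xmlns='jabber:client' from='bob@example.org/laptop' "
    "to='alice@example.org' type='chat'><body>Lunch at 12?</body></message>",
    "<message xmlns='jabber:client' from='promo@openreg.example/bot' "
    "to='alice@example.org' type='chat'><body>Earn money fast: "
    "https://example.invalid/offer</body></message>",
    "<message from='newfriend@example.com/home' to='alice@example.org' "
    "type='chat'><body>Hi, we met at the conference</body></message>",
    "<message xmlns='jabber:client' from='promo@openreg.example/bot' "
    "to='alice@example.org' type='chat'>"
    "<composing xmlns='http://jabber.org/protocol/chatstates'/></message>",
]


def run_samples(block_strangers=False):
    """Classify every sample stanza; returns the list of actions in order."""
    return [classify(s, block_strangers)[0] for s in SAMPLE_STANZAS]


if __name__ == "__main__":
    for stanza in SAMPLE_STANZAS:
        action, reason = classify(stanza)
        print(action, "-", reason)
```

With the default policy only the stranger-with-URL stanza is dropped; with `block_strangers=True` the unknown-but-harmless sender is dropped as well, which is exactly the trade-off the message describes: fewer false negatives at the cost of losing contact from people not yet on the roster.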
