[Operators] Spam Problem And Its Simple Solution

A a at creep.im
Sat Nov 19 12:19:34 UTC 2016 

Hey everyone.

The spam problem persists and it gets worse and worse each consecutive 
day, but seems like nobody actually can or wants to do anything. All the 
anti-spam measures discussed here in this list are a mere blocking of 
spam JIDs or even whole domains.

But this will not mitigate the spam problem and moreover this is not a 
solution.

XMPP is blatantly famous for its truly decentralized federation and a 
high possibility of automation. This is why it is number one choice for 
security-concerned internet users and also criminals of all sorts. The 
situation is very similar to that of Bitcoin.

But criminals cannot disrupt Bitcoin, because its ecosystem doesn't 
really have human-managed weak points. It does have miner points, but 
miner operators rarely do anything. Typically miner-node just runs and 
mines and operator just keeps an eye on it to check if it's operating 
well and with the lastest software. There is an automated decentralized 
Blockchain which automatically sorts out all problems with the network. 
XMPP doesn't have a blockchain. XMPP is human-maintained.This is a weak 
point from the infrastructure point of view.

XMPP's decentralization and lack of any sort of authority enabled 
spamers to easily facilitate the system to conduct huge spam campaigns. 
I have my JID posted on Internet and get tens of spam messages every day.

Due to a decentralized nature of XMPP, this problem can't be solved by 
operators of some nodes. Even if all the operators unite (which will not 
happen anytime) and start cooperate, the problem will persist. When you 
block 10 JIDs, spamer pushes one button and automatically creates 1000 
new JIDs on dozens of nodes (your included). When you block the whole 
node, more of others get used. This is essentially war with a 
multi-headed hydra, when 3 new heads are instantly grown up when you cut 
off just one.

The solution to disable an in-band registration and/or supervise every 
registration are not solutions at all. XMPP enables people to free 
communicate with easy registration process, and removing the "easy" part 
from this equation renders the whole XMPP system questionable. Why 
should users take additional complicated steps when they still can use 
Facebook Messenger or Hangouts?

Some operators block particular IPs which is a bad practice as well, and 
in the case of my service it will not work, since it has enabled 
.onion-address.

But the solution to the problem is actually very, very easy. We just 
need to take experience from the past.

In the early days of internet messaging in Russia ICQ messenger was 
prevalent. This was a service with a single authority, but for some 
reason it, a single Israeli company at the moment, was not able or 
simply didn't want to do anything to with huge amounts of spam which 
fell upon the network. So the prerequisites are the same as in the XMPP 
today: there is a persistent spam and there is a lack of possibility or 
simple neglect from operators to do anything with the problem.

How do this problem was solved back in 2000s? Very easy. Popular clients 
just incorporated simple anti-spam measures to perform human-testing for 
any new senders. Client just asked every new sender to answer simple 
(customizable) question, such as "What is the planet name we are living 
on?" and if sender managed to answer, the client allowed sender to 
actually communicate with the recipient. This is just that easy.

Looking at clients I use for XMPP messaging: Gajim, Pidgin, Adiumand 
Conversations- none of them have a decent easily accessible anti-spam 
solution. Gajim does have "Anti Spam" plugin, but it doesn't have the 
"question/answer"feature. The Pidgin doesn't have any anti-spam plugins 
in its plugins list, and although there are some plugins on the 
Internet, most people will not search plugins themselves (not to mention 
most people doesn't know or want to knowhow to install third-party 
plugins to Pidgin). Conversations doesn't have plugin system and doesn't 
have native anti-spam measures. I emailed Daniel Gultsch (author and 
maintainer of Conversations) once if there is a possibility to add 
anti-spam feature in some future release,but for some reason he didn't 
answer me.

Authors of clients and plugins should be concerned about the issue. They 
shouldbemotivatedto implement simple counter-measures.This is not a 
difficult task, someone just need to take his time and do this. Maybe 
someone from this list have relevant skills and can implement required 
plugins and someone else can persuade client authors to include this 
plugin to the default list, which comes with the app.

To combat automated threat we just need to answer accordingly, with an 
automated defense solution.

XMPP is an open and mostly unmaintained/unmonitored/uncensored network 
and it should to stay this. Users should be able to protect themselves 
without any help from node operators.

Take care, A.

More information about the Operators mailing list