[Operators] Spam Problem And Its Simple Solution
a at creep.im
Sat Nov 19 12:19:34 UTC 2016
The spam problem persists and it gets worse and worse each consecutive
day, but seems like nobody actually can or wants to do anything. All the
anti-spam measures discussed here in this list are a mere blocking of
spam JIDs or even whole domains.
But this will not mitigate the spam problem and moreover this is not a
XMPP is blatantly famous for its truly decentralized federation and a
high possibility of automation. This is why it is number one choice for
security-concerned internet users and also criminals of all sorts. The
situation is very similar to that of Bitcoin.
But criminals cannot disrupt Bitcoin, because its ecosystem doesn't
really have human-managed weak points. It does have miner points, but
miner operators rarely do anything. Typically miner-node just runs and
mines and operator just keeps an eye on it to check if it's operating
well and with the lastest software. There is an automated decentralized
Blockchain which automatically sorts out all problems with the network.
XMPP doesn't have a blockchain. XMPP is human-maintained.This is a weak
point from the infrastructure point of view.
XMPP's decentralization and lack of any sort of authority enabled
spamers to easily facilitate the system to conduct huge spam campaigns.
I have my JID posted on Internet and get tens of spam messages every day.
Due to a decentralized nature of XMPP, this problem can't be solved by
operators of some nodes. Even if all the operators unite (which will not
happen anytime) and start cooperate, the problem will persist. When you
block 10 JIDs, spamer pushes one button and automatically creates 1000
new JIDs on dozens of nodes (your included). When you block the whole
node, more of others get used. This is essentially war with a
multi-headed hydra, when 3 new heads are instantly grown up when you cut
off just one.
The solution to disable an in-band registration and/or supervise every
registration are not solutions at all. XMPP enables people to free
communicate with easy registration process, and removing the "easy" part
from this equation renders the whole XMPP system questionable. Why
should users take additional complicated steps when they still can use
Facebook Messenger or Hangouts?
Some operators block particular IPs which is a bad practice as well, and
in the case of my service it will not work, since it has enabled
But the solution to the problem is actually very, very easy. We just
need to take experience from the past.
In the early days of internet messaging in Russia ICQ messenger was
prevalent. This was a service with a single authority, but for some
reason it, a single Israeli company at the moment, was not able or
simply didn't want to do anything to with huge amounts of spam which
fell upon the network. So the prerequisites are the same as in the XMPP
today: there is a persistent spam and there is a lack of possibility or
simple neglect from operators to do anything with the problem.
How do this problem was solved back in 2000s? Very easy. Popular clients
just incorporated simple anti-spam measures to perform human-testing for
any new senders. Client just asked every new sender to answer simple
(customizable) question, such as "What is the planet name we are living
on?" and if sender managed to answer, the client allowed sender to
actually communicate with the recipient. This is just that easy.
Looking at clients I use for XMPP messaging: Gajim, Pidgin, Adiumand
Conversations- none of them have a decent easily accessible anti-spam
solution. Gajim does have "Anti Spam" plugin, but it doesn't have the
"question/answer"feature. The Pidgin doesn't have any anti-spam plugins
in its plugins list, and although there are some plugins on the
Internet, most people will not search plugins themselves (not to mention
most people doesn't know or want to knowhow to install third-party
plugins to Pidgin). Conversations doesn't have plugin system and doesn't
have native anti-spam measures. I emailed Daniel Gultsch (author and
maintainer of Conversations) once if there is a possibility to add
anti-spam feature in some future release,but for some reason he didn't
Authors of clients and plugins should be concerned about the issue. They
shouldbemotivatedto implement simple counter-measures.This is not a
difficult task, someone just need to take his time and do this. Maybe
someone from this list have relevant skills and can implement required
plugins and someone else can persuade client authors to include this
plugin to the default list, which comes with the app.
To combat automated threat we just need to answer accordingly, with an
automated defense solution.
XMPP is an open and mostly unmaintained/unmonitored/uncensored network
and it should to stay this. Users should be able to protect themselves
without any help from node operators.
Take care, A.
More information about the Operators