[Standards] DEFERRED: XEP-0377 (Spam Reporting)

Sam Whited sam at samwhited.com
Sat May 23 20:31:13 UTC 2020

On Sat, May 23, 2020, at 14:08, Georg Lukas wrote:
> I'm not sure when you would come into a situation where you don't
> report a spam message in a timely manner but let it sit there for
> multiple weeks.

I'm not sure when we'd hit that situation either, but that's not going
to make it any less weird when it happens.

> I'm sure that you are aware of the coordinated attacks on
> centralized social networks where trolls mass-report accounts that
> they disagree with.

I am aware of them, and I do think we should try to avoid putting
burden on server operators as much as possible, but also I suspect you
have to check out reports no matter what. Although I would be more
worried that server operators would just trust what was in the payload
if we did it this way.

Mass fake reports could be a problem with sending stanza IDs as well,
especially if the attackers just use a stanza that has expired from the
archive. Either way the operator probably has to do something to verify
that the message was spam and/or actually existed or that the user
continues to send spam.

How spam reports are handled will always be very service-specific too.
Servers could do anything from verifying it against the MAM archive
anyways if the specific account has a permanent archive enabled, or they
could do something more clever like generate IDs based on a signature of
the message so that they can verify that the forwarded message hasn't
been modified (this would be overkill to include in the XEP, but it has
no compatibility requirements so individual servers and services could
do something like this if they wanted and no one else would know the
difference). Anyways, just spitballing, I suspect we could find a couple
of good ways for servers to verify messages and just include a mention
of it in the security considerations if we went with a "forward the
message back" approach.


Sam Whited
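
The "generate IDs based on a signature of the message" idea from the message above, as an added sketch that is not part of the original post, not XEP-0377 text, and not any server's implementation. It assumes a per-server secret key and an ID layout (8-byte timestamp plus HMAC-SHA256 tag) chosen here for illustration; all function names and sample values are hypothetical. The server can check a forwarded report without consulting the archive, so an expired or fabricated ID fails verification.

```python
import base64
import hashlib
import hmac
import struct

# Assumption: a secret known only to the server (constructed demo value).
SERVER_KEY = b"constructed-demo-key"

def _canonical(sender, recipient, body, ts):
    # Length-prefix every field so content cannot be shifted across field boundaries.
    out = struct.pack(">Q", ts)
    for field in (sender, recipient, body):
        data = field.encode("utf-8")
        out += struct.pack(">I", len(data)) + data
    return out

def mint_stanza_id(sender, recipient, body, ts, key=SERVER_KEY):
    """Build the ID the server attaches at delivery: timestamp || HMAC tag."""
    tag = hmac.new(key, _canonical(sender, recipient, body, ts), hashlib.sha256).digest()
    raw = struct.pack(">Q", ts) + tag
    return base64.urlsafe_b64encode(raw).decode("ascii").rstrip("=")

def verify_report(stanza_id, sender, recipient, body, key=SERVER_KEY):
    """Return the delivery timestamp if the forwarded message matches the ID, else None."""
    try:
        raw = base64.urlsafe_b64decode(stanza_id + "=" * (-len(stanza_id) % 4))
    except ValueError:  # malformed base64 or non-ASCII input
        return None
    if len(raw) != 8 + hashlib.sha256().digest_size:
        return None
    ts = struct.unpack(">Q", raw[:8])[0]
    expected = hmac.new(key, _canonical(sender, recipient, body, ts), hashlib.sha256).digest()
    # Constant-time comparison; the timestamp is covered by the tag as well.
    return ts if hmac.compare_digest(raw[8:], expected) else None

if __name__ == "__main__":
    # Constructed sample message and delivery time.
    sid = mint_stanza_id("spammer@example.net", "victim@example.org", "Buy now!", 1590265873)
    print(verify_report(sid, "spammer@example.net", "victim@example.org", "Buy now!"))
    print(verify_report(sid, "spammer@example.net", "victim@example.org", "Edited text"))
```

The returned timestamp lets each service apply its own policy on how old a reported message may be.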
