/README.md:

# The Jabber Spam Fighting Manifesto

*Version 0.8, 2018-04-07*

The Jabber network (a federated set of thousands of servers with many
tens or hundreds of thousands of users) has been under a continuous flood of
spam messages for multiple years. Similar to the open email relays of the
mid-1990s, public (and often abandoned) XMPP servers are being abused to
deliver those messages.

We, as the operators of public XMPP servers, commit to the following
*Server Policies* to fight spam on our servers, and we announce our intent
to block incoming communication from public servers that distribute spam
messages and do not react to abuse reports. Furthermore, we
will inform other *Public Server* operators and the general public of
domains sending spam and not reacting to abuse reports by keeping those
servers on a [public blacklist](https://github.com/JabberSPAM/blacklist).

## Server Policies

A *Public Server* is an XMPP server that allows both the registration of
accounts by third parties (either via [In Band Registration][XEP-0077]
or by other means, like a web form), and federation to other XMPP
servers, making it possible for its users to reach out to other XMPP
domains.

The operators of a *Public Server* shall perform the following actions to
fight spam:

* Provide an abuse contact according to
  [XEP-0157: Contact Addresses for XMPP Services][XEP-0157] and
  react to incoming abuse reports in a timely fashion.

* Limit the number of new user registrations per IP address per hour.

* Monitor and review registrations from IP addresses with bad reputation
  (open proxy servers, Tor exit nodes), OR enforce additional checks on
  those users, for example by requesting a CAPTCHA or verifying the user's
  phone number.

* Throttle the traffic from local clients, especially unsolicited
  subscription requests and messages.

[XEP-0077]: https://xmpp.org/extensions/xep-0077.html
[XEP-0157]: https://xmpp.org/extensions/xep-0157.html

## Schedule

With our signature under this Manifesto, we assure that our servers are
already following the above-stated *Server Policies*.

Starting with **July 1st, 2018**, we will start blocking incoming server
connections from Public Servers not following the *Server Policies* above,
if those are forwarding spam messages to our users. The blocking message
will contain a reference to this Manifesto.

## Commitment

Signed,

* Ave Ozkal, Luna Mendes, **a3.pm** (https://a3.pm/xmpp.html)
* Thomas Camaran, **chatme.im** (https://chatme.im/)
* Mathias Ertl, **jabber.at** (https://jabber.at)
* Emmanuel Gil Peyrot, Mathieu Pasquet, **jabber.fr** (https://jabberfr.org)
* Stian B. Barmen, **jabber.no** (https://www.jabber.no/)
* Oxpa, Ermine, **jabber.ru** (https://jabber.ru/)
* Rafal Zawadzki, **jabberpl.org** (https://jabberpl.org)
* Sven Sperling, **jabbers.one** (https://jabbers.one)
* Marco Cirillo, **lightwitch.org** (https://lightwitch.org)
* Nico Wellpott, **magicbroccoli.de** (https://magicbroccoli.de/xmpp/)
* Carlos Lopez, **parloteo.es** (https://parloteo.es)
* Carlos Lopez, **suchat.org** (https://www.suchat.org)
* Tsukasa Hamano, **xmpp.jp** (https://www.xmpp.jp/)
* Georg Lukas, **yax.im** (https://yaxim.org/yax.im/)
* ...
_(ordered by server name)_

* * *

_If you run a public Jabber server and commit to the above Policies, please
sign the manifesto by opening a PR with your name, server domain and a URL
of the service description._

/Freedom-and-Anonymity.md:

# Freedom and Anonymity on XMPP

There were some concerns that the [Spam Fighting Manifesto](README.md) would
impede Freedom of Speech, break XMPP for (legitimately) anonymous users
and be an unacceptable invasion of users' privacy. Examples of concerns
raised in public:

* [XMPP Manifesto for Freedom](https://gitlab.com/senpie/xmpp-manifesto-for-freedom)
* [xmpp.is: Why We DO NOT Fully Support “The Jabber Spam Fighting Manifesto”](https://xmpp.is/2018/02/21/the-jabber-spam-fighting-manifesto/)

All these points need to be discussed and addressed, but this discussion is
too long and too complex for the Manifesto. Therefore, we would like to
address them in this separate post.

## Freedom of Speech and Censorship

The Manifesto for Freedom implies that filtering spam and blocking
servers is a form of censorship, and that it violates the fundamental freedom
of users.

Freedom of Speech is considered a fundamental human right for good reasons.
And one might make the argument that [sending spam is covered by Freedom of
Speech rights](https://www.washingtonpost.com/news/the-intersect/wp/2014/07/31/is-spam-free-speech/).
And some of our users might even be interested in stolen credit cards, gift
cards and cheap drugs.

### Blocking Messages

With email, we have the luxury of hiding all the spam messages (automatically
filtered by our server) in a dedicated folder, which is well hidden in the
client and doesn't make our phone vibrate at 3 AM. XMPP lacks such a
function so far.

It would be great if each user could easily define which kind of unsolicited
messages they are interested in, right from their client. We already have a
mechanism for a user to [block individual senders](https://xmpp.org/extensions/xep-0191.html),
but it does not keep up with the auto-registered spam bots.

And it would be great if automatically classified messages ended up in a
dedicated "mailbox" that can be checked on demand. I'm sure we all miss the
XMPP version of the often-heard advice "please check your spam folder".

The reality for most users, however, is that they don't want to receive spam.
And they don't want to be bothered with configuring anti-spam plugins, jumping
through hoops to chat with a friend, and getting their important messages
[silently dropped](https://github.com/processone/ejabberd/issues/2197).

If we, the server operators, don't solve the spam problem for our non-nerd
users, they will simply move away to a different (proprietary) chat platform.

Users don't want to be bothered by spam, and server-based spam detection and
rejection can be implemented with comparably low overhead, and improved by
cooperation between server operators.

### Blocking Servers

Obviously, blocking servers is also a kind of censorship. The Manifesto
imposes three preconditions to blocking a server:

* the server is public (i.e. allows anyone to register there) AND
* the server is used to send spam (and is thus actively harming the Jabber
  network) AND
* the admins do not react to abuse reports.

However, the Manifesto does not require the signers to block a server if these
conditions are met - it is still a judgment call for the operators.

There are hundreds of servers that are used by spambots, and most of these
servers lack proper abuse reporting mechanisms. The most probable background
is that their "admins" followed a How-To, read "allow to register accounts
right from your client" and enabled [In-band
Registration](https://xmpp.org/extensions/xep-0077.html) (IBR). They probably
even forgot that they enabled it, and maybe even forgot that they have an XMPP
server running. Reports sent to the contact info on the respective domain or
IP address are ignored or not taken seriously.

Judging from the XMPP domain names of most such servers, they are small
businesses without a dedicated IT person, and they probably don't have more
than five real users. On the other hand, they have hundreds of spam bots
abusing the registration feature and harming the whole XMPP ecosystem.

If it is not possible to contact the administrators and to let them know of
the spam problem, we can either choose to let them poison our network, or take
appropriate measures. By blocking the whole server, there is a chance that the
actual users of the server will notice and complain to their admin, causing
them to finally take action.

By making a public "shame list", there is a chance that it will be reported
on and that the administrators will notice.

These servers are essentially open relays, and the email network provides [a
good precedent](https://en.wikipedia.org/wiki/Open_mail_relay) for how to
handle them. There are many alternative [DNS-based blacklists](https://en.wikipedia.org/wiki/DNSBL)
that identify open relays, proxy servers, Tor exit nodes or even dial-up
networks. The operators of these lists have documented their policies for
addition and for removal of IP addresses, allowing a server operator to choose
the most appropriate blacklist. Most email providers will reject messages
sent from open relays, based on one of those lists.

Creating the framework for such lists is the mid-term goal of the Spam
Fighting Manifesto.

## Client-side Spam Blocking

The Manifesto for Freedom's main point is "Spam can be mitigated via
client-side entirely", but this does not scale well, and most people are
not technically competent enough to solve the spam problem on their own.

Some clients provide plug-ins to block messages from strangers, to ask them to
solve a captcha or to perform some other task to prove they are not a spam
bot. However, these mechanisms need to be set up by the user (which is often
complex, and requires that the user knows about the plug-in in the first
place). Furthermore, they break down if the user is connected with multiple
clients (should their friend solve a captcha for each client? What if the
clients deploy different mechanisms? What if their favorite mobile client does
not have any anti-spam plug-ins at all?).

On the other hand, server-centralized spam protection works really
well, because it's easy to detect message patterns and to apply and adopt
block lists.

## Access over Tor

The most controversial requirement of the Spam Fighting Manifesto is this:

* Monitor and review registrations from IP addresses with bad reputation (open
  proxy servers, Tor exit nodes), OR enforce additional checks on those users,
  for example by requesting a CAPTCHA or verifying the user's phone number.

Blocking Tor users and requiring phone numbers is obviously the end of
privacy for all Jabber users with a legitimate interest in anonymity. Some
server operators already consider recording of IP addresses a privacy
violation.

However, there are multiple reasons why this requirement was made:

1. Almost all spam bots registered on the author's server came from open
   proxies and Tor exit nodes, worsening the signal-to-noise ratio. From a
   purely pragmatic position, it makes sense to apply additional scrutiny to
   them.

2. Operating a server that is well suited to anonymous users is much more
   than just allowing users to connect via Tor. You also need to have good data
   hygiene, encrypted storage and proper physical access control. Otherwise,
   the roster and communication metadata of your Tor users might leak enough
   information to get them identified and decapitated.
   If you care deeply enough about those things to not endanger people who
   must rely on Tor for their anonymity, it is not too much to assume that you
   can also detect and block spammers on your server in a timely fashion,
   without recording whatever data is against your policy. The Manifesto is
   written for "normal" administrators, running a server for the general
   public. They might actually have different trade-offs than you, like e.g.
   not having their users spammed.

3. The Manifesto doesn't *forbid* access via Tor, it merely asks to
   monitor and review registrations, or to enforce additional checks. So it
   would be perfectly compliant to provide other means of ensuring that no
   spam is sent out. Ideas for alternative solutions are:

   * Limit the number of pending subscription requests + unsolicited messages
     for accounts registered via Tor to 3 per day. Flag them if they attempt
     to exceed that by a large amount.

   * Prevent Tor accounts from communicating with external servers.

   * Ask Tor accounts to join your support MUC where you can un-flag them
     manually.

## On Requiring Phone Numbers

Asking for the phone number is merely one example of how to implement
anti-spam safeguards, not a binding requirement of the Manifesto. For a mobile
messenger it might make sense to bind the user identity to a phone number
anyway - this would allow easy password recovery and provide sensible limits
on the number of accounts per user, because phone numbers cost real money.

For desktop messengers, it might make more sense to use some cloud account
instead of a phone number, however [prices on those](https://krebsonsecurity.com/2013/06/the-value-of-a-hacked-email-account/)
[vary significantly](https://buyaccs.com/en/).
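The *Server Policies* from the README (per-IP registration limit, review of registrations from bad-reputation addresses, throttling of unsolicited traffic from local clients) together with the "3 per day" limit for Tor-registered accounts from the Tor section above, as an added example in Python that is not the Manifesto's or any signer's server code. The concrete limits, the `flag_factor`, the `bad_reputation` IP list and the DNSBL zone are assumptions; the throttle-and-flag logic is applied to every local account, not only to Tor ones, with a stricter limit for the latter.

```python
# Added example, not the Manifesto's or any signer's code; all limits are assumptions.
from collections import defaultdict, deque
from dataclasses import dataclass, field

HOUR, DAY = 3600, 86400

def dnsbl_query_name(ip: str, zone: str) -> str:
    """DNSBL lookup name: the IPv4 octets reversed, then the list's zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone

@dataclass
class SpamPolicy:
    reg_per_ip_per_hour: int = 5     # assumed limit; the Manifesto sets no number
    per_day_default: int = 50        # assumed throttle for ordinary accounts
    per_day_restricted: int = 3      # the "3 per day" idea for Tor-registered accounts
    flag_factor: int = 3             # "a large amount" assumed to mean 3x the limit
    bad_reputation: set = field(default_factory=set)  # constructed list of bad IPs
    restricted: set = field(default_factory=set)      # accounts under the 3/day limit
    flagged: set = field(default_factory=set)         # accounts queued for manual review
    _regs: dict = field(default_factory=lambda: defaultdict(deque))
    _contacts: dict = field(default_factory=lambda: defaultdict(deque))

    @staticmethod
    def _prune(window: deque, now: float, span: int) -> None:
        while window and now - window[0] >= span:   # drop events outside the window
            window.popleft()

    def register(self, ip: str, jid: str, now: float) -> str:
        """Decide on a registration attempt: 'deny', 'review' or 'ok'."""
        window = self._regs[ip]
        self._prune(window, now, HOUR)
        if len(window) >= self.reg_per_ip_per_hour:
            return "deny"
        window.append(now)
        if ip in self.bad_reputation:
            # open proxy / Tor exit: create the account, but under the stricter limit
            self.restricted.add(jid)
            return "review"
        return "ok"

    def unsolicited(self, jid: str, now: float) -> bool:
        """Per message or subscription request to a non-roster contact; True = deliver."""
        window = self._contacts[jid]
        self._prune(window, now, DAY)
        window.append(now)  # attempts count even when they are refused
        limit = self.per_day_restricted if jid in self.restricted else self.per_day_default
        if len(window) > limit * self.flag_factor:
            self.flagged.add(jid)  # tried to exceed the limit by a large amount
        return len(window) <= limit
```

A live DNSBL check would resolve `dnsbl_query_name(ip, zone)` and treat an answer as membership; here the lookup is left out so the example runs offline.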