On 11 November 2015 at 11:42, Georg Lukas <[email protected]> wrote:
> * Dave Cridland <[email protected]> [2015-11-11 08:58]:
>> > What do you suggest to replace it with?
>> [...] we need, I think, a mechanism which takes a potential new user
>> through new account creation, and helps in configuring their client,
>> and ideally works across multiple servers.
>
> And it needs to be as easy as WhatsApp. I don't see a mechanism that
> will effectively prevent automatic registrations, that doesn't rely on
> a scarce out-of-band resource like cellphone numbers.
>
> While spam is evil, it won't be solved by deprecating IBR, especially as
> it will take many more years until all the servers out there have
> adopted the new alternative.

+1. I don't think IBR is the problem. It's already extensible with various spam-prevention mechanisms. They aren't 100% effective (nothing ever will be, you know), but neither was jabber.org disabling IBR. jabber.org disabled IBR and still had a ridiculous rate of spam accounts being registered daily, despite a CAPTCHA.

Deprecating IBR is not the solution (deprecating wide open IBR may well be, but I view this as a deployment policy issue).

> I think we as a community must develop better mechanisms for spam
> detection and prevention, maybe in the form of massive throttling of
> incoming c2s and s2s message flows, maybe by improving our monitoring,
> maybe by other means.
>
> I actually like Dave's suggestion from the other thread, to disallow
> message sending from untrusted users. What about the following approach:

Yes, that's one approach. The thing is, there are already many many ways to solve this that don't need any standardization. In fact, a standard approach of how to detect/prevent spam across the network will just make it easier for spammers to game.

As a potential implementor of any such spam prevention in Prosody, the only thing I'm waiting for is more data. There's no point in guessing at how to solve a spam problem that we don't have (yet). It seems one may be emerging, or it's just one or two bad actors that will eventually disappear (that has happened before).

So in summary, I'm against deprecating IBR and I'm against jumping the gun on standardizing anything (more than we already have, which is a fair bit) related to spam prevention.

I'm in favour of (at this stage): experimentation, and an organized way to share and gather information on spam issues on the network. Right now this seems to be the operators mailing list, maybe we can do better but I think it's fine for now.

Regards,
Matthew
