As it stands, XMPP.is does not support “The Jabber Spam Fighting Manifesto” for various reasons. It stands in the way of those looking for anonymity/privacy, and spam can be easily mitigated client-side. Certain measures should NOT be applied server-side. The decision to block incoming requests, messages, notices should be left entirely up to the user. Push development for more anti-spam plugins! The notion of blocking all servers that do not comply with the policy is silly. XMPP should not function like email, and there is no need to build RBLs like mail servers commonly use. If you do not want to receive spam, simply do not accept all incoming messages from people that you do not authorize to communicate with. Blocking servers and users server-side is dangerous and breaks XMPP federation. It centralizes. And it creates the potential for censorship.
In the next part of this post we’ll go over the different policies for this manifesto.
Provide an abuse contact according to XEP-0157: Contact Addresses for XMPP Services and react to incoming abuse reports in a timely fashion.
— We will fully abide by this and support for XEP-0157 has been added in our config in the latest commit.
Limit the number of new user registrations per IP address and hour.
— We may support this in some fashion, at least the per hour part.. Although this seems too strict, it could hinder those using Tor or VPNs from registering (assuming multiple users use the same exit point). Limiting the amount of registrations per IP would prevent many from signing up.
Monitor and review registrations from IP addresses with bad reputation (open proxy servers, Tor exit nodes), or enforce additional checks on those users, like a CAPTCHA or a valid phone number.
— We absolutely do not support the first part. We do not restrict registration based on an IP addresses reputation, and will not. Ever.. A CAPTCHA is necessary however, and we have implemented this (a simple one) some time ago. We will never ask for or require a phone number, that’s just silly..
Throttle the traffic from local clients, especially unsolicited subscription requests and messages.
— We already do this in some fashion with mod_limits. It’s 100% necessary to stop huge DDoS by spam attacks. We’ve witnessed several cases where offline messages can be abused, and mod_limits has helped a lot. However, unsolicited actions can be mitigated client-side.
Example of plugin to mitigate spam: github.com/cockroach/pidgin-privacy-please
Archived link of the manifesto: archive.fo/kVobO