-
stokito
Most XMPP servers require web registration for only one reason: to show a Captcha (from Google or CF). In general these captchas probably just work by IP or browser tracking, because AI captcha solvers have existed for a decade. Is there any discussion on abandoning this practice? Maybe Modern XMPP can put out a recommendation to at least not use external Captchas and ideally abandon the internal self-generated ones too. To avoid spam, some internal server rules could be used instead, like limiting messages for new accounts. Is this the proper place to ask such questions, or should I send an email to the dev list? It's not related to the protocol but more about the ecosystem.
-
stokito
Another problem that I noticed is that many servers aren't available for web clients, i.e. ConverseJS.org. Many users just don't want to install anything and use the web instead. Can we add a recommendation to enable web compliance for servers? I'm going to ask server admins to enable this, but it would be great if this was publicly discussed and formalized as a recommendation. I don't see many security issues with this, except for some XSS attack that may create some load on a server.
-
Kris
The current main issues with open registration servers are not solved by captchas or registration limits.
-
Kris
The main issue is ban evasion, and invite based registration is probably the best solution against that.
-
Kris
For the other problem, well that's mostly by design.
-
Kris
You can enable it via XEP-0156 of course, and web clients like Movim circumvent the issue entirely.
-
Kris
But as long as you need to put in a password directly, a 3rd-party web client is a massive security issue.
👍 1
-
Kris
The only real solution to that is passwordless logins.
-
Kris
There is some movement on that with OAuth2 support server side, but so far there is no support in web clients for it.
-
Kris
But IMHO the best option would be to link web clients to a mobile client.
-
Kris
So that to log in you need to approve it in a different client.
-
Kris
There is XEP-0070, which I believe can be repurposed for this, but little actual effort is being put into this, sadly.
-
stokito
Thank you. What does "ban evasion" mean?
-
Kris
Some accounts get banned by a server or channel and make a new account to do the same abuse again.
-
Kris
There is a well known troll that basically does that every 5 minutes to avoid being banned.
-
stokito
I see. I think that this again can be solved by some rules; we just need more of them. And even after all of them there will still be some bots, but this is kind of natural for the internet. If I receive one spam message a month, that won't be a big problem for me.
-
stokito
Same for the web clients: even if we now enable just a few well-known clients by domain name, that would satisfy almost all users.
-
stokito
I'm looking at this from the regular user's perspective, and currently joining XMPP is too complicated or annoying.
-
Kris
> I see. I think that this again can be solved by some rules; we just need more of them. And even after all of them there will still be some bots, but this is kind of natural for the internet. If I receive one spam message a month, that won't be a big problem for me.

I don't see how such rules could prevent that. The sign-ups look identical to normal sign-ups.
-
Kris
> Same for the web clients: even if we now enable just a few well-known clients by domain name, that would satisfy almost all users.

As I said, this is perfectly possible with XEP-0156 (and some CORS headers if you want to limit access to certain domains), but server admins chose not to want this.
-
Kris
It is better for server admins to host their own web clients, IMHO.
-
Kris
On a side note: the existing compliance checker by the conversations.im team does, AFAIK, check for XEP-0156, but does so in an incomplete way, making server admins believe they have configured it correctly when in fact they still have unresolved CORS issues.
-
Kris
Sadly the Java library behind that compliance checker has become unmaintained, and the compliance checker in general is unmaintained.
-
Kris
It would be nice if someone would pick it up again.
-
stokito
The limits may be: add up to 5 contacts on the first day, join two rooms. On any spam report, block the account. Likely spam reporting is available now.
-
Menel
Hm. Someone new that wants to try everything likely wants to join a lot of rooms.
-
stokito
I just realized that providers.xmpp.net may require web compliance for A servers. This may motivate server admins to enable it. But again, it should be recommended first, with a list of spam prevention techniques.
-
Kris
Yeah, that sounds like a massive PITA for real new users.
-
Menel
Web client or not is unrelated to spam, isn't it?
-
Kris
Yes, separate line of discussion.
-
stokito
I'm considering a scenario where my family members or friends join a public server. On the first day, those limits should be just enough for them.
-
stokito
Such limits need to be developed by someone who knows.
-
Kris
It would be better if that public server supported invitations that you can send to your family members.
-
Kris
The support is already there in Prosody, and for Ejabberd it is WIP.
-
stokito
Does joining by invitation require passing a Captcha? If not, then again it may be abused by spammers. In general these captchas are something that makes it difficult for usual users to register.
-
stokito
It would be great if someone could review the process, because it looks like no one pays attention to registration. Probably server admins just enable the captcha because they don't think about the implications.
-
Kris
No, it does not, but it is usually limited to a single account, so it wouldn't work for spammers.
-
Kris
This is a topic of continued debate in the XMPP ecosystem, and not something people do not pay attention to.
-
Kris
The problem is rather that there are widely diverging opinions.
-
stokito
Thank you. I hope this will be solved eventually.