tickets #166865
openDefederate matrix.org homeserver from openSUSE Matrix Homeserver
0%
Description
We're currently going through a wave of spammers posting child
pornography related images to the openSUSE Matrix server.
All of these accounts are originating with matrix.org
They've been hitting other opensource projects as well recently.
I would like to ask for the defederation of matrix.org, until such time
as they can start moderating their instance, and responding to reports.
I'm aware this will eliminate a connection to the largest matrix
instance out there, but this is really untenable. Right now, the
moderators are staying on top of it, but some of this stuff is still
sneaking through, until a moderator can deal with it. And none of us
can be here 24/7.
Updated by crameleon 2 months ago
- Category set to IRC and Matrix
- Status changed from New to Resolved
- Assignee set to crameleon
- Private changed from Yes to No
Hi,
summarizing what we already discussed in #opensuse-admin:
- the IP addresses behind matrix.org and matrix-federation.matrix.org have been added to the Synapse configuration
federation_ip_range_blacklistas well as to our global firewall blacklist - complete blacklisting/defederation of a specific homeserver seem to be not possible in Matrix: https://github.com/matrix-org/synapse/issues/3173#issuecomment-422082595
If someone knows about a more satisfactory solution (other than making matrix.opensuse.org completely private/non-federated), please let me know.
Best,
Georg
Updated by ph03nix 2 months ago
Synapse supports banning servers on a per-room basis via room ACLs, See "Banning servers from rooms (Server ACLs)" in https://matrix.org/docs/older/moderation/. This cannot be done via the Element UI, but the page documents how this can be done via development tools.
Updated by RorySys 2 months ago · Edited
Hi,
I wanted to raise a few points:
- matrix.org is not a major source of spam in this incident (from rough memory maths, m.org only accounts for 10% or less of accounts)
- Blocklisting matrix.org in Synapse is kind of pointless:
- It breaks existing DMs, non-opensuse rooms
- it does not stop matrix.org from sending messages at all, and they will still happily arive on opensuse.org, but only delayed but someone else sending a message
- it makes m.o.o blind to matrix.org traffic -> m.o.o moderators cannot respond to events originating from matrix.org
- Similarly, using Server ACLs has flaws aswell:
- These are executed at network layer, not event authorisation
- -> Only takes one server in the room not execting server ACLs or missing the ACL event to leak matrix.org events back into the room
@ph03nix: matrix.org is currently ACLed in all official openSUSE rooms, but this decision may be reverted upon further discussion, regarding these points
Regards,
Emma [it/its] @ Rory& (matrix:u/emma:rory.gay)
Updated by sfalken@cloverleaf-linux.org 2 months ago · Edited
RorySys wrote in #note-3:
Hi,
I wanted to raise a few points:
- matrix.org is not a major source of spam in this incident (from rough memory maths, m.org only accounts for 10% or less of accounts)
Granted, but they've been a repeated problem of spam/trolling in general, for a long time.
- Blocklisting matrix.org in Synapse is kind of pointless:
- It breaks existing DMs, non-opensuse rooms
- it does not stop matrix.org from sending messages at all, and they will still happily arive on opensuse.org, but only delayed but someone else sending a message
- it makes m.o.o blind to matrix.org traffic -> m.o.o moderators cannot respond to events originating from matrix.org
- Similarly, using Server ACLs has flaws aswell:
- These are executed at network layer, not event authorisation
- -> Only takes one server in the room not execting server ACLs or missing the ACL event to leak matrix.org events back into the room
@ph03nix: matrix.org is currently ACLed in all official openSUSE rooms, but this decision may be reverted upon further discussion, regarding these points
Absolutely, this doesn't need be permanent, and it's fairly obvious that Synapse (and other servers based on the Matrix specification) don't handle this sort of issue well, and the tools are inadequate at best. That being said, matrix.org is (I think) the largest entrypoint for people to Matrix as a platform, and keeping it "blocked" just isn't really something workable long term.
Unfortunately, it looks like this is a problem we're going to need to figure out to handle ourselves, as the platform itself doesn't offer the tools other platforms do, as near as I can tell. And we just don't have enough people to be able to manually moderate all of this stuff, with the existing tools.
Updated by RorySys 2 months ago · Edited
Historically, fair, but I am slowly working to put together some tooling to help with that.
Additionally, some moderator load is already being reduced by usage of Draupnir (enforcing bans over the entire space), and a reputable, shared banlist.
More automation, within reason, would always be nice to have. I hope I'll have something maybe by the end of the week?
Edit: I wonder if it might be useful to re-open this ticket as a tracking/discussion hub?
Updated by crameleon 2 months ago
- Status changed from Resolved to In Progress
- Assignee deleted (
crameleon)
Fair, also I have to drop the temporary changes again soon (or write them permanently, but as they're not really working well, I rather not). We can keep the ticket until we have a proper solution.
Updated by RorySys 2 months ago · Edited
When you drop them from the Synapse level, what do you propose we do with the room-level blocks ("Server ACLs", applied via Draupnir)?
Alternatively, would it be a better idea to block invites from matrix.org (via reverse proxy), or rather technically: block invites to rooms created by matrix.org by matching against it in the federated invite route?
Updated by RorySys 2 months ago
With the spam now having moved to federated room invites, I suggest we disable those.
As far as I'm aware, the best way to do so is to mask ~ /_matrix/federation/v2/invite/ in the reverse proxy.
@crameleon is this something that could reasonably be implemented as a temporary measure?
Updated by sfalken@cloverleaf-linux.org 2 months ago
Once this change is made, we can remove the blacklist on matrix.org, most likely
Updated by sfalken@cloverleaf-linux.org 2 months ago
crameleon wrote in #note-12:
What should we return for requests to
^/_matrix/federation/v2/invite/.*? 503 sounds reasonable, but could be misinterpreted as an unwanted outage. 403?
Yeah, 403 would work fine.
Updated by crameleon 2 months ago
Committed as https://progress.opensuse.org/projects/opensuse-admin/repository/salt/revisions/aaea775e8604920c76172bd0989d2be0edeeb431 and deployed. Changes in homeserver.yaml reverted.
Updated by sfalken@cloverleaf-linux.org about 2 months ago
@crameleon can you make a followup post to the Project-ML, just for completeness, and let folks know that the block has been removed?
Updated by RorySys about 2 months ago
@sfalken@cloverleaf-linux.org worth noting the room level defederation in public rooms is still active.
Updated by RorySys about 2 months ago
matrix.org has been un-ACLed due to this causing the matrix.org side of rooms to appear completely unmoderated. This probably deserves a ML post?
Updated by crameleon about 2 months ago
Note that the proxy rule is still in place.