Project

General

Profile

Actions

tickets #166865

open

Defederate matrix.org homeserver from openSUSE Matrix Homeserver

Added by sfalken@cloverleaf-linux.org 3 months ago. Updated 3 months ago.

Status:
In Progress
Priority:
Normal
Assignee:
-
Category:
IRC and Matrix
Target version:
-
Start date:
2024-09-16
Due date:
% Done:

0%

Estimated time:

Description

We're currently going through a wave of spammers posting child
pornography related images to the openSUSE Matrix server.

All of these accounts are originating with matrix.org

They've been hitting other opensource projects as well recently.

I would like to ask for the defederation of matrix.org, until such time
as they can start moderating their instance, and responding to reports.

I'm aware this will eliminate a connection to the largest matrix
instance out there, but this is really untenable. Right now, the
moderators are staying on top of it, but some of this stuff is still
sneaking through, until a moderator can deal with it. And none of us
can be here 24/7.

Actions #1

Updated by crameleon 3 months ago

  • Category set to IRC and Matrix
  • Status changed from New to Resolved
  • Assignee set to crameleon
  • Private changed from Yes to No

Hi,

summarizing what we already discussed in #opensuse-admin:

If someone knows about a more satisfactory solution (other than making matrix.opensuse.org completely private/non-federated), please let me know.

Best,
Georg

Actions #2

Updated by ph03nix 3 months ago

Synapse supports banning servers on a per-room basis via room ACLs, See "Banning servers from rooms (Server ACLs)" in https://matrix.org/docs/older/moderation/. This cannot be done via the Element UI, but the page documents how this can be done via development tools.

Actions #3

Updated by RorySys 3 months ago · Edited

Hi,

I wanted to raise a few points:

  • matrix.org is not a major source of spam in this incident (from rough memory maths, m.org only accounts for 10% or less of accounts)
  • Blocklisting matrix.org in Synapse is kind of pointless:
    • It breaks existing DMs, non-opensuse rooms
    • it does not stop matrix.org from sending messages at all, and they will still happily arive on opensuse.org, but only delayed but someone else sending a message
    • it makes m.o.o blind to matrix.org traffic -> m.o.o moderators cannot respond to events originating from matrix.org
  • Similarly, using Server ACLs has flaws aswell:
    • These are executed at network layer, not event authorisation
    • -> Only takes one server in the room not execting server ACLs or missing the ACL event to leak matrix.org events back into the room

@ph03nix: matrix.org is currently ACLed in all official openSUSE rooms, but this decision may be reverted upon further discussion, regarding these points

Regards,
Emma [it/its] @ Rory& (matrix:u/emma:rory.gay)

Actions #4

Updated by sfalken@cloverleaf-linux.org 3 months ago · Edited

RorySys wrote in #note-3:

Hi,

I wanted to raise a few points:

  • matrix.org is not a major source of spam in this incident (from rough memory maths, m.org only accounts for 10% or less of accounts)

Granted, but they've been a repeated problem of spam/trolling in general, for a long time.

  • Blocklisting matrix.org in Synapse is kind of pointless:
    • It breaks existing DMs, non-opensuse rooms
    • it does not stop matrix.org from sending messages at all, and they will still happily arive on opensuse.org, but only delayed but someone else sending a message
    • it makes m.o.o blind to matrix.org traffic -> m.o.o moderators cannot respond to events originating from matrix.org
  • Similarly, using Server ACLs has flaws aswell:
    • These are executed at network layer, not event authorisation
    • -> Only takes one server in the room not execting server ACLs or missing the ACL event to leak matrix.org events back into the room

@ph03nix: matrix.org is currently ACLed in all official openSUSE rooms, but this decision may be reverted upon further discussion, regarding these points

Absolutely, this doesn't need be permanent, and it's fairly obvious that Synapse (and other servers based on the Matrix specification) don't handle this sort of issue well, and the tools are inadequate at best. That being said, matrix.org is (I think) the largest entrypoint for people to Matrix as a platform, and keeping it "blocked" just isn't really something workable long term.

Unfortunately, it looks like this is a problem we're going to need to figure out to handle ourselves, as the platform itself doesn't offer the tools other platforms do, as near as I can tell. And we just don't have enough people to be able to manually moderate all of this stuff, with the existing tools.

Actions #5

Updated by RorySys 3 months ago · Edited

Historically, fair, but I am slowly working to put together some tooling to help with that.
Additionally, some moderator load is already being reduced by usage of Draupnir (enforcing bans over the entire space), and a reputable, shared banlist.

More automation, within reason, would always be nice to have. I hope I'll have something maybe by the end of the week?

Edit: I wonder if it might be useful to re-open this ticket as a tracking/discussion hub?

Actions #6

Updated by crameleon 3 months ago

  • Status changed from Resolved to In Progress
  • Assignee deleted (crameleon)

Fair, also I have to drop the temporary changes again soon (or write them permanently, but as they're not really working well, I rather not). We can keep the ticket until we have a proper solution.

Actions #7

Updated by RorySys 3 months ago · Edited

When you drop them from the Synapse level, what do you propose we do with the room-level blocks ("Server ACLs", applied via Draupnir)?
Alternatively, would it be a better idea to block invites from matrix.org (via reverse proxy), or rather technically: block invites to rooms created by matrix.org by matching against it in the federated invite route?

Actions #8

Updated by crameleon 3 months ago

Those can equally stay until we have a satisfactory solution, they are not affected by me applying our machine configurations (Synapse, firewall, ..).
I guess, but is joining of matrix.org rooms a problem?

Actions #9

Updated by RorySys 3 months ago

With the spam now having moved to federated room invites, I suggest we disable those.
As far as I'm aware, the best way to do so is to mask ~ /_matrix/federation/v2/invite/ in the reverse proxy.

@crameleon is this something that could reasonably be implemented as a temporary measure?

Actions #10

Updated by crameleon 3 months ago

Yes, we can either do it on the frontend HAProxy or on the backend nginx. The former should be the most efficient, I will prepare a patch.

Actions #11

Updated by sfalken@cloverleaf-linux.org 3 months ago

Once this change is made, we can remove the blacklist on matrix.org, most likely

Actions #12

Updated by crameleon 3 months ago

What should we return for requests to ^/_matrix/federation/v2/invite/.*? 503 sounds reasonable, but could be misinterpreted as an unwanted outage. 403?

Actions #13

Updated by sfalken@cloverleaf-linux.org 3 months ago

crameleon wrote in #note-12:

What should we return for requests to ^/_matrix/federation/v2/invite/.*? 503 sounds reasonable, but could be misinterpreted as an unwanted outage. 403?

Yeah, 403 would work fine.

Actions #16

Updated by sfalken@cloverleaf-linux.org 3 months ago

@crameleon can you make a followup post to the Project-ML, just for completeness, and let folks know that the block has been removed?

Actions #17

Updated by RorySys 3 months ago

@sfalken@cloverleaf-linux.org worth noting the room level defederation in public rooms is still active.

Actions #18

Updated by RorySys 3 months ago

matrix.org has been un-ACLed due to this causing the matrix.org side of rooms to appear completely unmoderated. This probably deserves a ML post?

Actions #20

Updated by crameleon 3 months ago

Note that the proxy rule is still in place.

Actions

Also available in: Atom PDF