Google Begins Blocking Third-Party Jabber Invites

← Back to Stories (view on slashdot.org)

Google Begins Blocking Third-Party Jabber Invites

Posted by Soulskill on Friday March 15, 2013 @08:33AM from the you-don't-want-to-talk-to-those-people-anyway dept.

New submitter kxra writes "Do you have a federated jabber instant messaging account that never gets responses from Google accounts anymore? Or do you have a Gmail account that a friend has been unable to invite from their 3rd party Jabber account? The Free Software Foundation reports, 'Google users can still send subscription requests to contacts whose accounts are hosted elsewhere. But they cannot accept incoming requests. This change is akin to Google no longer accepting incoming e-mail for @gmail.com addresses from non-Google domains.' This sounds like something Facebook would try in order to gain even tighter control over the network, but they never even federated their Jabber service to begin with. According to a public mailing list conversation, Google is doing this as a lazy way to handle a spam problem."

50 of 92 comments (clear)

Min score:

Reason:

Sort:

No Subject by Anonymous Coward · 2013-03-15 08:36 · Score: 1, Insightful

This is great because I keep receiving spam invites on one of my GMail accounts.
1. Re:No Subject by asavage · 2013-03-15 08:53 · Score: 4, Insightful
  
  Yeah this is good news. I had to disable google talk invitation notifications on my phone as I was getting spam notifications daily.
2. Re:No Subject by Anonymous Coward · 2013-03-15 09:07 · Score: 1
  
  Google is doing this as a lazy way to handle a spam problem.
  I'll be happy to learn a non lazy way to stop spam from domains you don't control. I'm not an expert in XMPP, but this sounds much like graylisting from SMTP: if your server has a high spam ratio, I will throttle you until the ratio drops. As long as Google has implemented per domain limits, and still accepts requests from non-spammy domains, it looks legit.
3. Re:No Subject by beelsebob · 2013-03-15 10:34 · Score: 1, Troll
  
  Haha, the great and mighty google who can do no wrong strikes an enormous blow against a standardised protocol, and against open communication, and slashdot's response is "this is great".
  Fucking hypocrites.
4. Re:No Subject by Technician · 2013-03-15 15:18 · Score: 1
  
  I've not had a spam problem with Gtalk or my SIP account with a Google Talk gateway. This means that I can't pick up my VOIP phone anymore and speed dial a Gtalk user.
  This has very little impact as there are very few who have Gtalk and not Skype. I can call and be called with the Skype gateway instead.
  
  Instructions:
  To call from ippi to Skype, dial "skype_username@skype.ippi.com" then start the call
  I guess calling Gtalk users may be broken now.
  
  Instructions:
  To call from ippi to Gtalk, dial "google_username@gtalk.ippi.com" then start the call
  
  --
  The truth shall set you free!
5. Re:No Subject by Anonymous Coward · 2013-03-17 23:38 · Score: 1
  
  "And neither do most people" - And this is based on what statistically valid research?
  Let me put it another way: Those who know enough about computers to know that Google chat is based on Jabber, will care. Those who don't, won't, but they should. Having 30 different chat systems is obviously annoying and inefficient. We have *one* email system, where people have different domains but they work between each other - and this works very well in most ways. Jabber allows a similar system. In fact, I use this because, f.e. some of my customers have chat servers and my company has their own - but they can talk in-between, and to Gmail chat too!
  And, Slashdot is supposed to be a place for "news for nerds", which means by definition: "The kind of people who care about Jabber".
Just wait... by daitengu · 2013-03-15 08:39 · Score: 3, Insightful

Countdown to those with bad reading comprehension wondering why the story isn't about Google not accepting e-mail from non-@gmail.com accounts.
1. Re:Just wait... by Hatta · 2013-03-15 09:05 · Score: 4, Insightful
  
  What's the significant difference? Isn't refusing jabber messages from non-google account just as bad, and bad for the same reasons, as refusing email from non-google accounts?
  
  --
  Give me Classic Slashdot or give me death!
2. Re:Just wait... by Hatta · 2013-03-15 09:40 · Score: 4, Insightful
  
  The significant difference between blocking email and blocking jabber requests is that when you find that your jabber request is blocked, you can ask the person on the Google side to send you a request from their end, and from then on you can communicate with them.
  What happens if everyone implements this policy of denying all foreign requests?
  
  --
  Give me Classic Slashdot or give me death!
3. Re:Just wait... by kasperd · 2013-03-15 09:47 · Score: 1
  
  What happens if everyone implements this policy of denying all foreign requests?
  If it is done in a sensible way, you will still be able to communicate, as long as both parties invite each other.
  
  --
  
  Do you care about the security of your wireless mouse?
4. Re:Just wait... by Hatta · 2013-03-15 09:57 · Score: 1
  
  This still requires some sort of coordination before the fact through a secondary communication channel. Can you imagine if the post office and phone company worked that way? There has to be a better solution.
  
  --
  Give me Classic Slashdot or give me death!
5. Re:Just wait... by bragr · 2013-03-15 10:32 · Score: 1
  
  Getting someone's mailing address, email address, or jabber address requires a secondary communication channel anyway. When is the last time you emailed someone to find out what their email address what?
6. Re:Just wait... by hawguy · 2013-03-15 10:35 · Score: 1
  
  This still requires some sort of coordination before the fact through a secondary communication channel. Can you imagine if the post office and phone company worked that way? There has to be a better solution.
  I'm imagining the phone company working that way, and it sounds like a good way to get rid of the unsolicited telemarketing calls. If the only callers that can reach me are ones that I've shared my phone number with through some other communication channel, then I wouldn't get any unsolicitied telemarketing calls.
  Worse than the telemarkers...apparently the guy that used to have my number had some problems with paying bills, I still get calls from creditors looking for him. I've had this number for 2 years now, maybe he's still giving it out.
  It might make it harder for some people to reach me, but I turn my phone off at night due to too many early morning calls and often silence and ignore the phone when it rings, so it's already harder for some people to reach me, even people that I want to reach me.
7. Re:Just wait... by Mister+Liberty · 2013-03-15 10:41 · Score: 1
  
  That's in fact how my mind construed it for a moment.
  Why?
  Because the other day I put a filter on my non-gmail domain mailbox
  to send a copy from that mailbox to my gmail account, esp. so I
  could read the mail from my tablet, while being away.
  Then, for some mails coming in, I read those on the gmail account
  from the desktop PC (to see if the filter was working).
  Now, I noticed that having read them on the PC, the copies for some
  reason never arrived in my gmail mailbox on my tablet, or I should
  say, were totally unavailable and absent there, not in trash either.
  Which leads me to this question:
  Does gmail discard messages that were already read from a
  different connection (assuming the tablet service has some slack
  compared to the desktop PC delivery)?
8. Re:Just wait... by DragonWriter · 2013-03-15 11:14 · Score: 1
  
  What's the significant difference? Isn't refusing jabber messages from non-google account just as bad, and bad for the same reasons, as refusing email from non-google accounts?
  It might be, if XMPP's level adoption and central role in online interaction were equivalent to email's. As its not, it might arguably be bad for the same reason (if you don't view the central role of email as part of the reason that it would be bad to do it for email), but its certainly not just as bad.
9. Re:Just wait... by aztracker1 · 2013-03-15 14:55 · Score: 1
  
  I was getting 8-10 recruiter calls a day at my old cell number about 2 years ago, I dropped it, and got a new number... feel sorry for the guy that got my old #
  
  --
  Michael J. Ryan - tracker1.info
10. Re:Just wait... by AvitarX · 2013-03-15 14:59 · Score: 1
  
  Google treats chat that way now though. When they started circles, they stopped auto adding, and limited chat to people in your circles I believe (i forget the specifics, but it got stricter).
  
  --
  Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
11. Re:Just wait... by kasperd · 2013-03-15 22:22 · Score: 1
  
  This still requires some sort of coordination before the fact through a secondary communication channel.
  That's still better than not being able to communicate at all. Most of the time you only want to chat with people who you have exchanged emails with beforehand anyway.
  
  --
  
  Do you care about the security of your wireless mouse?
Google has been quite evil this week by Meditato · 2013-03-15 08:39 · Score: 5, Interesting

1. Banning ad-blocker apps from the Google Play App store
2. Banning jabber invites
3. Killing Google Reader
They're too big to need to play nice with anyone.
1. Re:Google has been quite evil this week by recoiledsnake · 2013-03-15 08:44 · Score: 5, Informative
  
  You forgot them killing the open standard CalDAV support and replacing with their proprietary Calendar API.
  http://www.zdnet.com/google-do-what-you-want-with-reader-but-dont-kill-caldav-7000012628/
  
  --
  This space for rent.
2. Re:Google has been quite evil this week by LordLimecat · 2013-03-15 09:18 · Score: 5, Insightful
  
  Apparently, its evil to decide that its no longer worth providing a free service that youve provided for years, and giving your users several months to take an export of their data.
  Likewise, apparently its evil to stop allowing users to host apps which undermine your core businesses on your freely provided marketplace.
  Of course, given that you never offered a free RSS reader or marketplace to begin with, wouldnt that make you more evil than Google?
3. Re:Google has been quite evil this week by LordLimecat · 2013-03-15 09:20 · Score: 1
  
  If you make a case to them that Calendar API doesnt meet your needs, they will give you a whitelisted account which has access to it.
  Apparently too depreciating services and APs is evil. Of course, that would include basically every software maintainer out there...
4. Re:Google has been quite evil this week by lemur3 · 2013-03-15 09:35 · Score: 1
  
  "How much evil must we do in order to do good? We have certain ideals, certain responsibilities. Recognize that at times you will have to engage in evil, but minimize it."
  -ROBERT S. McNAMARA
  http://www.errolmorris.com/film/fow_transcript.html
5. Re:Google has been quite evil this week by LordLimecat · 2013-03-15 10:15 · Score: 4, Insightful
  
  1) As they dont pay for Google Reader or Play market, thats irrelevant.
  2) So once someone offers a free service, you demand that they offer it forever? Sounds reasonable.
  3) Yes, I was remarking on how you can go to www.dataliberation.org in the next several MONTHS and get your data out. Have you ever tried getting your data out of AOL or Hotmail or someone else's systems? It tends to be a royal PITA. Never with Google, they always have at LEAST a CSV export.
  But if you want to be both a beggar AND a chooser, dont let me stop you.
6. Re:Google has been quite evil this week by LordLimecat · 2013-03-15 10:55 · Score: 1
  
  AES-CBC has a number of known vulnerabilities, and in certain circumstances RC4 can be more secure (in the sense that theres fewer known real-world attacks on it).
  My understanding is that It is considered worrying because it is quite fast and that leads to concern that there may be flaws in it or easy cracks, but so far its held up OK.
  Certainly after a number of recent attacks, the recommendation was to switch to RC4.
7. Re:Google has been quite evil this week by aztracker1 · 2013-03-15 15:09 · Score: 1
  
  They never gave an option to pay for Reader... now migrated to NewsBlur (paid account, and since they stopped the free account signup (temporarily), it's actually usable... I'm really afraid that Google Voice will be next, without a paid option there.. I'd pay $25-50/year for google voice. I'm paying $24/year for newsblur. Without iGoogle, and Reader, I have very little reason to use google at all... My homepage is google for iGoogle... I was considering changing my homepage to Reader, since that is about 1/4 of what I use on iGoogle... now that that is gone.. well.. may as well move on for search too.
  
  --
  Michael J. Ryan - tracker1.info
8. Re:Google has been quite evil this week by russotto · 2013-03-15 15:17 · Score: 1
  
  "How much evil must we do in order to do good? We have certain ideals, certain responsibilities. Recognize that at times you will have to engage in evil, but minimize it."
  -ROBERT S. McNAMARA
  Architect of the US involvement in Vietnam. Who next, Dick Cheney?
9. Re:Google has been quite evil this week by sdsucks · 2013-03-15 16:00 · Score: 1
  
  Son, I'm a shill for myself and that's about it.
  Does it shock you that I don't pledge allegiance to any large corporation?
10. Re:Google has been quite evil this week by Bert64 · 2013-03-15 20:49 · Score: 1
  
  RC4 also has known weaknesses, there was a story just this week:
  http://yro.slashdot.org/story/13/03/14/1839239/cryptographers-break-commonly-used-rc4-cipher
  
  --
  http://spamdecoy.net - free throwaway anonymous email - avoid spam!
11. Re:Google has been quite evil this week by LordLimecat · 2013-03-16 05:21 · Score: 1
  
  Right, but as this occurred AFTER google switched to RC4 all those months ago, its silly to claim it was bad security to do so; and seeing as this vulnerability relies on the exact same message being sent with the same key ~a billion times, its fairly minor to work around.
12. Re:Google has been quite evil this week by LordLimecat · 2013-03-16 05:29 · Score: 1
  
  Not really; I used Live Mesh for a few months till they discontinued it and while i was certainly disappointed (as there is no comparable solution out there), I dont blame Microsoft for having provided that service.
  Likewise I use Microsoft's antivirus, and if they choose to discontinue that too, I think it would be foolish but im not going to get "angry" at them as if they owed it to me. They owe me the things I pay for, and when they fail to deliver on THOSE, then I get annoyed.
13. Re:Google has been quite evil this week by Richy_T · 2013-03-16 07:22 · Score: 1
  
  Quite often those services *were* being offered by non-Google companies until Google bought them up.
  I'm sad for what they did to deja-news
TFS last sentence untrue by DragonWriter · 2013-03-15 08:48 · Score: 5, Insightful

According to a public mailing list conversation, Google is doing this as a lazy way to handle a spam problem.
Nothing in that conversation says that Google is doing this (not actually blocking all foreign invites, but sharply limiting the number from each foreign domain) as a lazy way to handle a spam problem; that conversation points to an extremely large spam invite problem, and discusses potentially needing to do it if the operators of the federated domains from which the spam is originating cannot address the problem. It also addresses some of the steps taken by operators of those domains to address the problem (as of the most recent message I can find, it also seems like those methods have not yet been dealt with the problem.)
It very much sounds like the goal is to deal with the problem with the other service operators, but to take immediate steps to stem the flow of spam until an acceptable resolution is attained. The author of TFS may think this is "lazy", but it is not accurate to attribute that description to the email thread.
1. Re:TFS last sentence untrue by Anonymous Coward · 2013-03-15 08:59 · Score: 5, Interesting
  
  Posting AC for obvious reasons.
  I run the helpdesk for a medium-sized email service (~350,000 users) that also provides federated XMPP service. We've had users complaining for several days that they while they can IM users at Google Talk, they can't request presence notifications (e.g. requesting to see if a buddy is online, away, etc.). They're able to chat with Google Talk users but can't see if they're online or not, which is a major issue. We've been really annoyed as we thought it was an issue on our end and assumed that Google knew what it was doing when it came to operating large-scale XMPP service.
  It's wasted a lot of our admin time and resulted in frustrated users.
  It's one thing to do a temporary ban of servers that are emitting gobs of spam or spammy invites, but it's a different thing to start blocking basic XMPP functions like requesting authorization for presence notifications. It's even more of an entirely different thing to block auth requests from the entire internet.
2. Re:TFS last sentence untrue by johnsu01 · 2013-03-15 09:15 · Score: 5, Informative
  
  I know it says rate-limiting, but from our logs, the accepted rate appears to be 0. We don't have that many users; certainly not enough to trigger a rate limit in the scope of the kind of rate they would be worried about. And while we did not say "lazy" in the original article, but rather expressed our sympathies for having to grapple with the spam problem, this is not an acceptable solution. As other commenters are pointing out, this is essentially shifting the burden to much smaller entities, who now have to respond to their users' complaints. If Google would publicly describe the problem, and the scope of it, and publicly explain what they are *actually* doing, then the rest of us could help find a solution. Right now, this definitely looks like "easiest way out for us, broader principle of federation and workloads of other entities be damned."
3. Re:TFS last sentence untrue by DragonWriter · 2013-03-15 09:23 · Score: 1
  
  And while we did not say "lazy" in the original article, but rather expressed our sympathies for having to grapple with the spam problem, this is not an acceptable solution.
  
  I don't disagree with you that (presuming this is a solution rather than an interim damage control measure) that its not an acceptable solution. My issue was with the summary attributing the summary author's editorializing to the mailing list thread discussing the problem, rather than taking ownership of the editorializing (or, better, leaving the editorializing out entirely and letting readers form their own conclusions.)
4. Re:TFS last sentence untrue by Anonymous Coward · 2013-03-15 09:27 · Score: 1
  
  According to a public mailing list conversation, Google is doing this as a lazy way to handle a spam problem.
  Nothing in that conversation says that Google is doing this (not actually blocking all foreign invites, but sharply limiting the number from each foreign domain) as a lazy way to handle a spam problem; that conversation points to an extremely large spam invite problem, and discusses potentially needing to do it if the operators of the federated domains from which the spam is originating cannot address the problem. It also addresses some of the steps taken by operators of those domains to address the problem (as of the most recent message I can find, it also seems like those methods have not yet been dealt with the problem.)
  You're mistaken. Please read this thread:
  http://mail.jabber.org/pipermail/operators/2013-March/001608.html
5. Re:TFS last sentence untrue by DragonWriter · 2013-03-15 11:23 · Score: 1
  
  You're mistaken.
  No, I'm not.
  
  Please read this thread:
  http://mail.jabber.org/pipermail/operators/2013-March/001608.html [jabber.org]
  I did. It, as I said before, doesn't say what TFS characterize it as saying (that its a lazy way of preventing spam). It does say its about preventing spam, and it does say that the current implementation is a part of a rapidly-evolving strategy. It also says that (from one side) its bad because some details of the way it has been implemented are not RFC-compliant, and (from the other) that the non-RFC-compliant elements are going to be addressed in the very near term.
CAPTCHA by ensignyu · 2013-03-15 09:02 · Score: 5, Interesting

Maybe instead of silently dropping invitation requests, Google should send a rejection notice (regardless of whether the target Gmail account exists, to prevent probing) with a link to a CAPTCHA; completing the captcha would allow retrying the request.
Given their track record, I'd be surprised if Google bothers to implement this kind of non-lazy approach to re-enable interoperability, though.
1. Re:CAPTCHA by ensignyu · 2013-03-15 09:36 · Score: 5, Insightful
  
  Just to be clear, I'm sure the engineers at Google are trying to do what they can do deal with the spam problem, as quickly as they can.
  I'm just feeling cynical about Google's motives and actions after what they've done with Google Reader, CalDAV, etc. Yeah, they're a for-profit corporation, but it's disappointing how they seem to be moving away from open standards.
  At this point, it seems like they're looking around and saying: "Hey, we have a proprietary solution, and an open solution, but it costs extra to maintain both. If we shut down the open solution, we save money and get extra lock-in too. It's win-win! -- for us, at least."
  So I'm slightly worried that when a situation like this comes up, the managers at Google (or managers' managers, or wherever the directive is coming down from) are just going to say "do the minimum amount of work and get back to that other project we have you working on", where implementing solution that's good for the users is not a priority.
Re:Just Run Your Own XMPP Server by Hatta · 2013-03-15 09:07 · Score: 2

And what if you wish to speak with someone who uses Google's XMPP service?

--
Give me Classic Slashdot or give me death!
Re:Just Run Your Own XMPP Server by LordLimecat · 2013-03-15 09:23 · Score: 1

Finding "spammy users" has always been the chief problem with every fight against spam.
Re:Just Run Your Own XMPP Server by DragonWriter · 2013-03-15 09:25 · Score: 1

That doesn't help if they're blocking invites from the entire internet, rather than just from spammy servers or users.
Actually, running your server is a step toward solving that, but not the whole solution. The other parts of the solution are [a] getting people to use your server rather than Google's, and [b] solving the spam problem that Google is addressing by some other, more federation-friendly, means.
Re:Just Run Your Own XMPP Server by mccrew · 2013-03-15 09:39 · Score: 1

Sorry, but I have a full time job already. Don't need another one. :)

--
Hey, Windows users, there is no such thing as "forward" slash, there is only slash and backslash.
Friend codes by tepples · 2013-03-15 10:07 · Score: 1

Multiplayer on Nintendo video game consoles already works this way: nobody can communicate unless players have exchanged friend codes out of band. In fact, some games such as Animal Crossing series don't allow play with strangers at all.
Re:Just Run Your Own XMPP Server by FireFury03 · 2013-03-15 21:10 · Score: 1

And what if you wish to speak with someone who uses Google's XMPP service?
The same thing that happens if you want to email someone who's email provider is blocking all incoming emails - you tell them their service provider is being a dick and that they need to change to one of the many other service providers out there who aren't being almighty bellends....

--
http://blog.nexusuk.org
Re:Evil makes money by TheRaven64 · 2013-03-16 01:02 · Score: 1

Google stock is down 7.24 on yesterday and down 24.3 since two weeks ago, so how's that working out for you?

--
I am TheRaven on Soylent News
Re:Just Run Your Own XMPP Server by TheRaven64 · 2013-03-16 01:06 · Score: 1

Running an XMPP server doesn't take much effort. I've been running an eJabberd server for about 6 years and was running jabberd 1 before then. The original jabberd took a reasonable amount of configuration effort, but ejabberd (especially if you use mnesia) requires almost none: just install it, tell it your domain, and either enable in-band registration or manually add users. That's basically it. Pull in any security updates as they appear (your operating system's package manager should handle this) and you're good. It's no harder than running a mail server.

--
I am TheRaven on Soylent News
Re:Not as terrible as you might think. by andymadigan · 2013-03-17 16:18 · Score: 1

What percentage of e-mail sent to you is spam?

Percentages aren't useful when talking about spam.

--
The right to protest the State is more sacred than the State.
Email CAPTCHA by DrYak · 2013-03-20 07:38 · Score: 1

Interestingly, that's exactly the policy implemented by one of my former university against email spam coming from a few large and very spammy IP blocks.
(I think these IP blocks were somewhere in China).
Very few users were actually communicating with them. But we got massive amount of spam coming from them.
The solution was to black list this IP range. But any rejected user got an answer asking a few very simple step (I don't remember if captcha was involved at all) to add his/her emitting address to a whitelist.
The solution worked: the few user communicating from within this range were still able to communicate, while at the same time the spam was drastically reduced.
So google might try doing the same with federated XMPP invite:
- if only one side (= the foreign) has sent a request to the other
- and the invite comes from a spammy source
- first ask a captcha before forwarding the invite to the users' client.

--
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]