XMPP - Roster Subscription Explanation - xmpp

Consider I've 2 users Alice and Bob on my Jabber Server. To add into the rosters with subscription as both, I need to do the following steps:
Alice sends a subscription request to Bob.
When Bob receives the request, he approves it.
Bob may also be interested in Alice's presence, so he subscribes to her.
And Alice needs to approve Bob's request.
BUT
Now consider, Bob was not on the server, i.e. he is unregistered and Alice tries to add him into her roster.
Following are the steps which will take place:
Alice sends a subscription request to Bob.
Bob, being unregistered, didn't receive the request.
Alice->Bob subscription set as None.
Process ends Here.
Now, Bob got himself registered. How would Alice get to know that Bob got himself registered and that she needs to send the subscription request again, OR how would Bob push a notification to every user who added him into his/her roster? Which XEP/Ejabberd module handles this?
We debugged WhatsApp and got to know that, in this case, Bob pushes a notification to all those users who added him in their rosters.

Well the way I see it's more like, which type of configuration do you employ as several scenarios come into factoring when setting up your environment. Here are a few ways I know such things might turn out.
The server in question plays a key role in connecting XMPP clients, in a situation such as on the Internet DNS servers play a prominent role in interconnecting clients, so if Bob was not registered at the time Alice sent a request, he might have a caching service that records all interconnection service, and when he becomes registered and he has an XMPP service that auto-discovers peers on the network (like I said this would be user specific), but there has to be some type of user setting involved in the discovery process; his service would then pull all past requests from the cache and depending on time limits be able to retrieve Alice's request and then he can respond. This is more from a philosophical perspective. But if you are a developer, you can write plugins for all the scenarios described above. If you need some more technical parameters we can talk about that, such as the type of discovery method you want to write on Bob's server, the type of caching engine you might want to put on Bob's network and how to plug it into his Jabber server etc.; this was just my own two cents. Just consider the situation somewhat similar to having a packet collector and retrieving offline messages when you log in, but in this case it would encompass the Jabber server and the packet collector would be the caching service engine you plug in to your server.
If it were a LAN, it might be a little more difficult to be as dynamic as retrieving host records and all inter-connectivity issues, but the plausible solution I can muster is to have a preemption of all available contacts, or better still operate within a specific sub-net.


Is creating an HTTP GET request to a domain to detect disposable mail a bad concept?

Disposable mail in this context is a temporary mail server that mostly works for 15 minutes to 1 hour for sending and receiving mail. The problem is that when we create a free service for newly registered users in a website or app, people keep creating emails using disposable mail. This is really bad.
So, I create a simple request to the domain with only an HTTP GET request. When it breaks or returns as not having reached the server, this domain will be detected as temp mail.
As long as I am trying to block disposable mail using this scenario, this still looks good. I have blocked many disposable emails without creating a list of them. And every domain that passed the GET request test is truly a real mail.
Is this a good concept? Is there a domain from a real email provider that fails on a GET request?
No, you should not use this signal to outright block emails. There are cases where domains host email for honest individuals, but have no website. An apparent example at the time of writing is @campbell.id. Let's look at this in some more technical detail:
To receive mail, a domain must have an MX DNS record and an SMTP server behind it.
To handle an HTTP GET request, a domain must have an A DNS record (or a CNAME leading to an A, or a AAAA for IPv6, you get the idea), and an HTTP server behind it.
You've found correlations in which short lived, disposable email domains often do #1 but not #2, while "legitimate" email domains often do both #1 and #2. However this is not required nor guaranteed, and "legitimate" domains which do only #1 and not #2 exist. Vanity domains like @campbell.id above offer some good examples, where people may want a nice looking, personal email address (so do #1) but not care to host a personal website (so don't do #2). There are likely many others, and not only limited to vanity domains.
While you should not use this signal to outright block emails, it could still be used as one in a set of signals where others exist that can offset it. Tuning and maintaining such a system to get good results easily becomes a job in its own though, so consider using an existing service rather than building your own. (Upollo is one I happen to be involved with).
Another approach for using a signal that is often but not always correct can be to trigger some additional verification or followup instead of outright blocking users. However you want to be quite confident, which I don't think you can be with this one signal, or else it becomes unfairly onerous for a specific subset of legitimate users.
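The distinction drawn in this answer, as an added example that is not part of the original post: mail deliverability is decided from MX data only, while a failed HTTP GET is kept as a weak signal that can at most trigger extra verification. It goes slightly beyond the answer by also handling a null MX (RFC 7505) and the address-record fallback when no MX exists (RFC 5321); `DomainFacts`, `other_risk_signals` and the sample values are assumptions.

```python
# Added example. The facts are supplied by the caller; in production they would
# come from MX/A/AAAA lookups and the HTTP GET request the question describes.
from dataclasses import dataclass, field


@dataclass
class DomainFacts:
    mx: list = field(default_factory=list)         # MX exchange host names
    addresses: list = field(default_factory=list)  # A/AAAA records of the domain
    http_ok: bool = False                          # did the HTTP GET succeed?


def can_receive_mail(facts):
    """Condition #1 from the answer: mail routing never depends on a web server."""
    if facts.mx:
        # A single MX of "." is a null MX (RFC 7505): the domain accepts no mail.
        return facts.mx != ["."]
    # With no MX at all, SMTP falls back to the domain's address records (RFC 5321).
    return bool(facts.addresses)


def signup_decision(facts, other_risk_signals=0):
    """Return 'reject', 'verify' or 'accept' for a signup using this domain.

    other_risk_signals is a hypothetical count of independent signals
    (for example a match on a maintained disposable-domain list).
    """
    if not can_receive_mail(facts):
        return "reject"  # the address cannot receive a confirmation mail at all
    risk = other_risk_signals + (0 if facts.http_ok else 1)
    # A missing website alone never blocks or challenges; it only adds weight.
    return "verify" if risk >= 2 else "accept"


if __name__ == "__main__":
    # Constructed sample: a vanity mail domain with an MX but no website.
    vanity = DomainFacts(mx=["mail.vanity.example"], http_ok=False)
    print(signup_decision(vanity))       # accept
    print(signup_decision(vanity, 1))    # verify
```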

Allow customers to send from their own domain in a SAAS application

I'm currently running a SAAS application and mails are being sent from our application using Mailjet.
Some of the larger customers have been asking to allow the emails to be sent from their domain (e.g. info@largehotel.com) instead of our system (notifications@saasapp.com).
Are there any initial pointers I will need to look at? I'm guessing they will need to add our SPF records to their SPF records too and that they will need to add a DKIM key that we generate for them to their records too? Then do some validation on them on the DNS level and mark them as validated?
I have some understanding to have customers run their own domain against our SAAS domain but a bit lost on the sending from their email domain requirement.
First, for the record, my SaaS platform does this (via option 2b). It’s an e-commerce marketplace and I need the receipts to be sent from the email address of the product seller, not from me (the marketplace).
You have two(ish) options
Send email through your client’s mail servers (instead of mailjet)
Verify the client’s domain on your Mailjet (or similar email) service
Option 1
With option 1, you’ll need to ask your client’s IT team to set up a username and password for you to access their SMTP server. This is essentially just like them creating an email account for you to use. This may seem like the easiest path available for you, but there are potential pitfalls and disadvantages:
Doing this, you will lose the mail open/click/bounce tracking functionality you get with mailjet; because you’ll be using the company’s SMTP server instead.
If you’re sending out as a fairly common email address (e.g. info@your-client.com) the client may already have that account active on their mail servers. That would allow them to receive replies into the existing infrastructure but make them wary of the security issues with sharing a password to their mail server with you.
You might find that they don’t even have the ability to give you a username and password. Modern mail services don’t allow for SMTP access (which is what your web app will need); and security conscious companies require 2 factor authentication on mail accounts (which your web app can’t answer).
Option 2
For this, you will need to ask their IT team to configure some DNS records to prove to mailjet, and to the email recipient, that you’re allowed to send on behalf of your client.
You did this for your own domain when you first setup mailjet. See https://app.mailjet.com/support/how-to-add-a-sender-address,96.htm for what this involves, but it’s a case of asking the client to configure a DNS record.
That tells mailjet that you’re allowed to send on behalf of that domain; but you’ll also want the client to adjust their SPF and DKIM records so as the recipient of the emails knows to trust Mailjet’s servers with emails sent from your client’s domain name. Normally, recipients only trust email sent from your client’s mail server (which you have as option 1) and distrust email sent from SAAS providers.
You will (or should) have done this on mailjet for your own domain already as well. https://app.mailjet.com/docs/spf-dkim-guide
So for this, you’ll need your client to set up 3 DNS records.
If you go this way, you could set up a separate Mailjet account which they and you have access to. That way they can see their dashboard directly and feel a sense of ownership and security around it. But you won’t be able to mark up the price of it 😜
Conclusion
How important is the tracking? If you can’t lose that you need to go with option 2.
How technically savvy is the client? Are they going to be able to have those DNS records changed? Are they going to be (rightly) security conscious around giving you an account on their main mail server?
Option 2 would be my preference. You might need to hold their hand through the DNS setup so get it configured on Mailjet (And ask about SPF in here to make sure you get it right) so you can provide them with clear instructions of the specific 3 DNS records to create/update.
Whatever approach you take make sure you’re talking to the right people at your clients side soon. Their marketing team may be keen to do this with you, but if their IT feels left out of the conversation they will be difficult to get on board when you need them to make the changes. Us IT folk can be grumpy and obstinate 😀
Your web app
This is going to need some adjustment. You probably already store your Mailjet credentials in a file or environment variables; you might need to move these to a DB table so you can relate credentials with specific accounts. But we’d need more info on the web app to be able to speak more to that side of the challenge.
Option 2b
Just as a note instead of a real suggestion. Be aware that some email service providers allow the sending verification part to be done by sending an email to someone on that domain (e.g. admin@yourclient.com) and then allowing sending via the API if the recipient clicks on the approve link in that email. But, even with that setup you still need the client to configure SPF and DKIM on their DNS, so the extra one record isn’t a big ask. AWS’s SES allows for this. This works for me; but I have different requirements around deliverability, and a large number of non-tech users (as opposed to your one or two big clients).
You can ask your client to generate a programmatic (app key/password) user for the email you need to use, for example info@largehotel.com, and some other info like (host: gmail, protocol: smtp, ...), all the basic info needed; then in your SaaS retrieve all this info to create an object with the client info that you stored before to send email to the target (from a developer perspective, not network engineering).
The SPF is the most important thing to do. In most cases you have to be very careful about the IP reputation, but since you are using Mailjet it's up to them to manage this part.
Be attentive to the overall quality of the email, text/image ratio... Also offer a text body version of the content and don't forget the unsubscribe link. Since you already send emails with your service, I guess these points are already correct.
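One way to do the DNS-level validation the question asks about for the three records of option 2, as an added example that is not code from the posts or from Mailjet. The include host `spf.esp.example`, the selector `saas1`, the `_saas-verify` label, the token and the key are hypothetical placeholders, and the zone data is constructed.

```python
# Added example: check a customer's DNS before marking a sending domain verified.
# ESP_INCLUDE, SELECTOR and VERIFY_LABEL are hypothetical, not Mailjet's values.
ESP_INCLUDE = "spf.esp.example"
SELECTOR = "saas1"
VERIFY_LABEL = "_saas-verify"


def check_spf(txts):
    """Return problems with the domain's SPF policy as a receiver would see it."""
    spf = [t for t in txts if t.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return ["no SPF record"]
    if len(spf) > 1:
        return ["multiple SPF records (receivers treat this as permerror)"]
    for term in spf[0].split()[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"
        mech = term.lstrip("+-~?").lower()
        if mech == "include:" + ESP_INCLUDE:
            if qualifier != "+":
                return [f"provider include has qualifier '{qualifier}', expected pass"]
            return []
        if mech == "all":
            break  # terms placed after 'all' are never evaluated
    return [f"SPF does not authorize include:{ESP_INCLUDE}"]


def check_dkim(txts, expected_p):
    """Return problems with the DKIM key record published at the selector."""
    if len(txts) != 1:
        return [f"expected one DKIM record, found {len(txts)}"]
    tags = {}
    for part in txts[0].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = "".join(value.split())  # drop folding whitespace
    if tags.get("v", "DKIM1") != "DKIM1":
        return ["DKIM record has an unknown version"]
    if not tags.get("p"):
        return ["DKIM key missing or revoked (empty p=)"]
    if tags["p"] != expected_p:
        return ["DKIM public key differs from the one issued to this customer"]
    return []


def validate_domain(domain, zone, expected_p, token):
    """zone maps DNS names to lists of TXT strings, as a resolver would return."""
    problems = []
    if token not in zone.get(f"{VERIFY_LABEL}.{domain}", []):
        problems.append("ownership token not published")
    problems += check_spf(zone.get(domain, []))
    problems += check_dkim(zone.get(f"{SELECTOR}._domainkey.{domain}", []), expected_p)
    return problems  # an empty list means the domain can be marked validated


# Constructed sample data (not real records or keys).
KEY = "CONSTRUCTEDKEYDATA=="
GOOD_ZONE = {
    "_saas-verify.largehotel.example": ["tok-123"],
    "largehotel.example": ["v=spf1 mx include:spf.esp.example ~all"],
    "saas1._domainkey.largehotel.example": [f"v=DKIM1; k=rsa; p={KEY}"],
}
BAD_ZONE = {
    "largehotel.example": ["v=spf1 mx -all include:spf.esp.example"],
    "saas1._domainkey.largehotel.example": ["v=DKIM1; k=rsa; p="],
}

if __name__ == "__main__":
    print(validate_domain("largehotel.example", GOOD_ZONE, KEY, "tok-123"))
    print(validate_domain("largehotel.example", BAD_ZONE, KEY, "tok-123"))
```

Re-running the same check on a schedule catches customers who later remove or overwrite the records.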

I am creating an email spammer, for an outstanding cause [closed]

In Cuba, web access is extremely censored, so I created a tool that allows more than 50,000 people to browse the Internet through email. Cubans send me an email with an URL in the subject line, and I email them back with the response. Read more at https://apretaste.com.
It was working like a charm, till the communist government of Cuba started blocking my emails. My solution was rotation.
I started with Amazon SES, and I was changing the domain each time it was blocked, but Amazon adds a header to all emails, and once they blocked the header no email from SES was able to reach Cuba any more. The same happened with Mailgun and others, they all add headers.
Currently I am creating Gmail accounts and sending via SMTP, but Google blocks me for no reason and only allows to send 100 emails a day per account. Also I can only create few emails using the same IP address/phone, so I was forced to use anonymous proxies and fake Chinese phones. Now I am fighting a war on two fronts.
An email can be blocked by three parameters: IP address, domain, and email address.
It will be terrific if I can set up my own Postfix server at a VPS that auto-rotates the IP address. Even better if I can simulate "gmail.com", to avoid purchasing a new domain every day.
All the intents to create what I call "the ultimate sender" just either reach the spam folder or add unwanted headers making it too easy to block. I feel exhausted. I hit a knowledge barrier here.
I know I am crossing to the dark side, but this is for a very good cause. Thousands count on this service as their only source of unbiased news, social network and to feel part of the 21st century.
Can you please help me implementing "the ultimate sender", or pointing to another solution that I may be missing?
I have a few suggestions for you.
The first one relies on The Onion Router also known as Tor.
Since you are crossing to the dark side, why not also take a look into the darknet?
Take a look at this list of Tor email providers. If you have your own email server that can be accessed through Tor, it becomes much harder for anybody to stop people from using this service. After all, Tor was developed to offer people uncensored access to the web.
You can read about Tor in detail here, it uses Onion Routing and this is how you would set up your server to use Tor.
Here is an example how you could use it:
The steps that involve the setup, receiving an URL request and sending back the reply are as follows:
Set up an email server.
Configure your email server to use Tor.
Publish the public service name. (e.g. "duskgytldkxiuqc6.onion")
Deploy a client that takes the service name and a URL, and let it send an email with a request to your server.
The client now waits for a reply.
You send a reply and the client receives it.
You can change your service name on a regular basis, but you need to make it accessible to those who will use this service.
Having an own email server means being able to control the email header.
Here is one example how you could make use of it:
Configure your email server so that it receives and recognizes
emails which contain the requested URLs.
Before you send a reply modify the email header so that it shows a random IP address and a random sender email address including a random domain name.
Send your reply.
Sending an email that way means that you cannot be replied back to. But since your reply already contains the requested information there is no need to.
I hope this helps.
Crowd source it.
Find a way that volunteers can send some emails for you. This is the only long term approach that I can think of. A simple web interface with mailto links would be enough to get started although there are other potential problems with this approach too.
Because you are talking about low numbers of users, you could also use crowdsourcing to create the single email address per person approach. They can create an account on a specific set of email providers and give you the credentials. This would allow the single email per user approach or could be used to rotate through a large set of email accounts to send emails.
The simplest solution is perhaps to set up a local SMTP server on your own computer. You don't even need a server per se.
https://sourceforge.net/projects/winsmtpserver/
There are many other such applications. They are usually used to test SMTP functions during local development, but there is nothing against actually sending spam through them.
I know this would be quite a large task, but how about pairing the users with one or just a few emails so they always receive an email from that email.
I'd assume people wouldn't have more than 100 queries per day, if so they could start receiving them from a backup email
I'd imagine it would look less suspicious for them to appear to be in constant contact with one unique email rather than 50,000 being in contact with one
I know this would be a huge undertaking, but I feel like it solves your issue.
Since the users are willing to receive emails from you then you shouldn't be blocked.
When you mentioned you are getting blocked, does it mean your mail is going to spam, or is getting lost in between sending and receiving, or is getting bounced back?
My suggestion would be to setup your own mail server and follow as below:
- Get approx 25 or more IPs to rotate. (IP is the most important part which is tracked and is accountable for the reputation of your mail server)
- Don't start sending emails in bulk from the word go; it is better to gradually increase the email volume so that the mail server reputation is nicely built
- Keep changing the format of the email often
- Encourage users to add you to their contact list
- Your best part is that users are willing to receive emails from you, and that you reply to received email is the USP of yours, but still I will recommend you to register for FBL so that you would know which user is reporting you as spam and you can remove him from your list and never send him email again.
- Using best practices to send emails like DKIM, SPF, DMARC is also vital.
Hope my answer was of some help to you. If you need a step by step guide to set up a mail server let me know.
My friend, do you remember what made Hillary Clinton lose the last elections to Trump?
It was the "mail" affair. And what was it? People discovered she shared confidential information through a non-official, non-governmental email account (i.e., she used some Gmail, Yahoo or another of a kind). Until here, nothing new with direct relation to your matters. But there is a small particularity in this history, and this can put, maybe not a solution, but maybe a light on a new path you could follow: Clinton actually never sent those emails; the email account she used had the password shared and the communication between people (Clinton-someone) occurred only using the drafts of the account.
How? One side logs in and accesses the drafts folder. There he/she reads the last message and edits it, cutting and writing new data - then saves the draft message. On the next turn, the other side of the communication line logs in and does the same. And so forth, so never really sending those messages, but instead just updating the drafts (this "Hillary" method does schooled people... Dilma Rousseff, impeached ex-president of Brazil, actually did this method down there in Brazil too).
So, maybe if you could establish a pact with your user that he/she doesn't delete the account's password, you could pass those information by this method - without "really" exchanging emails. Maybe a "parent" email account (some that could reset a lost password) could be useful too.
Alternative: aren't you able to contract a regular HTTP webserver? You could rely on FTP to publish data to your user, he/she asks for it and you publish a page with that content.
Salvi, have you tried something with Telnet? OK, we are talking here about a text-only environment, but if nothing more would rest in the future, this could be better than nothing. Maybe you could implement a podcast-like, or push-like service based on it. Look what people do with it with references to your walk on the dark side...
If in Windows, open your command prompt.
Type telnet and press Enter.
Type "o" without quotes and press Enter.
Type "towel.blinkenlights.nl" without the quotes and press Enter.

How does Google Talk replicate messages across devices?

I'm wondering how (official) GTalk clients manage to show all messages received - even if it was originally consumed by another client. For example: I'm logged into GTalk on gmail.com on my laptop and, at the same time, via the official GTalk app on my Android device. A friend sends me a message, which is displayed on both the gmail.com client and the Android client. (I think it's originally only forwarded to one of either clients, but the second client fetches the message later on)
I recently found out that there's a very similar XMPP feature, called Carbons. However, after a quick service discovery request Google's servers didn't advertise this feature. XEP-0313 and XEP-0136 look good too, but the servers don't advertise them either.
Possibly related question: Deliver Google Talk message to all logged in clients using XMPPPY
When you initiate a new chat then you should send the first message to the user's bare JID. This is what most clients are doing. When the GTalk server retrieves a chat message to a bare JID it routes the message to all available resources. For all following messages in this conversation the clients normally pick up the resource and send them to full JIDs. The messages should not be replicated then.
Many other servers don't route messages to bare JIDs to all resources, but to the most available resource, which is the client with the highest priority.
Here is a quote from the RFC:
If there is more than one resource with a non-negative presence priority then the
server MUST either
(a) deliver the message to the "most available" resource or
resources (according to the server's implementation-specific algorithm, e.g., treating
the resource or resources with the highest presence priority as "most available") or
(b) deliver the message to all of the non-negative resources.
XEP-0280 defines this. As I understand, it defines the mechanism to notify all the resources from the same user when one of them sends a message to anyone. I mean, Alice/pda sends a message to Bob, so Alice/mobile and Alice/PC will receive a copy of the message sent by Alice/pda.
Hope it helps. I am currently looking for a server that implements this, and also for a client library. If not, I will implement it by myself in both jabberd2 and gloox xmpp library.
Cheers,
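The bare-JID delivery rule quoted from the RFC above, as an added example that is not part of the original posts: the same session table yields different recipients under option (a) and option (b), which is the difference the first answer describes between GTalk and many other servers. The function name, session table and JIDs are constructed.

```python
# Added example; the session table and JIDs below are constructed.
def route_message(to_jid, sessions, deliver_to_all):
    """Pick the resources that receive a chat message.

    sessions maps resource name -> presence priority for the clients
    connected under the bare JID. deliver_to_all selects option (b) of the
    quoted rule; otherwise option (a) is used, with the highest presence
    priority treated as "most available".
    """
    bare, _, resource = to_jid.partition("/")
    if resource:
        # Full JID: only that resource is addressed, so nothing is replicated.
        # What a server does when the resource is gone is outside the quoted rule.
        return [to_jid] if resource in sessions else []
    # Resources with a negative priority never receive bare-JID messages.
    eligible = {r: p for r, p in sessions.items() if p >= 0}
    if not eligible:
        return []  # no eligible client is connected
    if not deliver_to_all:
        top = max(eligible.values())
        eligible = {r: p for r, p in eligible.items() if p == top}
    return sorted(f"{bare}/{r}" for r in eligible)


# Constructed sessions: two clients tie for the highest priority,
# one has a lower priority and one opted out with a negative priority.
SESSIONS = {"laptop": 5, "android": 5, "tablet": 1, "bot": -1}

if __name__ == "__main__":
    print(route_message("alice@example.org", SESSIONS, deliver_to_all=True))
    print(route_message("alice@example.org", SESSIONS, deliver_to_all=False))
    print(route_message("alice@example.org/tablet", SESSIONS, deliver_to_all=True))
```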

XMPP server-to-server - traffic optimization?

I'm working on a design for an XMPP chat solution which involves some servers and where at least one server is connected with serious bandwidth limitations.
Assuming, we have two servers A and B, some users 0..n connected to Server A and some conferences 0..m provided by Server B.
Now assume, some users enter a conference room and a message is sent to that room. Will
Server B send this message once to Server A and Server A distributes it to the users, or will
Server B send this message to each individual user of Server A?
According to the protocol spec, XEP-0045, multi-user chat messages are reflected independently to each participant. I can't tell on a brief read if it is legal to send them server-to-server without reflecting. However, it might be worth asking this question on an xmpp.org mailing list, where the experts tend to hang out.