Google Begins Blocking Third-Party Jabber Invites

New submitter kxra writes "Do you have a federated jabber instant messaging account that never gets responses from Google accounts anymore? Or do you have a Gmail account that a friend has been unable to invite from their 3rd party Jabber account? The Free Software Foundation reports, 'Google users can still send subscription requests to contacts whose accounts are hosted elsewhere. But they cannot accept incoming requests. This change is akin to Google no longer accepting incoming e-mail for @gmail.com addresses from non-Google domains.' This sounds like something Facebook would try in order to gain even tighter control over the network, but they never even federated their Jabber service to begin with. According to a public mailing list conversation, Google is doing this as a lazy way to handle a spam problem."

No Subject

[Anonymous Coward]

This is great because I keep receiving spam invites on one of my GMail accounts.

Re:No Subject

[asavage]

Yeah this is good news. I had to disable google talk invitation notifications on my phone as I was getting spam notifications daily.

Re:

[Anonymous Coward]

Google is doing this as a lazy way to handle a spam problem.

I'll be happy to learn a non lazy way to stop spam from domains you don't control. I'm not an expert in XMPP, but this sounds much like graylisting from SMTP: if your server has a high spam ratio, I will throttle you until the ratio drops. As long as Google has implemented per domain limits, and still accepts requests from non-spammy domains, it looks legit.

Re:

[Technician]

I've not had a spam problem with Gtalk or my SIP account with a Google Talk gateway. This means that I can't pick up my VOIP phone anymore and speed dial a Gtalk user.

This has very little impact as there are very few who have Gtalk and not Skype. I can call and be called with the Skype gateway instead.

Instructions:

To call from ippi to Skype, dial "skype_username@skype.ippi.com" then start the call

I guess calling Gtalk users may be broken now.

Instructions:

To call from ippi to Gtalk, dial "google_username@g

Re:

[beelsebob]

Haha, the great and mighty google who can do no wrong strikes an enormous blow against a standardised protocol, and against open communication, and slashdot's response is "this is great".

Fucking hypocrites.

Re:

[Anonymous Coward]

"And neither do most people" - And this is based on what statistically valid research?

Let me put it another way: Those who know enough about computers to know that Google chat is based on Jabber, will care. Those who don't, won't, but they should. Having 30 different chat systems is obviously annoying and inefficient. We have *one* email system, where people have different domains but they work between each other - and this works very well in most ways. Jabber allows a similar system. In fact, I use t

Just wait...

[daitengu]

Countdown to those with bad reading comprehension wondering why the story isn't about Google not accepting e-mail from non-@gmail.com accounts.

Re:Just wait...

[Hatta]

What's the significant difference? Isn't refusing jabber messages from non-google account just as bad, and bad for the same reasons, as refusing email from non-google accounts?

Re:

[hawguy]

What's the significant difference? Isn't refusing jabber messages from non-google account just as bad, and bad for the same reasons, as refusing email from non-google accounts?

The significant difference between blocking email and blocking jabber requests is that when you find that your jabber request is blocked, you can ask the person on the Google side to send you a request from their end, and from then on you can communicate with them.

It's kind of like if Google silently blocked external emails and the most reliable way to make sure your message got through would be to ask the recipient to add you to their address book. Oh wait, they already do that.

Re:Just wait...

[Hatta]

The significant difference between blocking email and blocking jabber requests is that when you find that your jabber request is blocked, you can ask the person on the Google side to send you a request from their end, and from then on you can communicate with them.

What happens if everyone implements this policy of denying all foreign requests?

Re:

[kasperd]

What happens if everyone implements this policy of denying all foreign requests?

If it is done in a sensible way, you will still be able to communicate, as long as both parties invite each other.

Re:

[Hatta]

This still requires some sort of coordination before the fact through a secondary communication channel. Can you imagine if the post office and phone company worked that way? There has to be a better solution.

Friend codes

[tepples]

Multiplayer on Nintendo video game consoles already works this way: nobody can communicate unless players have exchanged friend codes out of band. In fact, some games such as Animal Crossing series don't allow play with strangers at all.

Re:

[bragr]

Getting someone's mailing address, email address, or jabber address requires a secondary communication channel anyway. When is the last time you emailed someone to find out what their email address what?

Re:

[hawguy]

This still requires some sort of coordination before the fact through a secondary communication channel. Can you imagine if the post office and phone company worked that way? There has to be a better solution.

I'm imagining the phone company working that way, and it sounds like a good way to get rid of the unsolicited telemarketing calls. If the only callers that can reach me are ones that I've shared my phone number with through some other communication channel, then I wouldn't get any unsolicitied telemarketing calls.

Worse than the telemarkers...apparently the guy that used to have my number had some problems with paying bills, I still get calls from creditors looking for him. I've had this number for 2 years n

Re:

[aztracker1]

I was getting 8-10 recruiter calls a day at my old cell number about 2 years ago, I dropped it, and got a new number... feel sorry for the guy that got my old #

Re:

[AvitarX]

Google treats chat that way now though. When they started circles, they stopped auto adding, and limited chat to people in your circles I believe (i forget the specifics, but it got stricter).

Re:

[kasperd]

This still requires some sort of coordination before the fact through a secondary communication channel.

That's still better than not being able to communicate at all. Most of the time you only want to chat with people who you have exchanged emails with beforehand anyway.

Re:

[DragonWriter]

What's the significant difference? Isn't refusing jabber messages from non-google account just as bad, and bad for the same reasons, as refusing email from non-google accounts?

It might be, if XMPP's level adoption and central role in online interaction were equivalent to email's. As its not, it might arguably be bad for the same reason (if you don't view the central role of email as part of the reason that it would be bad to do it for email), but its certainly not just as bad.

Re:

[rickb928]

My Google email account gets incoming email from non-@gmail.com accounts all the damned time. What the hell is the problem? Am I not supposed to get emaI from the rest of the Internet or something? am I missign something? Am I alone in here? IS ANYBODY LISTENING? DOES ANYONE CARE?

How the hell do I contact Google and get this fixed? None of the phone numbers work, and no one answers their email! Seriously!

Re:

[Mister Liberty]

That's in fact how my mind construed it for a moment.
Why?

Because the other day I put a filter on my non-gmail domain mailbox
to send a copy from that mailbox to my gmail account, esp. so I
could read the mail from my tablet, while being away.

Then, for some mails coming in, I read those on the gmail account
from the desktop PC (to see if the filter was working).

Now, I noticed that having read them on the PC, the copies for some
reason never arrived in my gmail mailbox on my tablet, or I should
say, were totally u

Google has been quite evil this week

[Meditato]

1. Banning ad-blocker apps from the Google Play App store

2. Banning jabber invites

3. Killing Google Reader

They're too big to need to play nice with anyone.

Re:Google has been quite evil this week

[recoiledsnake]

You forgot them killing the open standard CalDAV support and replacing with their proprietary Calendar API.

http://www.zdnet.com/google-do-what-you-want-with-reader-but-dont-kill-caldav-7000012628/ [zdnet.com]

Re:

[LordLimecat]

If you make a case to them that Calendar API doesnt meet your needs, they will give you a whitelisted account which has access to it.

Apparently too depreciating services and APs is evil. Of course, that would include basically every software maintainer out there...

Re:

[sdsucks]

LOL, thanks. Was waiting for that.

Weren't you just harping on last month about how great Google is great at supporting open standards? Or was that another member of the "Righteous Google Defense Club"?

Re:

[LordLimecat]

Im part of the "lets stop the slashdot knee-jerk mindless bashing" club. Google gets flak for doing things that they do better than all of their competitors, its absurd.

I see complaints about google privacy, while they are the ONLY major search provider doing SSL by default, and they quickly switched to RC4 in response to a CBC vulnerability.
I see complaints about their gmail in-email scanning, when all of their competitors currently or very recently did the same. At least google lets you opt out.
I see co

Re:

[LordLimecat]

AES-CBC has a number of known vulnerabilities, and in certain circumstances RC4 can be more secure (in the sense that theres fewer known real-world attacks on it).

My understanding is that It is considered worrying because it is quite fast and that leads to concern that there may be flaws in it or easy cracks, but so far its held up OK.

Certainly after a number of recent attacks, the recommendation was to switch to RC4.

Re:

[Bert64]

RC4 also has known weaknesses, there was a story just this week:
http://yro.slashdot.org/story/13/03/14/1839239/cryptographers-break-commonly-used-rc4-cipher [slashdot.org]

Re:

[LordLimecat]

Right, but as this occurred AFTER google switched to RC4 all those months ago, its silly to claim it was bad security to do so; and seeing as this vulnerability relies on the exact same message being sent with the same key ~a billion times, its fairly minor to work around.

Re:

[sdsucks]

Waaaah panty boy.

I'm not on any high horse - as I've said repeatedly, I stopped using Google services about a year ago now.

Are you sure you're not paid for this? You must have spent hours today defending their dickish move.

Re:

[Richy_T]

Quite often those services *were* being offered by non-Google companies until Google bought them up.

I'm sad for what they did to deja-news

Re:

[sdsucks]

Son, I'm a shill for myself and that's about it.

Does it shock you that I don't pledge allegiance to any large corporation?

Re:

[Intrepid imaginaut]

Google is a marketing company. That they've gotten the traditionally anti-marketing geek contingent on side just means they are a very good marketing company.

Re:

[TheRaven64]

Google stock is down 7.24 on yesterday and down 24.3 since two weeks ago, so how's that working out for you?

Re:Google has been quite evil this week

[LordLimecat]

Apparently, its evil to decide that its no longer worth providing a free service that youve provided for years, and giving your users several months to take an export of their data.

Likewise, apparently its evil to stop allowing users to host apps which undermine your core businesses on your freely provided marketplace.

Of course, given that you never offered a free RSS reader or marketplace to begin with, wouldnt that make you more evil than Google?

Re:Google has been quite evil this week

[LordLimecat]

1) As they dont pay for Google Reader or Play market, thats irrelevant.
2) So once someone offers a free service, you demand that they offer it forever? Sounds reasonable.
3) Yes, I was remarking on how you can go to www.dataliberation.org in the next several MONTHS and get your data out. Have you ever tried getting your data out of AOL or Hotmail or someone else's systems? It tends to be a royal PITA. Never with Google, they always have at LEAST a CSV export.

But if you want to be both a beggar AND a chooser, dont let me stop you.

Re:

[aztracker1]

They never gave an option to pay for Reader... now migrated to NewsBlur (paid account, and since they stopped the free account signup (temporarily), it's actually usable... I'm really afraid that Google Voice will be next, without a paid option there.. I'd pay $25-50/year for google voice. I'm paying $24/year for newsblur. Without iGoogle, and Reader, I have very little reason to use google at all... My homepage is google for iGoogle... I was considering changing my homepage to Reader, since that is abou

Re:

[LordLimecat]

Not really; I used Live Mesh for a few months till they discontinued it and while i was certainly disappointed (as there is no comparable solution out there), I dont blame Microsoft for having provided that service.

Likewise I use Microsoft's antivirus, and if they choose to discontinue that too, I think it would be foolish but im not going to get "angry" at them as if they owed it to me. They owe me the things I pay for, and when they fail to deliver on THOSE, then I get annoyed.

Re:

[lemur3]

"How much evil must we do in order to do good? We have certain ideals, certain responsibilities. Recognize that at times you will have to engage in evil, but minimize it."

-ROBERT S. McNAMARA

http://www.errolmorris.com/film/fow_transcript.html [errolmorris.com]

Re:

[russotto]

"How much evil must we do in order to do good? We have certain ideals, certain responsibilities. Recognize that at times you will have to engage in evil, but minimize it."

-ROBERT S. McNAMARA

Architect of the US involvement in Vietnam. Who next, Dick Cheney?

Re:

[andymadigan]

What percentage of e-mail sent to you is spam?

Percentages aren't useful when talking about spam.

TFS last sentence untrue

[DragonWriter]

According to a public mailing list conversation, Google is doing this as a lazy way to handle a spam problem.

Nothing in that conversation says that Google is doing this (not actually blocking all foreign invites, but sharply limiting the number from each foreign domain) as a lazy way to handle a spam problem; that conversation points to an extremely large spam invite problem, and discusses potentially needing to do it if the operators of the federated domains from which the spam is originating cannot address the problem. It also addresses some of the steps taken by operators of those domains to address the problem (as of the most recent message I can find, it also seems like those methods have not yet been dealt with the problem.)

It very much sounds like the goal is to deal with the problem with the other service operators, but to take immediate steps to stem the flow of spam until an acceptable resolution is attained. The author of TFS may think this is "lazy", but it is not accurate to attribute that description to the email thread.

Re:TFS last sentence untrue

[Anonymous Coward]

Posting AC for obvious reasons.

I run the helpdesk for a medium-sized email service (~350,000 users) that also provides federated XMPP service. We've had users complaining for several days that they while they can IM users at Google Talk, they can't request presence notifications (e.g. requesting to see if a buddy is online, away, etc.). They're able to chat with Google Talk users but can't see if they're online or not, which is a major issue. We've been really annoyed as we thought it was an issue on our end and assumed that Google knew what it was doing when it came to operating large-scale XMPP service.

It's wasted a lot of our admin time and resulted in frustrated users.

It's one thing to do a temporary ban of servers that are emitting gobs of spam or spammy invites, but it's a different thing to start blocking basic XMPP functions like requesting authorization for presence notifications. It's even more of an entirely different thing to block auth requests from the entire internet.

Re:

[dacarr]

What you said, DragonWriter. I have my doubts that this is a lazy way out - more a way of stopping it until a better answer is found.

Re:TFS last sentence untrue

[johnsu01]

I know it says rate-limiting, but from our logs, the accepted rate appears to be 0. We don't have that many users; certainly not enough to trigger a rate limit in the scope of the kind of rate they would be worried about. And while we did not say "lazy" in the original article, but rather expressed our sympathies for having to grapple with the spam problem, this is not an acceptable solution. As other commenters are pointing out, this is essentially shifting the burden to much smaller entities, who now have to respond to their users' complaints. If Google would publicly describe the problem, and the scope of it, and publicly explain what they are *actually* doing, then the rest of us could help find a solution. Right now, this definitely looks like "easiest way out for us, broader principle of federation and workloads of other entities be damned."

Re:

[DragonWriter]

And while we did not say "lazy" in the original article, but rather expressed our sympathies for having to grapple with the spam problem, this is not an acceptable solution.

I don't disagree with you that (presuming this is a solution rather than an interim damage control measure) that its not an acceptable solution. My issue was with the summary attributing the summary author's editorializing to the mailing list thread discussing the problem, rather than taking ownership of the editorializing (or, better,

Re:

[Anonymous Coward]

According to a public mailing list conversation, Google is doing this as a lazy way to handle a spam problem.

Nothing in that conversation says that Google is doing this (not actually blocking all foreign invites, but sharply limiting the number from each foreign domain) as a lazy way to handle a spam problem; that conversation points to an extremely large spam invite problem, and discusses potentially needing to do it if the operators of the federated domains from which the spam is originating cannot address the problem. It also addresses some of the steps taken by operators of those domains to address the problem (as of the most recent message I can find, it also seems like those methods have not yet been dealt with the problem.)

You're mistaken. Please read this thread:

http://mail.jabber.org/pipermail/operators/2013-March/001608.html [jabber.org]

Re:

[DragonWriter]

You're mistaken.

No, I'm not.

Please read this thread:

http://mail.jabber.org/pipermail/operators/2013-March/001608.html [jabber.org] [jabber.org]

I did. It, as I said before, doesn't say what TFS characterize it as saying (that its a lazy way of preventing spam). It does say its about preventing spam, and it does say that the current implementation is a part of a rapidly-evolving strategy. It also says that (from one side) its bad because some details of the way it has been implemented are not RFC-compliant, and (from the

Re:

[LordLimecat]

Finding "spammy users" has always been the chief problem with every fight against spam.

Re:

[DragonWriter]

That doesn't help if they're blocking invites from the entire internet, rather than just from spammy servers or users.

Actually, running your server is a step toward solving that, but not the whole solution. The other parts of the solution are [a] getting people to use your server rather than Google's, and [b] solving the spam problem that Google is addressing by some other, more federation-friendly, means.

Re:

[Hatta]

And what if you wish to speak with someone who uses Google's XMPP service?

Re:

[FireFury03]

And what if you wish to speak with someone who uses Google's XMPP service?

The same thing that happens if you want to email someone who's email provider is blocking all incoming emails - you tell them their service provider is being a dick and that they need to change to one of the many other service providers out there who aren't being almighty bellends....

Re:

[mccrew]

Sorry, but I have a full time job already. Don't need another one. :)

Re:

[TheRaven64]

Running an XMPP server doesn't take much effort. I've been running an eJabberd server for about 6 years and was running jabberd 1 before then. The original jabberd took a reasonable amount of configuration effort, but ejabberd (especially if you use mnesia) requires almost none: just install it, tell it your domain, and either enable in-band registration or manually add users. That's basically it. Pull in any security updates as they appear (your operating system's package manager should handle this) an

CAPTCHA

[ensignyu]

Maybe instead of silently dropping invitation requests, Google should send a rejection notice (regardless of whether the target Gmail account exists, to prevent probing) with a link to a CAPTCHA; completing the captcha would allow retrying the request.

Given their track record, I'd be surprised if Google bothers to implement this kind of non-lazy approach to re-enable interoperability, though.

Re:CAPTCHA

[ensignyu]

Just to be clear, I'm sure the engineers at Google are trying to do what they can do deal with the spam problem, as quickly as they can.

I'm just feeling cynical about Google's motives and actions after what they've done with Google Reader, CalDAV, etc. Yeah, they're a for-profit corporation, but it's disappointing how they seem to be moving away from open standards.

At this point, it seems like they're looking around and saying: "Hey, we have a proprietary solution, and an open solution, but it costs extra to maintain both. If we shut down the open solution, we save money and get extra lock-in too. It's win-win! -- for us, at least."

So I'm slightly worried that when a situation like this comes up, the managers at Google (or managers' managers, or wherever the directive is coming down from) are just going to say "do the minimum amount of work and get back to that other project we have you working on", where implementing solution that's good for the users is not a priority.

Email CAPTCHA

[DrYak]

Interestingly, that's exactly the policy implemented by one of my former university against email spam coming from a few large and very spammy IP blocks.
(I think these IP blocks were somewhere in China).
Very few users were actually communicating with them. But we got massive amount of spam coming from them.

The solution was to black list this IP range. But any rejected user got an answer asking a few very simple step (I don't remember if captcha was involved at all) to add his/her emitting address to a white