RocketChat / feature-requests

This repository is used to track Rocket.Chat feature requests and discussions.

Anti-abuse features need to improve (logging and access control) #25

Open Gandalf-the-Grey opened 7 years ago

Gandalf-the-Grey commented 7 years ago

Rocket.Chat needs a way to deal with abuse

especially for instances with open registration.

A common use-case scenario is a spammer that joins the chat. He can easily spam channel(s) with random text, rendering them unusable. If moderators are around, they can mute him or remove him from the channels they have under their control.

Anti-spam bots

Adding simple anti-spam functionality to the bot could help a lot with dealing with the most common cases of spam / channel flooding. For example, in eggdrop bot settings, flood-chan 10:60 means that 10 messages from the same user in 60 seconds are considered spam. Such a user could be automatically muted temporarily, or, after hitting some other triggers (recurring mutes during 24h), permanently muted or deactivated for further manual checking.

In cases of more serious abuse, such a user can be deactivated. But that's not the end of the story. On a system where registration is open, he or his bots would come back to spam even more. Currently there are no effective ways to fight against it, other than "Manually Approve New Users" and "Blocked Domains List": the first one doesn't solve the problem because it's very easy to create a new "identity"; the second is easy to get around because of the large number of disposable e-mail services (we are currently blocking 1600 domains).

What else could help?

Good access logs

Good access logs containing users' IP addresses are essential not only for the purpose of anti-spam, but also for communication with law enforcement and authorities. Examples:

example1: 20170903 15:24:01 useraccountname user@emailfromregistration.com 12.34.56.78 registered an account

example2: 20170903 15:24:03 useraccountname user@emailfromregistration.com 12.34.56.78 logged in

example3: 20170903 15:24:04 useraccountname user@emailfromregistration.com 12.34.56.78 muted on #some_channel by somemoderator

IP address blacklist

Disallow registration from certain IPs / networks (already mentioned in RocketChat/Rocket.Chat#2885)
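The flood-control behaviour proposed above (eggdrop-style 10 messages in 60 seconds, a temporary mute, and escalation to manual review after recurring mutes within 24 hours), as an added example that is not Rocket.Chat's code. The mute length (300 s) and the escalation threshold (3 mutes in 24 h) are assumptions; the 10:60 threshold is the one from the post.

```python
from collections import defaultdict, deque

# Constructed policy in the eggdrop "flood-chan 10:60" style from the post above:
# 10 messages from the same user within 60 seconds count as flooding.
FLOOD_MSGS, FLOOD_WINDOW = 10, 60
TEMP_MUTE_SECONDS = 300                          # assumed temporary mute length
ESCALATE_MUTES, ESCALATE_WINDOW = 3, 24 * 3600   # assumed: 3 mutes in 24h -> review


class FloodGuard:
    """Sliding-window flood detector with escalation (all thresholds are assumptions)."""

    def __init__(self):
        self.msgs = defaultdict(deque)   # user -> timestamps of recent messages
        self.mutes = defaultdict(deque)  # user -> timestamps of mutes issued
        self.muted_until = {}            # user -> expiry time of a temporary mute
        self.flagged = set()             # users handed over for manual review
        self.audit = []                  # (ts, user, action) lines for the access log

    def on_message(self, user, ts):
        """Return 'ok', 'dropped' (already muted), 'muted' (new mute) or 'flagged'."""
        if self.muted_until.get(user, 0) > ts:
            return "dropped"
        window = self.msgs[user]
        window.append(ts)
        while window and window[0] <= ts - FLOOD_WINDOW:   # drop messages outside 60s
            window.popleft()
        if len(window) < FLOOD_MSGS:
            return "ok"
        # Threshold reached: issue a temporary mute, then check for recurring mutes.
        window.clear()
        self.muted_until[user] = ts + TEMP_MUTE_SECONDS
        mutes = self.mutes[user]
        mutes.append(ts)
        while mutes and mutes[0] <= ts - ESCALATE_WINDOW:  # keep only the last 24h
            mutes.popleft()
        if len(mutes) >= ESCALATE_MUTES:
            self.flagged.add(user)
            self.audit.append((ts, user, "flagged for manual review (recurring mutes)"))
            return "flagged"
        self.audit.append((ts, user, f"muted for {TEMP_MUTE_SECONDS}s (flood)"))
        return "muted"


def simulate(events):
    """Feed (user, ts) pairs through one guard; return decisions and the guard."""
    guard = FloodGuard()
    return [guard.on_message(u, t) for u, t in events], guard
```

A user posting every 7 seconds never trips the window, while a burst of 10 messages is muted on the tenth and a third burst within 24 h is flagged instead of muted again.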

pfunks commented 7 years ago

The anti-spambot/anti-flood feature would be helpful for a real issue with the instance of rocket.chat I am an administrator on. It's too simple for a common script kiddie to cause a disruption.

The IP logging/banning issue is also something direly needed and as you can see from this issue made last year, not a new need either. https://github.com/RocketChat/Rocket.Chat/issues/5166

@engelgabriel commented in agreement. The internet isn't always a nice place and abuse mitigation is needed for any social app with easily-made accounts.

WebSavvyDude commented 7 years ago

I would like to add that even the removal options for moderators and admins are weak. If you kick a user out, he can just log right back in.

We need a feature that can ban by IP address. Very essential.

tlebris commented 6 years ago

No RocketChat instances are directly open on HTTP or HTTPS on the internet; there is always (I hope) Nginx or Apache in front, and a firewall. As these solid pieces of software handle the chaos of the Internet, they are the most natural candidates to handle:

- Log analysis (Nginx)
- Ban (Nginx redirect to specific page)
- Packet drop (FW)

There are plenty of tools that provide this kind of thing, even if some are not that easy to set up. WebSockets mean HTTP logs via Nginx are less easy to catch, for sure. I understand it's not as easy as providing these actions via an admin panel, and I understand only RocketChat can have access to aggregate information such as "who, when, what". But still, it's much better to block anything you would block BEFORE it reaches your app.

Just an opinion by the way.

Gandalf-the-Grey commented 6 years ago

@tlebris I thought that it would be fixed so fast that there was no point in replying, but since a few months have passed, here are my thoughts about it:

Log analysis (Nginx)

That's at a lower level: from Nginx you can get an idea about who fetched an avatar picture, not who did what on which channel, nor whether 1000 of them were from the same /24.

Ban (Nginx redirect to specific page)

Again, IPs unrelated to app events, so it's useless.

Packet drop (FW)

Same here, you don't have any useful data that can help you match IP addresses with abusers on chat.

RocketChat can have access to aggregate information such as "who, when, what". But still, it's much better to block anything you would block BEFORE it reaches your app.

That's the point: without getting info from Rocket.Chat about "who, when, what", I can't do anything useful against abusers at lower levels.

chatnl commented 6 years ago

I need this functionality also. I am using Rocket.Chat as a public chatbox. Having no option to ban the IP of a user is waiting for a problem to happen. If I could at least have a log with the last used IP, I could use iptables to ban for the time being. As @Gandalf-the-Grey pointed out, we must have a way to relate the IP to an event on Rocket.Chat or else it is useless.
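Relating IPs to chat events, as asked for in the comment above and in @Gandalf-the-Grey's "who, when, what" point: an added example (not Rocket.Chat's code) that parses lines in the access-log format proposed at the top of this thread, records the last IP seen per user, and groups muted users by /24 so an operator can feed a firewall rule from chat-level evidence. The log lines and addresses are constructed sample data.

```python
import ipaddress
from collections import defaultdict

# Constructed sample lines in the format proposed in the opening post:
# date time username email ip action...
SAMPLE_LOG = """\
20170903 15:24:01 spam01 a@disposable.example 203.0.113.10 registered an account
20170903 15:24:03 spam01 a@disposable.example 203.0.113.10 logged in
20170903 15:24:04 spam01 a@disposable.example 203.0.113.10 muted on #general by mod1
20170903 15:30:12 spam02 b@disposable.example 203.0.113.77 registered an account
20170903 15:30:20 spam02 b@disposable.example 203.0.113.77 muted on #general by mod1
20170903 16:02:41 alice alice@example.org 198.51.100.5 logged in
20170903 16:10:00 spam03 c@disposable.example 203.0.113.200 muted on #dev by mod2
not a log line
"""


def parse_line(line):
    """Split one access-log line into its fields; returns None for malformed lines."""
    parts = line.split(maxsplit=5)
    if len(parts) < 6:
        return None
    date, time, user, email, ip, action = parts
    try:
        addr = ipaddress.ip_address(ip)   # rejects lines whose 5th field is not an IP
    except ValueError:
        return None
    return {"ts": f"{date} {time}", "user": user, "email": email, "ip": addr, "action": action}


def correlate(log_text, prefix=24):
    """Relate moderation events back to IPs: last IP per user, muted users per /prefix."""
    last_ip, muted_by_net = {}, defaultdict(set)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        last_ip[ev["user"]] = str(ev["ip"])
        if ev["action"].startswith("muted"):
            net = ipaddress.ip_network(f"{ev['ip']}/{prefix}", strict=False)
            muted_by_net[str(net)].add(ev["user"])
    return last_ip, dict(muted_by_net)


def ban_candidates(log_text, min_users=2):
    """Networks with at least min_users distinct muted users, for a firewall block list."""
    _, muted_by_net = correlate(log_text)
    return sorted(n for n, users in muted_by_net.items() if len(users) >= min_users)
```

The min_users threshold is what keeps one muted user on a shared or dynamic range from banning the whole network, which is the concern raised later in this thread.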

NameTheJew commented 6 years ago

ANOTHER IP LOG SHILL.

WE DON'T WANT IP LOGS. IP Banning is USELESS in a world where most people have DYNAMIC IP addresses. Just see 4chan.org for an example of how useless this is. (Reboot device, new IP)

Flood control is fine.

faziloub commented 5 years ago

we need this feature also, for better moderation

Tayyaba03 commented 5 years ago

any updates on this one?

FaizanZahid commented 5 years ago

we need this feature too

reetp commented 4 years ago

As a follow-up to another user's question on this, there have been several bugs opened, but probably all ought to come under this.

I can see a requirement for a 'Moderator' to have the ability to quickly Ban/Mute a particular user across all channels.

https://github.com/RocketChat/Rocket.Chat/issues/13063

https://github.com/RocketChat/feature-requests/issues/678

https://github.com/RocketChat/Rocket.Chat/issues/10932

https://github.com/RocketChat/Rocket.Chat/issues/6514