I think I see the cause of the issue. Siskin tries to fetch VCard to present it to you when you are opening this window and until it gets the response it presents a "limited" view with a limited set of actions. I'll try to address that in the next beta build. This would be problematic. Within XMPP people try to drop requirements or support for privacy lists as they are complicated. For sure we could use it to block domains on the server-side, but this could interact with the simple blocking command which does not support domain-level blocking (blocked domains would not be visible in the UI). 3 & 4. Bulk handling is problematic. It requires a lot of boilerplate code to display waiting presence requests (those are only displayed as notifications). It would be easier to add bulk handling to conversations (as we already have a list of them).

Right now, I wonder if a simpler for this would work. Instead of dealing with presence subscription requests and opened conversations, I could add an item in the long-press menu on the opened conversations named "Block all from this domain". It would be displayed for any conversation in which the participant is not on your roster. The result of tapping this item, would be blocking all jids from the same domain on which you pressed for which conversations are opened and people are not in your roster. Additionally, I would drop presence subscription notifications from them.

Here is how it would work:

1. Long-tap on any conversation with a person not on your list
2. Select the option "Mark all conversations from this domain as spam"
3. Client would search for all opened conversations with users of this domain (which are not "in the roster").
4. Client would block then using simple command blocking (all those jids - not the domain itself).
5. Client would drop all presence subscription requests for blocked jids.

I think that this would fairy simplify blocking those users and getting rid of the spam. What do you think?

I was also thinking about a way to report spammers from the UI to the server, so that we could gather a list of spammers in the Tigase database and then decide, ie. to block the whole domain using ad-hoc.

Comment from @wojtek

I'm not sure that it would be the best way - one could simply get frustrated and use option "block all from domain" and it would also block a valid contact that we had conversation earlier.

What's more - I think there is something wrong if Artur is getting so much spam subscriptions - I don't remember last time I got spam or sub request so maybe it would require tweaking to tigase-spam? Adding option to report spam to tigase-spam would be helpful. Possibly not generating application notification for sub requests (only for messages) would help here (then sub requests would be displayed below the list without drawing to much attention)?

Bulk action on contact list would also be helpful.

I've clarified with Wojtek, that I've suggested to block only JIDs which opened chats with you and they are NOT in your roster. With that, this solution while not good seems reasonable.

@kobit In the meantime, I've notified administrators and the company hosting domain default.rs about this server sending spam.

According to https://github.com/JabberSPAM/blacklist/issues/7, this server was taken down in 2019 due to the same issue.

@kobit We also do have https://github.com/tigase/tigase-server/blob/master/src/main/groovy/tigase/admin/UserDomainFilter.groovy, so we could just ban default.rs from connecting to tigase.org

OK, I responded on 1dev to this. It is tempting for me to just block default.rs, 0day.la, 0nl1ne.at but then we would loose opportunity to implement good and automated or semi-automated ways to handle spam. Let's not block them for now.

@kobit I think this was implemented recently already (blocking whole domains). Do we need anything else? or can we close this task?

Right now, I am NOT getting ANY spam anymore. I guess this is thanks to domains blocking. Whatever reason, I can use my XMPP accounts again and I can get online. So, as for me, we do not need to do anything else and the task can be closed.