[Operators] Rosters flood

Peter Viskup skupko.sk at gmail.com
Tue Sep 7 22:36:11 CST 2010


On 09/07/2010 05:59 AM, Evgeniy Khramtsov wrote:
> Recently our SPAM filter on jabber.ru detected a massive flood targeting 
> users' rosters. Sample spam JIDs:
>
> 40tman_rullezz_1z2m6g at gornyak.net
> 40tman_rullezz_ezz00545se at highsecure.ru
> 40tman_rullezz_zum6y31 at jabber.zs1.wroc.pl
> 40tman_rullezz_m8mlc9 at deshalbfrei.org
> 40tman_rullezz_am5oi at jabber.ozerki.net
> 40tman_rullezz_on5b7o3 at codingteam.net
> 40tman_rullezz_fi0p6 at gornyak.net
> 40tman_rullezz_csb26vy_ at jabba.mgw.pl
> 40tman_rullezz_5wracfj at jabbers.org.ru
> 40tman_rullezz_59tv8wpfn at jabber.zs1.wroc.pl
> 40tman_rullezz_iiy13 at dominion.dn.ua
> ...
>
> A complete list of JIDs: http://kuku.jabber.ru/~xram/40tman.log
> Sorted by servers: http://kuku.jabber.ru/~xram/40tman-servers.log
>
> Any idea how to fight against this?
>

I have evidence of these '40tman_rullez' accounts being created on 
the jabber.sk server over the last weeks.
Most of the connections of '40tman_rullez' accounts are made from IPs 
188.168.78.102, 188.168.78.162, 81.177.33.11...

But there are also others, e.g.:
ws_conference_jabber_ru41odk__n at jabber.sk
Most of the connections of 'ws_conference_jabber_ru' accounts are made from 
IPs 109.169.251.0, 82.146.63.108, 95.67.179.109...

All listed IPs are registered in Russia.
These accounts are probably also causing the increased network 
utilization on our server (4Mb/s in peaks).

Let me know if any other information could help you find a way to 
fight against this. Do you have any recommendation on how to prevent 
these accounts from being created on our server? I would not like to 
implement CAPTCHA or IP filtering.

Regards,
--
Peter Viskup
xmpp: skupko at jabber.sk
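
One way to surface such registrations without CAPTCHA or IP filtering, as an added example that is not part of the original thread: cluster newly registered localparts by a shared leading stem and report the large clusters. The record layout, the thresholds `key_len` and `min_accounts`, the extra `ws_conference_jabber_ru` names and all IPs (documentation ranges) are assumptions made for the example.

```python
from collections import defaultdict
from os.path import commonprefix

# Constructed sample of registrations as (JID localpart, source IP).
# The first five localparts and the first ws_ one are quoted in the thread;
# the other names and all IPs (documentation ranges) are made up here.
SAMPLE_REGISTRATIONS = [
    ("40tman_rullezz_1z2m6g", "192.0.2.10"),
    ("40tman_rullezz_ezz00545se", "192.0.2.10"),
    ("40tman_rullezz_zum6y31", "192.0.2.11"),
    ("40tman_rullezz_m8mlc9", "192.0.2.10"),
    ("40tman_rullezz_am5oi", "192.0.2.11"),
    ("ws_conference_jabber_ru41odk__n", "198.51.100.7"),
    ("ws_conference_jabber_ru9xk2p", "198.51.100.7"),
    ("ws_conference_jabber_rub71qz", "198.51.100.8"),
    ("ws_conference_jabber_ruq0w8e", "198.51.100.7"),
    ("alice", "203.0.113.5"),
    ("support-team-eu", "203.0.113.6"),
    ("conference_bot", "203.0.113.7"),
]


def find_prefix_clusters(registrations, key_len=10, min_accounts=4):
    """Group new localparts by their first key_len characters and report
    groups large enough to look like scripted mass registration."""
    buckets = defaultdict(list)
    for localpart, ip in registrations:
        name = localpart.lower()
        if len(name) > key_len:  # a generated name has a suffix past the key
            buckets[name[:key_len]].append((name, ip))

    clusters = []
    for members in buckets.values():
        names = sorted({name for name, _ in members})
        if len(names) < min_accounts:
            continue
        clusters.append({
            "prefix": commonprefix(names),  # full shared stem, for the operator
            "accounts": len(names),
            "ips": sorted({ip for _, ip in members}),
        })
    return sorted(clusters, key=lambda c: c["accounts"], reverse=True)


if __name__ == "__main__":
    for cluster in find_prefix_clusters(SAMPLE_REGISTRATIONS):
        print(cluster)
```

The reported stem can feed a registration-time check or a review queue; the thresholds need tuning against a server's normal sign-up volume.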

