[Operators] Rosters flood
skupko.sk at gmail.com
Tue Sep 7 22:36:11 CST 2010
On 09/07/2010 05:59 AM, Evgeniy Khramtsov wrote:
> Recently our SPAM filter on jabber.ru detected a massive flood targeting
> users' rosters. Sample spam JIDs:
> A complete list of JIDs: http://kuku.jabber.ru/~xram/40tman.log
> Sorted by servers: http://kuku.jabber.ru/~xram/40tman-servers.log
> Any idea how to fight against this?

I have evidence of these '40tman_rullez' accounts being created on the
jabber.sk server for the last weeks.

Most of the connections of the '40tman_rullez' accounts are made from IPs
184.108.40.206, 220.127.116.11, 18.104.22.168...

But there are also others, e.g.:
ws_conference_jabber_ru41odk__n at jabber.sk

Most of the connections of the 'ws_conference_jabber_ru' accounts are made from
IPs 22.214.171.124, 126.96.36.199, 188.8.131.52...
All listed IPs are registered in Russia.

These accounts are probably also causing the increased network
utilization on our server (4Mb/s in peaks).

Let me know if any other information could help you find a way
to fight against this. Do you have any recommendation on how to prevent
these accounts from being created on our server? I do not want to implement
CAPTCHA or filter IPs.

xmpp: skupko at jabber.sk
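
Added example, not part of the original message or of any server's code: the accounts described above share a fixed localpart prefix followed by a random suffix, so a registration log can be clustered by longest shared prefix to surface them without CAPTCHA or IP blocking. The `(jid, source_ip)` record format, the thresholds, and all sample JIDs and addresses below are assumptions constructed for illustration.

```python
from collections import defaultdict

MIN_PREFIX = 8    # assumed: shorter shared prefixes are too common to mean anything
MIN_ACCOUNTS = 3  # assumed: accounts sharing a prefix before it is reported


def flood_prefixes(records, min_prefix=MIN_PREFIX, min_accounts=MIN_ACCOUNTS):
    """Cluster registrations by shared localpart prefix.

    records: iterable of (jid, source_ip) pairs, e.g. parsed from a
    registration log. Returns {prefix: {"jids": set, "ips": set}} holding
    only the longest prefix of each cluster with >= min_accounts members.
    """
    by_prefix = defaultdict(lambda: {"jids": set(), "ips": set()})
    for jid, ip in records:
        local = jid.split("@", 1)[0].lower()
        # Index every proper prefix of the localpart from min_prefix upward.
        for n in range(min_prefix, len(local)):
            entry = by_prefix[local[:n]]
            entry["jids"].add(jid)
            entry["ips"].add(ip)
    hits = {p: e for p, e in by_prefix.items() if len(e["jids"]) >= min_accounts}
    # Drop a prefix when a longer one describes exactly the same accounts.
    return {
        p: e for p, e in hits.items()
        if not any(q != p and q.startswith(p) and hits[q]["jids"] == e["jids"]
                   for q in hits)
    }


# Constructed sample: documentation-range IPs and an example domain.
SAMPLE = [
    ("40tman_rullezz_q1w2e3@xmpp.example", "192.0.2.10"),
    ("40tman_rullezz_zx9k@xmpp.example", "192.0.2.10"),
    ("40tman_rullezz_m4n5b@xmpp.example", "192.0.2.11"),
    ("ws_conference_jabber_ru7hj2__k@xmpp.example", "198.51.100.7"),
    ("ws_conference_jabber_ruab31__n@xmpp.example", "198.51.100.7"),
    ("ws_conference_jabber_rux0p9d_@xmpp.example", "198.51.100.8"),
    ("alice@xmpp.example", "203.0.113.5"),
    ("bob.smith@xmpp.example", "203.0.113.6"),
    ("carol_work@xmpp.example", "203.0.113.7"),
]

if __name__ == "__main__":
    for prefix, info in sorted(flood_prefixes(SAMPLE).items()):
        print(f"{prefix!r}: {len(info['jids'])} accounts from {sorted(info['ips'])}")
```

The reported prefixes can feed a review queue or a registration rate limit keyed on the prefix rather than on the source address.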