[Operators] Rosters flood

Nikolaus Polak nik at linuxlovers.at
Wed Sep 8 08:30:01 CST 2010


Hi, 

Just wanted to say that for now it seems servers like mine cannot be targeted by this bot, perhaps until the "nice guy" reads this: I have only 2 domains with iq:register allowed (linuxlovers.at / 0nl1ne.at), which both need a DNS SRV lookup to find my XMPP service - could it be that only DNS IN-A reachable servers are (by these two persons, and for now) targeted?

regards, 
Nik 

----- Original Message -----


From: "Peter Viskup" <skupko.sk at gmail.com>
To: "XMPP Operators Group" <operators at xmpp.org>
Sent: Wednesday, 8 September 2010 10:14:41
Subject: Re: [Operators] Rosters flood


Small correction in regexp: 

"^(40tman_rullez|ws_conference_jabber_ru)" 
and the name in access rule should be jabber_sk_bad_users of course. 

On Wed, Sep 8, 2010 at 9:47 AM, Peter Viskup <skupko.sk at gmail.com> wrote:



I configured a restriction for account creation based on a regexp and filter these account names.

I think administrators of other affected jabber servers should follow this approach. 


{acl, jabber_sk_bad_users, {user_regexp, "^[40tman_rullez,ws_conference_jabber_ru]", "jabber.sk"}}.
{access, register_jabber_sk, [{deny, bad_users}, {allow, all}]}.

I will remove all existing 40tman_rullez and ws_conference_jabber_ru accounts on jabber.sk so that these will not be used any more.



Regards, 
-- 
Peter Viskup 
xmpp: skupko at jabber.sk 




On Wed, Sep 8, 2010 at 6:39 AM, Evgeniy Khramtsov <xramtsov at gmail.com> wrote:



08.09.2010 08:36, Peter Viskup wrote: 


I have evidence of these '40tman_rullez' accounts being created on the jabber.sk server for the last weeks.
Most of connections of '40tman_rullez' accounts are made from IPs 188.168.78.102, 188.168.78.162, 81.177.33.11... 

But there are also others e.g.: 
ws_conference_jabber_ru41odk__n at jabber.sk 
Most of connections of 'ws_conference_jabber_ru' accounts are made from IPs 109.169.251.0, 82.146.63.108, 95.67.179.109... 


Thank you for the info! 




All listed IPs are registered in Russia. 
These accounts are probably also causing the increased network utilization on our server (4Mb/s in peaks).

Let me know if any other information could help you to find a way to fight against this. Do you have any recommendation on how to prevent these accounts from being created on our server? I would not like to implement CAPTCHA or IP filtering.


The only way I know is to disable iq:register and provide web-based registration only (with CAPTCHA). Well, of course, as Yann said, it is possible to improve in-band registration modules to support CAPTCHA, but there are too few clients supporting it. Also, a good approach is to register one account per confirmation email. My bad, but we don't have such a feature on jabber.ru :( Seems like it is time to implement it...



-- 
Regards, 
Evgeniy Khramtsov, ProcessOne. 
xmpp:xram at jabber.ru.






-- 
Nikolaus Polak - http://nplog.0nl1ne.at - smtp&xmpp: nik at linuxlovers.at 
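
Added example, not part of the original messages and not ejabberd's own code: a small Python model of the registration rule quoted above, showing what the two corrections in Peter's follow-up change. It assumes Python's `re` behaves like ejabberd's regexp matching for these two patterns, that the first matching entry of an access rule wins, and that an ACL name with no definition matches nobody; `evaluate`, `decisions` and the sample usernames (other than the bot name quoted in the thread) are constructed for illustration.

```python
import re

# Simplified model of ACL evaluation (an assumption, not ejabberd code):
# an access rule is an ordered list of (action, acl_name); the first entry
# that matches wins; "all" always matches; an undefined ACL matches nobody.
def evaluate(acls, rule, user):
    for action, acl_name in rule:
        if acl_name == "all":
            return action
        pattern = acls.get(acl_name)
        if pattern is not None and re.search(pattern, user):
            return action
    return "deny"

CHAR_CLASS = r"^[40tman_rullez,ws_conference_jabber_ru]"   # as first posted
ALTERNATION = r"^(40tman_rullez|ws_conference_jabber_ru)"  # as corrected

CONFIGS = {
    # ACL is named jabber_sk_bad_users, but the rule refers to bad_users
    "as_posted": ({"jabber_sk_bad_users": CHAR_CLASS},
                  [("deny", "bad_users"), ("allow", "all")]),
    # ACL name fixed, regexp still a bracketed character class
    "name_fixed_only": ({"jabber_sk_bad_users": CHAR_CLASS},
                        [("deny", "jabber_sk_bad_users"), ("allow", "all")]),
    # both corrections from the follow-up applied
    "corrected": ({"jabber_sk_bad_users": ALTERNATION},
                  [("deny", "jabber_sk_bad_users"), ("allow", "all")]),
}

# Constructed usernames; the second one is the bot name quoted in the thread.
USERS = ["40tman_rullez123", "ws_conference_jabber_ru41odk__n",
         "alice", "peter"]

def decisions(config_name):
    """Return {username: "allow" | "deny"} for one configuration."""
    acls, rule = CONFIGS[config_name]
    return {user: evaluate(acls, rule, user) for user in USERS}

if __name__ == "__main__":
    for name in CONFIGS:
        print(name)
        for user, action in decisions(name).items():
            print(f"  {user:34} {action}")
```

With the bracketed pattern the rule matches any username whose first character is one of the listed characters, so ordinary names such as "alice" are refused along with the bot names; the alternation refuses only the two prefixes.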
