[Operators] Source of the JIDs being spammed? -- Re: Suspicion of Jabbim services being hacked

Jan Pinkas pinkas at humboldtec.cz
Wed Dec 30 21:19:42 UTC 2015


Hi Kim,
its not look like we are only one source of data... From Jabbim leaked
users table from ejabberd database... Not rosters of our users. And spam
was received too to newest accounts and my testing accounts.

1. Maybe more servers was hacked (and hack was not reported)
2. Some web pages crawler check not only for emails but maybe too for SRV
records crawled "e-mail addresses"

Example: zash at zash.se

zash.se dns info:

   IP address(es) - 85.11.25.66

   XMPP server - sphyrna.zash.se:5269

   XMPP client - sphyrna.zash.se:5222
Hey, this is JID.


3.  Generating JIDs from dictionaries, servers not reporting error, if
address exist and server supports offline messages.

Problem is one: Bad guys from Russia are using XMPP. And this type of
(actual) spam wave have good CTR.

Best regards,
Pinky, Jabbim

2015-12-23 18:10 GMT+01:00 Kim Alvefur <zash at zash.se>:

> On 2014-12-19 15:24, Peter Viskup wrote:
> > Hi all,
> > thought it would be interesting to the audience of this mailinglist.
> >
> > http://pinky.jabb.im/2014/12/jabbim-bezpecnostni-problem-security.html
> >
> > Best regards,
> >
>
> Someone suggested that JIDs leaked in this incident might be what fueled
> the recent directed spam wave. I had actually forgotten this thread, but
> found it again after some searching.
>
> The original thread went on to discuss SCRAM for password security, but
> gave no thought to what else of value might have leaked. Since everyone
> seems to have been hit by spam, even people who don't have their JIDs
> posted on wiki.xmpp.org, some kind of compromise seems very likely, and
> the jabbim one might be it (or at least one possible source).
>
> So what can we do?  I suspect anything that has any effect will come at
> a price.
>
> We could start requiring presence subscriptions for sending messages,
> which would decrease the value of just having a large list of JIDs, but
> sometimes you want to say something to someone once without giving them
> all your presence.  And spammers will likely turn to spamming with
> subscription requests instead, as reported by Google a couple of years ago.
>
> --
> Kim "Zash" Alvefur
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.jabber.org/pipermail/operators/attachments/20151230/68e0a47b/attachment.html>


More information about the Operators mailing list