[Operators] Source of the JIDs being spammed? -- Re: Suspicion of Jabbim services being hacked

casper casper at systemli.org
Thu Dec 31 12:12:55 UTC 2015


I suspect vjud-search is also a problem in this context.

> but sometimes you want to say something to someone once without giving them
> all your presence. And spammers will likely turn to spamming with
> subscription requests instead, as reported by Google a
> couple of years ago.

I think this will not be possible in the long term. All modern
messengers are doing it differently. Requiring proof-of-work for a
subscription would certainly be a good idea, but it would break the current protocol.

casper // systemli.org

On 30.12.2015 22:19, Jan Pinkas wrote:
> Hi Kim,
> it doesn't look like we are the only source of data... From Jabbim, the
> users table from the ejabberd database leaked... Not the rosters of our users. And spam
> was received by the newest accounts and my testing accounts too.
> 
> 1. Maybe more servers were hacked (and the hack was not reported)
> 2. Some web page crawlers check not only for e-mails but maybe also for
> SRV records of crawled "e-mail addresses"
> 
> Example: zash at zash.se
> 
> zash.se dns info:
> 
>    IP address(es) - 85.11.25.66
> 
>    XMPP server - sphyrna.zash.se:5269
> 
>    XMPP client - sphyrna.zash.se:5222
> 
> Hey, this is a JID.
> 
> 
> 3. Generating JIDs from dictionaries; servers do not report an error if the
> address exists and the server supports offline messages.
> 
> The problem is this: bad guys from Russia are using XMPP. And this type of
> (actual) spam wave has a good CTR.
> 
> Best regards,
> Pinky, Jabbim
> 
> 2015-12-23 18:10 GMT+01:00 Kim Alvefur <zash at zash.se>:
> 
>     On 2014-12-19 15:24, Peter Viskup wrote:
>     > Hi all,
>     > thought it would be interesting to the audience of this mailing list.
>     >
>     > http://pinky.jabb.im/2014/12/jabbim-bezpecnostni-problem-security.html
>     >
>     > Best regards,
>     >
> 
>     Someone suggested that JIDs leaked in this incident might be what fueled
>     the recent directed spam wave. I had actually forgotten this thread, but
>     found it again after some searching.
> 
>     The original thread went on to discuss SCRAM for password security, but
>     gave no thought to what else of value might have leaked. Since everyone
>     seems to have been hit by spam, even people who don't have their JIDs
>     posted on wiki.xmpp.org, some kind of
>     compromise seems very likely, and
>     the jabbim one might be it (or at least one possible source).
> 
>     So what can we do?  I suspect anything that has any effect will come at
>     a price.
> 
>     We could start requiring presence subscriptions for sending messages,
>     which would decrease the value of just having a large list of JIDs, but
>     sometimes you want to say something to someone once without giving them
>     all your presence.  And spammers will likely turn to spamming with
>     subscription requests instead, as reported by Google a couple of
>     years ago.
> 
>     --
>     Kim "Zash" Alvefur
> 
> 

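To make point 3 of Pinky's message and Kim's subscription idea concrete, here is an added example that is not part of this thread or of any XMPP server's code: a small Python model of how a server answers messages to local JIDs, showing the existence leak beside a uniform-response variant and a subscription-gated variant. All JIDs, the roster and the probe sender are constructed sample data.

```python
from dataclasses import dataclass, field

@dataclass
class LocalUser:
    offline_queue: list = field(default_factory=list)
    subscribers: set = field(default_factory=set)    # bare JIDs holding a presence subscription

@dataclass
class Server:
    users: dict                          # bare JID -> LocalUser (constructed sample data)
    leak_existence: bool = True          # the behaviour point 3 describes
    require_subscription: bool = False   # Kim's proposed mitigation

    def handle_message(self, sender: str, to: str, body: str) -> str:
        """Return what the sender observes: 'error' (stanza error) or 'silent' (nothing)."""
        user = self.users.get(to)
        if user is None:
            # Bouncing unknown JIDs with an error while existing-but-offline users
            # produce nothing tells a dictionary-based prober which JIDs exist.
            # A hardened server answers both cases identically.
            return "error" if self.leak_existence else "silent"
        if self.require_subscription and sender not in user.subscribers:
            # Unsubscribed senders get exactly the unknown-recipient response,
            # so a harvested JID list alone no longer delivers spam.
            return "error" if self.leak_existence else "silent"
        user.offline_queue.append((sender, body))    # offline storage; no error to sender
        return "silent"

def leaks_existence(server: Server, existing: str, missing: str) -> bool:
    """Defender self-check: does an existing (offline) JID answer differently from a missing one?"""
    probe = "stranger@example.net"    # hypothetical unsubscribed sender
    return server.handle_message(probe, existing, "?") != server.handle_message(probe, missing, "?")

def build_sample() -> dict:
    """Constructed roster: only bob holds a presence subscription to alice."""
    return {"alice@example.org": LocalUser(subscribers={"bob@example.org"})}

if __name__ == "__main__":
    for label, srv in [("leaky", Server(build_sample())),
                       ("uniform", Server(build_sample(), leak_existence=False)),
                       ("gated", Server(build_sample(), require_subscription=True))]:
        print(label, "leaks existence:", leaks_existence(srv, "alice@example.org", "nobody@example.org"))
```

The gated variant still bounces strangers with an error, yet leaks nothing, because an existing JID and a missing one now answer the same way to anyone without a subscription.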
