[Operators] Source of the JIDs being spammed? -- Re: Suspicion of Jabbim services being hacked

Jan Pinkas pinkas at humboldtec.cz
Thu Dec 31 14:39:52 UTC 2015


Hi Casper, yes. And maybe the rosters of the hacked accounts were downloaded. In
Russia there was malware active for stealing XMPP passwords in many clients (Psi,
Miranda, Pidgin...). And we have a problem with brute-force password
cracking, but we slow this type of attack on the load balancers (fail2ban).

Best regards,
pinky, Jabbim

2015-12-31 13:12 GMT+01:00 casper <casper at systemli.org>:

> I suspect vjud-search is also a problem in this context.
>
> > but sometimes you want to say something to someone once without giving
> > them all your presence. And spammers will likely turn to spamming with
> > subscription requests instead, as reported by Google a
> > couple of years ago.
>
> I think this will not be possible in the long term. All modern
> messengers are doing it differently. Requiring proof-of-work for a
> subscription would certainly be a good idea, but would break the current
> protocol.
>
> casper // systemli.org
>
> On 30.12.2015 22:19, Jan Pinkas wrote:
> > Hi Kim,
> > it does not look like we are the only source of data... From Jabbim, the
> > users table from the ejabberd database leaked... Not the rosters of our users. And spam
> > was received also by the newest accounts and my testing accounts.
> >
> > 1. Maybe more servers were hacked (and the hack was not reported)
> > 2. Some web page crawlers check not only for e-mails but maybe also for the
> > SRV records of the crawled "e-mail addresses"
> >
> > Example: zash at zash.se
> >
> > zash.se dns info:
> >
> >    IP address(es) - 85.11.25.66
> >
> >    XMPP server - sphyrna.zash.se:5269
> >
> >    XMPP client - sphyrna.zash.se:5222
> >
> > Hey, this is a JID.
> >
> >
> > 3. Generating JIDs from dictionaries; servers do not report an error if the
> > address exists and the server supports offline messages.
> >
> > The problem is one: bad guys from Russia are using XMPP. And this type of
> > (actual) spam wave has a good CTR.
> >
> > Best regards,
> > Pinky, Jabbim
> >
> > 2015-12-23 18:10 GMT+01:00 Kim Alvefur <zash at zash.se>:
> >
> >     On 2014-12-19 15:24, Peter Viskup wrote:
> >     > Hi all,
> >     > thought it would be interesting to the audience of this mailing list.
> >     >
> >     > http://pinky.jabb.im/2014/12/jabbim-bezpecnostni-problem-security.html
> >     >
> >     > Best regards,
> >     >
> >
> >     Someone suggested that JIDs leaked in this incident might be what fueled
> >     the recent directed spam wave. I had actually forgotten this thread, but
> >     found it again after some searching.
> >
> >     The original thread went on to discuss SCRAM for password security, but
> >     gave no thought to what else of value might have leaked. Since everyone
> >     seems to have been hit by spam, even people who don't have their JIDs
> >     posted on wiki.xmpp.org, some kind of
> >     compromise seems very likely, and
> >     the jabbim one might be it (or at least one possible source).
> >
> >     So what can we do?  I suspect anything that has any effect will come at
> >     a price.
> >
> >     We could start requiring presence subscriptions for sending messages,
> >     which would decrease the value of just having a large list of JIDs, but
> >     sometimes you want to say something to someone once without giving them
> >     all your presence.  And spammers will likely turn to spamming with
> >     subscription requests instead, as reported by Google a couple of
> >     years ago.
> >
> >     --
> >     Kim "Zash" Alvefur
> >
> >
>
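As an added example (not code from this thread, from Jabbim, or from ejabberd/fail2ban): the fail2ban-style throttling pinky describes for brute-force logins comes down to counting authentication failures per source address inside a sliding time window and acting once a threshold is crossed. The log line format, the addresses and accounts, and the `maxretry`/`window` parameter names below are all constructed for illustration and do not correspond to any real server's output or any real jail configuration. The example also records how many distinct accounts a source hit, which separates password spraying across many JIDs (the pattern that a leaked users table would enable) from repeated attempts against one account.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines in a made-up format (not any real server's
# output): one source hammers many accounts within seconds, another fails a
# few times spread over a longer period and should stay under the threshold.
SAMPLE_LOG = """\
2015-12-31 14:00:01 auth_failed user=alice@example.org ip=203.0.113.10
2015-12-31 14:00:02 auth_failed user=bob@example.org ip=203.0.113.10
2015-12-31 14:00:03 auth_failed user=carol@example.org ip=203.0.113.10
2015-12-31 14:00:04 auth_failed user=dave@example.org ip=203.0.113.10
2015-12-31 14:00:05 auth_failed user=erin@example.org ip=203.0.113.10
2015-12-31 14:00:06 auth_ok user=frank@example.org ip=198.51.100.7
2015-12-31 14:00:07 auth_failed user=frank@example.org ip=198.51.100.7
2015-12-31 14:20:00 auth_failed user=grace@example.org ip=198.51.100.7
2015-12-31 14:20:01 auth_failed user=heidi@example.org ip=198.51.100.7
2015-12-31 14:20:02 auth_failed user=ivan@example.org ip=198.51.100.7
2015-12-31 14:20:03 auth_failed user=judy@example.org ip=198.51.100.7
"""

# Matches only the (hypothetical) auth_failed lines; everything else is ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) auth_failed "
    r"user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)


def parse_failures(text):
    """Yield (timestamp, user, ip) for every auth_failed line in text."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
            yield ts, m.group("user"), m.group("ip")


def find_bans(text, maxretry=5, window=timedelta(minutes=10)):
    """Return {ip: (ban_time, distinct_users)} for each source that reaches
    maxretry failures within a sliding window of the given length.

    This is the maxretry/findtime idea behind fail2ban, reimplemented here;
    the parameter names are this example's own, not fail2ban's config keys.
    distinct_users counts how many different accounts the source tried inside
    the window at the moment the threshold was reached.
    """
    recent = defaultdict(deque)  # ip -> deque of (timestamp, user) inside window
    bans = {}
    for ts, user, ip in parse_failures(text):
        q = recent[ip]
        q.append((ts, user))
        # Evict failures older than the window relative to the newest one.
        while q and ts - q[0][0] > window:
            q.popleft()
        if len(q) >= maxretry and ip not in bans:
            bans[ip] = (ts, len({u for _, u in q}))
    return bans


if __name__ == "__main__":
    for ip, (when, users) in find_bans(SAMPLE_LOG).items():
        print(f"ban {ip} at {when:%H:%M:%S} ({users} distinct accounts targeted)")
```

With the defaults, only 203.0.113.10 is banned (five failures inside five seconds, five distinct accounts); 198.51.100.7 never has five failures within any ten-minute window because its first failure has aged out before the later burst. Lowering `maxretry` to 4 catches the second source as well, which is the usual tuning trade-off between catching slow sprays and locking out users who mistype a password a few times.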