[Operators] XMPP DDoS on yax.im today

Georg Lukas georg at op-co.de
Tue Aug 30 12:50:20 UTC 2016


Hello again,

first, thanks to everybody who contacted me off-list to resolve spam
issues.

A new DDoS has been going on for two hours now, this time from 155 different
domains (most of which are on yesterday's list). First I wondered if I should
publicize additional findings here, but apparently the spammers aren't
reading (or are ignorant idiots (or both)), so here it comes:

1. the accounts are registered via open proxies (all of the registration
   IPs I found so far are on proxies.dnsbl.sorbs.net, other RBLs are
   less optimal)

2. the accounts do not log in immediately after registration, they are
   registered in bulk and sit idle for multiple days before first use

3. as I don't log login IPs, I can't tell where the actual traffic comes
   from

4. because many account names follow a specific pattern, you can
   block/throttle outgoing traffic

For example, with prosody's mod_firewall I'm doing the following to
block excess outgoing traffic:

--- snip ---
::preroute

# anything from an origin marked "spammer" within the last 600s is dropped
ORIGIN_MARKED: spammer (600s)
DROP.

# 10 stanzas per second on average, bursts of up to 5
%RATE normal: 10 (burst 5)

# sender matches the bulk-registration naming pattern and exceeds the rate:
# mark the origin (this stanza still passes; the following ones are dropped)
FROM: <<[a-z][a-z][a-z][a-z]*[._-]?[a-z][a-z][a-z][a-z]*[0-9][0-9][0-9][0-9][0-9]+>>@yax.im
LIMIT: normal
MARK_ORIGIN=spammer
--- snap ---
(the regex isn't 100% precise and the rule isn't too strict, but seems
to work sufficiently well)


Georg
-- 
|| http://op-co.de ++  GCS d--(++) s: a C+++ UL+++ !P L+++ !E W+++ N  ++
|| gpg: 0x962FD2DE ||  o? K- w---() O M V? PS+ PE-- Y++ PGP+ t+ 5 R+  ||
|| Ge0rG: euIRCnet ||  X(+++) tv+ b+(++) DI+++ D- G e++++ h- r++ y?   ||
++ IRCnet OFTC OPN ||_________________________________________________||
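The two checks from the message above, as an added example (not Georg's code and not Prosody or mod_firewall code): the DNSBL lookup used to test registration IPs against proxies.dnsbl.sorbs.net, and the posted ::preroute rule (pattern match, rate limit, mark origin for 600s, drop while marked) re-expressed as a token bucket so it can be run over a constructed stanza stream. The resolver is injected so the block runs offline; the regex is the Lua pattern translated to Python syntax and searched unanchored, which is my reading of a bare Lua pattern; a single bucket shared by all matching senders is likewise an assumption about the %RATE semantics. All names and the sample traffic are the example's own.

```python
"""Added example: offline models of the DNSBL check and the mod_firewall rule
from the post. Not Prosody/mod_firewall code; names and data are constructed."""
import ipaddress
import re

DNSBL_ZONE = "proxies.dnsbl.sorbs.net"  # the RBL named in the post


def dnsbl_query_name(ip, zone=DNSBL_ZONE):
    """Build the DNSBL query name: reversed IPv4 octets followed by the zone."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on anything but IPv4
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def is_listed(ip, resolve, zone=DNSBL_ZONE):
    """resolve(name) returns the A records for name, or [] when it does not
    exist (NXDOMAIN). Injected so this runs offline; a real resolver would wrap
    socket.gethostbyname and map socket.gaierror to []."""
    return bool(resolve(dnsbl_query_name(ip, zone)))


# The Lua pattern from the rule as a Python regex. Lua patterns have no {n,}
# quantifier, hence [a-z][a-z][a-z][a-z]* in the original. Assumption: a bare
# Lua pattern is unanchored, so re.search is the equivalent here.
SPAM_JID = re.compile(r"[a-z]{3,}[._-]?[a-z]{3,}[0-9]{5,}@yax\.im")


def looks_like_spam_account(jid):
    return SPAM_JID.search(jid) is not None


class TokenBucket:
    """%RATE normal: 10 (burst 5): 10 tokens/s refilled, at most 5 stored."""

    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens = float(burst)
        self.last = None

    def exceeded(self, now):
        """True when no token is left, i.e. the LIMIT: condition matches."""
        if self.last is not None:
            self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return False
        return True


class Firewall:
    """Model of the posted ::preroute chain. One bucket shared by every
    matching sender (assumption about how %RATE is scoped)."""

    def __init__(self, rate=10, burst=5, mark_ttl=600):
        self.bucket = TokenBucket(rate, burst)
        self.mark_ttl = mark_ttl
        self.marked = {}  # origin -> time at which the "spammer" mark expires

    def preroute(self, origin, from_jid, now):
        # Rule 1: ORIGIN_MARKED: spammer (600s) -> DROP.
        if self.marked.get(origin, 0) > now:
            return "DROP"
        # Rule 2: FROM matches the pattern and LIMIT is exceeded -> MARK_ORIGIN.
        # Marking does not stop the stanza; with no further rules it passes.
        if looks_like_spam_account(from_jid) and self.bucket.exceeded(now):
            self.marked[origin] = now + self.mark_ttl
        return "PASS"


def run_stream(events, fw=None):
    """events: list of (time, origin, from_jid); returns one decision per event."""
    fw = fw or Firewall()
    return [fw.preroute(origin, jid, t) for t, origin, jid in events]


# Constructed sample traffic (not real data): one bulk-pattern account bursting
# six stanzas at once, an ordinary user in between, then the spammer again
# one second later and after the 600s mark has expired.
SAMPLE = [(0.0, "s1", "abcd.efgh12345@yax.im")] * 6 + [
    (0.5, "s2", "alice@yax.im"),
    (1.0, "s1", "abcd.efgh12345@yax.im"),
    (700.0, "s1", "abcd.efgh12345@yax.im"),
]

if __name__ == "__main__":
    for event, decision in zip(SAMPLE, run_stream(SAMPLE)):
        print(event, decision)
```

Running it shows the behaviour the rule implies: the first five stanzas pass on stored tokens, the sixth empties the bucket and marks the origin but is still delivered, the one a second later is dropped, and after the mark expires the account is back to normal handling. Swapping the stub resolver for a real DNS lookup turns is_listed into the registration-time check from item 1.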