[Operators] XMPP DDoS on yax.im today
Marcin Gondek
drixter at e-utp.net
Wed Aug 31 14:59:23 UTC 2016
Hi,
Maybe we should think about some antispam feature for XMPP.
Like an RBL but for the pattern user at domain.tld or so, or a public ban list where admins can submit information to inform others?
Regards.
--
Marcin Gondek / Drixter
http://fido.e-utp.net/
AS56662
-----Original Message-----
From: Operators [mailto:operators-bounces at xmpp.org] On Behalf Of Georg Lukas
Sent: Tuesday, August 30, 2016 2:50 PM
To: operators at xmpp.org
Subject: Re: [Operators] XMPP DDoS on yax.im today
Hello again,
first, thanks to everybody who contacted me off-list to resolve spam issues.
A new DDoS is going on for two hours now, now from 155 different domains (most of which are on yesterday's list). First I wondered if I should publicize additional findings here, but apparently the spammers aren't reading (or are ignorant idiots (or both)), so here it comes:
1. the accounts are registered via open proxies (all of the registration IPs I found so far are on proxies.dnsbl.sorbs.net, other RBLs are less optimal)
2. the accounts do not log in immediately after registration, they are registered in bulk and sit idle for multiple days before first use
3. as I don't log login IPs, I can't tell where the actual traffic comes from
4. because many account names follow a specific pattern, you can block/throttle outgoing traffic
For example, with prosody's mod_firewall I'm doing the following to block excess outgoing traffic:
--- snip ---
::preroute
ORIGIN_MARKED: spammer (600s)
DROP.

%RATE normal: 10 (burst 5)

FROM: <<[a-z][a-z][a-z][a-z]*[._-]?[a-z][a-z][a-z][a-z]*[0-9][0-9][0-9][0-9][0-9]+>>@yax.im
LIMIT: normal
MARK_ORIGIN=spammer
--- snap ---
(the regex isn't 100% precise and the rule isn't too strict, but seems to work sufficiently well)
Georg
--
|| http://op-co.de ++ GCS d--(++) s: a C+++ UL+++ !P L+++ !E W+++ N ++
|| gpg: 0x962FD2DE || o? K- w---() O M V? PS+ PE-- Y++ PGP+ t+ 5 R+ ||
|| Ge0rG: euIRCnet || X(+++) tv+ b+(++) DI+++ D- G e++++ h- r++ y? ||
++ IRCnet OFTC OPN ||_________________________________________________||