[Operators] XMPP DDoS on yax.im today

Marcin Gondek drixter at e-utp.net
Wed Aug 31 15:11:36 UTC 2016


Hi,

The provided information should then be exchanged between trusted people, like admins on that mailing list.

Blackholing is a better word than RBL-alike.

I'll think about it.

Regards.


-- 
Marcin Gondek / Drixter
http://fido.e-utp.net/
AS56662

-----Original Message-----
From: Rafal Zawadzki [mailto:bluszcz at bluszcz.net] 
Sent: Wednesday, August 31, 2016 5:05 PM
To: Marcin Gondek <drixter at e-utp.net>
Cc: XMPP Operators Group <operators at xmpp.org>
Subject: Re: [Operators] XMPP DDoS on yax.im today


I am also getting spam about Russian Silk Road. Maybe some spamassassin / bogofilter-alike solution?

I was considering for a moment blocking all non-ASCII (Cyrillic) messages, but this sounds too thick


Marcin Gondek – Wed., 31. August 2016 17:00
> Hi,
> 
> Maybe we should think about some antispam feature for XMPP.
> 
> Like RBL but for for pattern user at domain.tld or so, or public ban list where admins can submit information to inform others?
> 
> Regards.
> 
> 
> -- 
> Marcin Gondek / Drixter
> fido.e-utp.net/
> AS56662
> 
> -----Original Message-----
> From: Operators [mailto:operators-bounces at xmpp.org] On Behalf Of Georg Lukas
> Sent: Tuesday, August 30, 2016 2:50 PM
> To: operators at xmpp.org
> Subject: Re: [Operators] XMPP DDoS on yax.im today
> 
> Hello again,
> 
> first, thanks to everybody who contacted me off-list to resolve spam issues.
> 
> A new DDoS is going on for two hours now, now from 155 different domains (most of which are on yesterday's list). First I wondered if I should publicize additional findings here, but apparently the spammers aren't reading (or are ignorant idiots (or both)), so here it comes:
> 
> 1. the accounts are registered via open proxies (all of the registration
>    IPs I found so far are on proxies.dnsbl.sorbs.net, other RBLs are
>    less optimal)
> 
> 2. the accounts do not log in immediately after registration, they are
>    registered in bulk and sit idle for multiple days before first use
> 
> 3. as I don't log login IPs, I can't tell where the actual traffic comes
>    from
> 
> 4. because many account names follow a specific pattern, you can
>    block/throttle outgoing traffic
> 
> For example, with prosody's mod_firewall I'm doing the following to block excess outgoing traffic:
> 
> --- snip ---
> ::preroute
> 
> ORIGIN_MARKED: spammer (600s)
> DROP.
> 
> %RATE normal: 10 (burst 5)
> 
> FROM: <<[a-z][a-z][a-z][a-z]*[._-]?[a-z][a-z][a-z][a-z]*[0-9][0-9][0-9][0-9][0-9]+>>@yax.im
> LIMIT: normal
> MARK_ORIGIN=spammer
> --- snap ---
> (the regex isn't 100% precise and the rule isn't too strict, but seems to work sufficiently well)
> 
> 
> Georg
> -- 
> || op-co.de ++  GCS d--(++) s: a C+++ UL+++ !P L+++ !E W+++ N  ++
> || gpg: 0x962FD2DE ||  o? K- w---() O M V? PS+ PE-- Y++ PGP+ t+ 5 R+  ||
> || Ge0rG: euIRCnet ||  X(+++) tv+ b+(++) DI+++ D- G e++++ h- r++ y?   ||
> ++ IRCnet OFTC OPN ||_________________________________________________||
> 
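
Added example (editor's addition, not code from the list or from mod_firewall): a Python model of the three-rule preroute chain Georg quotes above, plus the DNSBL query-name construction behind his point 1. It assumes that `%RATE normal: 10 (burst 5)` behaves as a token bucket refilling 10 tokens per second with at most 5 stored, that `LIMIT:` is true once the limit is exceeded, and that a stanza which merely trips `MARK_ORIGIN` continues while later stanzas from that origin are caught by the `ORIGIN_MARKED ... DROP.` rule. The JIDs, timestamps and the 192.0.2.10 address are constructed sample inputs; the DNSBL function only builds the name to resolve and performs no lookup.

```python
import re
from collections import defaultdict

# Regex transcribed from the FROM: rule in Georg's mod_firewall snippet:
# 4+ lowercase letters, optional [._-] separator, 4+ letters, 5+ digits.
SPAM_LOCALPART = re.compile(r"^[a-z]{4,}[._-]?[a-z]{4,}[0-9]{5,}$")
SERVED_DOMAIN = "yax.im"  # the domain in the FROM: rule


def matches_pattern(jid: str) -> bool:
    """True if the bare JID is on our domain and its local part fits the pattern."""
    local, sep, domain = jid.partition("@")
    return bool(sep) and domain == SERVED_DOMAIN and SPAM_LOCALPART.match(local) is not None


class TokenBucket:
    """Per-sender bucket standing in for '%RATE normal: 10 (burst 5)'.
    Assumption: 'rate' tokens per second, at most 'burst' stored."""

    def __init__(self, rate: float, burst: int) -> None:
        self.rate, self.burst = rate, burst
        self.tokens = float(burst)
        self.last = None

    def allow(self, now: float) -> bool:
        if self.last is not None:
            self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class OutboundFilter:
    """Model of the preroute chain: marked origins are dropped for 600s;
    pattern-matching senders that exceed the 'normal' limit get marked."""

    def __init__(self, rate: float = 10.0, burst: int = 5, mark_seconds: float = 600.0) -> None:
        self.mark_seconds = mark_seconds
        self.buckets = defaultdict(lambda: TokenBucket(rate, burst))
        self.marked_until = {}  # sender -> timestamp the mark expires

    def decide(self, sender: str, now: float) -> str:
        # Rule 1: ORIGIN_MARKED: spammer (600s) -> DROP.
        if now < self.marked_until.get(sender, float("-inf")):
            return "drop"
        # Rule 2: FROM pattern, LIMIT: normal (true once the limit is exceeded)
        #         -> MARK_ORIGIN=spammer. Assumption: the triggering stanza is
        #         not dropped by this rule; later ones are caught by rule 1.
        if matches_pattern(sender) and not self.buckets[sender].allow(now):
            self.marked_until[sender] = now + self.mark_seconds
            return "mark"
        return "pass"


def simulate(sender: str, timestamps) -> list:
    """Run one sender's outbound stanzas (constructed timestamps) through a fresh filter."""
    f = OutboundFilter()
    return [f.decide(sender, t) for t in timestamps]


def dnsbl_query_name(ipv4: str, zone: str = "proxies.dnsbl.sorbs.net") -> str:
    """Name to resolve when checking a registration IP against a DNSBL
    (Georg's point 1): octets reversed, then the list zone. No lookup is done."""
    octets = ipv4.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ipv4!r}")
    return ".".join(reversed(octets)) + "." + zone


if __name__ == "__main__":
    burst = [i * 0.001 for i in range(7)]  # seven stanzas 1 ms apart (constructed)
    print(simulate("johnsmith_abcdef12345@yax.im", burst))  # constructed pattern-matching JID
    print(simulate("alice@yax.im", burst))  # ordinary account, never limited
    print(dnsbl_query_name("192.0.2.10"))  # 192.0.2.0/24 is documentation address space
```

With the constructed 1 ms spacing, the pattern-matching sender gets its first five stanzas through (the burst), is marked on the sixth, and is dropped from the seventh onward until the 600 s mark expires; an ordinary local part never touches the bucket, which is why the rule only costs the accounts that look bulk-registered.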

