[Operators] XMPP DDoS on yax.im today
drixter at e-utp.net
Wed Aug 31 15:11:36 UTC 2016
The provided information then should be exchanged between trusted people, like admins on that mailing list.
The blackholing is better word than RBL-alike.
I'll think about it.
Marcin Gondek / Drixter
From: Rafal Zawadzki [mailto:bluszcz at bluszcz.net]
Sent: Wednesday, August 31, 2016 5:05 PM
To: Marcin Gondek <drixter at e-utp.net>
Cc: XMPP Operators Group <operators at xmpp.org>
Subject: Re: [Operators] XMPP DDoS on yax.im today
I am also getting spam about russian silk road. Maybe some spamassasing / bogofilter alike solution?
I was considering for a moment block all non ascii - cyrylica messages, but this sounds too thick
Marcin Gondek – Wed., 31. August 2016 17:00
> Maybe we should think about some antispam feature for XMPP.
> Like RBL but for for pattern user at domain.tld or so, or public ban list where admins can submit information to inform others?
> Marcin Gondek / Drixter
> -----Original Message-----
> From: Operators [mailto:operators-bounces at xmpp.org] On Behalf Of Georg Lukas
> Sent: Tuesday, August 30, 2016 2:50 PM
> To: operators at xmpp.org
> Subject: Re: [Operators] XMPP DDoS on yax.im today
> Hello again,
> first, thanks to everybody who contacted me off-list to resolve spam issues.
> A new DDoS is going on for two hours now, now from 155 different domains (most of which are on yesterday's list). First I wondered if I should publicize additional findings here, but apparently the spammers aren't reading (or are ignorant idiots (or both)), so here it comes:
> 1. the accounts are registered via open proxies (all of the registration
> IPs I found so far are on proxies.dnsbl.sorbs.net, other RBLs are
> less optimal)
> 2. the accounts do not log in immediately after registration, they are
> registered in bulk and sit idle for multiple days before first use
> 3. as I don't log login IPs, I can't tell where the actual traffic comes
> 4. because many account names follow a specific pattern, you can
> block/throttle outgoing traffic
> For example, with prosody's mod_firewall I'm doing the following to block excess outgoing traffic:
> --- snip ---
> ORIGIN_MARKED: spammer (600s)
> %RATE normal: 10 (burst 5)
> FROM: <<[a-z][a-z][a-z][a-z]*[._-]?[a-z][a-z][a-z][a-z]*[0-9][0-9][0-9][0-9][0-9]+>>@yax.im
> LIMIT: normal
> --- snap ---
> (the regex isn't 100% precise and the rule isn't too strict, but seems to work sufficiently well)
> || op-co.de ++ GCS d--(++) s: a C+++ UL+++ !P L+++ !E W+++ N ++
> || gpg: 0x962FD2DE || o? K- w---() O M V? PS+ PE-- Y++ PGP+ t+ 5 R+ ||
> || Ge0rG: euIRCnet || X(+++) tv+ b+(++) DI+++ D- G e++++ h- r++ y? ||
> ++ IRCnet OFTC OPN ||_________________________________________________||
More information about the Operators