Re: [Operators] Rosters flood

[Peter Viskup]

On 09/07/2010 05:59 AM, Evgeniy Khramtsov wrote:
Recently our SPAM filter on jabber.ru detected massive flood targeted 
users rosters. Sample spam jids:

40tman_rullezz_1z2...@gornyak.net
40tman_rullezz_ezz0054...@highsecure.ru
40tman_rullezz_zum6...@jabber.zs1.wroc.pl
40tman_rullezz_m8m...@deshalbfrei.org
40tman_rullezz_am...@jabber.ozerki.net
40tman_rullezz_on5b...@codingteam.net
40tman_rullezz_fi...@gornyak.net
40tman_rullezz_csb26...@jabba.mgw.pl
40tman_rullezz_5wra...@jabbers.org.ru
40tman_rullezz_59tv8w...@jabber.zs1.wroc.pl
40tman_rullezz_ii...@dominion.dn.ua
...

A complete list of JIDs: http://kuku.jabber.ru/~xram/40tman.log
Sorted by servers: http://kuku.jabber.ru/~xram/40tman-servers.log

Any idea how to fight against this?


I have evidence of these '40tman_rullez' accounts being created on 
jabber.sk server for last weeks.
Most of connections of '40tman_rullez' accounts are made from IPs 
188.168.78.102, 188.168.78.162, 81.177.33.11...

But there are also others e.g.:
ws_conference_jabber_ru41odk...@jabber.sk
Most of connections of 'ws_conference_jabber_ru' accounts are made from 
IPs 109.169.251.0, 82.146.63.108, 95.67.179.109...

All listed IPs are registered in Russia.
These accounts are probably causing also the increased network 
utilization on our server (4Mb/s in peaks).

Let me know if any other information could help you to find the way how 
to fight against this. Do you have any recommendation how to prevent 
these accounts to be created on our server? I do not like to implement 
CAPTCHA nor filtering IPs.

Regards,
--
Peter Viskup
xmpp: sku...@jabber.sk