-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 2/20/12 10:19 AM, Jonas Ådahl wrote:
> On Mon, Feb 20, 2012 at 5:51 PM, Mathias Ertl <[email protected]>
> wrote:
>> Jonas,
>>
>> On 2012-02-20 17:41, Jonas Ådahl wrote:
>>> Today my server was bombarded with thousands of subscription
>>> requests from various different XMPP domains[0] resulting in it
>>> crashing. Also with these requests came identical messages[1].
>>> All of the accounts look like [random characters]@domain.com
>>> such as [email protected]. Seems like all of the
>>> requests were directed at one user.
>>
>> Is it possible to draw up a list of accounts that took part in
>> the attack and send those accounts to the corresponding
>> server-admins, at least if they are known?
>>
>
> Sadly no. I removed some files in order to get my gajim up and
> running, and did not make any backups. Anyhow, from what I could
> tell all of the accounts were 20 characters long and consisted only
> of random a-z and 0-9 characters. I put a very small portion of
> the accounts here: http://pastebin.com/b0NrDAEL that I recovered
> from my gajim message log. The list should be more like 6-7000 long
> instead of 54 however, but that's all I could find now.

Sorry to hear about this attack. This is yet more incentive for me to
finish working on the Incident Reporting spec:

http://xmpp.org/extensions/xep-0268.html

I would bet that all of the domains involved allow in-band
registration (IBR), probably without CAPTCHAs. IMHO we need to think
about controlling IBR more carefully.

Peter

- -- 
Peter Saint-Andre
https://stpeter.im/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk9EAoEACgkQNL8k5A2w/vxOTwCg7KyuBsIU0Xn6gMN491EIIqfp
EZ8An32KDdpOIVgk8A3xMGm6j6Fini/3
=69ow
-----END PGP SIGNATURE-----
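The pattern reported in this thread (many subscription requests aimed at one user, sent from 20-character a-z/0-9 accounts on several domains) can be matched in a server's stanza log. The sketch below is an added example, not code from anyone in the thread; the function names, the 60-second window, the threshold of 5 and the sample domains are all assumptions.

```python
import re
import xml.etree.ElementTree as ET
from collections import defaultdict, deque

# Localpart shape reported in the thread: 20 characters of a-z and 0-9.
RANDOM_LOCALPART = re.compile(r"[a-z0-9]{20}")

def bare_jid(jid):
    """Strip the resource part: user@domain/resource -> user@domain."""
    return jid.split("/", 1)[0].lower()

def is_suspect_sender(jid):
    local, sep, domain = bare_jid(jid).partition("@")
    return bool(sep and domain and RANDOM_LOCALPART.fullmatch(local))

def detect_subscription_flood(events, window=60.0, threshold=5):
    """events: iterable of (timestamp_seconds, stanza_xml) in time order.
    Returns {target bare JID: sorted sender domains} for each target that got
    at least `threshold` suspect subscribe requests within `window` seconds."""
    recent = defaultdict(deque)   # target -> deque of (timestamp, sender domain)
    flagged = {}
    for ts, xml in events:
        try:
            stanza = ET.fromstring(xml)  # use a hardened parser on untrusted logs
        except ET.ParseError:
            continue
        if stanza.tag.rsplit("}", 1)[-1] != "presence" or stanza.get("type") != "subscribe":
            continue
        sender, target = stanza.get("from", ""), stanza.get("to", "")
        if not target or not is_suspect_sender(sender):
            continue
        q = recent[bare_jid(target)]
        q.append((ts, bare_jid(sender).split("@", 1)[1]))
        while q and ts - q[0][0] > window:   # drop requests older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged.setdefault(bare_jid(target), set()).update(d for _, d in q)
    return {t: sorted(d) for t, d in flagged.items()}

def sample_events():
    """Constructed sample data; none of it comes from the thread's pastebin."""
    names = ["k3v9x0q2m7b1z8c5n4w%d" % i for i in range(6)]  # 20 characters each
    events = [(2.0 * i, '<presence from="%s@spam%d.example" to="victim@target.example" '
               'type="subscribe"/>' % (n, i % 3)) for i, n in enumerate(names)]
    events.append((11.0, '<presence from="alice@friend.example/laptop" to="victim@target.example" type="subscribe"/>'))
    return events

if __name__ == "__main__":
    print(detect_subscription_flood(sample_events()))
```

The list of sender domains in the result is what an admin would need in order to notify the corresponding server operators, as asked earlier in the thread.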
