Hi Kim, its not look like we are only one source of data... From Jabbim leaked users table from ejabberd database... Not rosters of our users. And spam was received too to newest accounts and my testing accounts.
1. Maybe more servers was hacked (and hack was not reported) 2. Some web pages crawler check not only for emails but maybe too for SRV records crawled "e-mail addresses" Example: [email protected] zash.se dns info: IP address(es) - 85.11.25.66 XMPP server - sphyrna.zash.se:5269 XMPP client - sphyrna.zash.se:5222 Hey, this is JID. 3. Generating JIDs from dictionaries, servers not reporting error, if address exist and server supports offline messages. Problem is one: Bad guys from Russia are using XMPP. And this type of (actual) spam wave have good CTR. Best regards, Pinky, Jabbim 2015-12-23 18:10 GMT+01:00 Kim Alvefur <[email protected]>: > On 2014-12-19 15:24, Peter Viskup wrote: > > Hi all, > > thought it would be interesting to the audience of this mailinglist. > > > > http://pinky.jabb.im/2014/12/jabbim-bezpecnostni-problem-security.html > > > > Best regards, > > > > Someone suggested that JIDs leaked in this incident might be what fueled > the recent directed spam wave. I had actually forgotten this thread, but > found it again after some searching. > > The original thread went on to discuss SCRAM for password security, but > gave no thought to what else of value might have leaked. Since everyone > seems to have been hit by spam, even people who don't have their JIDs > posted on wiki.xmpp.org, some kind of compromise seems very likely, and > the jabbim one might be it (or at least one possible source). > > So what can we do? I suspect anything that has any effect will come at > a price. > > We could start requiring presence subscriptions for sending messages, > which would decrease the value of just having a large list of JIDs, but > sometimes you want to say something to someone once without giving them > all your presence. And spammers will likely turn to spamming with > subscription requests instead, as reported by Google a couple of years ago. > > -- > Kim "Zash" Alvefur > >
