Hi,

Maybe we should think about some antispam feature for XMPP.

Like RBL but for pattern [email protected] or so, or a public ban list where admins can submit information to inform others?

Regards.

--
Marcin Gondek / Drixter
http://fido.e-utp.net/
AS56662

-----Original Message-----
From: Operators [mailto:[email protected]] On Behalf Of Georg Lukas
Sent: Tuesday, August 30, 2016 2:50 PM
To: [email protected]
Subject: Re: [Operators] XMPP DDoS on yax.im today

Hello again,

first, thanks to everybody who contacted me off-list to resolve spam issues.

A new DDoS is going on for two hours now, now from 155 different domains (most of which are on yesterday's list).

First I wondered if I should publicize additional findings here, but apparently the spammers aren't reading (or are ignorant idiots (or both)), so here it comes:

1. the accounts are registered via open proxies (all of the registration IPs I found so far are on proxies.dnsbl.sorbs.net, other RBLs are less optimal)
2. the accounts do not log in immediately after registration; they are registered in bulk and sit idle for multiple days before first use
3. as I don't log login IPs, I can't tell where the actual traffic comes from
4. because many account names follow a specific pattern, you can block/throttle outgoing traffic

For example, with prosody's mod_firewall I'm doing the following to block excess outgoing traffic:

--- snip ---
::preroute
ORIGIN_MARKED: spammer (600s)
DROP.

%RATE normal: 10 (burst 5)

FROM: <<[a-z][a-z][a-z][a-z]*[._-]?[a-z][a-z][a-z][a-z]*[0-9][0-9][0-9][0-9][0-9]+>>@yax.im
LIMIT: normal
MARK_ORIGIN=spammer
--- snap ---

(the regex isn't 100% precise and the rule isn't too strict, but seems to work sufficiently well)

Georg
--
|| http://op-co.de || gpg: 0x962FD2DE ||
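To make the quoted mod_firewall rule concrete, here is an added Python model of it (not code from the thread or from prosody/mod_firewall). It assumes the rule's intended effect: senders at yax.im whose localpart matches the pattern share one bucket of 10 stanzas/s with a burst of 5; a stanza over the limit is dropped and its sender marked so that its stanzas are dropped for the next 600 s. The `OutboundThrottle` class, the `simulate` helper and all JIDs are constructed for this example.

```python
import re

# The mod_firewall pattern rewritten in Python regex syntax: 3+ letters, optional
# separator, 3+ letters, 5+ digits. Assumption: it is matched against the whole localpart.
SPAMMER_LOCALPART = re.compile(r"^[a-z]{3,}[._-]?[a-z]{3,}[0-9]{5,}$")
LOCAL_DOMAIN = "yax.im"


class OutboundThrottle:
    """Constructed approximation of the rule: one token bucket (rate/s, burst)
    shared by all matching senders; a sender that overruns it is marked and
    dropped for mark_ttl seconds. Not mod_firewall's own implementation."""

    def __init__(self, rate=10.0, burst=5, mark_ttl=600.0):
        self.rate, self.burst, self.mark_ttl = rate, burst, mark_ttl
        self.tokens = float(burst)   # bucket starts full
        self.last = None             # timestamp of the last refill
        self.marked = {}             # origin JID -> expiry timestamp of its mark

    def decide(self, from_jid, now):
        """Return the verdict ('PASS' or 'DROP') for an outgoing stanza."""
        local, _, domain = from_jid.partition("@")
        # Only local accounts with the suspicious naming pattern are subject to the rule.
        if domain != LOCAL_DOMAIN or not SPAMMER_LOCALPART.match(local):
            return "PASS"
        # ORIGIN_MARKED: spammer (600s) -> DROP
        if self.marked.get(from_jid, 0.0) > now:
            return "DROP"
        # Refill the shared bucket for the elapsed time, capped at the burst size.
        if self.last is not None:
            self.tokens = min(float(self.burst), self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return "PASS"
        # LIMIT exceeded: drop the stanza and MARK_ORIGIN=spammer for mark_ttl seconds.
        self.marked[from_jid] = now + self.mark_ttl
        return "DROP"


def simulate(events, throttle=None):
    """events: list of (timestamp, from_jid); returns one verdict per event."""
    throttle = throttle or OutboundThrottle()
    return [throttle.decide(jid, ts) for ts, jid in events]


if __name__ == "__main__":
    spam = "abcd.efgh12345@yax.im"   # constructed sample account
    burst = [(100.0, spam)] * 6 + [(101.0, spam), (800.0, spam), (100.0, "alice@yax.im")]
    print(simulate(burst))
```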
