Hi,

The provided information then should be exchanged between trusted people, like admins on that mailing list.

Blackholing is a better word than RBL-alike. I'll think about it.

Regards.

--
Marcin Gondek / Drixter
http://fido.e-utp.net/
AS56662

-----Original Message-----
From: Rafal Zawadzki [mailto:[email protected]]
Sent: Wednesday, August 31, 2016 5:05 PM
To: Marcin Gondek <[email protected]>
Cc: XMPP Operators Group <[email protected]>
Subject: Re: [Operators] XMPP DDoS on yax.im today

I am also getting spam about russian silk road. Maybe some spamassassin / bogofilter-alike solution?

I was considering for a moment blocking all non-ASCII (Cyrillic) messages, but this sounds too thick.

Marcin Gondek – Wed., 31. August 2016 17:00
> Hi,
>
> Maybe we should think about some antispam feature for XMPP.
>
> Like RBL but for pattern [email protected] or so, or a public ban list where
> admins can submit information to inform others?
>
> Regards.
>
>
> --
> Marcin Gondek / Drixter
> fido.e-utp.net/
> AS56662
>
> -----Original Message-----
> From: Operators [mailto:[email protected]] On Behalf Of Georg Lukas
> Sent: Tuesday, August 30, 2016 2:50 PM
> To: [email protected]
> Subject: Re: [Operators] XMPP DDoS on yax.im today
>
> Hello again,
>
> first, thanks to everybody who contacted me off-list to resolve spam issues.
>
> A new DDoS is going on for two hours now, now from 155 different domains
> (most of which are on yesterday's list). First I wondered if I should
> publicize additional findings here, but apparently the spammers aren't
> reading (or are ignorant idiots (or both)), so here it comes:
>
> 1. the accounts are registered via open proxies (all of the registration
>    IPs I found so far are on proxies.dnsbl.sorbs.net, other RBLs are
>    less optimal)
>
> 2. the accounts do not log in immediately after registration, they are
>    registered in bulk and sit idle for multiple days before first use
>
> 3. as I don't log login IPs, I can't tell where the actual traffic comes
>    from
>
> 4. because many account names follow a specific pattern, you can
>    block/throttle outgoing traffic
>
> For example, with prosody's mod_firewall I'm doing the following to block
> excess outgoing traffic:
>
> --- snip ---
> ::preroute
>
> ORIGIN_MARKED: spammer (600s)
> DROP.
>
> %RATE normal: 10 (burst 5)
>
> FROM: <<[a-z][a-z][a-z][a-z]*[._-]?[a-z][a-z][a-z][a-z]*[0-9][0-9][0-9][0-9][0-9]+>>@yax.im
> LIMIT: normal
> MARK_ORIGIN=spammer
> --- snap ---
>
> (the regex isn't 100% precise and the rule isn't too strict, but seems to
> work sufficiently well)
>
>
> Georg
> --
> || op-co.de ++ GCS d--(++) s: a C+++ UL+++ !P L+++ !E W+++ N ++
> || gpg: 0x962FD2DE || o? K- w---() O M V? PS+ PE-- Y++ PGP+ t+ 5 R+ ||
> || Ge0rG: euIRCnet || X(+++) tv+ b+(++) DI+++ D- G e++++ h- r++ y? ||
> ++ IRCnet OFTC OPN ||_________________________________________________||
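Added illustration, not part of the thread above and not prosody or mod_firewall code: the three-rule mod_firewall chain Georg quotes (drop anything from a sender marked "spammer" within 600 s; rate-limit senders whose account name matches the bulk-registration pattern; mark a sender that exceeds the limit), emulated in Python so the name pattern and the limit/mark logic can be run over a constructed stanza log. The regex translation of the Lua pattern (anchored at both ends here), the reading of "10 (burst 5)" as a plain token bucket, the assumption that the stanza which trips the limit is still delivered while everything after it is dropped until the mark expires, and the sample senders and timings are all assumptions made for this example.

```python
"""Emulation of a 'throttle outgoing stanzas from pattern-matching local
accounts, then drop from marked senders for 600 s' chain.  Example code
written for this page; not prosody or mod_firewall code.  Rate/burst/mark
semantics are a token-bucket approximation, not mod_firewall's exact ones."""
import re
from collections import Counter, defaultdict

LOCAL_DOMAIN = "yax.im"  # the domain in the quoted rule

# Regex translation of the quoted Lua pattern: >=3 lowercase letters, an
# optional . _ - separator, >=3 letters, >=5 digits.  Anchoring the node at
# both ends is an assumption made here.
SPAM_NODE = re.compile(r"^[a-z]{3,}[._-]?[a-z]{3,}[0-9]{5,}$")


def is_suspect(jid: str) -> bool:
    """True for a local JID whose node part matches SPAM_NODE."""
    bare = jid.split("/", 1)[0]             # strip the resource, if any
    node, at, domain = bare.partition("@")
    return at == "@" and domain == LOCAL_DOMAIN and SPAM_NODE.match(node) is not None


class TokenBucket:
    """Capacity `burst` tokens, refilled at `rate` tokens per second."""

    def __init__(self, rate: float, burst: int, now: float):
        self.rate, self.burst = rate, float(burst)
        self.tokens, self.last = self.burst, now

    def allow(self, now: float) -> bool:
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class OutgoingFilter:
    """Per-sender state mirroring the three rules of the quoted chain."""

    def __init__(self, rate=10.0, burst=5, mark_ttl=600.0):
        self.rate, self.burst, self.mark_ttl = rate, burst, mark_ttl
        self.buckets = {}   # sender -> TokenBucket
        self.marked = {}    # sender -> time at which the 'spammer' mark expires

    def route(self, sender: str, now: float) -> str:
        """Return 'pass', 'mark' or 'drop' for one outgoing stanza."""
        # Rule 1: ORIGIN_MARKED: spammer (600s) -> DROP.
        expiry = self.marked.get(sender)
        if expiry is not None:
            if now < expiry:
                return "drop"
            del self.marked[sender]           # the mark has aged out
        # Rules 2/3: only name-pattern matches are subject to the limit.
        if not is_suspect(sender):
            return "pass"
        bucket = self.buckets.get(sender)
        if bucket is None:
            bucket = self.buckets[sender] = TokenBucket(self.rate, self.burst, now)
        if bucket.allow(now):
            return "pass"
        # Limit exceeded: mark the sender.  This stanza is still let through
        # (an assumption here); later ones are dropped until the mark expires.
        self.marked[sender] = now + self.mark_ttl
        return "mark"


def sample_events():
    """Constructed outgoing-stanza log as (time_s, from_jid); not real traffic."""
    events = []
    for i in range(8):                          # 8 stanzas, 10 ms apart, each
        t = i * 0.01
        events.append((t, "abcd.efgh12345@yax.im"))  # matches the pattern
        events.append((t, "alice@yax.im"))           # ordinary local user
        events.append((t, "bob1234@yax.im"))         # too few letters/digits
    for i in range(3):                          # a match that stays under the limit
        events.append((i * 0.01, "tom_jones00123@yax.im"))
    events.append((500.0, "abcd.efgh12345@yax.im"))  # still inside the 600 s mark
    events.append((700.0, "abcd.efgh12345@yax.im"))  # mark expired, bucket refilled
    return sorted(events, key=lambda e: e[0])        # stable: per-sender order kept


def simulate(events=None, **kw):
    """Run the filter over the events; return {sender: {verdict: count}}."""
    fw = OutgoingFilter(**kw)
    verdicts = defaultdict(Counter)
    for t, sender in (events if events is not None else sample_events()):
        verdicts[sender][fw.route(sender, t)] += 1
    return {s: dict(c) for s, c in verdicts.items()}


if __name__ == "__main__":
    for sender, counts in simulate().items():
        print(f"{sender:28s} {counts}")
```

With the constructed log, the pattern-matching sender gets its first five stanzas through, is marked on the sixth, is dropped until the mark expires and then passes again, while the ordinary users and the near-miss name "bob1234" are never touched; the near-miss case is the one to check whenever the regex is tightened, because a looser pattern will start throttling legitimate accounts.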
