XMPP Service Operators - 2020-09-21


  1. Ellenor Malik

    new spammer

  2. Ellenor Malik

    jessieb@draugr.de

  3. tom

    fcrazytapok@conversations.im OTR spam

  4. tom

    I've noticed a pattern too

  5. tom

    They send two roster requests over several days before sending the OTR spam

  6. tom

    You don't have to accept them

  7. Ge0rG

    interesting

  8. Ge0rG

    any other visible patterns?

  9. tom

    The names

  10. Ge0rG

    random letter + wordlist item?

  11. tom

    They appear to be (although I haven't had enough spam to tell for sure if this is definitive or not yet) ASCII consisting of a word and a couple random letters

  12. tom

    But always US-ASCII

  13. tom

    And at least one word

  14. Ge0rG

    Well, most JIDs consist of US-ASCII

  15. tom

    Yeah but the spam is in RU/EN

  16. Ge0rG

    Are there any patterns that can be used to differentiate them from real users?

  17. tom

    So you'd think they'd also have a Cyrillic name

  18. Ge0rG

    I have many Russian users on my server, but most of them also use Latin names

  19. tom

    I don't think I can give you any more differentiable patterns yet Ge0rG

  20. Ge0rG

    I'd also take raw XML ;)

  21. tom

    Oh

  22. Ge0rG

    Unfortunately, the spammers didn't spam me yet.

  23. tom

    Well I'll be sure to capture that next time

  24. jonas’

    I prefer cooked XML over raw

  25. tom

    But

  26. Ge0rG

    jonas’: watch out, or I'll serve you some vegan JSON

  27. jonas’

    Ge0rG, JSON can’t be vegan

  28. jonas’

    too much suffering associated with JSON

  29. tom

    When I send out the abuse reports to other operators, it's usually the case that I hear back that random IPs opened thousands of accounts a while ago

  30. tom

    And just now started becoming active

  31. Ge0rG

    tom: that's the usual pattern.

  32. tom

    And the operator is able to remove the accounts based on a bunch being registered in a timeframe

  33. Ge0rG

    tom: https://yaxim.org/blog/2020/05/12/new-anti-spam-measures/ has helped significantly

  34. Ellenor Malik

    I prefer beef and onion json

  35. Ellenor Malik

    which is less suffery than the vegan json I've eaten

  36. tom

    Well if that's the case maybe we could look at honeypotting new accounts after they dramatically exceed normal new user rates

  37. tom

    As in

  38. tom

    Don't cancel them just capture the XML and pretend success

  39. Ge0rG

    I prefer not to silently blackhole new accounts, as there can always be false positives.

  40. tom

    Ge0rG: can you add my jid as a member to the yax.im spamfighting chat?

  41. tom

    I tried joining but it was members only

  42. tom

    I need an invite

  43. tom

    Ge0rG: do you know what kind of captcha the spammer is talking about?

  44. tom

    The one he claims he can bypass

  45. tom

    Bypassing Google reCAPTCHA is hella easy and there are services for that

  46. tom

    But I was wondering if maybe there was a monoculture of captchas in the XMPP fedisphere

  47. tom

    And that's why bypassing was so effective, or he/she was talking out of their ass

  48. tom

    » ** 2020-09-21
    » [02:47:01] <fcrazytapok@conversations.im> Реклама по Jabber / Advert on
    » Jabber
    »
    » [RU] Представляем новый сервис рекламы по Jabber!
    » Вы увидели это сообщение? Значит и десятки тысяч других пользователей
    » увидят ваше!
    »
    » Более 500 000 АКТИВНЫХ пользователей в базе:
    » - из открытых тем на форумах
    » - из дампов форумов всех тематик
    »
    » Собственное ПО для рассылки:
    » - обход капчи на стороне клиента и сервера
    » - поддержка OTR шифрования клиента и сервера
    »
    » Более детально здесь: http://gg.gg/m3a3u
    »
    » ----------------------------------------------------------
    »
    » [EN] Introducing a new Jabber advertising service!
    » Did you see this message? This means that tens of thousands of other
    » users will see yours!
    »
    » More than 500,000 ACTIVE users in the database:
    » - from open topics on forums
    » - from forums' dumps
    »
    » Own software for mailing:
    » - bypass captcha on client and server side
    » - OTR client and server encryption support
    »
    » More details here: http://gg.gg/m3a3u
    »

  49. tom

    You know

  50. tom

    This same message is repeating every time

  51. tom

    How resistant exactly is OTR to cryptanalysis

  52. jonas’

    very

  53. tom

    Well

  54. tom

    What about size

  55. jonas’

    size?

  56. jonas’

    you need to do a full OTR handshake before message contents are exchanged

  57. tom

    If you have a known plaintext can you infer if the ciphertext is the plaintext by looking at the size of the packet?

  58. jonas’

    for the handshake to succeed, you’d have to have key material which can recover the plaintext anyways

  59. tom

    No, I'm not talking about reading the message

  60. jonas’

    but messages will not be sent before you could read them

  61. tom

    The spammer sends the EXACT same message every time

  62. jonas’

    you cannot send (useful) OTR messages before the handshake is complete

  63. tom

    I'm wondering if you looked at the SIZE of the OTR ciphertext, if it was very similar or the same each time this message is sent

  64. jonas’

    for that you’d first need actual ciphertext

  65. jonas’

    to get actual ciphertext, the handshake must have succeeded

  66. jonas’

    the "same" message you’re seeing is probably just the first message of the handshake

  67. tom

    I've seen encrypted voice systems fall over because people could pretty accurately guess words by looking at the packet size of an encrypted compressed VoIP stream

  68. tom

    (looking at your SiLK codec)

  69. jonas’

    classic compression-before-encryption problem.

  70. jonas’

    but that’s also completely unrelated to OTR