XMPP Service Operators - 2022-11-04

> y'all use a security focused memory allocator on your servers? Sapotaceae, what's the point?

They can directly mitigate many forms of double free, use after free, write after free, and invalid free which are common vulnerabilities

That's a strange way to write "RiiR"

Sapotaceae, can yoou explain why those are problems?

if i understand it correctly, this is memory leaking confidential data due to not zeroing before use correct?

isn't it the program's fault for not deallocating memory after it's done with it not the memory allocator?

any real world benefit from say, running prosody with glibc malloc vs ottomalloc?

I tried changing the default malloc system-wide before

on a linux system

ended up with weird segmentation faults

but most programs did accept a new malloc, and some had noticable performance improvements from sqitching say, qbittorrent from glibc malloc to jemalloc

i know that openbsd uses ottomalloc system wide

are there any security focused mallocs in the debian repositories?

freebsd repositories?

libhardenedmallouc has little effect on increasing prosody's memory usage

my guess is that's probably because prosody doesn't make a bunch of small allocations

but on other things like gettys it brings the resident usage from less than 1mb to 2-3 mb

also interesting is that every process hardenedmalloc is used with reports a 12T virtual memory usage

moparisthebest, weird segmentation faults are exactly the goal, when a (C) program is not using the allocated memory correctly, instead of silently continuing operations in a corrupted state or potentially leaking data, it will crash properly.

nuegia.net, *

I understand

thankyou

Of course, once you get a segfault, you should investigate into it, debug out why it happens and in which situation, and then report it or even fix it.

Similar to asan, ubsan, valgrind, etc., it can be a tool which helps make fewer C mistakes.

I'll be testing libhardened_malloc with prosody and biboumi

If anybody is interested in the results let me know

The devs of these two projects most likely.

A

N

That was informative 🙂 (well not the last two posts)

Have others noticed a recent uptake in spam?

No, what kind of spam?

short messages that appear to poll for activity

I had one message recently asking if I was free for a chat. It wasn't clearly spam, but it wasn't clearly not, so I just ignored it

from accounts on xmpp.jp, jabber.de, im.apinc.org, yourdata.forsale, 0day.im, for a cursory look.

Haven't received anything else

The spam run very clearly started on October 20

is jabber.de operated by someone that we know in the community?

Guus, im.apinc.org is handled by us, could you give me (in private perhaps) the list of JIDs that have been spamming you?

Now and in the future, any spam message originating from our domains is an instant ban.

will do, tx

i've not had that spam but I have had russian bots asking for a job

and just repeating the same sentence in russian over and over again in mucs

Happened in some of mu mucs here too. And still happening as of this morning

msavoritias, what domain is it coming from?

The one from a few days ago conversations.im Not sure about the one today. Not a mod there

My #1 ingress spam domain is chinwag.im but it's got the most messages per flagged account

exploit.im has the most bots, with 1 message each

but it doesn't look like more spam than earlier, total 13k spam messages in the last 2 weeks

I wonder if the people spamming realize how much time it takes out of all of us and how visible they are

when we have these 'waves' to deal with

chinwag is on my list too.

The admin has been contacted? hes from australia and should be reachable

the emus are currently fighing over him between the spiders

^^

neat

emus, can you send me his contact details?

Never underestimate an Emu. You Will Lose. https://en.wikipedia.org/wiki/Emu_War

Done!

nuegia.net: that's called an "externality" in economic theory.

XD

This is a list of domains that I received spam from, for which I don't have admin contacts. If anyone recognizes a domain as their own (or knows how to get in contact with an admin), I appreciate a message. https://pastebin.com/Y0XjUW9a

blabber.im should be offline

Guus: 404.city admin was here yesterday, as usual to complain on something that was not "perfect" creep.im admin was around, I can try and ping them if you PM me some accounts that spammed

Hey folks, this is weird I've been showing as connected to operators but seen no messages since October 28. If anyone's got a list of Chinwag accounts dropping spam please mail it to admin@chinwag.im and I'll nuke them immediately

mike, I just sent you a subscription request

I had a few that I spotted a while back that activated and started spamming, they were all registered back in 2018. I figured someone was burning old reserves and had run out

Guus: possibly wrong ID

404 also says this email for abuse support@404.city

5 of july is this info@5july.org

My published abuse contact info should show mailto:admin@chinwag.im I do monitor that.

Interesting that there is even the CCC xmpp server in there

msavoritias: but the ccc server is a probllem for years alreaady

Ah wasnt aware 😅

Oh, I messed up a timestamp when generating that list of offending domains. The still have accounts that spam, but I didn't limit that to the last 2 weeks or so.

This is the list of domains that had accounts that _recently_ spammed: https://pastebin.com/Wc8S6iFD

Yeah confirmed at least one more reactivated that's been dormant since 2018. This spammer is very patient.

I'm guessing that there are lists of credentials for accounts-to-be-used-for-spam floating around.

For sure.

mike: no yearly cleanup of inactive accounts?

Not if they have ever been used. I only sweep registered but never logged into.

If someone only has something to say every ten years, that's fine. Given there's rarely any way to contact out of band and warn of upcoming deletion I'm very adverse to it.

Actually deleting accounts is problematic anyway, better to lock or tombstone them

definitely.