
OpenFire 4.0.2 in-band registration users not showing (spam)

Noticed some s2s sessions to servers we don’t usually talk to. Some dark-web related.

We have in-band registration enabled.

Turned on archiving of messages and the thing that sends admin a message when a user registers.

Lo and behold I start to see activity:

A new user with the username ‘urkwresy66lpu6’ just registered.

A new user with the username ‘309xyungivwpfi’ just registered.

Shortly thereafter s2s sessions appear so they are sending messages out!

Now what I found interesting was:

  1. Only a small number of these accounts ever show up in my user list. (Users/Groups -> Users -> User Summary)

  2. While they are registering and sending messages out I do not see them in Sessions -> Active Sessions -> Client Sessions

I turned on message archiving and noticed they do not use OTR, and they seem to be sending spam or notifications out about some kind of Russian Silk Road TOR site.

Russian SilkRoad / rusilkusru6f57uw.onion - a classic of the criminal market in a modern rendition. Forget EVERYTHING you have seen before.

Need to settle a matter with debtors, punish those who do harm? - There are criminal services.

Need a forged document? - Go to the forged documents section.

Carding. Hacking. Classic psychoactive substances - amphetamine and its varieties, buds, hashish, bomy, LSD, cocaine and more.


My Qs:

  1. How can someone do in-band registration and not show in the user list or have a session showing?

  2. Is there a plugin or mechanism we can use to say “if a user sends a message with keyword xyz lock his account”?

Can’t answer 1), as I can see users when I register them with a client, and I also see sessions. Maybe they are deleting their accounts after sending messages (not sure if some clients can actually delete their account from the server). Or maybe it is s2s related.

2) There is no such plugin.

For anyone who stumbles upon this thread through Google or whatever:

There is an explanation now.

XSender: The Source of All the Recent XMPP Spam | DarknetPages

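An added example, not from the thread and not part of Openfire: one way to approximate the check asked about in question 2 outside the server, by correlating the registration notices with archived outbound messages and listing accounts an admin may want to lock. It assumes the notices and the message archive have been exported as timestamped tuples; the domains, keyword list, time window and sample data are hypothetical.

```python
import re
from datetime import datetime, timedelta

# Notification wording as quoted in the thread (curly or straight quotes).
REG_RE = re.compile(r"A new user with the username [‘'](?P<user>[^’']+)[’'] just registered")
# Tor onion hostnames: 16 (v2) or 56 (v3) base32 characters.
ONION_RE = re.compile(r"\b(?:[a-z2-7]{56}|[a-z2-7]{16})\.onion\b", re.I)

def split_jid(jid):
    """Return (localpart, domain) of a JID, lower-cased, resource dropped."""
    local, _, rest = jid.partition("@")
    return local.lower(), rest.split("/")[0].lower()

def accounts_to_lock(notices, archive, local_domain, keywords=(),
                     window=timedelta(minutes=30)):
    """Usernames that registered and, within `window`, sent a message to a
    remote domain containing a keyword or an .onion address."""
    regs = {}
    for ts, text in notices:
        m = REG_RE.search(text)
        if m:
            regs[m.group("user").lower()] = ts
    flagged = set()
    for ts, sender, recipient, body in archive:
        user, sdomain = split_jid(sender)
        _, rdomain = split_jid(recipient)
        if sdomain != local_domain or rdomain == local_domain or user not in regs:
            continue  # only outbound (s2s) messages from newly registered users
        if not timedelta(0) <= ts - regs[user] <= window:
            continue
        text = body.lower()
        if ONION_RE.search(text) or any(k.lower() in text for k in keywords):
            flagged.add(user)
    return sorted(flagged)

# Constructed sample data: timestamps, domains and message bodies are made up.
T0 = datetime(2000, 1, 1, 12, 0)
MIN = timedelta(minutes=1)
NOTICES = [
    (T0, "A new user with the username ‘urkwresy66lpu6’ just registered."),
    (T0 + MIN, "A new user with the username ‘309xyungivwpfi’ just registered."),
    (T0 + 2 * MIN, "A new user with the username ‘alice’ just registered."),
]
ARCHIVE = [
    (T0 + 3 * MIN, "urkwresy66lpu6@example.org/x", "bob@example.net", "see aaaaaaaaaaaaaaaa.onion"),
    (T0 + 10 * MIN, "309xyungivwpfi@example.org", "carol@example.net", "Carding. Hacking."),
    (T0 + 5 * MIN, "alice@example.org", "dave@example.net", "lunch at noon?"),
]

if __name__ == "__main__":
    print(accounts_to_lock(NOTICES, ARCHIVE, "example.org", keywords=("carding",)))
```

The function only returns usernames; locking or deleting the accounts is left to the admin console.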