[Pidgin] #11532: MSN SLP Call Spam

Pidgin trac at pidgin.im
Tue Mar 9 18:40:25 EST 2010 

#11532: MSN SLP Call Spam
-----------------------------------------+----------------------------------
 Reporter:  jmlsteele                    |     Owner:  khc  
     Type:  defect                       |    Status:  new  
Component:  MSN                          |   Version:  2.6.6
 Keywords:  SLP call switchboard msnslp  |  
-----------------------------------------+----------------------------------
 I've noticed recently that pidgin was using bandwidth for no apparent
 reason (about 10K/s for 3 second bursts every 5 seconds).

 I did a packet capture and saw that it was the same message more or less
 repeating itself over and over again.

 Here is what the pidgin debug log had to say (snipped for sanity of
 readers)
 {{{
 (07:51:11) msn: C: SB 002: USR 1 %MY_MSN% 1897716008.1617167.128180121
 (07:51:11) msn: S: SB 002: USR 1 OK %MY_MSN% %MY_MSN%
 (07:51:11) msn: C: SB 002: CAL 2 %FRIEND_MSN%
 (07:51:11) msn: S: SB 002: CAL 2 RINGING 1897716008
 (07:51:12) msn: S: SB 002: JOI %FRIEND_MSN% %FRIEND_NAME% 2789003372
 (07:51:12) msn: Processing queue
 (07:51:12) msn: Sending message
 (07:51:12) msn: C: SB 002: MSG 3 D 866
 (07:51:12) msn: switchboard send msg..
 (07:51:12) msn: C: SB 002: MSG 4 U 98
 (07:51:12) msn: S: SB 002: NAK 3
 (07:51:12) msn: switchboard send msg..
 (07:51:12) msn: C: SB 002: MSG 5 D 866
 (07:51:12) msn: S: SB 002: NAK 5
 ...SNIP...
 (07:56:11) msn: switchboard send msg..
 (07:56:11) msn: C: SB 002: MSG 1502 D 866
 (07:56:11) msn: S: SB 002: NAK 1502
 (07:56:11) msn: switchboard send msg..
 (07:56:11) msn: C: SB 002: MSG 1503 D 866
 (07:56:11) msn: C: SB 002: OUT
 (07:56:11) msn: destroy httpconn (049B1888)
 (07:56:50) msn: C: NS 000: PNG
 (07:56:50) msn: S: NS 000: QNG 45
 (07:57:06) msn: S: NS 000: FLN %FRIEND_MSN% 1 0
 (07:57:06) blist: Updating buddy status for %FRIEND_MSN% (MSN)
 (07:57:06) blist: Updating buddy status for %FRIEND_MSN% (MSN)
 }}}

 It sent 1500 messages in the span of ~5 minutes, using ~1.5MB of
 bandwidth.  I've noticed this about 6 times now, and it seems to happen
 right after I start pidgin, and then sporadically afterward.  I've also
 seen 2 different friend's accounts be "targeted".

 The Message that it is sending is as follows: (personal information
 removed, Base54 also altered to remove email address)
 {{{
 MSG 3 D 867
 MIME-Version: 1.0
 Content-Type: application/x-msnmsgrp2p
 P2P-Dest: %FRIEND_MSN%

 ....M............................M..............INVITE
 MSNMSGR:%FRIEND_MSN% MSNSLP/1.0
 To: <msnmsgr:%FRIEND_MSN%>
 From: <msnmsgr:%MY_MSN%>
 Via: MSNSLP/1.0/TLP ;branch={5A2D551E-416F-1235-11AA-204F4A1D8F98}
 CSeq: 0
 Call-ID: {264D23EC-3FB7-1CC4-12FC-37FA52CC6C02}
 Max-Forwards: 0
 Content-Type: application/x-msnmsgr-sessionreqbody
 Content-Length: 328

 EUF-GUID: {A4268EEC-FEC5-49E5-95C3-F126696BDBF6}
 SessionID: 28149
 AppID: 1
 Context:
 PG1zbm9iaiBDcmVhdG9yPSIlRlJJRU5EX01TTiUiIFNpemU9IjIzNzkzIiBUeXBlPSIzIiBMb2NhdGlvbj0iMCIgRnJpZW5kbHk9ImFnQmhBSG9BZWdBZ0FHZ0FZUUJ1QUdRQWN3QUFBQT09IiBTSEExRD0ibHp2VVZjUlkxNTBCRFk5eWZhZGJ6MDFERTVvPSIvPg==

 .....
 }}}

 The Base64 encoded context field decodes to:
 {{{
 <msnobj Creator="%FRIEND_MSN%" Size="23793" Type="3" Location="0"
 Friendly="agBhAHoAegAgAGgAYQBuAGQAcwAAAA=="
 SHA1D="lzvUVcRY150BDY9yfadbz01DE5o="/>
 }}}

-- 
Ticket URL: <http://developer.pidgin.im/ticket/11532>
Pidgin <http://pidgin.im>
Pidgin

More information about the Tracker mailing list