1:1 Bridge bot detected directly using matrix.org

[Zarthus]

(12:17:27) -OperServ- Match:  enick_37!~snoonetch@2001:470:1af1:107::191 @_snoonet_ChanServ:matrix.org
(12:17:27) -OperServ- Match:  enick_732!~snoonetni@2001:470:1af1:107::192 @_snoonet_NickServ:matrix.org
(12:17:27) -OperServ- Match:  M_snoonet_Global!~snoonetgl@2001:470:1af1:107::193 @_snoonet_Global:matrix.org
(12:17:27) -OperServ- Match:  PurpleVorlonIRC!~snoonetpu@2001:470:1af1:107::190 @_snoonet_PurpleVorlon:matrix.org
(12:17:27) -OperServ- Match:  snoonet-irc!~snoonet-i@2001:470:1af1:107::18f @snoonet-irc:matrix.org

When you talk with one of them:

(11:26:25) -> *enick_732* help
(11:26:36) -snoonet-irc- You've joined a Matrix room which is bridged to the IRC network 'ipv6-irc.snoonet.org', where you are now connected as M_espernet_Zarthus[m]. This room shows any errors or status messages from IRC, as well as letting you control the connection. Type !help for more information
(11:26:37) -snoonet-irc- Connecting to the IRC network 'ipv6-irc.snoonet.org' as M_espernet_Zarthus[m]...
(11:26:38) -snoonet-irc- You've been connected to the IRC network 'ipv6-irc.snoonet.org' as M_espernet_Zarthus[m]. User modes +R have been set.
(11:26:39) -enick_732- Your nickname is not registered. To register it, use: /msg NickServ REGISTER password email
(11:26:40) -M_snoonet_Global- [Logon News - Dec 17 14:47:17 2016 CET] Snoonet is partnered with Private Internet Access! Make sure to keep secure by connecting to our secure port irc.snoonet.org:6697 and for best security, use a VPN Service! www.privateinternetaccess.com
(11:26:40) -M_snoonet_Global- [Logon News - May 23 17:33:02 2018 CEST] By connecting and using the Snoonet IRC network you consent to our privacy policy located at https://snoonet.org/privacy-policy
(11:26:41) -enick_732- NickServ allows you to register a nickname and
(11:26:42) -enick_732- prevent others from using it. The following
(11:26:43) -enick_732- commands allow for registration and maintenance of
(11:26:44) -enick_732- nicknames; to use them, type /msg NickServ command.
(11:26:44) -enick_732- For more information on a specific command, type
(11:26:45) -enick_732- /msg NickServ HELP command.
(11:26:46) -enick_732-     CONFIRM        Confirm a passcode
(11:26:46) -enick_732-     GHOST          Regains control of your nick
(11:26:47) -enick_732-     GROUP          Join a group
(11:26:48) -enick_732-     HELP           Displays this list and give information about commands
(11:26:48) -enick_732-     IDENTIFY       Identify yourself with your password
(11:26:49) -enick_732-     INFO           Displays information about a given nickname
(11:26:50) -enick_732-     RECOVER        Regains control of your nick
(11:26:50) -enick_732-     REGISTER       Register a nickname
(11:26:51) -enick_732-     RESETPASS      Helps you reset lost passwords
(11:26:52) -enick_732-     STATUS         Returns the owner status of the given nickname
(11:26:52) -enick_732-  
(11:26:53) -enick_732- Accounts that are not used anymore are subject to
(11:26:54) -enick_732- the automatic expiration, i.e. they will be deleted
(11:26:55) -enick_732- after 9999 days if not used.
(11:26:55) -enick_732-  
(11:26:56) -enick_732- NOTICE: This service is intended to provide a way for
(11:26:57) -enick_732- IRC users to ensure their identity is not compromised.
(11:26:57) -enick_732- It is NOT intended to facilitate "stealing" of
(11:26:58) -enick_732- nicknames or other malicious actions. Abuse of NickServ
(11:26:59) -enick_732- will result in, at minimum, loss of the abused
(11:26:59) -enick_732- nickname(s).

This relates to https://github.com/matrix-org/matrix-appservice-irc/issues/510 - but is even more dangerous because it indicates Matrix allows bot accounts on their main service, completely free of registration, and that's even more embarassing.

What's worse is that this mimics and entire ircd; there's spam limitations and it's asking me to register. Proxying a service is a horrible idea and we've banned it on accounts of phishing. But this kind of thing should not be possible in the first place.

cc @ara4n - as you've dealt with my previous ticket.

[Zarthus]

It seems to be a service running this piece of code: https://github.com/matrix-org/matrix-appservice-irc/blob/develop/lib/bridge/MatrixHandler.js

The commands are identical.

[A-UNDERSCORE-D]

Confirming this issue from Snoonet's side, where we have Hackint's nickserv bridged:

[12:00:08] <A_Dragon> help
[12:00:13] -enick_220- Welcome to HackINT, A_DragonIRC|m! Here on HackINT, we provide services to enable the registration of nicknames and channels! For details, type /msg NickServ help and /msg ChanServ help.
[12:16:04] <A_Dragon> help
[12:16:09] -enick_220- ***** NickServ Help *****
[12:16:10] -enick_220- NickServ allows users to 'register' a nickname, and stop
[12:16:10] -enick_220- others from using that nick. NickServ allows the owner of a
[12:16:11] -enick_220- nickname to disconnect a user from the network that is using
[12:16:12] -enick_220- their nickname.
[12:16:12] -enick_220- If a registered nick is not used by the owner for 365 days,
[12:16:16] -enick_220- NickServ will drop the nickname, allowing it to be reregistered.
[12:16:17] -enick_220-  
[12:16:17] -enick_220- For more information on a command, type:
[12:16:18] -enick_220- /msg NickServ help <command>
[12:16:19] -enick_220- For a verbose listing of all commands, type:
[12:16:19] -enick_220- /msg NickServ help commands
[12:16:20] -enick_220-  
[12:16:21] -enick_220- The following commands are available:
[12:16:21] -enick_220- GHOST           Reclaims use of a nickname.
[12:16:22] -enick_220- IDENTIFY        Identifies to services for a nickname.
[12:16:23] -enick_220- INFO            Displays information on registrations.
[12:16:24] -enick_220- LISTCHANS       Lists channels that you have access to.
[12:16:24] -enick_220- REGISTER        Registers a nickname.
[12:16:25] -enick_220- RELEASE         Releases a services enforcer.
[12:16:26] -enick_220- SENDPASS        Email registration passwords.
[12:16:26] -enick_220-  
[12:16:27] -enick_220- Other commands: ACC, CERT, DROP, HELP, LISTGROUPS, LOGOUT, 
[12:16:28] -enick_220-                 REGAIN, SETPASS, STATUS, TAXONOMY, VERIFY
[12:16:28] -enick_220- ***** End of Help *****
[12:16:29] -enick_220- If you're having trouble or you need some additional help, you may want to join the help channel #hackint or visit the help webpage http://www.hackint.org/services

Lagtime on messages due to snoonet fakelag

[Zarthus]

There's more than just snoonet involved here; I've seen references to freenode, mozilla, and hackint as well. (all of the bridges seem to use a nick like $network-irc for the initial bridge connection (e.g. @espernet-irc:matrix.org, @snoonet-irc:matrix.org), and it develops from there (with patterns like @_snoonet_Zarthus:matrix.org)

[A-UNDERSCORE-D]

Additionally, freenode's chanserv is bridged to Snoonet

[A-UNDERSCORE-D]

After further checking, mozilla, oftc, appservice, and espernet are connected to snoonet in the manner described above by @Zarthus

[ara4n]

hi all - thanks for flagging this; it looks like someone has bridged a room irc<->matrix<->irc, causing any bots on the matrix side which represent the respective irc bridges to also get bridged. we are out of the loop this weekend but can jump on this on monday and figure out how to stop doublebridging for networks who don’t want their channels linked to other servers.

[ara4n]

(we've been investigating this today; will report back once we have a plan)

[Zarthus]

@ara4n, howdy! Do you happen to have any updates regarding this matter? (not asking for a direct solution, but I wonder if you've been able to identify any possible paths for a good long-term solution.)

[A-UNDERSCORE-D]

@ara4n This is still an issue, do you have any updates?

[Zarthus]

On our network I'm also observing gitter<->matrix<->irc..

This is getting quite embarrassing and I'm not sure if the effort is really worth keeping matrix around for.

[Half-Shot]

FYI we have started progress on blocking this with https://github.com/matrix-org/matrix-appservice-irc/pull/669 . Individual bridges can be configured to disallow sharing rooms with other bridges they collide with.

For existing rooms, I'd like to work with folks to gracefully unbridge them so we don't suddenly cut off communities, but also try to cut back on the behaviour.

[ara4n]

@Zarthus we've almost finished sorting this (as per half-shot's PR)

[Zarthus]

@ara4n, @Half-Shot - It looks like the PR was merged, can this issue be closed or is there still work to do?

Thank you for taking care Half-Shot :)