In recent months, security researchers, hackers, and other dwellers of the cyber-criminal underground have noticed an uptick in XMPP (formerly Jabber) spam.

Behind the vast majority of these messages is a service named XSender (XSNDR), which rents out XMPP spam slots to anyone looking to peddle legal or illegal products.

Their website, available on the unindexed Deep Web, is extremely minimal, with just two sections, one describing the service, and one listing the prices.

XSender site

XSender prices

Based on the number of spam messages your reporter and many others have received, the prices seem to be both fair and affordable.

Below is just a small collection of the types of spam we've been receiving in the past few months.

Exobot spam

Mirai spam

Avalanche spam

Madness DDoS spam

Vendetta spam

XSender spam

Bleeping Computer has reached out to the service's creators, a group of hackers known as Overload. The group's spokesperson declined to say exactly what they do, but he said: "we don't rob banks and don't write malware."

XSender launched over a year ago

According to the group, XSender started as a side project over a year ago. "It was a service made on the knees," Overload said, referring to an Eastern European expression about objects made in haste.

"We started Jabber spam only to advertise our own services," he said, "some time later we started receiving advertising requests from 'friends'."

The team didn't have any long-term plan for their service, and even admitted that they themselves didn't think it was a "real good project."

That's why the group also added a section on the XSender site for classic inbox (email) spamming, and also focused their efforts on another project they declined to name.

XSender inbox spam

Unlike email spam, access to XSender's XMPP spam lists is something that some people have actively sought, from hackers to security researchers, many of whom reached out to your reporter after posting various screenshots on Twitter.

Security researchers working in threat intelligence want on the lists to gather info on cyber-criminals and their "new products," while hackers want on the lists to know what's new on the market.

Bleeping Computer has asked Overload how they add and manage their XMPP address lists.

"We get our list from all sources: public parsing, parsing from thematic sites (like Exploit.in, Crimes.ws), SQL dumps (like Jabbim server and HackForums), but most valuable is Jabber contacts from hijacked Jabber accounts," said Overload, who also added that the XSender spam lists are now over 2 million unique IDs.

99% of customers work in cyber-crime

As for their customers, the XSender crew says that 99% of their clients work in cyber-crime. "We denied drug sellers to advert," the Overload spokesperson said.

"Big services who need to get new customers permanently become our regular clients," our contact said. "Some clients use our spam once or twice - when starting their services."

"Now we have 8 regular clients for the Month fee ($1,200/month) out of 10 available slots," he added.

Group now has competition

But competition is ramping up, according to the group's spokesperson. "Too many [expletive] spammers who send unlimited messages in a day," the group said, adding that they only send one spam message per XMPP ID per day, as a golden rule.

The downside of this new competition is the fact that some of the spammed people are starting to get annoyed, and all of a sudden, XMPP spam has become true spam.

The result, as the Overload team says, is that users are configuring XMPP clients to block all messages from people not in their contact list.

To combat these blocks, and other hurdles, the group says it's working on a way to defeat XMPP authorization and XMPP CAPTCHA systems that are sometimes used to protect both users and servers.
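The contact-list-only blocking that users are turning to, shown as an added example that is not from the article or from any XMPP client or server. The roster, room list, stanzas and the names `bare_jid` and `decide` are constructed for illustration, and treating a roster entry with subscription "none" as a stranger is an assumed policy.

```python
import xml.etree.ElementTree as ET

# Constructed roster (bare JID -> RFC 6121 subscription state) and joined rooms.
ROSTER = {"alice@example.org": "both", "bob@example.net": "to",
          "carol@example.com": "none"}
JOINED_ROOMS = {"ops@conference.example.org"}


def bare_jid(jid):
    """Drop the resource and lowercase; a simplification of full JID prep."""
    # Split on the first "/" only: a resource may itself contain "@" or "/".
    return jid.split("/", 1)[0].lower()


def decide(stanza_xml, roster=ROSTER, rooms=JOINED_ROOMS):
    """Return "deliver" or "drop" for one inbound <message/> stanza."""
    msg = ET.fromstring(stanza_xml)
    sender = msg.get("from")
    if sender is None:
        return "deliver"  # no 'from': comes from the user's own server/account
    sender = bare_jid(sender)
    if msg.get("type") == "groupchat":
        # Room traffic is matched against joined rooms, not the roster.
        return "deliver" if sender in rooms else "drop"
    # Assumed policy: unknown senders and subscription "none" are strangers.
    return "deliver" if roster.get(sender, "none") != "none" else "drop"


# Constructed sample stanzas (not captured traffic).
SAMPLES = [
    "<message from='alice@example.org/phone' type='chat'><body>hi</body></message>",
    "<message from='promo@bulk.invalid/x' type='chat'><body>advert</body></message>",
    "<message from='Bob@Example.NET/laptop' type='chat'><body>yo</body></message>",
    "<message from='carol@example.com' type='chat'><body>add me</body></message>",
    "<message from='ops@conference.example.org/nick' type='groupchat'>"
    "<body>status</body></message>",
    # Resource imitates a roster JID; only the part before "/" is the sender.
    "<message from='promo@bulk.invalid/alice@example.org' type='chat'>"
    "<body>advert</body></message>",
]


def run_samples():
    return [decide(s) for s in SAMPLES]


if __name__ == "__main__":
    for stanza, verdict in zip(SAMPLES, run_samples()):
        print(verdict, ET.fromstring(stanza).get("from"))
```

The last sample shows why the check compares the bare JID rather than searching the whole `from` value for a known contact.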

Grammar and spelling have been corrected at Overload's request.