[Operators] Let's start some witch-hunt
mati at fsinf.at
Tue Jun 15 16:52:03 CDT 2010
Dear Peter, Martin, Hal and the rest,
On 06/15/2010 11:31 PM, Peter Schwindt wrote:
> Martin (of hot-chilli.*) was the first to publicly (on jadmin-ML, about
> 2 weeks ago) mention a bunch of weird registrations. The accounts to be
> considered all look nearly the same: A posix timestamp + ("LOP" or
> "LMC") + server part (i.e. 1275746522321lmc at jabber.ccc.de). And there
> were lots of them. Right now I (administering jabber.ccc.de) see about
> 1k of them on my server.
> I did some serious sniffing, look at some IPs, contacted Jeroen (of
> 12jabber.com and others) yesterday since I saw that some of the (bot?
> mmorpg?) accounts were talking to likewise accounts on his servers and
> later the day I compiled all the information I knew and put it on the
> jabber.ccc.de weblog (http://web.jabber.ccc.de/?p=183, unfortunately in
> German, if you need a translation I can provide it).
I had a similar incident recently, which I also investigated together
with Martin. I operate a j2j transport (very few users) and noticed up
to 50 messages/sec. All they did was join certain nimbuzz chatrooms and
post hundreds of (very long, UTF-8 heavy) messages at the same time.
Martin and me (and some other operator I don't remember that gave us
hints) found out that this was some Indonesian network, but the purpose
of it is still unclear.
The abuse stopped when we disallowed local requests, but I am sure
(tried several times) that everything will be back up as soon as I
This wasn't harmful (to our server, at least) in any way, but I guess it
shows pretty well that we (all of us) have a problem we should take care of.
PS: I checked my server and it seems free of the accounts Peter Schwindt
and Martin have.
I only read plain text mail! I prefer pgp|gpg signed & encrypted mails!
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 198 bytes
Desc: OpenPGP digital signature
More information about the Operators