[Operators] Let's start some witch-hunt

Daniel Lawson daniel at meta.net.nz
Sun Jun 20 21:49:01 CDT 2010

Hi all

I run jabber.meta.net.nz, and I've just gotten round to investigating 
the sudden spike in registered users we had last month, and I found this 
thread (really should have been on this list already). We seem to have 
around 300 concurrent logins with maybe 900 or so accounts created.

I'm not 100% familiar with US phone numbers, but I'm pretty sure (based 
on some messages I've intercepted) that the first two numbers are phone 

One of the messages we have observed (undelivered messages in ejabberd's 
spool table) had this as the content:

"if you wanna chat call me on xxx-xxx xxxx"  (where that number matches 
the first number in the body)

Other messages we've observed have content like the following:

"hey, wanna chat?"
"so this site how is it sorry I just clicked a pink circle randomly lol "
"I realize I don't know much about u cause u don't really have 
a profile up. But i'd like to get to know u better..."

makes it look very much like a dating/matchmaking app.

This gets us a bit closer - we probably have contact phone numbers for 
everyone running the app... just no idea who wrote it. If someone 
fancies a bit of phone-stalking, they could call one of those numbers 
and ask them what apps they're running on their phone... (I'm in NZ, and 
the wrong timezone, so it's not the easiest thing for me to arrange).

Although that might be a bit weird.

> I had 5,000 accounts registered on chatmask.com and about 1,000
> concurrent logins after which the server would block them. Banned all of
> them but they continue to try and log in but have stopped creating
> accounts. I personally think it is not a bot but some type of free
> messaging application as I captured some of the traffic and all it was
> is messages like this:
> [9:05 AM]	1273938324173lmc: 	8017038491:8016548939:2
> [9:05 AM]	1273938324173lmc: 	8017038491:8016548939:1:1
> [9:05 AM]	1273938324173lmc: 	8017038491:8016548939:1:1
> [9:05 AM]	1273938324173lmc: 	8017038491:8016548939:1:1
> [9:05 AM]	1273938324173lmc: 	8017038491:8016548939:0:what's up cutie
> All of the connections seem to send a keep alive message of 1 or 0 every
> second and after a while they connect to another account on the server
> and exchange messages or another server.
> I can see the accounts have been created on the following servers:
> jabber.linux.it
> jabber.cc
> jabber.no
> jabber.meta.net.nz
> I suggest someone try to send messages to the accounts they have logged
> in and see if they can get a response from the users so we can find out
> what app it is.
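Added example, not part of the original post or of ejabberd: a Python triage script showing how an operator could pick the app's accounts out of spooled message bodies, using the `number:number:code[:text]` shape visible in the capture quoted above. The JIDs, numbers and thresholds are constructed, and no meaning is assumed for the individual fields.

```python
import re
from collections import Counter

# Body shape seen in the quoted capture: two 10-digit fields, a numeric code,
# then optional colon-separated trailing text. Field meanings are not assumed.
APP_BODY = re.compile(r"^(\d{10}):(\d{10}):(\d+)(?::(.*))?$", re.DOTALL)

def parse_body(body):
    """Return (first, second, code, rest) if body has the app's shape, else None."""
    m = APP_BODY.match(body.strip())
    if not m:
        return None
    first, second, code, rest = m.groups()
    return first, second, int(code), rest

def suspect_accounts(messages, min_msgs=3, min_ratio=0.8):
    """messages: iterable of (sender_jid, body). Flag senders whose traffic is
    mostly app-shaped, so a person who pastes one such string is not flagged.
    min_msgs and min_ratio are assumed thresholds, to be tuned per server."""
    total, matched = Counter(), Counter()
    for sender, body in messages:
        total[sender] += 1
        if parse_body(body) is not None:
            matched[sender] += 1
    return sorted(
        s for s in total
        if total[s] >= min_msgs and matched[s] / total[s] >= min_ratio
    )

# Constructed sample rows (sender, body); JIDs and numbers are made up.
SAMPLE = [
    ("1273900000001abc@example.org", "5555550101:5555550102:2"),
    ("1273900000001abc@example.org", "5555550101:5555550102:1:1"),
    ("1273900000001abc@example.org", "5555550101:5555550102:1:1"),
    ("1273900000001abc@example.org", "5555550101:5555550102:0:hey: wanna chat?"),
    ("alice@example.org", "lunch at 12:30?"),
    ("alice@example.org", "5555550101:5555550102:2"),
    ("alice@example.org", "ok see you then"),
]

if __name__ == "__main__":
    for jid in suspect_accounts(SAMPLE):
        print(jid)
```

The per-sender ratio is what keeps an ordinary user who happens to send one matching string out of the result.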