[Operators] Update on spammy invites

Maxim Ignatenko gelraen.ua at gmail.com
Thu Mar 21 14:03:58 UTC 2013


On 21 March 2013 13:44, Jesse Thompson <jesse.thompson at doit.wisc.edu> wrote:
> On 3/20/2013 6:09 PM, Peter Viskup wrote:
>> Did anybody performed some investigation and proved which servers are
>> used for these attacks and if all of them are IBR-enabled? I'm not aware
>> of anybody - didn't see list of the servers.
>
> Apparently not.

jabber.kiev.ua have IBR enabled and protected by CAPTCHA. But spam
accounts was registered through web-interface (also protected by
CAPTCHA). And it doesn't looked like they was fully automated: low
rate (one account in 2-3 minutes) and coming form only one IP (in case
of automated registrations I would expect them to come from different
IP and at much higher rate). And after blocking that one IP they
continued form another IP, like someone just switched to another
proxy.

Another pattern I noted: each spambot added exactly 300 gmail users to
it's roster.

-- 
Best regards,
Maxim


More information about the Operators mailing list