Dear Peter, Martin, Hal and the rest,
On 06/15/2010 11:31 PM, Peter Schwindt wrote:
> Martin (of hot-chilli.*) was the first to publicly (on jadmin-ML, about
> 2 weeks ago) mention a bunch of weird registrations. The accounts to be
> considered all look nearly the same: A posix timestamp + ("LOP" or
> "LMC") + server part (i.e. [email protected]). And there
> were lots of them. Right now I (administering jabber.ccc.de) see about
> 1k of them on my server.
>
> I did some serious sniffing, looked at some IPs, contacted Jeroen (of
> 12jabber.com and others) yesterday since I saw that some of the (bot?
> mmorpg?) accounts were talking to likewise accounts on his servers and
> later that day I compiled all the information I knew and put it on the
> jabber.ccc.de weblog (http://web.jabber.ccc.de/?p=183, unfortunately in
> German, if you need a translation I can provide it).

I had a similar incident recently, which I also investigated together with Martin. I operate a j2j transport (very few users) and noticed up to 50 messages/sec. All they did was join certain nimbuzz chatrooms and post hundreds of (very long, UTF-8 heavy) messages at the same time. Martin and I (and some other operator I don't remember who gave us hints) found out that this was some Indonesian network, but the purpose of it is still unclear.

The abuse stopped when we disallowed local requests, but I am sure (tried several times) that everything will be back up as soon as I re-enable it. This wasn't harmful (to our server, at least) in any way, but I guess it shows pretty well that we (all of us) have a problem we should take care of.

greetings, Mati

PS: I checked my server and it seems free of the accounts Peter Schwindt and Martin have.

--
I only read plain text mail!
I prefer pgp|gpg signed & encrypted mails!
