Hi all,
I run jabber.meta.net.nz, and I've just gotten round to investigating
the sudden spike in registered users we had last month, and I found this
thread (really should have been on this list already). We seem to have
around 300 concurrent logins with maybe 900 or so accounts created.
I'm not 100% familiar with US phone numbers, but I'm pretty sure (based
on some messages I've intercepted) that the first two numbers are phone
numbers.
One of the messages we have observed (undelivered messages in ejabberd's
spool table) had this as the content:
"if you wanna chat call me on xxx-xxx xxxx" (where that number matches
the first number in the body)
Other messages we've observed have content like the following:
"hey, wanna chat?"
"so this site how is it sorry I just clicked a pink circle randomly lol "
"I realize I don't know much about u cause u don't really have
a profile up. But i'd like to get to know u better..."
This makes it look very much like a dating/matchmaking app.
This gets us a bit closer - we probably have contact phone numbers for
everyone running the app... just no idea who wrote it. If someone
fancies a bit of phone-stalking, they could call one of those numbers
and ask them what apps they're running on their phone... (I'm in NZ, and
the wrong timezone, so it's not the easiest thing for me to arrange).
Although that might be a bit weird.
I had 5,000 accounts registered on chatmask.com and about 1,000
concurrent logins, after which the server would block them. I banned all
of them, but they continue to try to log in, although they have stopped
creating accounts. I personally think it is not a bot but some type of
free messaging application, as I captured some of the traffic and it was
all messages like this:
[9:05 AM] 1273938324173lmc: 8017038491:8016548939:2
[9:05 AM] 1273938324173lmc: 8017038491:8016548939:1:1
[9:05 AM] 1273938324173lmc: 8017038491:8016548939:1:1
[9:05 AM] 1273938324173lmc: 8017038491:8016548939:1:1
[9:05 AM] 1273938324173lmc: 8017038491:8016548939:0:what's up cutie
All of the connections seem to send a keep-alive message of 1 or 0 every
second, and after a while they connect to another account on the server
and exchange messages or another server.
I can see the accounts have been created on the following servers:
jabber.linux.it
jabber.cc
jabber.no
jabber.meta.net.nz
I suggest someone try to send messages to the accounts they have logged
in and see if they can get a response from the users so we can find out
what app it is.
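
Added example, not part of the original posts and not code from any of the server operators: one way to pick these accounts out of an exported message log, by matching the body shape seen in the captured traffic above and flagging senders whose messages are almost all of that shape. The field names (first, second, flag, payload), the thresholds and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the layout quoted in the thread; names and numbers are made up.
SAMPLE = """\
[9:05 AM] 1000000000001abc: 5555550101:5555550102:2
[9:05 AM] 1000000000001abc: 5555550101:5555550102:1:1
[9:05 AM] 1000000000001abc: 5555550101:5555550102:1:1
[9:05 AM] 1000000000001abc: 5555550101:5555550102:0:hello there
[9:06 AM] alice: lunch at 12:30? call 5555550199:ext 2
"""

LINE_RE = re.compile(r"^\[(?P<time>[^\]]+)\]\s+(?P<sender>\S+?):\s(?P<body>.*)$")
# Field names are assumptions: only the shape <10 digits>:<10 digits>:<digit>[:<rest>] is known.
BODY_RE = re.compile(r"^(?P<first>\d{10}):(?P<second>\d{10}):(?P<flag>\d)(?::(?P<payload>.*))?$")

def parse_line(line):
    """Return (sender, fields); fields is None for ordinary chat, result is None if unparsable."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    body = BODY_RE.match(m["body"])
    return m["sender"], (body.groupdict() if body else None)

def summarize(text):
    """Per-sender totals, pattern matches, numbers seen and free-text payloads."""
    stats = defaultdict(lambda: {"total": 0, "matched": 0, "numbers": set(), "text": []})
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        sender, fields = parsed
        s = stats[sender]
        s["total"] += 1
        if fields:
            s["matched"] += 1
            s["numbers"].update((fields["first"], fields["second"]))
            # A payload that is not a bare digit carries user-visible text.
            if fields["payload"] and not fields["payload"].isdigit():
                s["text"].append(fields["payload"])
    return dict(stats)

def flag_senders(stats, min_msgs=3, min_ratio=0.8):
    """Accounts whose traffic is dominated by the structured pattern."""
    return sorted(a for a, s in stats.items()
                  if s["matched"] >= min_msgs and s["matched"] / s["total"] >= min_ratio)

if __name__ == "__main__":
    print(flag_senders(summarize(SAMPLE)))
```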