On 21 March 2013 13:44, Jesse Thompson <jesse.thomp...@doit.wisc.edu> wrote: > On 3/20/2013 6:09 PM, Peter Viskup wrote: >> Did anybody performed some investigation and proved which servers are >> used for these attacks and if all of them are IBR-enabled? I'm not aware >> of anybody - didn't see list of the servers. > > Apparently not.
jabber.kiev.ua have IBR enabled and protected by CAPTCHA. But spam accounts was registered through web-interface (also protected by CAPTCHA). And it doesn't looked like they was fully automated: low rate (one account in 2-3 minutes) and coming form only one IP (in case of automated registrations I would expect them to come from different IP and at much higher rate). And after blocking that one IP they continued form another IP, like someone just switched to another proxy. Another pattern I noted: each spambot added exactly 300 gmail users to it's roster. -- Best regards, Maxim
