Hi everybody.

I have recently been hit by some MSN Messenger spammers. Here is what happens. On my buddy list I have some buddies who haven't signed on for a long time. For example, my dad is one of my buddies. However, he switched to AIM a long time ago, and does not use his MSN IM account anymore. Recently, I saw him sign on, and I started getting messages from "him" in French or some other language. Also, a similar thing happened with some of my other buddies who did not sign on for a long time. Now, I know there were real people behind this, not just spambots, because the first time this happened, I thought they were my real buddies to whom I talked before. I started talking to them, and they played along for a while pretending to be the people who I thought they were. Eventually when I realized that they were fake, I blocked them, and changed my Trillian options (I use Trillian, and Gaim when in Linux) so only the people on my list could contact me.

What happened? Do you think that the people who have not signed on for a long time had their accounts taken over? Or did their accounts expire, and were taken over by the other users (who coincidentally all were spammers)? What do you think? I am also an expert in troubleshooting worms, hijacks, and other nasties. Want to know what other experts here think.


Hmm, it could be a virus. I would suspect the expired account, if I thought that your accounts can expire; I don't think they do. I think I am going to lean toward a virus. If you don't know how to read HJT logs, and if you want to see if there is anything in there, I will be happy to take a look at it for you.

I actually ran HJT before posting, and did not find anything suspicious. I know the spam was done by real people, because when I was talking to them they carried on a conversation. There is no way some clever program could have been talking to me the way it was talking.

What puzzles me is how did those spammers manage to mask as my buddies. By the way, I know my dad's password (I created an account for him). I tried to sign in as my dad using his password, and it now says password invalid. This seems to support the expiration theory, BUT if that's not the case, did somebody hack their accounts? Btw, I don't know if MSN IM accounts expire. I found somebody with the similar incident right here:


If it's been a real long time, it's very possible that MSN closed the account, and then someone re-opened it. I know for sure that if you don't log in for a long time, MSN will deactivate the account, and then you have to manually re-activate. Also, if you look into the MSN Messenger protocol, a little crafty programming can allow you to log in with an account you already have, and in some parts of the protocol, masquerade as another user. In this example:

MSG bob@passport.com Bob 89\r\n
MIME-Version: 1.0\r\n
Content-Type: text/x-msmsgscontrol\r\n
TypingUser: bob@passport.com\r\n\r\n

Which is also found in the above linked reference, it would be really easy to change the parameter in the MSG command, or the typinguser command. I do a lot of network programming (with sockets), and this is not only possible, but feasible. While I'm sure this is a rarity, and most likely (in my opinion) not the culprit of your situation, it is very possible. I think that the account expired, and was re-opened by someone else....
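[Added example, not part of the thread and not code from any MSN client: a receiver-side consistency check over the frame layout quoted in the post above, flagging frames where the account in the MSG command and the TypingUser header disagree. The function names, finding labels and sample frames (including alice@passport.com) are constructed for illustration.]

```python
def parse_msg_frame(raw: bytes):
    """Split 'MSG <account> <nick> <len>\\r\\n<payload>' into its parts."""
    head, sep, rest = raw.partition(b"\r\n")
    parts = head.decode("utf-8", "replace").split(" ")
    if not sep or len(parts) != 4 or parts[0] != "MSG" or not parts[3].isdecimal():
        raise ValueError("not a MSG frame")
    declared = int(parts[3])
    # Only the bytes covered by the declared length are treated as payload.
    header_block = rest[:declared].split(b"\r\n\r\n", 1)[0]
    headers = {}
    for line in header_block.split(b"\r\n"):
        name, colon, value = line.partition(b":")
        if colon:
            key = name.strip().lower().decode("utf-8", "replace")
            headers[key] = value.strip().decode("utf-8", "replace")
    return parts[1], declared, len(rest), headers


def check_frame(raw: bytes):
    """Return findings for one frame; an empty list means it is consistent."""
    sender, declared, available, headers = parse_msg_frame(raw)
    findings = []
    if declared != available:
        findings.append("length-mismatch")
    typing_user = headers.get("typinguser")
    # Account names are compared case-insensitively (assumption of this example).
    if typing_user is not None and typing_user.lower() != sender.lower():
        findings.append("typinguser-mismatch")
    return findings


def sample_frame(sender: str, nick: str, typing_user: str) -> bytes:
    """Constructed sample in the post's layout; the length is computed here."""
    payload = ("MIME-Version: 1.0\r\n"
               "Content-Type: text/x-msmsgscontrol\r\n"
               f"TypingUser: {typing_user}\r\n\r\n").encode()
    return f"MSG {sender} {nick} {len(payload)}\r\n".encode() + payload


if __name__ == "__main__":
    print(check_frame(sample_frame("bob@passport.com", "Bob", "bob@passport.com")))
    print(check_frame(sample_frame("bob@passport.com", "Bob", "alice@passport.com")))
```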

Wow, good find comatose. :)

Good find, I second that. I think that if MSN IM would let the accounts expire just like that, it would be disturbing. I mean imagine all the impersonations, frauds, and privacy violations that would occur? I mean a person x sends something to person y, however, it is being received by person z. OUTRAGE!!!