Amazon-owned video streaming site Twitch is taking a scorched earth approach in an effort to find out who is behind a “malicious spam bot”. The bots flood streamers’ public chats with offensive, repetitive messages that have sometimes rendered their channels “unusable.”
Twitch says the bots posted an average of 34 messages per minute as of Feb. 24, bombing some channels at up to 700 per minute. Twitch says the attacks are “undermining its brand” – so far it has reached about 1,000 channels with more than 150,000 spam messages that are racist and homophobic. Other posts, which were no match for Twitch’s AutoMod tool to prevent such attacks, have related to sexual harassment and provoking child sex.
Twitch, which considers itself the “leading video platform and community for gamers,” says it traced the attacks to Chatsurge.net, which offers spambot attacks for sale. From there, Twitch researchers believe the culprit is associated with the email address of email@example.com and a Shaw Communications IP address of 188.8.131.52 in Coquitlam, British Columbia. In addition, Twitch believes a PayPal account is linked to the email firstname.lastname@example.org, court documents show.
Twitch said in a petition (PDF) to British Columbia courts last week that it “cannot find any additional identifying information.” The site wants the court to order the release of a huge amount of information.
For starters, Twitch wants Shaw to produce any identifying information about the customer associated with the 184.108.40.206 IP address. Twitch also wants an order for PayPal to hand over identifying information “from the customer associated with Chatsurge.net, email@example.com or firstname.lastname@example.org.”
As for the web optimization service Cloudflare, in which the lawsuit alleges that Chatsurge.net is a customer, Twitch wants Clouflare to expose identifying information related to that alleged relationship. Twitch makes the same request to WhoisPrivacy and WhoisGuard to disclose ownership of the Chatsurge.net domain, in addition to the Dongcorp.org domain. The domain Dongcorp.org refers to a contact email address on the Chatsurge homepage.
In addition, Twitch claims that all of these companies are “involved in the spam bot attacks,” including WhoisPrivacy and WhoisGuard because they “provide the perpetrator with a means of wearing the cloak of anonymity to commit this malicious behavior.”
Twitch said it spent hundreds of hours investigating the attacks.
In the course of the investigation, Twitch also found that the attacker was broadcasting himself while working on his bot software. Very shortly after the broadcast, Chatsurge.net was updated to offer that software. The attacker was associated with a Shaw IP address, 220.127.116.11. This IP address is located in Coquitlam, BC, Canada, and the perpetrator of the spambot attacks is believed to be in the same location as this IP address.
The PayPal account associated with Chatsurge.net uses the email address email@example.com.
Twitch says it is entitled to the information, among other things, because the person behind the spam bots is violating the company’s terms of service.