Chinese Hunting Chinese Over POP3 In Fjord Country

Yes, you read that right: There is a coordinated effort in progress to steal Chinese-sounding users' mail, targeting machines at the opposite end of the Eurasian landmass (and probably elsewhere).

More specifically, here at bsdly.net we've been seeing attempts at logging in to the pop3 mail retrieval service using usernames that sound distinctively like Chinese names, and the attempts originate almost exclusively from Chinese networks.

This table lists the user names and corresponding real life names attempted so far:

Name	Username
Chen Qiang	chenqiang
Fa Dum	fadum
Gao Dang	gaodang
Gao Di	gaodi
Gao Guan	gaoguan
Gao Hei	gaohei
Gao Hua	gaohua
Gao Liu	gaoliu
Gao Yang	gaoyang
Gao Zhang	gaozhang
He An	hean
He Biao	hebiao
He Bing	hebing
He Chang	hechuang
He Chao	hechao
He Chen	hechen
He Cheng	hecheng
He Chun	hechun
He Cong	hecong
He Da	heda
He Di	hedi
He Die	hedie
He Ding	heding
He Dong	hedong
He Duo	heduo
He Fa	hefa
He Ging	heqing
He Guo	heguo
He Han	hehan
He Hao	hehao
He Heng	heheng
He Hui	hehui
He Jia	hejia
He Jian	hejian
He Jiang	hejiang
He Jie	hejie
He Jin	hejin
He Juan	hejuan
He Kai	hekai
He Kan	hekan
He Kong	hekong
He La	hela
He Le	hele
He Leng	heleng
He Li	heli
He Lian	helian
He Lie	helie
He Mu	hemu
He Niang	heniang
He Quan	hequan
He Ran	heran
He Sha	hesha
He Shan	heshan
He Shi	heshi
He Si	hesi
He Song	hesong
He Xiao	hexiao
He Yao	heyao
He Yi	heyi
He Yin	heyin
He Yu	heyu
He Yun	heyun
He Zeng	hezeng
He Zeng	hezhan
He Zhang	hezhangxxxx
He Zhe	hezhe
He Zheng	hezheng
He Zhi	hezhi
He Zhong	hezhong
He Zhuang	hezhuang
Li An	lian
Li Biao	libiao
Li Bin	libin
Li Bo	libo
Li Cheng	licheng
Li Chi	lichi
Li Chong	lichong
Li Chuang	lichuang
Li Chun	lichun
Li Da	lida
Li Deng	lideng
Li Di	lidi
Li Die	lidie
Li Ding	liding
Li Dong	lidong
Li Duo	liduo
Li Fa	lifa
Li Fang	lifang
Li Fen	lifen
Li Feng	lifeng
Li Gang	ligang
Li Gao	ligao
Li Guan	liguan
Li Guang	liguang
Li Hai	lihai
Li Ka	lika
Li Kai	likai
Li La	lila
Li Le	lile
Li Lei	lilei
Li Lin	lilin
Li Ling	liling
Li Liu	liliu
Li Long	lilong
Li Man	liman
Li Mei	limei
Li Mu	limu
Li Neng	lineng
Li Niang	liniang
Li Peng	lipeng
Li Pian	lipian
Li Qian	liqian
Li Qu	liqu
Li Rang	lirang
Li Ren	liren
Li Ru	liru
Li Sha	lisha
Li Shi	lishi
Li Shuai	lishuai
Li Shun	lishun
Li Si	lisi
Li Song	lisong
Li Tao	litao
Li Teng	liteng
Li Tian	litian
Li Ting	liting
Li Wang	liwang
Li Wei	liwei
Li Wen	liwen
Li Xiang	lixiang
Li Xing	lixing
Li Xiu	lixiu
Li Ying	liying
Li You	liyou
Li Ze	lize
Li Zeng	lizeng
Li Zheng	lizheng
Li Zhong	lizhong
Li Zhu	lizhu
Li Zhuang	lizhuang
Li Zhuo	lizhuo
Liang Min	liangmin
Liang Ming	liangming
Liang Qiang	liangqiang
Liang Rui	liangrui
Lin Chen	linchen
Lin Cheng	lincheng
Lin He	linhe
Lin Hua	linhua
Lin Huang	linhuang
Lin Neng	linneng
Lin Pian	linpian
Lin Qu	linqu
Lin Ru	linru
Lin Zhang	linzhang
Liu Bin	liubin
Liu Duo	liuduo
Liu Fang	liufang
Liu Han	liuhan
Liu Hao	liuhao
Liu Heng	liuheng
Liu Hong	liuhong
Liu Hui	liuhui
Liu Jia	liujia
Liu Jiang	liujiang
Liu Jiao	liujiao
Liu Ju	liuju
Liu Juan	liujuan
Liu Kai	liukai
Liu Kan	liukan
Liu Kang	liukang
Liu Ke	liuke
Liu Kong	liukong
Liu Lang	liulang
Liu Long	liulong
Liu Mu	liumu
Liu Nuo	liunuo
Liu Qin	liuqin
Liu Qing	liuqing
Liu Qiong	liuqiong
Liu Rong	liurong
Liu Sen	liusen
Liu Sha	liusha
Liu Shun	liushun
Liu Si	liusi
Liu Tian	liutian
Liu Wang	liuwang
Liu Wei	liuwei
Liu Xia	liuxia
Liu Xiu	liuxiu
Liu Yao	liuyao
Liu Yi	liuyi
Liu Ying	liuying
Liu Yu	liuyu
Liu Yuan	liuyuan
Liu Yun	liuyun
Liu Zhen	liuzhen
Liu Zheng	liuzheng
Liu Zhi	liuzhi
Liu Zun	liuzun
Lou Liu	luoliu
Lu Huang	lihuang
Luo Chang	luochuang
Luo Chen	luochen
Luo Cheng	luocheng
Luo Deng	luochi
Luo Deng	luodeng
Luo Di	luodi
Luo Dian	luodian
Luo Gao	luogao
Luo Guai	luoguai
Luo Hang	luohuang
Luo Hua	luohua
Luo Lie	luolie
Luo Neng	luoneng
Luo Pian	luopian
Luo Qi	luoqi
Luo Qin	luoqin
Luo Qing	luoqing
Luo Qu	luoqu
Luo Rong	luorong
Luo Ru	luoru
Luo Rui	luorui
Luo Shuang	luoshuang
Luo Ting	luoting
Luo Tong	luotong
Luo Wang	luowang
Luo Wei	luowei
Luo Yang	luoyang
Luo Ze	luoze
Song Chen	songchen
Song Cheng	songcheng
Song Chuang	songchuang
Song Da	songda
Song Deng	songdeng
Song Dian	songdian
Song Die	songdie
Song Fei	songfei
Song Fen	songfen
Song Gang	songgang
Song Gao	songgao
Song Guai	songguai
Song Guan	songguan
Song Guo	songguo
Song Hai	songhai
Song Han	songhan
Song Hang	songhang
Song He	songhe
Song Hei	songhei
Song Heng	songheng
Song Hu	songhu
Song Hua	songhua
Song Jia	songjia
Song Jiao	songjiao
Song Jie	songjie
Song Jin	songjin
Song Jing	songjing
Song Ka	songka
Song Kan	songkan
Song Kang	songkang
Song Kong	songkong
Song Lan	songlan
Song Le	songle
Song Lei	songlei
Song Lian	songlian
Song Liang	songliang
Song Liang	songliao
Song Liang	songliang
Song Liao	songliao
Song Lin	songlin
Song Liu	songliu
Song Meng	songmeng
Song Ming	songming
Song Mu	songmu
Song Nan	songnan
Song Neng	songneng
Song Ning	songning
Song Pian	songpian
Song Pin	songpin
Song Qi	songqi
Song Qiang	songqiang
Song Qing	songqing
Song Qiu	songqiu
Song Ran	songran
Song Rong	songrong
Song Rui	songrui
Song Sha	songsha
Song Shuai	songshuai
Song Shuang	songshuang
Song Song	songsong
Song Song Jun	songsongjun
Song Tao	songtao
Song Teng	songteng
Song Wang	songwang
Song Wei	songwei
Song Xi	songxi
Song Xia	songxia
Song Xiu	songxiu
Song Ya	songya
Song Yang	songyang
Song Yong	songyong
Song You	songyou
Song Yuan	songyuan
Song Yue	songyue
Song Yun	songyun
Song Zhe	songzhe
Song Zhen	songzhen
Song Zheng	songzheng
Song Zhuang	songzhuang
Tan Qian	tangqian
Tang Bing	tangbing
Tang Chi	tangchi
Tang Chong	tangchong
Tang Chuang	tangchuang
Tang Cong	tangcong
Tang Di	tangdi
Tang Dian	tangdian
Tang Duo	tangduo
Tang Fa	tangfa
Tang Fan	tangfan
Tang Fang	tangfang
Tang Fei	tangfei
Tang Fen	tangfen
Tang Feng	tangfeng
Tang Gang	tanggang
Tang Guai	tangguai
Tang Guan	tangguan
Tang Guang	tangguang
Tang Guo	tangguo
Tang Han	tanghan
Tang Hao	tanghao
Tang Hei	tanghei
Tang Heng	tangheng
Tang Hong	tanghong
Tang Hu	tanghu
Tang Hui	tanghui
Tang Jie	tangjie
Tang Jin	tangjin
Tang Jing	tangjing
Tang Ju	tangju
Tang Ka	tangka
Tang Kai	tangkai
Tang Kan	tangkan
Tang Kang	tangkang
Tang Ke	tangke
Tang Kong	tangkong
Tang La	tangla
Tang Lang	tanglang
Tang Le	tangle
Tang Leng	tangleng
Tang Li	tangli
Tang Lian	tanglian
Tang Lie	tanglie
Tang Lin	tanglin
Tang Ling	tangling
Tang Liu	tangliu
Tang Long	tanglong
Tang Mei	tangmei
Tang Mo	tangmo
Tang Mu	tangmu
Tang Neng	tangneng
Tang Niang	tangniang
Tang Nuo	tangnuo
Tang Peng	tangpeng
Tang Pian	tangpian
Tang Ping	tangping
Tang Qian	tangqian
Tang Qin	tangqin
Tang Qu	tangqu
Tang Quan	tangquan
Tang Quing	tangqing
Tang Rang	tangrang
Tang Ren	tangren
Tang Ru	tangru
Tang Ruan	tangruan
Tang Rui	tangrui
Tang Sen	tangsen
Tang Sha	tangsha
Tang Shan	tangshan
Tang Shi	tangshi
Tang Shun	tangshun
Tang Song	tangsong
Tang Tang Jun	tangtangjun
Tang Tao	tangtao
Tang Tian	tangtian
Tang Tian	tangyan
Tang Wei	tangwei
Tang Xi	tangxi
Tang Xia	tangxia
Tang Xing	tangxing
Tang Xiong	tangxiong
Tang Yan	tangyan
Tang Yang	tangyang
Tang Yao	tangyao
Tang Yi	tangyi
Tang Ying	tangying
Tang Yong	tangyong
Tang You	tangyou
Tang Yue	tangyue
Tang Yun	tangyun
Tang Ze	tangze
Tang Zeng	tangzeng
Tang Zhang	tangzhang
Tang Zhe	tangzhe
Tang Zhen	tangzhen
Tang Zun	tangzun
Xie An	xiean
Xie Bin	xiebin
Xie Bo	xiebo
Xie Chao	xiechao
Xie Cong	xiecong
Xie Da	xieda
Xie Di	xiedi
Xie Dian	xiedian
Xie Die	xiedie
Xie Ding	xieding
Xie Dong	xiedong
Xie Duo	xieduo
Xie Fang	xiefang
Xie Fei	xiefei
Xie Feng	xiefeng
Xie Gang	xiegang
Xie Gao	xiegao
Xie Guai	xieguai
Xie Guan	xieguan
Xie Hai	xiehai
Xie Hang	xiehang
Xie Heng	xieheng
Xie Heng	xieneng
Xie Heng	xieheng
Xie Heng	xieneng
Xie Hong	xiehong
Xie Hu	xiehu
Xie Hui	xiehui
Xie Jia	xiejia
Xie Jian	xiejian
Xie Jiang	xiejiang
Xie Jiao	xiejiao
Xie Jie	xiejie
Xie Jing	xiejing
Xie Ju	xieju
Xie Kai	xiekai
Xie La	xiela
Xie Leng	xieleng
Xie Liang	xieliang
Xie Lie	xielie
Xie Lin	xielin
Xie Ling	xieling
Xie Long	xielong
Xie Man	xieman
Xie Meng	xiemeng
Xie Min	xiemin
Xie Ming	xieming
Xie Na	xiena
Xie Niang	xieniang
Xie Peng	xiepeng
Xie Pian	xiepian
Xie Pin	xiepin
Xie Qi	xieqi
Xie Qing	xieqing
Xie Qiong	xieqiong
Xie Qiu	xieqiu
Xie Qu	xiequ
Xie Quan	xiequan
Xie Ran	xieran
Xie Ruan	xieruan
Xie Rui	xierui
Xie Sha	xiesha
Xie Shuang	xieshuang
Xie Si	xiesi
Xie Tao	xietao
Xie Ting	xieting
Xie Tong	xietong
Xie Wei	xiewei
Xie Wen	xiewen
Xie Xi	xiexi
Xie Xiang	xiexiang
Xie Xin	xiexin
Xie Xing	xiexing
Xie Xiu	xiexiu
Xie Ya	xieya
Xie Yi	xieyi
Xie Yin	xieyin
Xie Ying	xieying
Xie Yong	xieyong
Xie Yu	xieyu
Xie Yue	xieyue
Xie Zeng	xiezeng
Xie Zhan	xiezhan
Xie Zhang	xiezhang
Xie Zhe	xiezhe
Xie Zhuo	xiezhuo
Zheng Nan	zhengnan

That list of some 493 names is up to date as of this writing, 2016-08-23 early evening CEST. A few more turn up with the bursts of activity we have seen every day since June 19th, 2016.

A possibly more up to date list is available here. That's a .csv file, if that sounds unfamiliar, think of it as a platform neutral text representation (to wit, "Comma Separated Values") of a spreadsheet or database -- take a peek with Notepad.exe or similar if you're not sure. I'll be updating that second list along with other related data at quasi-random intervals as time allows and as long as interesting entries keep turning up in my logs.

If your name or username is on either of those lists, you would be well advised to change your passwords right now and to check breach notification sites such as Troy Hunt's haveibeenpwned.com or breachalarm.com for clues to where your accounts could have been compromised.

That's your scoop for now. If you're interested in some more background and data, keep reading.

If you are a regular or returning reader of this column, you are most likely aware that I am a Unix sysadmin. In addition to operating and maintaining variuos systems in my employers' care, I run a small set of servers of my own that run a few Internet-facing services for myself and a small circle of friends and family.

For the most part those systems are roundly ignored by the world at large, but when they are not, funny, bizarre or interesting things happen. And mundane activities like these sometimes have interesting byproducts. When you run a mail service, you are bound to find a way to handle the spam people will try to send, and about ten years ago I started publishing a blacklist of known spamming hosts, generated from attempts to deliver mail to a slowly expanding list of known bad, invalid, never to be deliverable addresses in the domains we handle mail for.

After a while, I discovered that the list of spamtrap addresses (once again, invalid and destined never to be deliverable, ever) had been hilariously repurposed: The local parts (the string before the @ or 'at sign') started turning up as usernames in failed attempts to log on to our pop3 mail retrieval service. That was enough fun to watch that I wrote that article, and for reasons known only to the operators of the machines at the other end, those attempts have never stopped entirely.

These attempts to log in as our imaginary friends is a strong contender for the most bizarre and useless activity ever, but when those attempts were no longer news, there was nothing to write about. The spamtrap login attempts make up sort of a background noise in the authentication logs, and whenever there is an attempt to log in as a valid user from somewhere that user is clearly not, the result is usually that an entire network (whatever I could figure out from whois output) would be blocked from any communication with our site for 24 hours.

There are of course also attempts to log in as postmaster, webmaster and other IDs, some RFC mandated, that most sites including this one would handle as aliases to make up the rest of the background noise.

Then recently, something new happened. The first burst looked like this in my logs (times given in local timezone, CEST at the time):

Jun 19 06:14:58 skapet spop3d[37601]: authentication failed: no such user: lilei - 59.54.197.34
Jun 19 06:15:01 skapet spop3d[46539]: authentication failed: no such user: lilei - 59.54.197.34
Jun 19 06:15:03 skapet spop3d[8180]: authentication failed: no such user: lilei - 59.54.197.34

-- and so on, for a total of 78 attempts to log in as the non-existing user lilei, in the space of about five minutes. A little later, a similar burst of activity came for the user name lika:

Jun 19 14:11:30 skapet spop3d[68573]: authentication failed: no such user: lika - 182.87.253.48
Jun 19 14:12:22 skapet spop3d[22421]: authentication failed: no such user: lika - 182.87.253.28
Jun 19 14:12:26 skapet spop3d[7587]: authentication failed: no such user: lika - 182.87.253.28
Jun 19 14:12:30 skapet spop3d[16753]: authentication failed: no such user: lika - 182.87.253.28

and so on, for a total of 76 attempts. Over the next few days I noticed an uptick in failed pop3 access attempts that were not for valid users and did not match any entry on our spamtraps list. Still, those attempts were for users that do not exist, and would produce no useful result so I did not do anything much about them.

It was only during the early weeks of July that it struck me that the user name attempted here

Jul  8 12:19:08 skapet spop3d[54818]: authentication failed: no such user: lixing - 49.87.78.12
Jul  8 12:19:28 skapet spop3d[1987]: authentication failed: no such user: lixing - 49.87.78.12
Jul  8 12:19:37 skapet spop3d[70622]: authentication failed: no such user: lixing - 49.87.78.12
Jul  8 12:19:49 skapet spop3d[31208]: authentication failed: no such user: lixing - 49.87.78.12

(a total of 54 attempts for that user name) might actually be based on the name of a Chinese person. "Li Xing" sounded plausible enough as a possible real person. It's perhaps worth noting that at the time I had just finished reading the first two volumes of Cixin Liu's The Three Body Problem, so I was a bit more in tune than usual with what could be plausible Chinese names than I had been. (And yes, the books are very much to my taste and I have the yet unpublished translation of the third volume on pre-order.)

Unsurprisingly, a quick whois lookup revealed that the machines that tried reading the hypothetical person Li Xing's mail all had IP addresses that belonged to Chinese networks.

Once I realized I might be on to a new pattern, I went back over a few days' worth of failed pop3 login attempts and found more than a handful of usernames that looked like they could be based on Chinese names. Checking the whois data for the IP addresses in those attempts, all turned out to be from Chinese networks.

That was in itself an interesting realization, but a small, random sample does not make for proof. In order to establish an actual data set, it was back to collecting data and analysing the content.

First, collect all log data on failed pop3 attempts for a long enough period that we have a reasonable baseline and can distinguish between the background noise and new, exciting developements.

The file bigauthlog is that collection of data. Digging through my archives going back in time, I stopped at January 16, 2016 for no other reason than this would be roughly six months' worth of data, probably enough to give a reasonable baseline and to spot anomalies.

If you've read the previous columns, you will be familiar with the scripts that produce various text and CSV reports from log data input: A text report of user names by number of access attempts, a CSV dump of the same, with first and last spotted, a text report of hosts attempting access, sorted by number of attempts, a CSV dump of the same, with first and last seen dates as for the user names.

But what I wanted to see was where the login attempts were coming from for which usernames, so I started extracting the unique host to username mappings. For each entry in this CSV file, there is a host and a user name it has tried at least once (if you import that somewhere, make sure you mark the Username column as text -- LibreOffice Calc at least becomes confused when trying to parse some of those strings). The data also records whether that particular username was part of the spamtrap database at the time. If you want to do that particular check on your own greytrapping database, any matching output from

$ doas spamdb | grep -i username@

on your greytrapper box will mean it is in your list. And then finally for each entry there is the expected extract from available whois info: network address range, the network name and the country.

The most useful thing to do with that little database is to play with sorting on various fields and field combinations. If you sort on the "In spamtraps" field, the supposed Chinese names turn up with "No"s, along with a few more random-seeming combinations.

While I was building the data set I decided to add those new usernames with @bsdly.net appended to the spamtraps, and this is what finally pushed the number of spamtraps past the 30,000 mark.

Just browsing the data or perhaps sorting by IP address will show you that the pop3 gropers are spread across a large number of networks in a number of countries and territories with numbers roughly in proportion to the size of that country or territory's economy. Some, such as a particular Mexican ISP and cable TV operator stand out as being slightly over-represented, and as expected networks in the US and China stand for a large number of the total.

If you sort on the In spamtraps field, you will see that a large number of the entries that were not in the spamtraps are the ones identified as Chinese personal names, but not all. Some of the No entries are the RFC mandated mailboxes, some are aliases that are in use here for other reasons, and finally more than a handful that would fit the general description of the rest of the spamtraps: Strings superficially resembling personal names or simply random strings. These may be parts of the potential spamtraps I missed while fishing  spamtrap candidates out of logfiles some time over the decade of weirdness that has gone into maintaining the spamtraps list.

But if you sort the data primarily on the fields Name, Country, and if you like IP address and User name, you will see that as anticipated the attempts on Chinese-sounding user names come exclusively from Chinese networks, except only the "Fa Dum" (fadum) user, which appears to have been attempted only twice (on June 6th) from an IP address registered in the USA and may very well be a misclassification on my part. That particular sorting, with duplicates removed, is the origin of the list of names and usernames given earlier in this article and this CSV file.

Now that we have established that the attempts at Chinese user names come exclusively from Chinese networks, the next questions become: Who are the cyber criminals behind this activity, and what are their motivations? And why are they bothering with hosts in faraway Europe to begin with?

For the first question, it is hard to tell from this perch, but whoever runs those attempts apparently have the run of large swathes of network real estate and seem to not take any special care not to be detected, other than of course distributing the attempts widely across the network ranges and coming in only in short bursts.

So are those attempts by, let us say the public sector, to steal political dissidents' email? Or perhaps, still with a public sector slant, simply hunting for any and all overseas assets belonging to Chinese nationals? Or are we simply seeing the activities of Chinese private sector cyber criminals who are trying out likely user names wherever they can find a service that listens?

Any of all of these things could be true, but in any case it's not unlikely that what we are seeing somebody trying to find new places where username and password combinations from a recent breach might work. After all, username and password combinations that have been verified to work somewhere are likely worth more on the market than the unverified ones.

Looking at the log entries, there are sequences there that could plausibly have been produced by humans typing at keyboards. Imagine if you please vast, badly lit and insufficiently ventilated Asian cyber-sweatshops, but I would not be too surprised to find that this is actually a highly automated operation, with timing tuned to avoid detection.

Security professionals have been recommending that people stop using the pop3 protocol since as long as I care to remember, but typing "pop3" into shodan.io still produces a whopping 684,291 results, meaning that the pop3 service is nowhere near as extinct as some would have preferred.

The large number of possible targets is a likely explanation for the burstiness of the activity we are seeing: with that many hosts to cover, the groping hosts will need to set up some sort of rotation, and in addition there is the need to stay below some volume of traffic per host in order to avoid detection. This means that what any one site sees is only a very small part of the total activity. The pop3 hunt for Chinese users is most likely not exclusive to the fjord country.

If you run a pop3 service, please do yourself a favor and check your setup for any weaknesses including any not yet applied updates, as you were about to do anyway. Once you've done that, take some moments to browse your logs for strange looking login attempts.

If you find something similar to what I've reported here, I would like to hear from you. Please note that at least one of the pop3 deaemons out there by default does not report the username for failed authentication attempts but notes that the username was unknown instead. Anyway, your war stories will be appreciated in email or comments.

If your name or username appears in the table at the start of this article or in this CSV file, please start checking for unusual activity involving your accounts and start changing passwords right away. Ask your service providers if they offer more secure alternatives, and if they do, consider using these alternatives. And as I mentioned earlier, do check breach notification sites such as haveibeenpwned.com or breachalarm.com for clues to help find out whether your data could be at risk in any of the services you do use. And of course, feedback in comments or email is welcome.

And finally, if you have information on one or more breaches that may have been the source of this list of likely Chinese user names, I'd like to hear from you too.

Good night and good luck.

---

Update 2016-10-15: The attempts at logging in with Chinese-sounding user names from hosts in Chinese networks became incrementally less frequent over time, and seem to have stopped entirely in early October 2016.

The final entry is this one, from October 6:

Oct  6 18:11:23 skapet spop3d[97769]: authentication failed: no such user: maxiang - 114.99.9.152

That is, an attempt from the IP address range assigned to the Chinanet Anhui province network, for the user name maxiang which may very well map to Ma Xiang (or Xiang Ma) as a person's name.

During the months they were active, the robots or sweatshops in the Chinese networks tried a total of 957 distinct user names, from 3794 distinct hosts for a total of 3998 host-username combinations.

Although the number of failed pop3 attempts have now fallen to almost none (bar a treesome of persistent miscreants in the Quasi Networks, Seychelles IP address range), I will make an effort to publish updates to the data at not too infrequent intervals. You are of course free to use the data in your own analyses, as long as reasonable credit is given for the data collection. If you're unsure what that means, please contact me directly (the address in the whois information works).

Update 2016-12-07: Even though the campaign that prompted me to write this article has ended or moved its attention elsewhere, I do update the data occasionally. Returning readers may be happy to hear about a slight enhancement in presentation of the data: Startiing with today's edition, I've added an 'Attempts'  column to the main .csv file, denoting the number of attempts for each host-username pair.

Update 2017-02-08: Another round of attempts at usernames that are likely Chinese user names started on February 8th, 2017.

The first few hours brought the following user names, with the likely corresponding real life name in the second column:

Name	Username
Luo Chun	luochun
Luo Fa	luofa
Luo Feng	luofeng
Luo Hai	luohai

These names have been added to the full data as well as the 2017-only portion. The log file (2016 and 2017 version or 2017-only data) contains the entries starting at Feb  8 15:26:45 (times are CET local time). It will be interesting to see how long this cycle lasts. Look for updates to the data at irregular but hopefully frequent intervals.

If you are seeing similar activity, I would like to hear from you, in comments or (these most recent attempts all originate in the 49.64.0.0/11 network (range 49.64.0.0 - 49.95.255.255, also known as  CHINANET-JS or the CHINANET jiangsu province network). The previous cycle involved several distinct Chinese networks, and as we all know, stretched over several months of low intensity activity.

---

I would like to thank Tore Nordstrand and Øystein Alsaker for valuable input on various aspects of this article.
The data referenced in this article will likely be updated on a roughly daily basis while the Chinese episode lasts. You can fetch them from the links in the article or from this directory, which also contains some trivial data extraction and data massaging scripts I use. If you find any errors or have any concerns, please let me know.