Archive for January, 2005

Sent abuse mail to

Monday, January 24th, 2005

I sorted the spammer’s accesses alphabetically, to find favorite proxies.

Here are some I sent abuse mail to:

211.24.161.10
211.24.161.11
Belongs to the IP range of this ISP in Malaysia:
http://www.time.net.my/

213.167.97.194
Belongs to
Lyse Tele, Stavanger, Norway
I called them, and a few other Norwegians harboring open proxies. What I found was that I needed to tell the person I was talking to from the start what I was doing (I’m a blogger, and I chase spammers, and while doing that, I found a list of Norwegian open proxies that I’d like to have closed), or they got suspicious and clammed up. I called some Swedes too, and they were a lot nicer, actually. Weird…

66.237.84.20
66.237.84.20.ptr.us.xo.net
Abuse mail sent

And the machines in Bahrain keep spamming. They have not been secured yet.

The identity of the comment spammer

Monday, January 24th, 2005

I think I need to make another post with the short version and some keywords.

As best as I can tell, the identity of the comment spammer is a set of twins in Bulgaria.

twins hyphen bg dot com

Last name Zahariev.

They have a Bulgarian and a US website for an affiliate network program, and I suspect they’re behind all comment spam perpetrated with a UA containing: NT 5.2, and a few UAs before that.

To recap, they’re behind the fake whois personas:
Jane Phill
Thomas Reece
Jakayla Jalyn
Drake Sandra
Sandra Drake
Gregory Tristin
John Coleman
John Grisham
Monica Stanes
Rogelio Victor
Trevin Madisyn

They’ve been at the comment spamming for a long time.

See one of the posts below for the whole story on how I figured out how the circumstantial evidence points to them.

A new spammer, to me

Sunday, January 23rd, 2005

I just got a spam comment in my moderation queue. It’s entered by someone using a regular browser, and searching the French version of Google for:
blog “post a comment”

UA: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; KITV4.7 Wanadoo; i-NavFourF; .NET CLR 1.1.4322)

E-mail sent to the Abuse department of Wanadoo.

———–

Heh, I got an access coming in from a Yahoo search for:
blog submitter

Fairly tenacious surfer. My blog was on the 14th page of the results! I wonder if this is a wannabe spammer?

The IP number was from Israel.

Stuff from old logs, and from today

Sunday, January 23rd, 2005

I finally got around to checking my old logs. I’ve been assuming that our current spammer has been with us for months, so I expected to see the same outfit even months ago. After all, it was a persistent texas holdem spammer that caused me to abandon B2 because it lacked tools for monitoring comments.

I found some accesses I found weird. The referrer was:
http://12.163.72.13/
This was consistent during the last half of October 2004, and it tried accessing the B2 comment script (already removed). He was already using bots.

In fact, for those looking for those critters, there’s a HUGE subculture scanning for and keeping track of them. Here’s a forum you may want to check out. Please admins, check this out and tell me if you want to keep having open proxies on your servers?

I found a bot I hadn’t noticed before. Going for my old comments script a few days too late. UA: Mozilla/8.0
Check this Webmasterworld discussion. However, I have heard of real Mozilla/8.0 browsers. I would think they’d have more details on the OS, though.

I may have found the spammer!

Sunday, January 23rd, 2005

My most prolific spammer from months ago used the e-mail address top@tredgf.com, and was the first texas holdem spammer I saw. The UA was usually: Jakarta Commons-HttpClient/2.0alpha3.

He was active at least from June 1st 2004. He would use the same IP address for long stretches of time. I’ll do a rundown of them later on. The whois info on the domains would (for some searches I did) go back to John Grisham (remember him?). Here’s a post about that from Online Confessional from September 2004. What’s interesting about that John Grisham, is that he occasionally uses the phone number 888-800-8457 which is associated with an affiliate network software provider. The phone number on the whois record in Online Confessional is fake. The address provided on the whois record today is that of an attorney. Down to the Suite number.

I was researching a poker site that’s still active, and went to see the partner sites. And MySQL barfed. That netted me the user name of that site!!! tzahariev at 66.154.52.84 (website address on request only, I don’t want to give him more attention). The whois info goes back to:

owner-address: Peter Kovach
owner-address: Simeon 504 GH
owner-address: 3423
owner-address: Prague
owner-address: Czech Republic
owner-phone: +420.23622345
owner-fax: +420.23622345

But the real goldmine was a google search for tzahariev. It turned up the same MySQL error on a gb.com site and a few others. Actually, referring to the same site I started with! That might be one of the mother sites of some of the sites spammed lately. Which means I have shown a connection between the spammer from months ago and the current spamming outfit.

I turned up bidding history for a domain name.

I even found an e-mail address on a spammy domain: tzahariev@hotmail.com, though I found that connected to another name: Peter Madson. Tzahariev wrote a review for the same affiliate program software I mentioned earlier.

I saw a few spams by him, with wording like this:

“hey grendal, it’s Zahariev here!”
One was as late as November 2004.

One Iavor Zahariev has been named as a spammer before. The domain name has different whois info today… But the e-mail address in the old info still belongs to him, now with spelling Ivo Zahariev. There’s also a Yavor Zahariev, who may be the twin of Ivor (hmm, not one spammer but two?). They have a website that includes the meta description: Twins creates Web sites, Web-enabled database applications, Affiliate Software, Shopping Carts. One of their “clients” is that same affiliate network software site…

Here’s a snippet from their site:

15 april 2003
Twins pioneered affiliate marketing in Bulgaria, and today runs the largest pay for performance affiliate marketing service www.mypartners.net. The network is a thriving marketplace where top online sellers of goods and services form mutually beneficial business partnerships with tens and tens of thousands of unique, qualified affiliates.

UPDATE: I just found a link at the bottom of their site. It’s a link for one-cialis, which is the name of one of the servers used in a prior spamrun I found on the net. It was also used as the admin e-mail address in whois for many other spammy domains. One more nail in their coffin.

And, in this case, since I may have found the hub of the spammer’s lair, I’ll give you the website address:
twins hyphen bg dot com

I guess it’s time to start looking at Bulgaria in terms of spam laws and public opinion?

Here’s an article by Elena Kodinova

More about the Bulgarians

The domains’ prior life

Sunday, January 23rd, 2005

I did some searches on Google groups for some of the domains I caught in my referrer log. Two were sites for game cheats, mentioned in posts from 1999 and 2003.

I didn’t find any posts from the e-mail abuse groups, which means this particular spammer is most likely not using e-mail as a method to deliver spam.

Typekey enabled

Sunday, January 23rd, 2005

I’ve enabled Typekey commenting. I wasn’t aware it didn’t work. Had put my user name in the field, instead of the token… But now it’s fixed!

Verio update

Saturday, January 22nd, 2005

Verio’s box is still operational. I still find some of the spammy domains pinging that box.

I think we need to collect all the domains we know are on that box, and e-mail Verio, insisting that those websites, and any reseller account they’re connected to, be shut down.

I was looking for a program that did batch DNS lookups, from host name to IP address. Just found one: NSbatch. What I do is that I grep my log file for any UA containing NT 5.2, then exclude any line including annelisabeth.com. Exclude Google as well, while you’re at it. Then take the results and put them into Word. Convert to table, using for instance " as the separator. Remove all the columns except that including the referrer. Then sort alphabetically and convert back to text. I usually remove the identical lines, but that’s not necessary. Finally save in a text file and use as input to NSBatch.

I did just that with all the referrer spam in my log. And I found some domains currently without an IP number, a few sites still at the Verio box, and the rest divided between 64.234.220.141 and 219.150.118.16.

Oh, and one oddity I found was that one subdomain of fidelityfunding was hosted on the Verio box, while another was on 219.150.118.16.

———-

I was reading Reid’s article and the comments. Very interesting reading.

Especially Gary’s argument about referrer spam possibly not being against the AUP. I was thinking along those same lines. I.e., is anyone going to complain about me finding blogs commenting on this issue, then commenting and leaving a link to my blog?

And the answer is, it’s very different.

When I do that, I’m commenting on topic. Often pointing out that the owner of the blog is gloating too soon about a spammer’s cancelled site. I never leave my link unless I’m commenting on topic.

And I never leave my referrer in someone’s log, unless someone clicked on a link on my site, thus naturally putting that referrer in the recipient site’s log.

The spammy sites never have links to me. They spam via a piece of software created for that purpose alone. So this is a different animal.

But, that being said, how easy would it be for a spammer to fool a hosting company? Probably not very hard. So far, I’ve virtually always been met with one response when I’ve talked to admins about this: They think it’s e-mail spam. Sometimes I’ve been asked to include e-mail headers, and sometimes I’ve been told it’s not possible - their server is not an open relay. The concepts involved in this issue are not well known.

What we need is an outcry strong enough, so that admins will hear about it, same as they eventually did with open relays. And to get there, we may have to organize better than we have until now.

A site dealing with at least three topics would be good: comment spamming, referrer spamming and open proxies. I guess webspamming might be a term loosely relevant.

Reading firewall logs

Friday, January 21st, 2005

I glance at my firewall logs now and then. I see the occasional zombie scanning others, especially some on my own ISP. Irritating, and my ISP refused to contact their customers to make them fix their PCs.

But today I got some attempts I hadn’t seen before. The first IP address I checked was from Korea, so it merited a closer look. Here’s the explanation:

Messenger spam

I get scans for 135 and 445 constantly. Like several an hour.

If you don’t have a firewall on your personal computer, you’re playing with fire these days!

Hmmm, maybe I could use that messenger spam thingy to notify people they’re worm/trojan infected? Worth a thought, eh? How do I get hold of a program to inject that stuff? My ISP has proven they don’t care, so at least I could send messages to the people on my own ISP (ie, those from my own ISP that get caught in my firewall log as sending those attempted connections)…

Another one to watch

Friday, January 21st, 2005

Etanisla notified me of a bot that had pulled all her files. I checked the IP address (213.10.206.246) and it had sucked up a lot of mine too. Not all of the old posts, but roughly 70 starting with the newest. And all archive pages.

It also tried these configurations, which all led to 404s:
/blog/archives/000128.html#trackbacks
/blog/archives/000128.html#comments
Those URLs do work, when accessed by a browser, but the whole thing breaks using that bot, apparently.

The UA is:
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
This UA is familiar to me, since it’s identical to another spammer that’s been with me for a long time.

No referrer spam with this IP number (in fact no referrers at all), which resolves to:
ipd50acef6.speed.planet.nl
It’s from the Netherlands, and the ISP is named: Planet Technologies
There’s no indication of a webserver, unless it’s just offline at the moment.

I grepped my logs for the UA, and found a few similar, yet shorter duration patterns:
January 19: 71.0.255.197
January 14: 82.91.108.34

I also have many failed comment runs from that UA in my logs. They’re for the old B2 comment script. It looks like this spammer configures his software with one IP number per session, then tries multiple comments from the same IP number.
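As an added example (not the blog’s own tooling), here is the grep / exclude / sort / dedupe procedure from the Verio update done as a POSIX shell pipeline instead of Word, together with a per-IP hit count for the “one IP number per session” pattern described above. The log lines are constructed Apache combined-format data, and the .test referrer hosts are placeholders, not domains from the posts.

```shell
#!/bin/sh
# Added example, not the blog's own tooling: the grep / exclude / sort / dedupe
# steps from the Verio update as a POSIX shell pipeline instead of Word, plus
# a per-IP hit count for the "one IP number per session" pattern noted above.
# SAMPLE_LOG is constructed Apache combined-format data; the .test hosts are
# placeholders, not domains from the posts.
SAMPLE_LOG=$(cat <<'EOF'
10.0.0.1 - - [22/Jan/2005:10:00:01 +0100] "GET /blog/ HTTP/1.1" 200 512 "http://example-spam-a.test/poker/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2)"
10.0.0.2 - - [22/Jan/2005:10:00:02 +0100] "GET /blog/ HTTP/1.1" 200 512 "http://www.example-spam-b.test/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2)"
10.0.0.3 - - [22/Jan/2005:10:00:03 +0100] "GET /blog/ HTTP/1.1" 200 512 "http://annelisabeth.com/blog/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2)"
10.0.0.4 - - [22/Jan/2005:10:00:04 +0100] "GET /blog/ HTTP/1.1" 200 512 "http://www.google.fr/search?q=blog" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2)"
10.0.0.1 - - [22/Jan/2005:10:00:05 +0100] "GET /blog/ HTTP/1.1" 200 512 "http://example-spam-a.test/holdem/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2)"
10.0.0.1 - - [22/Jan/2005:10:00:06 +0100] "GET /blog/archives/ HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2)"
10.0.0.6 - - [22/Jan/2005:10:00:07 +0100] "GET /blog/ HTTP/1.1" 200 512 "http://example-spam-c.test/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
EOF
)

# referrer_hosts UA_SUBSTRING  (log on stdin)
# Distinct referrer host names for hits whose user agent contains
# UA_SUBSTRING, skipping the blog's own domain and Google, as in the post.
# The output is the host list you would hand to a batch resolver.
referrer_hosts() {
  grep -F -- "$1" \
    | grep -v -e 'annelisabeth\.com' -e 'google\.' \
    | awk -F'"' '$4 != "-" { print $4 }' \
    | sed -e 's#^[a-z]*://##' -e 's#[/:?].*$##' \
    | sort -u
}

# ips_for_ua UA_SUBSTRING  (log on stdin)
# Hit count per client IP for one user agent, busiest first. A spammer that
# fixes one IP per session shows up as a few IPs with many hits each.
ips_for_ua() {
  grep -F -- "$1" \
    | awk '{ n[$1]++ } END { for (ip in n) print n[ip], ip }' \
    | sort -rn
}

printf '%s\n' "$SAMPLE_LOG" | referrer_hosts 'NT 5.2'
printf '%s\n' "$SAMPLE_LOG" | ips_for_ua 'NT 5.2'
```

The host list from referrer_hosts can be piped into a resolver loop (for instance `while read h; do getent hosts "$h"; done`) in place of NSBatch.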

————-

And on a personal note. In the beginning, this was so much fun I’d use hours tracking. But life has a tendency of catching up with you. In addition, I just bought a home studio sound card, and I’d love to spend some time with it, so I can get serious about recording my music. Almost zero latency sounds sweet. My first attempt at multitrack on a computer sucked totally. A 300 MHz P2 with a Turtle Beach Fiji doesn’t exactly work for more than stereo recording… But there are different times, and even cheap computers, actually, even older computers can do it. My video editing machine hopefully will work, and if not, it’s not like it’s a new machine anyway…

Anyway, what I meant to say is that my goal will be to write one post about spam hunting a day, as opposed to before, when I had two or three sessions a day with hunting and writing.