A Bulgarian searches for Iavor Zahariev

I missed this… until today.

I’ve had two or three Bulgarians in my logs this last month. The first searched Google for:
micro_httpd dsl router
IP address: 213.91.170.2
(no spamming activity according to Google. Relatively normal internet usage)

The second searched Google for:
Iavor Zahariev
IP address: 213.91.217.118

The third searched Google for:
ADSL micro_httpd
IP address: 213.91.247.203
(no Google hits at all, so probably innocent bystander)

ISP for all three: btc-net.bg

The one searching for Iavor read a post about Iavor the first day, then came back and read the blog itself the next day. The day after that he tried the archives. No luck (404), so he went back to the blog itself.

The Bulgarian most interested in my site could be anyone, of course. I mean, there’s more than one Iavor out there.

BTW, I found something really funny in his search results:
The spammer is using both Iavor and Zahariev while calling out to Grendal in some spams from November last year

I also noticed the work done by Tao of Dowingba a year ago. There’s a domain there with Iavor as the registrant. The domain is still with Moniker, exactly one year later, but the registrant and other info have been changed.

Anyway, after I discovered I hadn’t received any referral spam from their latest campaign, that’s when I started looking in my logs for anything faintly Bulgarian. And now I’m wondering if this is the explanation. Don’t know, it’s just speculation, of course.

Ah, I did a Google search for the IP number in question, and found it has spammed before. Found preserved examples from November 2004 with domains that, although registered by GoDaddy, still have DNS servers pointing back to the twins. Most of the samples still preserved are from Wikis or message boards. The IP address normally wouldn’t show up on blogs, of course.

I checked out one of the old domains spamvertized in November, and found cloaking that wasn’t even visible in the served page. The redirect hinges on the referrer. If you found the page on Google, it redirects; if you didn’t, you get the search engine spider fodder. I tricked the server, and here are the headers served up if you’ve got a Google referrer:

HTTP/1.1 302 Found
Date: Tue, 22 Feb 2005 18:06:12 GMT
Server: Apache/1.3.27 (Unix) (Red-Hat/Linux) PHP/4.1.2
X-Powered-By: PHP/4.1.2
location: http://www.empirepoker.com/indexnp.htm?wm=1708103
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html

In case you’re wondering, that’s an affiliate code URL.

Wow! And the server is named:
tzahariev.orbitel.bg
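
The referrer-dependent redirect described above can be recognised from two responses to the same URL. This is an added example, not code from the original post: it parses the header block quoted above alongside a constructed no-referrer response (the 200 response and the host name spamvertized.example are assumptions) and reports when an off-site redirect appears only with a search-engine referrer.

```python
from urllib.parse import urlsplit

# Header block quoted in the post (request carried a Google referrer).
WITH_GOOGLE_REFERRER = """HTTP/1.1 302 Found
Date: Tue, 22 Feb 2005 18:06:12 GMT
Server: Apache/1.3.27 (Unix) (Red-Hat/Linux) PHP/4.1.2
X-Powered-By: PHP/4.1.2
location: http://www.empirepoker.com/indexnp.htm?wm=1708103
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html
"""

# Constructed sample: the same URL fetched with no referrer (assumed 200).
WITHOUT_REFERRER = """HTTP/1.1 200 OK
Date: Tue, 22 Feb 2005 18:05:40 GMT
Server: Apache/1.3.27 (Unix) (Red-Hat/Linux) PHP/4.1.2
Content-Type: text/html
"""

def parse_head(raw):
    """Return (status_code, headers); header names are lower-cased."""
    lines = [l for l in raw.strip().splitlines() if l.strip()]
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")  # split on the first colon only
        headers[name.strip().lower()] = value.strip()
    return status, headers

def redirect_target(raw):
    """Return the Location of a 3xx response, or None if it is not a redirect."""
    status, headers = parse_head(raw)
    if status in (301, 302, 303, 307, 308) and "location" in headers:
        return headers["location"]
    return None

def referrer_cloaking(requested_host, no_ref_raw, google_ref_raw):
    """Flag a page that redirects only when a search referrer is sent."""
    plain = redirect_target(no_ref_raw)
    referred = redirect_target(google_ref_raw)
    if referred is None or referred == plain:
        return None  # same behaviour either way: not referrer-conditional
    target = urlsplit(referred)
    return {
        "redirect_host": target.hostname,
        "off_site": target.hostname != requested_host.lower(),
        "has_query_tag": bool(target.query),  # e.g. an affiliate code
    }
```
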

——-

UPDATE: I found a wiki version that includes both the IP number and the url for partnersmanager.com. I’d like to see Iavor Zahariev wiggle out of that one…

More about the Bulgarians

One Response to “A Bulgarian searches for Iavor Zahariev”

  1. Peter Says:

    you’re paranoid maaan
    we search for this cause our ISP adsl modems are micro httpd based … some kind of linux in modem …. weird a?
    in this case I cannot start my http://localhost because of this
    keep in mind that bulgarians are intelligent people and if someone target to hack site like yours … it’s not gonna be hard
    best regards :)