Spam my blog and I report your site to Google for banning. You've been warned!

January 23, 2005

I may have found the spammer!

My most prolific spammer from months ago used the e-mail address top@tredgf.com, and was the first Texas hold'em spammer I saw. The UA was usually: Jakarta Commons-HttpClient/2.0alpha3.

He was active at least from June 1st 2004. He would use the same IP address for long stretches of time. I'll do a rundown of them later on. The whois info on the domains would (for some searches I did) go back to John Grisham (remember him?). Here's a post about that from Online Confessional from September 2004. What's interesting about that John Grisham is that he occasionally uses the phone number 888-800-8457, which is associated with an affiliate network software provider. The phone number on the whois record in Online Confessional is fake. The address provided on the whois record today is that of an attorney. Down to the Suite number.

I was researching a poker site that's still active, and went to see the partner sites. And MySQL barfed. That netted me the user name of that site!!! tzahariev at 66.154.52.84 (website address on request only, I don't want to give him more attention). The whois info goes back to:

owner-address: Peter Kovach
owner-address: Simeon 504 GH
owner-address: 3423
owner-address: Prague
owner-address: Czech Republic
owner-phone: +420.23622345
owner-fax: +420.23622345

But the real goldmine was a google search for tzahariev. It turned up the same MySQL error on a gb.com site and a few others. Actually, referring to the same site I started with! That might be one of the mother sites of some of the sites spammed lately. Which means I have shown a connection between the spammer from months ago and the current spamming outfit.

I turned up bidding history for a domain name.

I even found an e-mail address on a spammy domain: tzahariev@hotmail.com, though I found that connected to another name: Peter Madson. Tzahariev wrote a review for the same affiliate program software I mentioned earlier.

I saw a few spams by him, with wording like this:

“hey grendal” , it’s Zahariev here!
One was as late as November 2004.

One Iavor Zahariev has been named as a spammer before. The domain name has different whois info today... But the e-mail address in the old info still belongs to him, now with spelling Ivo Zahariev. There's also a Yavor Zahariev, who may be the twin of Ivor (hmm, not one spammer but two?). They have a website that includes the meta description: Twins creates Web sites, Web-enabled database applications, Affiliate Software, Shopping Carts. One of their "clients" is that same affiliate network software site...

Here's a snippet from their site:

15 april 2003
Twins pioneered affiliate marketing in Bulgaria, and today runs the largest pay for performance affiliate marketing service www.mypartners.net. The network is a thriving marketplace where top online sellers of goods and services form mutually beneficial business partnerships with tens and tens of thousands of unique, qualified affiliates.

UPDATE: I just found a link at the bottom of their site. It's a link for one-cialis, which is the name of one of the servers used in a prior spamrun I found on the net. It was also used as the admin e-mail address in whois for many other spammy domains. One more nail in their coffin.

And, in this case, since I may have found the hub of the spammer's lair, I'll give you the website address:
twins hyphen bg dot com

I guess it's time to start looking at Bulgaria in terms of spam laws and public opinion?

Here's an article by Elena Kodinova

More about the Bulgarians

Posted by Ann at January 23, 2005 01:29 PM

Comments

That's great work! Keep it up..

Posted by: Mariann at January 24, 2005 06:24 PM
