Spam my blog and I report your site to Google for banning. You've been warned!


January 24, 2005

The identity of the comment spammer

I think I need to make another post with the short version and some keywords.

As best as I can tell, the identity of the comment spammer is a set of twins in Bulgaria.

twins hyphen bg dot com

Last name Zahariev.

They have a Bulgarian and a US website for an affiliate network program, and I suspect they're behind all comment spam perpetrated with a UA containing "NT 5.2", and a few UAs before that.

To recap, they're behind the fake whois personas:
Jane Phill
Thomas Reece
Jakayla Jalyn
Drake Sandra
Sandra Drake
Gregory Tristin
John Coleman
John Grisham
Monica Stanes
Rogelio Victor
Trevin Madisyn

They've been at the comment spamming for a long time.

See one of the posts below for the whole story on how I figured out how the circumstantial evidence points to them.


Posted by Ann at January 24, 2005 12:01 AM


Comments

This has taken another turn:

I have done a tail on one of the recurring spammer domains, and everything seems to indicate that this operation is being run through a BotNet of some sort, or even running on spyware-infected Windows boxes.

Check the User-Agent field, they're now all indicating that they are some .NET web service on Windows 2003.

(The trigger referer spammer to look for is -4u.info)

Not only that: I did lookups on a few of the referring domains, and I couldn't find them in DSBL or other proxy lists, and I find it hard to believe that the hosts I found (Anything from Bellcom to Bahrain Telecom) are willingly acting as spammers.

If you choose to investigate this further, and come up with something sensible, I'd suggest that you locate some US cybercrime unit: I, for one, refuse to believe that this operation is being run from anywhere other than the US. The Zahariev twins are likely only middle-men being well paid by bogus drugs and casino overlords.

Posted by: Arve Bersvendsen [TypeKey Profile Page] at January 24, 2005 01:14 AM
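
The log check described in the comment above, as an added example that is not part of the original post or comment: it flags requests by the two indicators on this page (a User-Agent containing "NT 5.2" and a referrer host ending in "-4u.info") and counts distinct client IPs per referrer host, the pattern that points to many unrelated machines. The log lines, IPs and referrer hostnames are constructed, and the Apache combined log format is an assumption.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample in Apache combined log format: documentation-range IPs and
# made-up referrer hosts that end in the "-4u.info" pattern from the comment.
SAMPLE_LOG = """\
192.0.2.10 - - [24/Jan/2005:00:01:02 +0000] "GET /blog/ HTTP/1.1" 200 5120 "http://example-4u.info/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR 1.1.4322)"
198.51.100.7 - - [24/Jan/2005:00:01:09 +0000] "GET /blog/ HTTP/1.1" 200 5120 "http://example-4u.info/page.html" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR 1.1.4322)"
203.0.113.44 - - [24/Jan/2005:00:02:30 +0000] "GET /blog/ HTTP/1.1" 200 5120 "http://sample-4u.info/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
192.0.2.77 - - [24/Jan/2005:00:03:00 +0000] "GET /blog/archives/000133.html HTTP/1.1" 200 7301 "http://www.example.org/links" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0"
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ "([^"]*)" "([^"]*)"$')
REFERRER_SUFFIX = "-4u.info"   # referrer trigger named in the comment
UA_MARKER = "NT 5.2"           # User-Agent substring named in the post

def parse_line(line):
    """Return (client_ip, referrer, user_agent), or None if the line is malformed."""
    m = LINE_RE.match(line.strip())
    return m.groups() if m else None

def match_reasons(referrer, user_agent):
    """Report each indicator separately; "NT 5.2" alone also matches real Windows 2003 clients."""
    host = (urlsplit(referrer).hostname or "").lower()
    reasons = set()
    if host.endswith(REFERRER_SUFFIX):
        reasons.add("referrer")
    if UA_MARKER in user_agent:
        reasons.add("user-agent")
    return host, reasons

def summarize(log_text):
    """Group flagged requests by referrer host and collect the distinct client IPs."""
    hits = defaultdict(lambda: {"ips": set(), "reasons": set()})
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, referrer, user_agent = parsed
        host, reasons = match_reasons(referrer, user_agent)
        if reasons:
            hits[host or "(no referrer)"]["ips"].add(ip)
            hits[host or "(no referrer)"]["reasons"] |= reasons
    return dict(hits)

if __name__ == "__main__":
    for host, info in sorted(summarize(SAMPLE_LOG).items()):
        print(host, len(info["ips"]), "distinct IPs", sorted(info["reasons"]))
```
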
