I'd been getting comment spam in my blog since a few months after I started blogging. I knew that one person was responsible for most of it back then, but I didn't bother doing anything about it. Fast forward about a year, and blog spam is getting to be a real pain in the ass. So I start wondering: Is one person still responsible for the majority of all blog spam? By now I'd picked up one more, a really filthy Russian that I still haven't tracked down. So I start tracking. Looking for any clue I can find. You can see the progress in the archives of my blog, exactly how I did it and all the steps. On here I'll summarize.

The break came when I was looking at sites that had been spamvertized (casino.game.gb.com). Hmmm, tzahariev must be the user name. So I googled for it, and turned up quite a few sites where MySQL or PHP had barfed the same way. I also found other instances of tzahariev, including reviews of a software called PartnersManager, which is an affiliate network software. It's got its home site at partnersmanager.com.

I also found the e-mail address tzahariev@hotmail.com, connected to whois info of spamvertized domains. And a few spams easily connected to the same spamming outfit, with the words: “hey grendal” , it’s Zahariev here! Later on I also found a piece of spam with this wording: “hey grendal” , it’s Iavor - i see!

I don't remember how I found the home page of the spammer, but it's easy to reconstruct how it could have happened. There's a page with the title: AAA PartnersManager by Twins Ltd. And it also includes an e-mail address for twins@twins-bg.com. Which of course leads to twins-bg.com. They've recently changed their website a little bit. But in the past, they had a link for one-cialis.com, which is one of the spamvertized sites. That provides a nice loop of evidence. I had found the spammers! Here's an archive page showing the link I'd found:

They use open proxies exclusively, and spam with both comments, trackbacks and referrers. They also hit wikis, message boards and guestbooks on occasion. Occasionally they'll use their own IP numbers, including: 213.91.217.118. I've seen them use more IP numbers, but these are recent (January/February 2005). In the distant past they hadn't started using proxies yet. I even saw Iavor Zahariev (one of the twins) search Google for his own name and land on my site with the 213.91.217.78 IP address.

Another curious fact is that there's a Yavor Zahariev who's been working as a gaffer etc. on Hollywood productions in Bulgaria. Considering they use a different alphabet than us, chances are good this is the same person. Especially since another Zahariev, Emil, is running a lighting shop in Bulgaria.

They have a pretty impressive roster of customers, who may end up paying for their crimes, since Google seems to be banning quite a few of their spamvertized domains lately. They've put me and most of my blogroll on a blacklist, so right now, we're free of spam from them. There are enough other spammers, but it's still good to get rid of a major annoyance.

Update: I think I've figured out who's who... The twins are Iavor/Yavor and Todor, and Emil is their father.

If you want to block them, there are some .htaccess tricks you can try:
This page was created by Ann Elisabeth Nordbo
and has its home at http://www.annelisabeth.com/
Updated 04.28.2005
Premiere issue February 2005