What’s up Zahariev?
I got a weird access in my referrer log (it’s so fresh, he may still be hanging around here…). It had the whole URL in the GET, instead of the relative path I usually see. And it had http://www.google.com as the referrer. Now that’s of course a fake referrer.
So, what’s going on?
I checked the raw log, and found a weird user agent:
MSIE 5.0
IP number: 213.91.217.118
ISP: Bulgarian Telecommunications Company Plc.
Post accessed:
Highprofitclub finally pings
So I grep my log for other instances with that user agent, and find this:
82.103.65.225
Exact same pattern, except he’s interested in the Genaholincorporated post, and this time, the ISP info is peculiar:
inetnum: 82.103.65.224 - 82.103.65.239
netname: ZAHARIEV-BG
descr: Todor Zahariev
country: BG
admin-c: TZ32-RIPE
tech-c: TZ32-RIPE
tech-c: TD939-RIPE
rev-srv: ns.spnet.net
rev-srv: purgatory.spnet.net
status: ASSIGNED PA
mnt-by: SPNET-MNT
source: RIPE
person: Todor Zahariev
address: Sofia, Bulgaria
phone: +359 2
e-mail: todor@twins-bg.com
nic-hdl: TZ32-RIPE
source: RIPE
person: Tatiana Dimitrova
address: Spectrum Net
address: 36, G.M.Dimitrov blvd.
address: BG 1797 Sofia
address: Bulgaria
phone: +359 2 9867481
fax-no: +359 2 9657646
e-mail: taniad at spnet dot net
nic-hdl: TD939-RIPE
mnt-by: SPNET-MNT
source: RIPE
This is the first time ever I’ve seen Todor associated with the twins. He could be one of the twins, or another relative.
For more on why this is so amusing to me:
Bulgarian poker-spammers
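The log check described at the top of this post (full URL in the GET, a bare http://www.google.com referrer, and "MSIE 5.0" as the user agent), as an added example that is not part of the original post. It assumes Apache combined log format; the sample lines, host name and IP addresses are constructed for illustration.

```python
import re
from collections import defaultdict

# Apache/NCSA "combined" log format is assumed; adjust the regex for other layouts.
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" '
    r'\d{3} \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
# Referrer that is only the Google home page, with no search path or query.
BARE_GOOGLE = re.compile(r'^http://www\.google\.com/?$', re.I)

def signals(entry):
    """Return the names of the traits from the post that this request shows."""
    found = []
    if re.match(r'^https?://', entry["target"], re.I):
        found.append("absolute-url-in-request")   # normal hits carry a relative path
    if BARE_GOOGLE.match(entry["referer"]):
        found.append("bare-google-referrer")
    if entry["ua"].strip() == "MSIE 5.0":          # assumption: the UA field is exactly this
        found.append("msie-5.0-only-ua")
    return found

def scan(lines, threshold=2):
    """Group requests showing at least `threshold` traits by client IP."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                               # skip lines in another format
        traits = signals(m.groupdict())
        if len(traits) >= threshold:
            hits[m["ip"]].append((m["target"], traits))
    return dict(hits)

# Constructed sample lines (documentation IP ranges, made-up host and paths).
SAMPLE = [
    '192.0.2.10 - - [16/Dec/2004:10:12:01 +0100] "GET http://blog.example/post-a HTTP/1.0" 200 5120 "http://www.google.com" "MSIE 5.0"',
    '203.0.113.5 - - [16/Dec/2004:10:13:40 +0100] "GET /archives/post-a.html HTTP/1.1" 200 8841 "http://www.google.com/search?q=poker" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
    '203.0.113.9 - - [16/Dec/2004:10:14:02 +0100] "GET http://blog.example/ HTTP/1.1" 200 900 "-" "Mozilla/5.0 (X11; Linux i686)"',
    '198.51.100.7 - - [16/Dec/2004:10:15:55 +0100] "GET http://blog.example/post-b HTTP/1.0" 200 4410 "http://www.google.com" "MSIE 5.0"',
]

if __name__ == "__main__":
    for ip, reqs in scan(SAMPLE).items():
        for target, traits in reqs:
            print(ip, target, ",".join(traits))
```

Requiring two traits rather than one keeps a lone absolute-URL request (the third sample line) out of the results, since that trait alone also appears in ordinary proxy-style requests.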
—————
These accesses are nothing new. Gpshewan remarked on the Google spoofing in February. But I’m pretty sure there was no IP block set up back then. Ah, yeah, here’s my lookup from December 16, 2004. Looks like they’ve had that IP block all along, I just couldn’t tell back then, because I knew too little about them!
inetnum: 82.103.65.224 - 82.103.65.239
netname: BreNet
descr: BreNet OOD
country: BG
admin-c: TE529-RIPE
tech-c: TE529-RIPE
status: ASSIGNED PA
notify: registry@spnet.net
mnt-by: SPNET-MNT
changed: jkk@techno-link.com 20041213
source: RIPE
route: 82.103.64.0/18
descr: Spectrum NET PA space
origin: AS8717
mnt-by: SPNET-MNT
changed: savova@spnet.net 20040213
source: RIPE
person: Todor Emilov
address: kv Vitosha bl. 56 ap.12
address: Bulgaria Sofia
phone: +3592957 51 87
fax-no: +3592957 51 87
e-mail: tod@web-today.com
nic-hdl: TE529-RIPE
notify: registry@spnet.net
changed: jkk@techno-link.com 20041213
source: RIPE
Hmmm, is Emil the father of the twins? You see, in Russia it’s quite common to go by one’s father’s name. Bulgaria seems to follow the same conventions. So I would be very surprised if this isn’t the same guy. Who’d then formally be named:
Todor Emilov Zahariev
However, on February 27, 2005, a whois on that IP number got only the main IP block:
inetnum: 82.103.64.0 - 82.103.127.255
org: ORG-SN1-RIPE
netname: BG-SPNET-20040113
descr: Spectrum NET
Todor used to either own or be employed at Applet, a Bulgarian ISP. He’s still listed as the Administrative and Technical contact:
applet-bg.com
Zahariev, Todor mj@applet-bg.com
APPLET
28 Krum Popv Str.
Sofia 1421
Bulgaria
+35929640046 Fax —
Their block: 212.116.150.0 - 212.116.150.255
Looks like the ISP is still active, if their website is anything to go by.