Spammer wiki vandalism?
I’ve had my first case of wiki vandalism.
The first change was subtle. He changed one line on the Dyakon page.
From: Andrey Shchegolikhin (dyakon@mail.ru)
To: Andrey Shchegolikhin (webmaster@se-traf.com)
This is bad, because it breaks the chain of evidence. And so far I haven’t seen any occurrences of that variant of whois info. But it could have been innocent.
That is, until I saw the next change:
The whole contents on the page about Eugene Blagodarny had been removed. He’d entered:
nothing here
instead.
The IP address is interesting. It’s from ipipe, which is in the UK.
80.77.84.112
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) Opera 7.54 [en]
But I’ve seen an IP address from ipipe once before. It was used by Romas, the umax search spammer, to hide his real IP address. I believe those are VPN lines or proxies, leased by spammers (update: yep, password protected proxies).
So who is this guy? Don’t know. I do know he came straight for the Dyakon page.
Hmmm, I do see one person touching the edit control for the talk page for that page once before, but not going through with it. This is a regular reader. Been with me since some time in March:
213.171.57.162
ns.krasnogorsk.ru
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
He also considered editing the Eugene Blagodarny page from that IP number.
Krasnogorsk is close to Moscow, Russia. But what’s also interesting is that the IP number doubles as their name server.
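As an added illustration of the kind of triage described above (this is example code, not anything from this site or its wiki software): a small Python script reads a constructed edit log, flags page blanking, edits coming from a watchlisted network, and bursts of edits from a single address, then groups the reasons per IP so a wiki owner can decide what to revert or rate-limit. The log format, the /24 watchlist, the page sizes and the timestamps are all assumptions made for the example; only the two IP addresses and the page names echo the post.

```python
"""Flag suspicious wiki edits from an edit log (added example, not the wiki's own code)."""
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed sample edit log: timestamp, client IP, page, old size, new size, user agent.
# The IPs and page titles echo the post; sizes and times are made up for the example.
SAMPLE_LOG = """\
2005-05-09T22:14:03 80.77.84.112 Dyakon 2310 2298 Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) Opera 7.54 [en]
2005-05-09T22:19:47 80.77.84.112 Eugene_Blagodarny 1874 12 Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) Opera 7.54 [en]
2005-05-09T23:01:10 192.0.2.44 Dyakon 2298 2355 Mozilla/5.0 (X11; Linux i686) Gecko/20050507 Firefox/1.0.4
"""

# Assumed watchlist of networks previously tied to proxied spam traffic.
# The /24 is a constructed placeholder around the address in the post, not a verified allocation.
WATCHED_NETWORKS = [ipaddress.ip_network("80.77.84.0/24")]

BLANK_RATIO = 0.10      # new size under 10% of the old size counts as blanking
MIN_OLD_SIZE = 200      # ignore tiny pages, where a small edit looks like blanking
BURST_WINDOW_S = 600    # a second edit from the same IP within 10 minutes


def parse_log(text):
    """Turn one log line per edit into a list of event dicts (timestamp, ip, page, sizes, UA)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, page, old, new, ua = line.split(maxsplit=5)
        events.append({
            "ts": datetime.fromisoformat(ts),
            "ip": ipaddress.ip_address(ip),
            "page": page,
            "old": int(old),
            "new": int(new),
            "ua": ua,
        })
    return events


def flag_edits(text, watched=WATCHED_NETWORKS):
    """Return the edits that trip at least one heuristic, with their reasons sorted."""
    flagged = []
    last_seen = {}  # ip -> timestamp of the previous edit from that ip
    for ev in parse_log(text):
        reasons = []
        # Blanking: the page shrank to almost nothing, like the "nothing here" edit.
        if ev["old"] >= MIN_OLD_SIZE and ev["new"] < BLANK_RATIO * ev["old"]:
            reasons.append("blanking")
        # Source address sits in a network already associated with proxied spam.
        if any(ev["ip"] in net for net in watched):
            reasons.append("watched-network")
        # Several edits from one address in quick succession.
        prev = last_seen.get(ev["ip"])
        if prev is not None and (ev["ts"] - prev).total_seconds() <= BURST_WINDOW_S:
            reasons.append("burst")
        last_seen[ev["ip"]] = ev["ts"]
        if reasons:
            flagged.append({"ip": str(ev["ip"]), "page": ev["page"], "reasons": sorted(reasons)})
    return flagged


def summarize_by_ip(flagged):
    """Collapse flagged edits into {ip: set of reasons} for a quick review list."""
    summary = defaultdict(set)
    for f in flagged:
        summary[f["ip"]].update(f["reasons"])
    return dict(summary)


if __name__ == "__main__":
    hits = flag_edits(SAMPLE_LOG)
    for h in hits:
        print(f"{h['ip']:>15}  {h['page']:<20} {', '.join(h['reasons'])}")
    print(summarize_by_ip(hits))
```

Only the proxy-range edits are reported; the later, ordinary edit to the Dyakon page from an unrelated address passes through. A real deployment would feed the watchlist from the wiki's own block log rather than a hard-coded /24, and would treat a hit as a prompt to review and revert, not as proof of who is behind the address.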
———–
That IP number has a long and illustrious spam career:
Phil Ringnalda comments on soundalike blog domains - Alexander Morozov’s stuff
Confessions of a G33k
May 10th, 2005 at 5:31 am
I don’t think they lease VPN lines. I believe they use hijacked machines or open proxies…
May 10th, 2005 at 7:22 am
Well, check this out. It’s about the same company:
http://www.scam.com/showthread.php?p=42163#post42163
And I found that hqhost.net have IP numbers in ipipe’s IP block. So that company isn’t completely clean. For that reason it’s possible it’s not a proxy, but that they’re complicit or have pink contracts.
But I’ve got my firewall set so stringently, checking for open proxies is a pain. Can someone check that IP number?