New poker spammer
My moderation queue caught some comments from a spammer using techniques I haven’t seen before. Might be an old one using new tricks, I don’t know.
Whois info today is:
Stamenov, Kalin kalistia12@yahoo.co.nz
9660 U.S. Hwy 136
null
Macomb, IL 61455
US
416-288-0125 fax: null
IP numbers spammed from vary, so probably proxies of some form.
The websites are on these IP numbers:
221.10.224.230
66.154.58.173
It’s hard to find the payoff. He’s got affiliate IDs inside encoded JavaScript. I found a way to decode it, and can present the affiliate IDs here:
pacificpoker.com ID: 321149
empirepoker.com ID: 2169662
888casino.com ID: 506157
———
Update May 16
This spammer hits wikis, guestbooks, blogs and forums.
Ugh, I just found an older spam from this one. Look at the whois info for bon-rassi.com, which was spamvertized on a guestbook:
Registrar: 007NAMES, INC.
Registrant:
Sofia
Sofia, 1434
BG
Domain Name: bon-rassi.com
Administrative Contact, Billing Contact, Technical Contact:
Stamenov, Kalin tzahariev@hotmail.com
Sofia
Sofia, 1434
BG
Phone: +35.98882353
Record expires on: 27-apr-2006
Record created on: 27-apr-2005
Record last updated on: 03-may-2005
Domain Servers in listed order:
dns1.dns2004.com
dns2.dns2004.com
So, my question is: is this a customer of Zahariev, a copycat (no, can’t be, he’s on their server) or Zahariev in disguise?
May 14th, 2005 at 1:53 am
They’re at it again.
They hit my forums with several spam posts using compromised machines to advertise poker.
The affiliate ID and site spammed are:
empirepoker.com wm=2169662
The specific URL shown in spams on my forums is:
anylight4u.com/texas-holdem-poker.html
And…
online-poker.electricscooterland.com
Both use redirects and affiliate IDs hidden in them.
And the IPs/machines they posted from are:
168.234.251.245, which resolves to p251u245.terra.com.gt; 210.174.105.58, which is pop.kripton.co.jp; and 210.225.131.66, which is hokuu.co.jp.
This is getting interesting - one of them came in response to the genaholincorporated post I have, which has your comment about Tigerspice, and the others went into my HijackThis log forum.
I’ve submitted them to EP for removal, and I’m trying to hunt them down on my end. Best wishes to you.
May 16th, 2005 at 7:44 am
[…] d about a spammer a few days ago. One that had puzzled me. Although there are people named Kalin Stamenov in the world, I wasn’t sure any of them was our spammer. And I’ […]
May 17th, 2005 at 10:38 pm
Wow,
I just got a Google Alert on this site. I had it set on my name, Kalin Stamenov, and look what popped up. Doesn’t sound nice to have the same name as some spammer.
May 18th, 2005 at 3:27 am
I had a look at your website when I researched the spammer. I considered you, and dismissed you as a possible spammer. I considered contacting you. Glad you’ve got alerts on your name. I guess most of us with relatively unique names should do that.
But since I did that research, I found the name of a well-known spammer interspersed with the records with your name on them. Todor Zahariev. Does that ring a bell for you? He usually uses fake info on whois. Although it’s possible it’s a disciple of his, it’s also possible he’s the spammer himself.
July 4th, 2005 at 6:55 am
A supplement to http://spamhuntress.com/2005/06/29/zaharievs-list-of-proxies/
A list of domains he used to “advertise”:
Registrant: moniker
Whois info seems to be fake.
Hosted on:
219.150.118.16 CHINANET
64.27.27.150 Uplink Systems
64.27.27.203 Uplink Systems
64.4.195.62 ANET Internet Solutions
I have connected these by the words “casino”, “poker” - I’m not sure if this is one spammer or more.
December 15th, 2005 at 1:07 pm
Searching the net trying to find the person currently registered for the domain name Deanyeotis.com. Registrant information indicates Kalin Stamenov as the registrant but the domain name is now associated with this Empire poker website. I want to try and find the person who is actually registered for Deanyeotis.com but am beginning to suspect from what is being said here that a spammer is just using the name Kalin Stamenov. I am not all that computer savvy and would really appreciate some assistance. Thanks.
December 15th, 2005 at 1:37 pm
Ah, you could try talking to the Zahariev Twins. You’ll find more on them here:
http://www.annelisabeth.com/pc/pc14.htm
Although it’s possible the domain belongs to an associate of theirs, chances are it’s actually theirs. Todor has an e-mail address associated with those domains. They’re kind of sloppy that way.
Maybe they’ll sell it to you? But don’t be fooled, the domain isn’t worth anything, market-wise. It’s been banned in Google, and has little or no traffic, despite a lot of spam.
But contact the Zahariev twins directly. Why deal with a fake persona when you can contact a real person?