« It’s not spam
Ad for blogmysite »

A new EV1 spammer

Guestbook spam info

There’s a new EV1 spammer afoot.

Rojisan did the first report on them.

It’s even bigger than his report indicates, though that one is certainly indicative of a large scope!

Rojisan tracked the IP numbers spammed from. I decided to track the IP numbers pinged by the spamvertized domains:

69.57.150.28
69.57.150.107
69.57.150.120
69.57.150.121
69.57.150.122
69.57.150.123
69.57.150.124
69.57.150.125
69.57.150.126
69.57.150.127
69.57.150.128
69.57.150.129
69.57.150.130
69.57.150.131
69.57.150.133
69.57.150.158
69.57.150.165
69.57.150.196
69.57.150.209
69.57.150.213
69.57.150.214
69.57.150.215
69.57.150.216
69.57.150.218
69.57.150.219
69.57.150.220
69.57.150.221
69.57.150.243
69.57.151.149

They are all on EV1’s IP block. I don’t know if they were rented out by EV1 or by a hosting company. Almost all have dns pointing to EV1.

Exceptions:

69.57.150.28
ns2.lomejordeinternet.net
This one’s in EV1’s IP block.
It’s likely the dns is for the former owner of the box. That dns name doesn’t ping anything.

69.57.150.107
ns2.hc11.net
This one’s in EV1’s IP block
Hosting company appears to be, unless they’ve since moved (very likely, since that hostname now pings: 69.45.6.164): hostcolor.com

The domain names end in:
.pl
.com.pl
.info.pl
.ch

And then he’s using dynamic dns from:
gmina.pl
and one .com domain

I’ll report his domains to Google for banning.

Whois info:

company: Eugeniusz Sawicki
street: Jazowa 15A
city: 43-316 Bielsko-Biala
location: PL
handle: tdc5462363137953
phone: +48.693340370
last modified: 2005.04.27
registrar: AZ.pl SC Albert Jerka, Andrzej Kostrzewa

Eugeniusz Sawicki
Jan Sawicki
Jazowa 15A
PL-43-316 Bielsko-Biala
Poland
janeksaw@gmail.com

The name servers are always custom. And always the same name as the domain name they serve.

I believe he’s rented one or several servers on EV1, and have lots of IP numbers on each server. The game is probably to make it difficult for people to figure out all his domains, if someone were to start tracking one of them.

Most of the domain names were registered around April 27, 2005, The .ch sites were registered around May 18.

So, did he enter the correct whois info? I don’t know. I do know there’s someone with the same name who’s Poland’s ambassador to Brunei. Apart from that it’s hard for me to figure anything out, not knowing Polish.

This entry was posted on Tuesday, May 31st, 2005 at 10:23 am and is filed under Guestbook issues. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

One Response to “A new EV1 spammer”

  1. J.O. Enterprises says:
    February 8, 2007 at 12:39 pm

    I am somewhat dismayed to find out that my NEW IP address 69.57.150.243 is on your SPAM list. I’ve had this IP for about
    a week. The post is nearly 2 years old but continues to display
    when my IP is input into Google which gives the impression
    that I am a spammer. Since this information is clearly out of
    date would it be possible to either remove the post or, at least,
    remove my IP 69.57.150.243 from the list?

Leave a Reply

Search
Categories
Archive
Bookmarks