Our resident spammer

(Since Olliver already figured it out, I better post this now instead of waiting until tomorrow)

So, who did the tigerspice and emistry spam?

As far as I can tell from the circumstantial evidence, it’s none other than the regular here who goes by the nick “seo black & white”. He also goes by Rathamahata, but his real name appears to be Sergey S. Kostyliov.

He’s been here for quite a while, and I should have put the pieces together. But I’ve been preoccupied with my job and mail servers, and he was playing nice, so I welcomed him. Actually, I’m not saying he should take a hike now either. I’m not going to chase him away if he’s playing nice. But that might be too much to expect after this little exposé. Or maybe he’s glad for the attention?

Sergey, you knew I was a spam hunter. You knew I get my kicks from finding out exactly who spammers are. So why did you come here in the first place? Do you like living dangerously?

Anyway, back to the exposé.

Emistry.com had the same Adsense publisher account as his personal site (pub-7003516765187668). Like I said, the emistry spammer was quite a joker, so I couldn’t be sure it was his code. But there’s more.

His blog at rathamahata.blogspot.com has links to speedygoogle.org, which has an e-mail address from rathamahata.net in the whois info. That site is hosted on 65.75.152.31, which also holds a few other domains. Some of those have whois info I remembered. Spammers often use naming conventions, even when they use fake whois info. And the Tigerspice spammer used lots of different names. I’ve collected many of them, and remember them. So it was easy to figure out that the domain was (and probably still is) owned by that spammer.

Sergey has been mixing his whites and his coloreds, as a housewife would say. He’s been keeping white and black domains on the same servers…

But spammy domains can live side by side with non-spammy domains on the same IP address, and the domains can be owned by different people (different reseller accounts or single accounts). So the next order of business is to figure out exactly what kind of IP address this is.

Managed INC uses an rwhois server, so you can find info on small IP blocks. Here’s the info for this block (and I munged the abuse address):

Server Used: [ rwhois.managedsg-inc.com:4321 ]

65.75.152.31 = [ ]
network: Auth-Area: 65.75.128.0/18
network: Class-Name: network
network: Network-Name: NET-MSG
network: IP-Network: 65.75.152.30/30
network: IP-Network-Block: 65.75.152.30-33
network: Organization-Name: Co
network: Organization-City: Moscow
network: Organization-State: RU
network: Organization-Zip: 113093
network: Organization-Country: US
network: Description-Usage: customer
network: Created: 20060111
network: Updated: 20060111
network: Updated-By: abuse at managedsg hyphen inc dot com

In other words, those four IP addresses belong to the same outfit.

So, the next question is whether this is a coincidence or not.

A lot has been written about Tigerspice. There was a collective cry of pain from the blogging world when he started that campaign in February 2005.

Mildinsanity traced some of his DNS servers, and they came down to numbers in that block.

And here is where Netcraft comes into play (or several old zone files, if you can get them; BTW, I’m interested if you’ve got some). Check my tracing page for links.

The spammer moved his domains from IP address to IP address. He often recycled them, and moved them about (probably) depending on the amount of traffic he expected. He’s got accounts on machines that hold other people’s domains (probably reseller accounts), and he’s got his own machines with only his own domains. It’s all moving about. Here’s Netcraft’s saved history of

tigerspice.com
13-Jan-2006 205.234.132.13
23-Feb-2005 219.153.9.11
18-Feb-2005 65.75.152.33
15-Feb-2005 211.144.164.145
14-Feb-2005 205.234.132.13
12-Feb-2005 211.144.164.145
10-Feb-2005 211.144.164.145
7-Feb-2005 211.144.164.145

genaholincorporated.com
13-Jan-2006 206.225.93.42
8-Apr-2005 81.3.150.161

emistry.com
11-Nov-2005 Failed to resolve hostname
15-Sep-2005 84.204.54.116
14-Sep-2005 84.204.54.116
13-Sep-2005 206.225.93.42
12-Sep-2005 216.32.95.180
1-Sep-2005 216.32.95.180

poker-rooms-777.com
13-Jan-2006 205.234.132.13
But according to http://drupal.org/node/14216:
December 2004 222.47.62.198

free--online--poker.com
13-Jan-2006 65.75.152.31
9-Jan-2005 69.50.163.38
31-Dec-2004 222.47.62.198

online-----poker.com
13-Jan-2006 65.75.152.31
9-Jan-2005 69.50.163.35
31-Dec-2004 222.47.62.198

As I mentioned before, the Tigerspice (and subsequent domains) campaign started February 2005. But poker-rooms-777.com was spamvertized as early as October 2004, and the earliest mention of it (that I could find) in MT Blacklist was September 2004.
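The two pivots used above, a shared rwhois customer block and a shared hosting history, can be applied mechanically. This is an added example, not code from the post: it clusters domains that ever sat on the same address, treating any address inside the quoted 65.75.152.30-33 block as a single key; the records are constructed from the Netcraft history above, speedygoogle.org is taken from the prose (its date is assumed), and the block range is used as written in the rwhois record rather than the non-aligned “/30”.

```python
import ipaddress
from collections import defaultdict

# Hosting records constructed from the Netcraft history quoted in the post
# (domain, date, address); speedygoogle.org comes from the prose, date assumed.
HISTORY = """\
tigerspice.com 18-Feb-2005 65.75.152.33
tigerspice.com 14-Feb-2005 205.234.132.13
genaholincorporated.com 13-Jan-2006 206.225.93.42
emistry.com 11-Nov-2005 Failed to resolve hostname
emistry.com 13-Sep-2005 206.225.93.42
poker-rooms-777.com 13-Jan-2006 205.234.132.13
free--online--poker.com 13-Jan-2006 65.75.152.31
online-----poker.com 13-Jan-2006 65.75.152.31
speedygoogle.org Jan-2006 65.75.152.31
"""
# rwhois customer block; "65.75.152.30/30" is not CIDR-aligned, so use the range.
BLOCK = (ipaddress.ip_address("65.75.152.30"), ipaddress.ip_address("65.75.152.33"))

def parse_history(text):
    """Return {domain: [(date, ip), ...]}, dropping unresolvable records."""
    hist = defaultdict(list)
    for line in text.splitlines():
        domain, date, addr = line.split(maxsplit=2)
        try:
            hist[domain].append((date, ipaddress.ip_address(addr)))
        except ValueError:  # e.g. "Failed to resolve hostname"
            pass
    return dict(hist)

def in_block(ip):
    return BLOCK[0] <= ip <= BLOCK[1]

def cluster_domains(history, use_block=True):
    """Union-find: domains sharing an address (or the customer block) cluster."""
    parent = {d: d for d in history}
    def find(d):
        while parent[d] != d:
            d = parent[d]
        return d
    by_key = defaultdict(set)
    for domain, records in history.items():
        for _, ip in records:
            by_key["block" if use_block and in_block(ip) else ip].add(domain)
    for domains in by_key.values():
        root = find(min(domains))
        for d in domains:
            parent[find(d)] = root
    roots = {find(d) for d in history}
    return sorted(sorted(d for d in history if find(d) == r) for r in roots)
```

With the block treated as one key, tigerspice.com and the .31 domains fall into one cluster; emistry.com only links to genaholincorporated.com here, which is why the post needs the shared AdSense publisher ID as a separate pivot.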

Judging from Sergey’s opinions and self-professed Black and White SEO activity, I’d say it’s likely he’s the Tigerspice and Emistry spammer, and he also may have done some nonsense spam. He’s quite fond of experimenting, so that fits. He says he’s been involved in SEO since June 2005, but his spamming activities appear to go back further than that. The only way I can see that it’s a misunderstanding would be if the spammer is a friend and let him host his personal site on his machine for free. It’s theoretically possible, but I don’t know how likely it is. There don’t appear to be any sites on those IP numbers that are unrelated to the spammer. I’m guessing it’s the same machine, and it has three IP numbers. That’s quite common in the spamming world. Based on my experience with tracing, it’s almost certain the domains on those IP numbers are all owned by the same person. Today, at least; what he does tomorrow to fudge things is another matter. But this is a historical document, and I’ve got more stashed away, so it’s not going to help him.

Sergey has a history of Linux kernel development, and some other programming. And he likes BSD as an operating system (and many of the web servers are running FreeBSD). I’m sure he’s capable of coding his own spamming application, which would explain his condescending comments about Russian schoolboys and spamming. They’re probably using code they’ve bought or pilfered from others.

The whois information on his personal site is probably either legit or a good forgery. The address exists. It’s not his home address, but a business location in Moscow.

9 Responses to “Our resident spammer”

  1. Olliver says:

    Since Olliver already figured it out, I better post this now instead of waiting until tomorrow

    I didn’t mean to spoil your party :-). Seriously, since you’ve already announced a larger document, there would have been no reason not to wait for it ;-). But how about an Adsense ID blacklist in your Wiki? I think this could be at least as valuable as the IP listing there.

    Olliver

  2. Administrator says:

    Olliver:
    That’s a very good idea. I often wish I had that. I’ve got some notations here and there, but it’s a matter of finding it. And frankly, this would be a good idea for a collaborative effort. Anyone up for it?

    Oh, and it should contain more than Adsense. It should contain other affiliate IDs as well.

  3. Administrator says:

    Gpshewan blogged about my post, but I didn’t get a trackback, so here it is:
    http://gpshewan.com/articles/2006/01/14/remember-the-tigerspice-spammer

  4. Thanks for a good and polite review.
    Two notes:
    1) I don’t like FreeBSD (or other BSDs).
    2) I had not heard about SEO before June 2005.

    About your direct questions to me:
    1) I feel rather good living in a dangerous situation.
    2) The current situation is not dangerous at all.

    Black hat SEO is mostly legal no matter what any people think about it (including you and me). I have to say that I personally was involved in some illegal activities in the past (mostly illegal drugs and illegal immigration, but there are some others) so I think I know the difference. I also was indirectly involved in IM and SMTP spam in the ancient days (before their wide criminalisation in many countries). Coexistence of black/white persons was rather common in my SMTP/IM spam days (though almost all blacks were not openly black).

    From my experience both sides are biased. I personally found that SMTP anti-spam activity is much more harmful (for me) than SMTP spam itself. As an ordinary person (not as a professional) of any kind I really don’t like that to happen for black hat SEO.

    As I already said, I’m quite familiar with some illegal activities. From my angle of view the harm of state corruption is much heavier for those activities than the harm from all those activities by themselves (at least in Moscow, Russia). I just don’t want that to happen for the black hat SEO case.

    To me you’re just a great opponent who can clearly separate out ethical and legal issues. The fact that I in many cases don’t follow the ethics doesn’t prevent me from understanding ethical issues. And I clearly prefer dialog rather than any fight. SEO is almost certainly not my last professional activity. Even if I’m clearly biased (because of my position) I’m always trying to understand the other side. You are smart and open to discussion at the same time, so that is exactly what I need.

    Thank you.

  5. Administrator says:

    The opposing views are exactly why I wasn’t looking to chase you off the site, Sergey. Remember though that I have no control over what other people write about you on their sites. There were a lot of feelings stirred up over that Tigerspice spam campaign.

    And yes, I see what you mean about the ethical and the legal issues. There are a lot of people who get lost on that issue.

    Even if linkspam per definition is not illegal the same way e-mail spam is, you spammers are not as squeaky clean as you want to make people think, legally. I’ll get back to that later.

  6. Administrator says:

    Heh, I noted you didn’t specifically admit to the Tigerspice campaign. But it’s not a prerequisite for a linkspammer to know about the SEO industry in the beginning of his spamming career.

    If this isn’t typical of you, I don’t know what is:
    http://aslowerpace.com/serendipity/archives/318-Waiting-for-a-Christmas-sale……html

    That quote is attributed to Noam Chomsky - http://www.chomsky.info/

    I found that quote used by a linkspammer as early as December 2004.

    I found another quote, attributed to Friederich Hayek, from The Constitution of Liberty, here:

    http://www.inthesetimes.com/comments.php?id=87_0_2_0_C

    I don’t know of any other linkspammer with an outspoken interest in civil rights?

    In fact, most of the hits in Google for “as contrasted with their clumsy totalitarian” is probably your spam.

    And the e-mail address is also interesting. Nonsense. Which has been mentioned in connection with you before, Sergey.

  7. I had not heard about SEO before June 2005. Period.

  8. About legal vs. illegal. I’ve got nothing against the death of linkspam. I personally like ideas like OpenID, captcha, comment moderation etc, etc. The issue I care about is not the juridical status by itself. I have already stated that it is not a problem for me to be completely illegal (if it fits in my personal view on ethics - the good example is illegal drugs). All I care about is yet another possible area controllable by the law, which (law) has already proven (to me) to fail on much simpler issues.

    My interest in civil rights wasn’t born due to any of my jobs. It is all due to my personal experience and isn’t related to any well known writings. Please be closer to reality and don’t think that any libertarian smelling phrases in any linkspam belong to me.

  9. Administrator says:

    Ballpoint Wren blogged this post as well. Her trackback didn’t make it, so here’s the link:
    http://www.bonniewren.com/2006/?p=91
