Italian language spam
I’ve gotten quite a bit of Italian language comment spam lately. So I thought I’d run them down and find out if it’s an Italian spammer.
The first site I tried was:
easy-jet.metromarketing.info
at 69.31.46.224
The root site also belongs to the spammer.
There’s a JavaScript that does a redirect to 69.31.41.63 and some PHP code, including the site name we just came from.
The whois is protected, so I look for other sites on the same IP addresses.
69.31.41.63 has saveplanet.net that was registered and has nameservers at estdomains. It has been comment spamvertized:
none
Wally Gramberg (wallygg777@yahoo.com)
303 E Wildwood St
MILLTOWN
,54548
US
Tel. +1.6088256555
69.31.46.224 has (besides metromarketing.info):
bestdatingblogs.net
soldiersofspirituality.com
Both have been comment spamvertized. Both are registered at estdomains and have nameservers from them.
Whois:
bestdatingblogs.net
Blogyavus LLC
Samuel T. Jackson (samjack1967@yahoo.com)
Leoforos Palama 125
Larnaca
null,10011
CY
Tel. +357.25301002
soldiersofspirituality.com
na
Vladimir Krouglov (krouglov1983@yahoo.com)
Kosmonavtov 24 - 23
Samara
,183199
RU
Tel. +7.8322345923
Both e-mail addresses are from late 2005. Samuel L. Jackson is a movie star. The name might have been a variation on that theme. Vladimir Krouglov is a Java programmer who’s been active on the net for a very long time. A lot longer than many webspammers have been alive… Still, I suppose it could be him. Incidentally, I’ve seen a spammer with the same last name before: . Alexandre also seems interested in Java.
So, the trail so far leads to Russia, despite the Italian language spamming.
——
Another Italian language spam today was for this domain:
realworldrecords.net
at 69.31.46.218 and also registerfly whois protected
That IP hosts at least one other domain, registered at registerfly:
Dehan, Arnoldo arnoldo_dehan@yahoo.com
773 Howard Ave
NEWBURGH, NY 12550
US
+1.1111111111 Fax: +1.1111111111
Obviously fake, and had javascript redirect to
69.31.41.63
with the name of the site redirected from included in the script.
——————-
Another domain spamvertized yesterday was:
russpotts.org
at 69.31.46.223
Whois:
Registered at estdomains, with nameservers from them
Registrant Name:Oleg Dzizenko
Registrant Organization:no
Registrant Street1:Tverskaya 42 - 89
Registrant Street2:
Registrant Street3:
Registrant City:Moscow
Registrant State/Province:
Registrant Postal Code:203441
Registrant Country:RU
Registrant Phone:+7.0953259475
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email: dzizenko@yahoo.com
Can’t find any trail of Dzizenko on the net.
I’ve seen the Tverskaya in several traces recently. It’s a real area.
That IP has two other sites on it:
match-blog.net
mirtilo.net
match-blog.net
BorganzPPs LLC
Stanton Lietzow (stanlie33@yahoo.com)
611 Genoa Ave NW
CINCINNATI
OH,44011
US
Tel. +1.5134796551
Creation Date: 13-May-2005
Expiration Date: 13-May-2007
mirtilo.net is registerfly whois protected
————-
The IP numbers used to spam from/through are interesting:
201.55.104.82 - 201.55.104.82.cable.digizap.com.br
70.28.4.20 - CPE000c41e69f61-CM0011e6ed08e8.cpe.net.cable.rogers.com
201.228.20.46 - COLOMBIA TELECOMUNICACIONES S.A. ESP
User agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
saveplanet.net was spamvertized (on my blog) May 25 and 30, 2006, by these:
69.31.41.63 - colocation at pilosoft. Current host of saveplanet.net
69.160.92.140 - adelphia
69.120.206.107 - optonline
67.124.200.237 - ADSL customer at PacBell
196.40.43.218 - Costa Rica, a Cisco router
66.98.134.34 - EV1, Apache Red Hat. Appears to be an extensively used proxy
bestdatingblogs.net was spamvertized May 28-29, 2006, by these:
196.40.43.218
200.185.241.35 - 200-185-241-35.user.ajato.com.br
soldiersofspirituality.com was spamvertized June 18, 2006, by this one:
69.117.83.249 - optonline, a proxy
realworldrecords.net was spamvertized June 24, 2006, from these:
61.99.131.63 - KRNIC
67.84.124.190 - optonline
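The pivoting done by hand above, as an added example (not code from the original post): it groups the spamvertized domains that share any IP address, whether as host, redirect target or comment source. The domain-to-IP sets are transcribed from the post; the function names are hypothetical, and the redirect seen on the unnamed domain at 69.31.46.218 is left out.

```python
from collections import defaultdict

# Observations transcribed from the post: each domain maps to every IP
# address tied to it (hosting IP, redirect target, comment source IPs).
OBSERVATIONS = {
    "metromarketing.info": {"69.31.46.224", "69.31.41.63"},
    "saveplanet.net": {"69.31.41.63", "69.160.92.140", "69.120.206.107",
                       "67.124.200.237", "196.40.43.218", "66.98.134.34"},
    "bestdatingblogs.net": {"69.31.46.224", "196.40.43.218", "200.185.241.35"},
    "soldiersofspirituality.com": {"69.31.46.224", "69.117.83.249"},
    "realworldrecords.net": {"69.31.46.218", "61.99.131.63", "67.84.124.190"},
    "russpotts.org": {"69.31.46.223"},
    "match-blog.net": {"69.31.46.223"},
    "mirtilo.net": {"69.31.46.223"},
}

def cluster_domains(observations):
    """Group domains that share at least one IP, directly or transitively."""
    parent = {d: d for d in observations}

    def find(d):
        while parent[d] != d:
            parent[d] = parent[parent[d]]  # path halving keeps lookups short
            d = parent[d]
        return d

    first_seen = {}  # IP -> first domain observed with it
    for domain, ips in observations.items():
        for ip in ips:
            if ip in first_seen:
                parent[find(domain)] = find(first_seen[ip])
            else:
                first_seen[ip] = domain

    groups = defaultdict(set)
    for domain in observations:
        groups[find(domain)].add(domain)
    return sorted((sorted(g) for g in groups.values()), key=lambda g: (-len(g), g))

def shared_ips(observations):
    """Return {ip: sorted domains} for IPs seen with more than one domain."""
    seen = defaultdict(set)
    for domain, ips in observations.items():
        for ip in ips:
            seen[ip].add(domain)
    return {ip: sorted(ds) for ip, ds in seen.items() if len(ds) > 1}

if __name__ == "__main__":
    for group in cluster_domains(OBSERVATIONS):
        print(len(group), ", ".join(group))
    for ip, domains in sorted(shared_ips(OBSERVATIONS).items()):
        print(ip, "->", ", ".join(domains))
```

A shared comment-source IP that is a proxy (the post flags 66.98.134.34 and 69.117.83.249 as such) is weaker evidence than a shared hosting IP, so a cluster joined only through such an address deserves less weight.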