« Scraper sells off sites
Misconfigured mailservers keep on bouncing »

Den Kokareff - spammer

I’ve been receiving lots of comment spam lately that’s obviously culled from a new feed, with spammy links interspersed, hidden behind the text. Here’s an example from today, with the links redacted:

Cable deal lifts B’ville station Time Warner Cable and three Baldwinsville-area municipalities tentatively life insurance comparison agreed to a deal that would guarantee the local cable access station a steady source of money life insurance comparison the next decade.

One of the links was:

http://eteamz.active.com/businessloan/files/life-insurance-comparison.html

It had a javascript redirect to:

http://search.comparezone.info/life-insurance-comparison.html

Now, that site is on the same IP the spam came from:

70.84.176.58 - The Planet

I checked my inbox. I had 429 spams from that IP address in August.

In addition to Adsense, the site had several affiliate links that I didn’t bother to figure out:

Adsense: pub-2039039127093366

The site is on a net block that rwhois says is owned by CPS Labs Ltd, in Illinois. Problem is, the only company with that exact name I could find on the net, is actually in the Russian Federation. That got me curious enough to keep digging. So far I’ve been unable to find a company by that name in Oak Park, Illinois.

However, CPS Labs has at least two IP blocks at The Planet:

70.84.176.56 - 70.84.176.63
67.19.100.224 - 67.19.100.231

Some whois data used by sites on those ranges is obviously fake:John Smith
Apartado Postal
Quito, 423012 423012
Ecuador

But the guy who’s really behind this forgot to hide very well:

Kokareff, Den den_kokareff@hotmail.com
32 Rebecca Rd
East Hanover, New Jersey 07936
United States
9733861607 Fax –

That’s a legit address, and I found an older listing (confirmed October 2005) for him at that address:

Denis Kokarev
32 Rebecca Rd
East Hanover, NJ 07936-3431
(973) 386-1607

Unless this guy’s been whois joe jobbed by the spammer, he IS the spammer.

Update: There is or was a 30 year old by that name in Oak Park, Illinois. Maybe that’s the new address?

This entry was posted on Tuesday, August 29th, 2006 at 6:46 am and is filed under Comment spam. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

One Response to “Den Kokareff - spammer”

  1. 0-day Says:
    October 13th, 2006 at 4:54 am

    Glad you mentioned this guy before, as it saves me some time finding out about him :-) . This spamtard has been active on my site during the past days. Nothing serious, just a few connection attempts in vain due to my banning of the entire Planet ranges (which he doesn’t seem to grasp).

    As of today there’s just one domain on his 70.84.176.58 spam server, comparedeals.info, but obviously it fits into his spamming niche. The domain comparezone.info that you mentioned in your article has been moved to 67.19.100.226. Other stuff on that server you may like to check out:
    bestgamblingzone.com
    comparezone.info
    destinylane.com
    gcbatteryworks.com
    globalwizz.com
    hollysdesigns.com
    jobsflugger.com
    peleet.com
    promotiononwheels.com
    skibluesky.com
    thebestzone.com
    thebettingarea.com
    thecreditarea.com
    thedebtarea.com
    thegamblingarea.com
    thetravelarea.com
    vasodeleche.com
    webwerkz.com
    wine-citizen.com

Leave a Reply