Eugene Blagodarny

From Spamhuntress

Calendar

August 2006:

Uploading scripts:

Eugene is currently concentrating on finding unsecured upload scripts. He then uploads spammy pages and gets them into search engines. Websites that figure out what's going on delete his handiwork immediately, but my concern is upload scripts that are still out there, and clueless webmasters.

I noticed some sites that had removed his spammy pages and then removed the uploader script. That might be the right way to go.

He uses anything where he can place pages that doesn't break his javascript redirects.

If you find a user named MarkusMerk on a forum with an uploader, delete it.

HyperNews:

He's commenting on HyperNews articles, often using the e-mail address mark@php-soft.com

Those comments have javascript redirects in them. He's using redirects to his own sites as well as direct redirects to affiliate links.


July 2006

He registered the username MarkusMerk on lots of twiki installations. Although I sometimes found fop.com as a URL on there, these users haven't been used for spam so far. But he's used the e-mail address mark@php-soft.com, which is an apparently working e-mail address.

A few days later, some usernames were registered at the same wikis, with a sophisticated redirect. Not sure it's his, though. Affiliate links were used.

Compuserve Germany

He created lots of users on ehome.compuserve.de, and filled them with spammy pages containing redirects.



June 2006

He spammed a wiki June 22, 2006

He used throwaway domains, with hideawhois - e-mail addresses always go to the-ns.com. I also saw a blog on a free service. Also with a javascript redirect from a blog post.

Spambot: 85.202.197.152, which is in Ukraine. This might be his home connection?



New: He's spamming guestbooks in my name, August 4-19.

He's still spamming (September 4). Forum profile spam, blogs. Occasionally PHPnuke.



Main profile

I've been keeping an eye on some porn spammers. Some usually leave trackbacks with sites on dynamic dns servers. This one however used comments.

I followed the trail of one such site (from dyndns site to the site it redirects to via javascript), and ended up on the same server as Eugene Blagodarny's advanced-submitter. It's exactly the kind of software used for spamming the blogs. This was in April, and the site I found and pinged is no longer in the zone. Stuff moves around.

So, my question is, do all the sites on that server belong to Eugene Blagodarny, or just the two connected with his submitter software?

Oh yes, he's got something to do with it. Might even be his. The e-mail address used for registering the porn domains is from a domain registered by Eugene.

Mark Bosner is often the name associated with the domains, when there's someone associated with them at all.

But since the e-mail address given for those domain names resolves to Eugene's own e-mail address (VRFY is disabled on most mail servers, but this one was sloppy), I think we can bypass Mark Bosner easily:

Here's the output from my trace:

VRFY domains@gals4all.com
252 2.1.5 <eugene@trafficshop.com>

May 10, 2005, I found some newly spammed free sites (man-fucking-dog.beastialityx.x24hr.com) that redirected to a site (inceststories.ws) that was hosted on 205.252.251.146. On that IP number, I found a domain name (free-gay-video-clip.com) that was spamvertized via comments March 17, 2004. The whois info is again for Mark Bosner, but the e-mail address of the registrant is different from the other contacts, and it contains: eugene@trafficshop.com. It also contains Eugene's phone number: +38.0675555555. Another domain spamvertized that same day has a domain (sweethotgirls.com) with this whois info for registrant:

Eugene eugene@trafficshop.com +38.0675555555
PHP/PERL Solutions
WA str, 45a
London,WA,UNITED KINGDOM 23555

Yep, unless Eugene is fronting for someone else, he's a spammer himself.

I trust that wasn't a big surprise?

I verified my findings May 9, and posted my findings to link usenet. Spammers move their domains around a lot, so if your findings are different weeks from now, that's to be expected.

After mucking around a bit with spam domains, I finally found some that had Eugene's well known e-mail address from php-soft on them.

And I found Eugene soliciting content. So, we know Eugene at trafficshop reads and writes Russian.

Advanced-submitter still has Eugene's name on the whois info, but he's changed his location to Australia. The info leaves no doubt that php-soft.com belongs to him, even though that now sports different whois info. Geodog captured an earlier version of advanced-submitter's whois info.

My original expose, containing some of the same text as this article

If I am not mistaken (but I am sure I am not), then Eugene Blagodarny is a Russian name. That name might also be Ukrainian or Belorussian.

Webhost IP numbers

Some (OLD) IP numbers housing websites belonging to him:

  • 66.230.140.146 (holds some of his non-porn sites) - isprime.com
  • 69.50.164.156 - esthost
  • 69.50.164.157 (holds his submitter script as well as porn sites) - esthost
  • 69.50.170.75 (added May 15. Probably only dynamic IP sites)
  • 69.50.170.76 (only sites with pointers from dynamic DNS services) - William Lu/Atrivo
  • 69.50.170.77 (only sites with pointers from dynamic DNS services) - William Lu/Atrivo
  • 69.50.191.27 - (holds php-soft and perl-soft as well as porn and other affiliates) esthost
  • 70.85.190.43 - The Planet
  • 80.77.85.103 - hqhost
  • 205.252.251.146 - advancedhosters
  • 205.252.251.154 - advancedhosters
  • 206.161.200.178 - advancedhosters
  • 206.161.200.184 - advancedhosters
  • 206.161.200.185 - advancedhosters
  • 206.161.205.133 - advancedhosters
  • 209.8.40.52 (added May 14. Has mostly .name domains on it)

August 2006:



Here's a raw list of IP numbers used by spammers to host dynamic IP sites (and only spammers; these IP numbers are controlled by spammers only): Dynamic IP addresses


Update July 29, 2005

Eugene is apparently tired of losing his dynamic IP subdomains, and has invented a fake dyndns site: chiki-piki.com. August 1: ESTdomains suspended the domain.


Whois

chiki-piki.com
local Ind.
Terry Manson        (webmaster@chiki-piki.com)
14th street, 5
London
,08071
GB
Tel. +91.5671892

404traff.com
Prime, Inc
Prime, Inc        (webmaster@workst.net)
15111 N Hayden Rd., Suite 14
Scottsdale
Arizona,85260
US
Tel. +480.6242599

Note that this is DomainsByProxy's address, but the domain is not using that service. It's a fraudulent address, in other words. workst.net belongs to Eugene as well, and has that same fraudulent address.

porn-secrets.com
Mark Ago
Ipch-34,24
Mon
YUGOSLAVIA
02140
+91.226370256
domains@sweethotgirls.com

php-soft.com
Bosner, Mark  info@php-soft.com
Jungmanova, 31, ADRIA PALACE,
off. 315
Prague, LN 11000
Czech Republic
241741977      Fax -- 

Geodog (see link below) found an older whois for php-soft.com:

Blagodarniy, Evgeniy asm@vinc.ru
Grigorenka 39a, apt. 25
Kiev, Kiev 02140
Ukraine
679070349 Fax --


Whois involved in uploading script as of August 2006

rape-stories.name
Admin Organization: PORN-SECRETS.COM
Admin Name: Mark Ago
Admin Address: Ipch-34,24
Admin City: Mon
Admin Country: YUGOSLAVIA
Admin Postal Code: 02140
Admin Phone Number: +91.226370256
Admin Email: domains@sweethotgirls.com

sweethotgirls.com
Registrant:
 Eugene eugene@trafficshop.com +38.0675555555
 PHP/PERL Solutions
 WA str, 45a
 London,WA,UNITED KINGDOM 23555
Administrator:
 name: Mark Bosner
 mail: domains@gals4all.com tel: +44.0555555555
 org: NA

none
Eugene        (hqhost@php-soft.com)
none
London
null,94858
GB
Tel. +91.226370256

These (below) are used when he comment spams on HyperNews installations and spams wikis and content management systems. The redirects are identical to his other redirects, but he uses other primary domains. There are however links to sites already identified as his on those sites.

unisearch.name
Admin Organization: none
Admin Name: Jeremie
Admin Address: none
Admin City: London
Admin Country: UNITED KINGDOM
Admin Postal Code: 94858
Admin Phone Number: +91.226370256
Admin Fax Number:
Admin Email: uni@the-ns.com

VEZEM
Veronika Zemanova
1290 Saint Nicholas Ave 
New York, NY 10034
US
Email: veronika@the-ns.com

Raymond, Andrew  veronika@the-ns.com
Bellevue, Washington
null
Bellevue, WA 98008
US
212-677-5588 fax: null

"Whois (Email spam from Dec 2006 mercedes-lopez.com)"

Registration Service Provided By: ESTDOMAINS INC
Contact: +1.3027224217
Website: http://www.estdomains.com

Domain Name: mercedes-lopez.com

Expiry Date: 13-Nov-2007
Days Left for Expiry: 320
Record Creation Date: 13-Nov-2006
Domain Status: Active

Domain servers in listed order:
managedns1.estboxes.com
managedns2.estboxes.com
managedns3.estboxes.com
managedns4.estboxes.com

Registrant Contact Details
Name: John
Company: Stella
Email Address: John-Smith@mercedes-lopez.com
Address: 11th Ave
City: Boston
State: null
Zip: 124431
Country: US
Tel No.: +91.226370256

Administrative Contact Details
Name: John
Company: Stella
Email Address: John-Smith@mercedes-lopez.com
Address: 11th Ave
City: Boston
State: null
Zip: 124431
Country: US
Tel No.: +91.226370256

Technical Contact Details
Name: John
Company: Stella
Email Address: John-Smith@mercedes-lopez.com
Address: 11th Ave
City: Boston
State: null
Zip: 124431
Country: US
Tel No.: +91.226370256

Billing Contact Details
Name: John
Company: Stella
Email Address: John-Smith@mercedes-lopez.com
Address: 11th Ave
City: Boston
State: null
Zip: 124431
Country: US
Tel No.: +91.226370256
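The whois records above are tied together by hand through reused contact details. The same pivoting, automated, is shown here as an added example that is not part of the original article: the e-mail addresses and phone numbers are transcribed from the named records on this page, while the function names and the `dom:`/`tel:` selector prefixes are assumptions of the example.

```python
from collections import defaultdict

# Contact e-mails and phone numbers transcribed from the whois records on this page.
RECORDS = {
    "chiki-piki.com":     (["webmaster@chiki-piki.com"], ["+91.5671892"]),
    "404traff.com":       (["webmaster@workst.net"], ["+480.6242599"]),
    "porn-secrets.com":   (["domains@sweethotgirls.com"], ["+91.226370256"]),
    "php-soft.com":       (["info@php-soft.com"], ["241741977"]),
    "rape-stories.name":  (["domains@sweethotgirls.com"], ["+91.226370256"]),
    "sweethotgirls.com":  (["eugene@trafficshop.com", "domains@gals4all.com"],
                           ["+38.0675555555", "+44.0555555555"]),
    "unisearch.name":     (["uni@the-ns.com"], ["+91.226370256"]),
    "mercedes-lopez.com": (["John-Smith@mercedes-lopez.com"], ["+91.226370256"]),
}

def selectors(domain, emails, phones):
    """Normalized pivots for one record: its own name, e-mail hosts, phone digits."""
    yield "dom:" + domain
    for e in emails:
        yield "dom:" + e.rsplit("@", 1)[1].lower()
    for p in phones:
        yield "tel:" + "".join(c for c in p if c.isdigit())

def shared_selectors(records):
    """Map each selector seen in two or more records to the domains using it."""
    seen = defaultdict(set)
    for dom, (emails, phones) in records.items():
        for s in selectors(dom, emails, phones):
            seen[s].add(dom)
    return {s: sorted(d) for s, d in seen.items() if len(d) > 1}

def clusters(records):
    """Union-find: domains joined by any shared selector end up in one cluster."""
    parent = {d: d for d in records}
    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x
    for doms in shared_selectors(records).values():
        for other in doms[1:]:
            parent[find(other)] = find(doms[0])
    groups = defaultdict(list)
    for d in records:
        groups[find(d)].append(d)
    return sorted((sorted(g) for g in groups.values()), key=lambda g: (-len(g), g))

if __name__ == "__main__":
    for sel, doms in sorted(shared_selectors(RECORDS).items()):
        print(sel, "->", ", ".join(doms))
    for group in clusters(RECORDS):
        print(len(group), group)
```

A shared selector is a lead to confirm against hosting and redirect evidence, since the contact details in these records are often fabricated.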

Links


More Link spammer pages
