Krin
From Spamhuntress
Also aka Romzes (see below)
This guy started comment spamming the blog on annelisabeth.com on May 22, 2005. He's been in the porn biz for several years, but appears to have used regular promotion methods in the past. Either that, or his spam is so old it's out of the search engines. July 2005: He's switched to referrer spamming imoney555.com.
He also has name servers that are used either by other spammers, or by himself using other names.
User agent (this is exactly how it appears in the log; it is a misconfiguration you can block on):
- User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
He spams using proxies, but has a master spambot. It doesn't do any POST requests, only GET:
205.177.122.162 (Advancedhosters)
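One way to hunt for this fingerprint in an access log, as an added example (not code from the original page). It assumes the combined log format and that the misconfiguration is the literal "User-Agent:" prefix inside the header value; the sample lines, IP addresses and example.org are constructed.

```python
import re
from urllib.parse import urlsplit

# Apache/nginx "combined" access-log format.
COMBINED = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) \S+ [^"]*" '
    r'\d{3} \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
# Referrer-spammed domain named on this page; extend from your own logs.
SPAM_REFERER_DOMAINS = {"imoney555.com"}

def classify(line):
    """Return (ip, method, reasons) for one log line, or None if unparseable."""
    m = COMBINED.match(line)
    if m is None:
        return None
    reasons = set()
    # Assumption: the misconfiguration is the header name repeated in the value.
    if m["ua"].lower().startswith("user-agent:"):
        reasons.add("ua-prefix")
    host = (urlsplit(m["referer"]).hostname or "").lower()
    if any(host == d or host.endswith("." + d) for d in SPAM_REFERER_DOMAINS):
        reasons.add("spam-referer")
    return m["ip"], m["method"], reasons

def summarize(lines):
    """Group flagged requests by client IP with the methods each one used."""
    report = {}
    for line in lines:
        parsed = classify(line)
        if not parsed or not parsed[2]:
            continue
        ip, method, reasons = parsed
        entry = report.setdefault(ip, {"hits": 0, "reasons": set(), "methods": set()})
        entry["hits"] += 1
        entry["reasons"] |= reasons
        entry["methods"].add(method)
    return report

# Constructed sample lines (documentation IP ranges, example.org as the blog).
UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
SAMPLE_LOG = [
    f'192.0.2.10 - - [21/Aug/2005:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "User-Agent: {UA}"',
    f'192.0.2.10 - - [21/Aug/2005:10:00:02 +0000] "GET /blog/ HTTP/1.1" 200 900 "http://www.imoney555.com/" "User-Agent: {UA}"',
    f'198.51.100.7 - - [21/Aug/2005:10:00:05 +0000] "GET /blog/ HTTP/1.1" 200 900 "-" "{UA}"',
    f'198.51.100.7 - - [21/Aug/2005:10:00:09 +0000] "POST /comment HTTP/1.1" 302 0 "http://example.org/blog/" "{UA}"',
]

if __name__ == "__main__":
    for ip, info in summarize(SAMPLE_LOG).items():
        print(ip, info["hits"], sorted(info["reasons"]), sorted(info["methods"]))
```

A flagged client whose methods set contains only GET matches the GET-only behaviour described above; an ordinary MSIE 6.0 visitor with the same browser string but no prefix is not flagged.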
He first spamvertized various subdomains on f-z-a.com, a domain that belongs to him, and more recently a domain that formerly belonged to the Alaska Right To Life Organization. Their registration lapsed in January, and Krin snapped it up right away.
Update June 2:
He's got a slew of new domains he's spamvertizing. There's no longer any point keeping track of them. All of them (this time) had a redirect to crazyxxxlinks.com. If there's a redirect to that domain, it's Krin.
Update August 21:
He's got dozens of domains he's referrer spamming. I'm just noting the IP numbers as I check the domains.
Some key domains:
- search-ok.com
- web565.com
Domains (combined Krin and Romzes):
Whois info:
Name Server: NS1.WINSCORP.COM Name Server: NS2.WINSCORP.COM Registration Service Provided By: ESTDOMAINS
Registrant: Zenal Vasiliy Bobrov (krin@krovatka.net) Naberejnaya Kosmonavtov 127-39 Tula ,547002 RU Tel. +7.9053204170
and for another domain he uses:
Registrant: Sofit LTD Sergey Popov (krin@every-day.net) Moskovskaya 25-7 Saratov null,410067 RU Tel. +7.9053204337
An older domain he got in trouble over (misused Pokemon imagery):
Administrative Contact: Name: Vasia Last Name: Pupkin Address: Moskovskaya 5-48 City: Saratov State: xx Zip Code: 410008 Country: RU Company: Email: krin@krovatka.net Telephone: +79053204750 Fax:
Newer whois info:
Pavel Naumenko (mikhail@top07.com) Proletarskaya 24-62 Saratov ,410008 RU Tel. +7.9172090859
RexComp Mikhail Zverev (mikhail@top07.com) Maksima Gorkogo 45-182 Saratov Saratovskayaoblast',410063 RU Tel. +7.9053204170
Dmitry Tashlikov (mikhail@top07.com) Proletarskiy proezd 51-27 Saratov ,410062 RU Tel. +7.9172090859
Legio Arkadiy Reznikov (mikhail@top07.com) Tarasa Shevchenko str. 21-205 Saratov ,410047 RU Tel. +7.9042431533
Roman Danilenko (krin@every-day.net) Prospekt Kirova 24 Saratov ,410029 RU Tel. +7.9053204170
Lik comp. Oleg Samoilov (roman@every-day.net) Klochkova 17-3 Saratov ,410008 RU Tel. +87.9047007500
He's got an ICQ number, of course:
- 130171829
On the profile, he says: country: Russia First Name: Michail Nickname: krin
Payoffs:
His affiliate IDs include:
- krinsir
- ec_wm4
- 18913
- 103&p=2&m=2
- wm=acr1891
- wm=18954
- uni189129
They should be relatively easy to recognize if you are familiar with porn affiliate IDs.
Java applet
There's a path from one of Krin's pages to an applet hosted on awmdabest.com, which is owned by:
Arianda LTD Leo Kumar (tech@makethemcry.com) Krasnoarmejskij pr. 22 St. Petersburg ,191000 RU Tel. +7.9219882226
The name servers for that domain are interesting. They're from the domain: toolbarplace.com
Don't follow this link except with text browsers. This is where the applet is served from: h*tp://www.bestporn4all.net/bonus/index.html
Romzes
This spammer posts his spam to annelisabeth.com.
The URLs spammed usually look like free websites, but aren't. They are subdomains and directories.
Domains:
Whois
STAMM Sergey Sviridov (romzes@fromru.com) Klochkova 18-22 Saratov ,410008 RU Tel. +7.9033291502
DBS Ltd. Roman Poplevkin (roman@every-day.net) Babishkin vzvoz 25-68 Saratov ,410027 RU Tel. +7.9047063263
Registrant Name:Vacheslav Tezikov Registrant Organization:Itera Registrant Street1:Dzerjinskogo 153-49 Registrant City:Saratov Registrant State/Province: Registrant Postal Code:410028 Registrant Country:RU Registrant Phone:+7.9033291502 Registrant Email: romzes@fromru.com
The name servers are usually Winscorp, which is owned by Krin, another spammer gracing these pages. In fact, I once found a redirect to a page owned by Krin. The redirect seems to be gone now, but the Java applet remains.
