Scrim
From Spamhuntress
About the spammer
Scrim is a spammer who appears to break into innocent websites and place files that create spammy redirect pages for him. He then spamvertizes those addresses in guestbooks etc.
He might have been a "regular" webspammer before August, 2006.
Named Scrimak after his e-mail address (but he says he prefers Scrim), he's been active on Russian forums etc., selling doorway scripts and webspamming scripts, so-called "spamilki" in Russian lingo. He's also got a webhosting biz, where he's recruiting for KlikVip.com, one of those affiliate schemes we're seeing a LOT of spamming for lately.
He uses files named read.php and possibly other names, depending on what blends in better on the target site.
The syntax is the site's URL followed by read.php and a query string, for instance ?q=mortgageinterestrate, to call the page he wants.
There might be a connection to Asiawood, who also uses read.php and has a domain on the same server as Scrim.
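For a site owner checking whether such a file is being called on their own server, this added example (not from the original page) scans access-log lines for PHP scripts that serve several distinct single-token ?q= keywords to visitors arriving from other sites. Only read.php and ?q=mortgageinterestrate come from the page; the log lines, host names, the other keywords, the keyword pattern and the threshold are constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Apache/nginx "combined" format: client, request line, status, size, referrer.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) [^"]*" '
                    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)"')
# Assumed keyword shape, modelled on ?q=mortgageinterestrate: one run-together token.
KEYWORD_RE = re.compile(r'^[a-z0-9-]{6,60}$')

def doorway_candidates(lines, own_host, min_keywords=3):
    """Map script path -> keywords/referrers for PHP scripts that served
    several distinct ?q= keywords to visitors arriving from other sites."""
    seen = defaultdict(lambda: {"keywords": set(), "referers": set()})
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["status"] != "200":
            continue
        url = urlsplit(m["target"])
        q = parse_qs(url.query).get("q", [])
        if not url.path.lower().endswith(".php") or len(q) != 1:
            continue
        keyword = q[0].lower()
        ref_host = urlsplit(m["referer"]).hostname
        # Skip normal on-site searches and requests without a referrer.
        if not KEYWORD_RE.match(keyword) or ref_host in (None, own_host):
            continue
        seen[url.path]["keywords"].add(keyword)
        seen[url.path]["referers"].add(ref_host)
    # The file name may vary between sites, so the check is behavioural, not name-based.
    return {p: v for p, v in seen.items() if len(v["keywords"]) >= min_keywords}

# Constructed sample log lines (documentation IP ranges and example.* hosts).
_T = '[10/Sep/2006:04:11:02 -0500]'
SAMPLE_LOG = [
    f'198.51.100.7 - - {_T} "GET /gallery/read.php?q=mortgageinterestrate HTTP/1.1" 200 5120 "http://guestbook.example.net/sign.cgi" "Mozilla/4.0"',
    f'198.51.100.9 - - {_T} "GET /gallery/read.php?q=cheapcarinsurance HTTP/1.1" 200 5090 "http://forum.example.com/t/12" "Mozilla/4.0"',
    f'198.51.100.9 - - {_T} "GET /gallery/read.php?q=onlinepharmacy HTTP/1.1" 200 5101 "http://guestbook.example.net/sign.cgi" "Mozilla/4.0"',
    f'192.0.2.5 - - {_T} "GET /search.php?q=opening+hours HTTP/1.1" 200 2210 "http://www.example.org/" "Mozilla/4.0"',
    f'192.0.2.6 - - {_T} "GET /index.php HTTP/1.1" 200 1830 "-" "Mozilla/4.0"',
]

if __name__ == "__main__":
    for path, info in doorway_candidates(SAMPLE_LOG, "www.example.org").items():
        print(path, sorted(info["keywords"]), sorted(info["referers"]))
```

Any script it reports should be compared against the site's known-good file list before it is treated as planted.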
Domains:
- t3mortgage.com
- search-vip.net
- pharmacysearch.biz
- yaboards.com
- scrim.biz
IP addresses:
- 88.214.198.10
- 88.214.202.20
- 67.19.221.205
- 67.19.221.204
Whois:
New (didn't take him long to figure out he was under investigation, eh? Whois changed the day after I recorded the first version):
globomobo krimberg (spmhuntress@mail.ru) JHAHan, 12-12 Lucher 0,1237123 CL Tel. +123.33333333
Current:
besthost dmitriy (scrimak@mail.ru) rublevka 41 moscov 0,454555 RU Tel. +999.99999999
Old:
alex gudsf (scrimak@mail.ru) tverskay street 43 rostov RU
His ICQ number: 227922772. He says his first name is Dimas or Dimasik.
Updates:
- Someone with the IP number 194.186.16.4 systematically removed this page in sections yesterday. --Spamhuntress 05:22, 11 Sep 2006 (CDT)
- Two new attempts to delete the contents. I'm locking the page for the time being. --Spamhuntress 10:15, 11 Sep 2006 (CDT)
- His hacked spam pages seem to be inactive. Probably because we exposed his operation? --Spamhuntress 09:00, 14 Sep 2006 (CDT)
