Thursday, August 24, 2006

SCRAPER BUSTED #3 - UPDATE Cloaker Surfaces on Netfirms

The same cloaking bullshit artist I wrote about before has surfaced on a Netfirms server.

Details:

IP Address: 80.77.80.103
User Agent: "" [blank]
Where the scraped content and redirect appear:
rbmusicartist.netfirms.com/artistic-family-portrait.html
Which redirects to some Ukrainian or Russian bullshit artist's site:
Domain Name: DEVAMATRI.COM

Registrant:
Oleg Povaljaev
Oleg Povaljaev (anandasat@narod.ru)
Tereshkovoj
Odessa
null,65072
UA
Tel. +380.482648166

Guess what?

They host it on ThePlanet.com, you could knock me over with a feather, I'm so surprised.

DEVAMATRI.COM (70.87.136.118)
OrgName: ThePlanet.com Internet Services, Inc.
OrgID: TPCM
Address: 1333 North Stemmons Freeway
Address: Suite 110
City: Dallas
StateProv: TX
PostalCode: 75207
Country: US
NetRange: 70.84.0.0 - 70.87.255.255

Guess we should drop Netfirms in our blocked list too just to be safe:

rbmusicartist.netfirms.com (64.34.66.18)
Netfirms Inc PEER1-NETFIRMS-02 (NET-64-34-66-0-1)
64.34.66.0 - 64.34.66.255
Well, it's not much, but a little blocking each day will keep the scrapers away.
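
An added example, not code from the original post: it collapses the two WHOIS ranges quoted above into CIDR blocks and flags access-log lines that come from them or carry a blank user agent. The Apache combined log format, the function names and the sample log lines are assumptions made for illustration.

```python
import ipaddress
import re

# Ranges as printed in the WHOIS output quoted in the post ("first - last").
WHOIS_RANGES = [
    "70.84.0.0 - 70.87.255.255",  # ThePlanet.com NetRange
    "64.34.66.0 - 64.34.66.255",  # Netfirms PEER1-NETFIRMS-02
]

def range_to_cidrs(text):
    """Collapse a WHOIS 'first - last' range into the fewest CIDR networks."""
    first, last = (ipaddress.ip_address(p.strip()) for p in text.split("-"))
    return list(ipaddress.summarize_address_range(first, last))

BLOCKED = [net for r in WHOIS_RANGES for net in range_to_cidrs(r)]

# Assumption: Apache "combined" log format, user agent in the last quoted field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]*\] "[^"]*" \d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def classify(line):
    """Return (ip, reasons); reasons is empty when nothing matched."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None, ["unparsed"]
    try:
        ip = ipaddress.ip_address(m["ip"])
    except ValueError:  # hostname in the first field (HostnameLookups on)
        return m["ip"], ["unparsed"]
    reasons = []
    # A missing User-Agent header is logged as "-", an empty one as "".
    if m["ua"].strip() in ("", "-"):
        reasons.append("blank-user-agent")
    reasons += [f"blocked-range {net}" for net in BLOCKED if ip in net]
    return str(ip), reasons

# Constructed sample lines (not taken from any real log).
SAMPLE_LOG = [
    '80.77.80.103 - - [24/Aug/2006:09:12:01 -0700] "GET /a.html HTTP/1.0" 200 5120 "-" ""',
    '70.87.136.118 - - [24/Aug/2006:09:12:07 -0700] "GET / HTTP/1.1" 200 2048 "-" "Mozilla/4.0"',
    '64.34.66.18 - - [24/Aug/2006:09:13:30 -0700] "GET /b.html HTTP/1.0" 200 4096 "-" "-"',
    '192.0.2.10 - - [24/Aug/2006:09:14:02 -0700] "GET / HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(classify(entry))
```

The first sample line is flagged only for its blank user agent, because the scraper's own address is not inside either of the two ranges listed here.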

Now, here comes the real fun...

I was curious what else was on the server with DEVAMATRI.COM (70.87.136.118) and found a shitload of cloaking spam sites.

Note: The sites are indexed in both Yahoo and MSN but they aren't in Google.

Probably not the last of the sites from this slimeball, most likely the tip of the iceberg, but it's definitely a start to unearthing his network of crap.

1 comment:

Olliver said...

Great findings, Bill :-)

I'd like to add that the spammer's IP address shouldn't be neglected:

inetnum: 80.77.80.0 - 80.77.80.255
netname: UAONLINE-1
descr: ipipe network
country: GB
admin-c: MS9776-ripe
tech-c: VK1045-ripe
status: ASSIGNED PA
mnt-by: uaonline
mnt-domains: uaonline
source: RIPE # Filtered

person: Soldatov Maxim
address: Marylebone high street 78
address: W1U 5AP London
phone: +380 50 4985406
e-mail: makc @ ipipe.net
org: ORG-RIBC1-RIPE
nic-hdl: MS9776-ripe
mnt-by: uaonline
source: RIPE # Filtered

person: Vladimir Klenov
address: London, United Kingdom
phone: +380 50 4985406
e-mail: maple @ ipipe.net
nic-hdl: VK1045-ripe
mnt-by: uaonline
source: RIPE # Filtered

UAonline stands, as you may have already guessed, for Ukraine online and these IP addresses primarily serve as VPS/Proxy connectivity for hire:
Spamhuntress #1
Spamhuntress #2

Spamhuntress mentions hqhost, who are offering their services in English, too. Well, you can figure it out yourself: Spammer rents a proxy for a couple of weeks, signs hosting services, spams the hell out of them (or the rented address) and gets away with it unidentified.

Olliver