To Catch a Spammer

The Problem

Spam. It’s like the herpes of the internet. We know it’s out there and for the most part we do our best to avoid it.

Unfortunately, if you run a blog and/or forums or pretty much anything that accepts content from external sources, chances are you are going to get spammed… and as such, have to deal with it on a more personal basis than you would probably like.

The solution? There isn’t one: most captchas are easy to break, and if you are using something like ReCaptcha then the penis flood attack of ’09 tells us that this can be easily defeated… just like questions and answers and almost any other form of anti-bot detection you can implement.

As a result, most administrators of sites simply deal with it: we detect, delete and move on. There isn’t much else you can do until you know where the source is originating from (which can be quite difficult, since they tend to use open and anonymous proxies to avoid IP blocking, along with generic user agents and multiple email accounts), and even if you did know, what could you do?
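The "detect, delete and move on" step above is usually done by eye. As an added example (not code from the original post), the script below is one way to automate the triage a forum admin does by hand: it groups posts whose normalised body text is shared by several accounts, the same tell the post relies on later ("the exact same text"), and then counts which /24 source networks those posts came from. The posts, usernames and IPs in it are constructed sample data, and the thresholds are assumptions.

```python
"""Added example (not from the original post): a simple forum-spam triage
heuristic. Posts are grouped by normalised body text, so one template
blasted from several throwaway accounts stands out, and the flagged posts
are then tallied per /24 source network. All data below is constructed."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample posts: (post_id, username, source_ip, body)
POSTS = [
    (1, "alice", "203.0.113.7", "Great thread, thanks for the tips!"),
    (2, "bob22", "198.51.100.4", "Cheap link building!! Visit http://example.org/xr now"),
    (3, "carl_x", "198.51.100.77", "cheap LINK building! visit http://example.org/xr NOW"),
    (4, "dana", "192.0.2.9", "I had the same issue with the plugin."),
    (5, "ed9", "198.51.100.130", "Cheap link building!! Visit http://example.org/xr now"),
]


def normalise(body: str) -> str:
    """Lower-case, drop punctuation (keeping URL characters) and collapse
    whitespace, so trivial variations of one template share a key."""
    body = body.lower()
    body = re.sub(r"[^a-z0-9:/.\s]", "", body)
    return " ".join(body.split())


def network24(ip: str) -> str:
    """Return the /24 containing ip, e.g. '198.51.100.0/24'."""
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))


def flag_spam(posts, min_accounts=2):
    """Return sorted post ids whose normalised body is shared by at least
    `min_accounts` distinct usernames (threshold is an assumption)."""
    users_by_text = defaultdict(set)
    ids_by_text = defaultdict(list)
    for pid, user, _ip, body in posts:
        key = normalise(body)
        users_by_text[key].add(user)
        ids_by_text[key].append(pid)
    flagged = set()
    for key, users in users_by_text.items():
        if len(users) >= min_accounts:
            flagged.update(ids_by_text[key])
    return sorted(flagged)


def networks_for(posts, post_ids):
    """Map each /24 to the number of flagged posts it originated."""
    wanted = set(post_ids)
    counts = defaultdict(int)
    for pid, _user, ip, _body in posts:
        if pid in wanted:
            counts[network24(ip)] += 1
    return dict(counts)


if __name__ == "__main__":
    suspects = flag_spam(POSTS)
    print("flagged posts:", suspects)
    print("source /24s:", networks_for(POSTS, suspects))
```

Matching on text shared across accounts rather than on IP alone is deliberate: the proxies and throwaway accounts mentioned above defeat IP blocking, but a blast still reuses its template. The /24 tally is only a hint for an abuse report, not a blocking rule.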

 

Why I decided to do something

Up until about 6 months ago, one of the sites I admin was getting a little spam, but not much, until one night it increased 20x.

Reviewing some of the posts, I noticed one of them linked to a site called xrumerservice[dot]org. I browsed to the site, checked it out and found the 2 public email addresses it made available for contacting services. I sent a friendly email asking the owner to stop spamming the forum or possibly face retaliation. This seemed to work and to my surprise (whether coincidence or not) the level of spam dropped off… until a few weeks ago.

Once again, reviewing some of the newer spam posts, I found the exact same text that had prompted my initial email. Realising the new influx of spam was related to the same person, I then sent another email asking them to stop… this time I received a bounce-back from the server indicating my email address was rejected by the host.

Needless to say, I decided enough was enough, and since the Sophos guys and others can track down the Koobface team I decided it was time for me to have a crack at identifying the Xrumer Services guy.

 

The Beginning

After a quick look at the site, I discovered a minor XSS hole in the search page, but given that the remainder of the site was straight HTML I doubted that this type of vulnerability could be leveraged to gain access to an admin panel which I could then possibly use to identify the owner (I doubt they are smart enough to connect to it through a proxy).

After this, my next stop was to look at the whois details for the site, and this uncovered nothing of real value other than highlighting that they had registered the domain using WhoisGuard (which makes the registrant information unusable) and some other tidbits relating to the nameservers. I then used a tool which finds sites sharing the same IP address and found the IP was shared amongst 16 other sites. Reviewing the whois details of these domains returned a variety of results and as such, I discounted that they all belonged to the same person and figured the site was on a shared server.

With this information in hand I made a post to the private forum so I could involve some of the other guys in the game. I included the domain name and whois information along with contact email addresses [info@xrumerservice.org & services@xrumerservice.org] and then went to dinner.

Returning from dinner, I noticed one of the users had posted some other details from the target site, including the owner’s Skype handle (dzoniij) and links to a few sites where the same handle was used to offer xrumer services (which blasts forums with spam). I did some general recon with Google and found numerous other posts to blackhat affiliate marketing forums made by the same handle, noted these and went to bed.

 

The Next Day

The next morning, I woke up sick and decided to have the day off work. Checking the forums I noticed another 30 spam posts… damn. So I deleted them, called the doctor and made the decision to spend the morning watching This is Spinal Tap. After the movie I decided to check the forum again… more spam :(

This was the motivation I needed to continue my quest, and so I once again headed to Google to look for something that would help me identify the domain owner. The first major result I found was Elance, where amongst other things the user dzoniij had requested a MAC address changer. I toyed with the idea of a complex social engineering ruse to uncover the operator but then decided against it… since by nature I’m rather lazy and couldn’t be bothered having to create accounts, initiate contact, etc.

The next site that piqued my interest was Traffic Planet and, like the rest of the forums I discovered that had a user with the handle dzoniij, this user was always discussing linking and link-building techniques. I reviewed each post thoroughly but discovered nothing worthwhile. After that there were a lot of Latvian domains returning results for the user dzoniij (and generally talking about the same subjects + WoW).

My next big motivator for the chase occurred a couple of pages later when I found a post on Web Hosting Talk made by dzoniij (within the previous 24 hours) indicating he had been booted from his hosting provider LiquidWeb due to infringing the TOS. I then confirmed this post was made by one and the same when the updated whois reflected that the site had indeed changed hosts… to Black Hat Hosting.

Was this one of the guys from my forum or someone else reporting his activities to his host? At the moment no one is claiming credit so maybe someone else has also had enough of this clown.

Realizing there is more than one way to skin a cat, at this point I decided to go the snitch route and reported his account to the abuse system at PayPal (who are hopefully investigating and closing his account). With trouble getting a host and trouble taking payments, maybe he will shut down for a while.

The next part of my Google username journey returned some Latvian photo blogs where a user with the same handle had posted photos of a Ford Explorer (with plates). Again, I imagine this user is the same dzoniij I am chasing since they both appear to be Latvian… though one of the guys on my forum has suggested these photos are reasonably old, since Latvia hasn’t issued plates in this format since 2004. Exif data on the photos revealed nothing of interest.

Realizing my username search was starting to become useless, I decided to go back to looking at the domain and searching a bit deeper in Google. I eventually found a post on a site to which people can report phone numbers of annoying calls… xrumerservice[dot]org was one of them. Excited, I went back to our ongoing thread to report my findings only to realise one of the other guys had already found it (second post, doh).

 

Moving on, I decided to stay with the Google approach and generally just searched against the username and domain again, trying to find anything I missed. This time I found a post where he indicated he was using his desktop to host the xrumer server and even a post where an annoyed blogger talked with him about his practices. This kind of made the MAC request on Elance more reasonable. Somewhere in between that, I found an older post on some site which published the IP address of the poster. Again, it was for xrumerservice[dot]org and again it traced back to Latvia.

Hence, by this stage, I am confident our spammer resides in Latvia, owned or was looking at a Ford Explorer and was generally a noob starting out. I also managed to find a few other posts of the same type which also published the IP address, and they returned the same class C address as the one I had originally traced… so we can conclude the original blasts were made whilst he was trying to understand xrumer, and these were made without proxies. At this point I have not made an abuse complaint to his ISP, but we will see what comes of this post over the next few days… and whether he keeps spamming our forum.

The next major item I found out about the site is that it was up for sale at some point. Figures for its turnover can be found here.

 

Digging a Little Deeper

At this point I have decided I’ve reached the point where I can do not more searching on google with the data I have, all leads go cold. I need a new approach. I then decide to go back to the original forum posts that have been made by dzoniij but require registration to see all the posts made by him. I sign up for a few sites and get to work. The first major break comes when I find a post by a customer complaining about the service and he quotes their irc session… with dzoniij’s name as ‘Janis Macins’  in the transcript.

 

Hitting Paydirt

Realising the value of this data, I head back to Google and immediately find numerous results for the name.

The first that comes up is a whois result for a domain registered to a person living in Latvia using the same host as the one the xrumerservice domain is using, Black Hat Hosting.

A coincidence? I think not… but still, you don’t want to drop dox unless you are sure it’s the right person.

 

More Gold

I then find a second whois result for the same name which points to ‘supremebacklinkservice.net’ though the email address they are using is different [jaystevens84@gmail.com] but the address, phone and host are the same so that’s good enough for me to draw a conclusion.

Realising, I now have a name, address and the new email (janism1@inbox.lv) to work off I jump back on google and perform a search against the email address.

The first result is for the site Stop Forum Spam, and the IP address is again linked back to the same provider as those I originally found for xrumer. This time, they have an email address which can be linked to forum spamming.

The second result is much better and more conclusive to the investigation. Its a blogspot domain (http://xrumerservices.blogspot.com/) and although Janis has attempted to remove all posts in order to cover up any relationship between xrumerservices[dot]org and the email address  (janism1@inbox.lv),  google cache has come to the aide by still having some posts available for viewing.

As shown below, the email address published as the contact for the spamming service is janism1@inbox.lv, hence we have a basic link between the site and the spammer and if we look at little closer we can see a link between the spammer and xrumerservice[dot]org domain since they are both using the same ICQ id.

The Data

xrumerservice[dot]org whois is unavailable but Janie Macins is the IRC contact 594878091

http://xrumerservices.blogspot.com/ used Janie Macins as the IRC contact 594878091

http://xrumerservices.blogspot.com/ used janism1@inbox.lv as the email to contact for spamming service.

supremebacklinkservice.net whois indicates Janis Macins  as the owner with jaystevens84@gmail.com as the email contact

Address is: Staraja Rusas 5-20, Riga, Riga LV-1048 LV

Phone: +371.25547727

Depending on where you go

home-businessreviews.com whois indicates Janis Macins  as the owner with janism1@inbox.lv as the email contact

Address is: Staraja Rusas 5-20, Riga, Riga LV-1048 LV

Phone: +371.25547727

home-businessreviews.com whois indicates Jay Stevens as the owner

 

Social Media Type Stuff

Twitter: http://twitter.com/JanisMacins

 

Supporting DOX

Once I had all the information I needed about him, finding more details was trivial and I found a Latvian photo blogging site used by him.

Here is a letter from the bank, notice the address they have on file is identical to the address in whois… along with the name?

Homeboy got his MAC address changer… guess elance couldn’t deliver.

Ohhh… and his passport

 

The Aftermath

So it’s getting late and I’ve been tracking the owner of xrumerservice[dot]org for 24 hours now, and I am confident I have my mark.

Everything adds up and I am about to publish this post to the internet. I am sure all the DOX I have are valid so I can leave it at that.

To the Internet – do what you will with him and this information.

The mother fucker deserves it.

PS: If you are a spammer and someone contacts you and asks you to stop spamming their forum, just do it. It’s honestly not worth the hassle you will be put through.
