A few days ago, one of our registered users suddenly started posting comment spam (for pills / drugs). This doesn't happen a lot, but isn't too unusual either. For obvious reasons, we only allow comment posts for registered users, and so occasionally a spammer registers with the site just to post spam.
What was odd about this case, however, was that the user had registered with our site back in August 2004(!) and, before the spamming, had last logged in during September 2004.
So at first, I was assuming the worst: A hacked account. Hunting through our logs and database backups didn't bring up any evidence for a hacked account, though. And then another of our users independently reported the same thing happening on his site. On comparing the details of the two spammer accounts, it became evident that it was the same person. It seems someone has been planning this well in advance.
Since then, more accounts from the same spammer have surfaced on other sites. They all have either email@example.com or firstname.lastname@example.org as their email address. Most accounts were created in August 2004, but at least one account was created in March 2005. They all show signs of recent activity, i.e. the user logged into those accounts recently, but didn't always start spamming right away.
We have now alerted our users and recommended that they either ban or delete that user.
So what do we know about the spammer?
Let's start with that email address: 3fn.net is a hosting service, so this is obviously one of their clients. The address sys54.3fn.net only brings up an empty page, though. The spam we saw came from 188.8.131.52, which also belongs to 3fn.net (or APS Telecom, which is either their parent or subsidiary).
The actual spam post tried to hide a huge list of links and keywords (mostly "phentermine") using CSS (
The links themselves point to blogs, user accounts, and wikis on several free sites, including my.opera.com, weblog.ro, and a wiki at the Georgia Institute of Technology. Most of those, in turn, either redirect or point to raph.us, which is registered to one Alex Beliy, supposedly located in Denver, Colorado, but who happens to use the email address email@example.com.
raph.us is hosted at 184.108.40.206, which is suspiciously close to the IP address that sent out the spam and which also belongs to APS Telecom / 3fn.net.
The links were all accompanied by an image hosted at s.8-d.com:83. That domain, 8-d.com, is registered to Alexander Morozov. There's also a connection between that spammer and 3fn.net.
Can you guess where s.8-d.com is hosted? Yep, 220.127.116.11, on the same server as raph.us. APS Telecom / 3fn.net appears to be quite the Gomorrah ...
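Two tells run through this story: a comment from an account that has been dormant for well over a year, and a post that hides a link farm behind CSS. The following is an added detection example for a comment moderation queue, not code from the original post; the account dates, the comment HTML and the particular hiding CSS properties are constructed assumptions, since the post does not say which CSS the spammer used.

```python
import re
from datetime import datetime, timedelta
from html.parser import HTMLParser
# Constructed sample data: an account idle since 2004 and a comment carrying a
# link farm inside a display:none block (the hiding technique is assumed here).
ACCOUNT = {"registered": datetime(2004, 8, 12), "last_login": datetime(2004, 9, 3)}
ACTIVE = {"registered": datetime(2006, 1, 1), "last_login": datetime(2006, 4, 30)}
NOW = datetime(2006, 5, 1)
SPAM = ('Nice post! <div style="display:none">'
        + "".join(f'<a href="http://example.invalid/{i}">phentermine</a> ' for i in range(30))
        + "</div>")
CLEAN = 'Thanks, see also <a href="http://example.invalid/notes">my notes</a>.'
# Inline CSS that keeps content out of a reader's view while search engines still index it.
HIDING_CSS = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|font-size\s*:\s*0|left\s*:\s*-\d{3,}px", re.I)

class LinkCounter(HTMLParser):
    """Count <a> tags, separating those nested inside an element styled to be invisible."""
    def __init__(self):
        super().__init__()
        self.hidden_tags = []  # currently open tags whose style hides their content
        self.visible_links = 0
        self.hidden_links = 0
    def handle_starttag(self, tag, attrs):
        style = dict(attrs).get("style") or ""
        if HIDING_CSS.search(style):
            self.hidden_tags.append(tag)
        if tag == "a":
            if self.hidden_tags: self.hidden_links += 1
            else: self.visible_links += 1
    def handle_endtag(self, tag):
        if self.hidden_tags and self.hidden_tags[-1] == tag:
            self.hidden_tags.pop()

def count_links(html):
    parser = LinkCounter()
    parser.feed(html); parser.close()
    return parser.visible_links, parser.hidden_links

def is_dormant(account, now, min_idle_days=180):
    """True when the posting account has been idle far longer than a normal member."""
    return now - account["last_login"] > timedelta(days=min_idle_days)

def flag_comment(account, html, now, max_links=5):
    """Return the reasons a comment should be held for moderation (empty list = let through)."""
    visible, hidden = count_links(html)
    reasons = []
    if hidden: reasons.append(f"{hidden} links inside CSS-hidden markup")
    if visible + hidden > max_links: reasons.append(f"{visible + hidden} links exceed limit of {max_links}")
    if is_dormant(account, now): reasons.append(f"posted from an account idle since {account['last_login'].date()}")
    return reasons
```

Holding rather than rejecting keeps a genuinely returning member from being locked out, while the dormancy reason alone is enough to route the post to a human before it goes live.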