Team Kimberlin Post of the Day

I’ve written from time to time about the Team Kimberlin related anonymous comments that show up in moderation here at Hogewash!. Many of them have come from the same few IP address, and some have used the same fake email address more than once.

One interesting factoid is that many of the IP that have been used are associated the service Bill Schmalfeldt has said he uses for VPN connection. Here are the IPs that have been used three or more times in order of occurrence. (9) (9) (8) (8) (6) (6) (5) (4) (3) (3) (3) (3)

Here’s a list of the “email addresses” that have turned up more than once.

That list should give the Gentle Reader a general idea of the general content of these anonymous comments, but I should note that many of the “return addresses” are much more obscene.

These comment trolls believe that they have been operating in an untraceable manner. That’s not completely accurate. However, not every comment is traced back to its origin. I’d appreciate any additional information that anyone might send my way.

UPDATE—A commenter outlines the first steps one takes in tracing harassing emails/comments such as these. There are more sophisticated means as well.

5 thoughts on “Team Kimberlin Post of the Day

  1. Sorry I don’t know a magic spell to make this painless (there probably is none), but you can just go to the abuse department of each of them and ask either corrective action, or, if you have some legal basis, get info on the person who has the account with them.

    The good news is that none of these seem to be TOR exit nodes based on plugging them all into . This means if you DO pursue account info, it might actually lead somewhere useful.

    You can use to look up what hosting provider corresponds to each address, and sometimesthere is an abuse contact provided. Just plug in an IP address to the search and check the “IP Address” radio button.

    As you can see, the first IP in your list is, which is a very commonly used shared/dedi host service – I myself use one OVH dedicated host.

    Some of the entries return no useful info.

    It may turn out that one or more legit service providers run each of these hosts, and Team Kimberlin people are just paying users of those services. Which would be sort of bad news because it gives you another layer to go through to correct the problem.

    • One more bit – if the abusers are traceably related somehow to these hosts, they are dumb for using so many different hosts because it just gives you that many more chances that at least one of the providers will do a good job of helping you out. But that would depend on you spending your time tracking them all down.

  2. In the last analysis, it probably takes several minutes to spoof an email address and create a dummy website, while it only takes a few seconds to mark it for deletion.

  3. Speaking of changing accounts and hiding and be sneaky and trying to be anonymous…

    Cabin Boy Billy is now @TidingsofDoom on twitter.

  4. Well, the good part is that it doesn’t go through TOR.
    I still think I’m right when I said (in a previous post) that the poster(s) are using access to some servers with lax security.
    How? Through SQL injection, then privilege escalation (a higher login level/account). If one didn’t have access to the server logs, the attack on the server and the posts here would looks like two different events.
    When they post from the server, the IP address Mr. Hoge will see is from that server (or they might use multiple servers). It could even be that these are ‘false-flag’ servers, where the access is sold off to pay for the cost of the hosting.

Leave a Reply