Specific RBN Attribution
Mr. Boykov has been engaged in criminal activity for some time. He best known for distributing the malware VirusIsolator (which downloads trojans to take control of the victims computer). He has been directly involved in financial crime, and operated scam sites including: Harbor Lending, Oakwood Lending, and Capital Lending. Mr Boykov is also a purveyor of porn spam.
Mr. Smirnov is known for operating a number a scam sites including canadian-pharmacy-support and canadiandiscountmeds. Mr. Smirnov is known to hold Russian nationalist views, and supported cutting off natural gas supplies to the Ukraine. The Ukrainian authorities should note that he often travels between Russia and the Ukraine.
According to Spamhaus SBL64881, Mr. Boykov operates a hosting service in Class C Network 22.214.171.124/24. It should be noted that the pre-invasion attacks emanated from 126.96.36.199. Presently, there is a large-scale spam campaign underway purporting to be from the BBC which accuses the President of Georgia of being gay. When an individual clicks on the link in the email, a virus is downloaded from 188.8.131.52. (Sistemnet Telecom - AS9121 TTNet (Turkey) associated with AbdAllah_Internet) Spamhaus issued a warning regarding 184.108.40.206 on July 29th in SBL66533.
Further investigation of Mr. Boykov and Mr. Smirnov are likely to implicate the Russian authorities in the cyber first strike.
Contribution - James McQuaid
Further spam botnet analysis - Knujon
They are part of a botnet that came into existence in 2008. The vast majority show up in Mar/Apr 2008, but some have been sending spam since 2006
220.127.116.11 - Web Media Services - Russian Federation
nslookup = mx1.privatehost.nl
79 hits from April 2008 and 4 from Mar 2008.
18.104.22.168 - Czech Republic nslookup = 34.224.broadband4.iol.cz
5 hits spread over Feb, Mar and Apr 2008.
242.3.213.198 = mailrouter2.austincc.edu
107 in Mar/Apr 2008, 1 in Jan 08 and 1 in 2006
22.214.171.124 = mail5.hostweb.com.mx
1 in Jul 2007
126.96.36.199 = mx2.seidata.com
90 in Mar/Apr 2008, 1 in Oct 2007
188.8.131.52 = dns2.tea-cegos.es
104 in Mar/Apr 2008
184.108.40.206 = mx2.teuto.net
209 total. 159 in Mar/Apr, 2 Jan, 6 Feb 2008. 39(2007) 3(2006)
220.127.116.11 = adoptolder.org
8 Mar/Apr 2008
18.104.22.168 = mx2.bt.net
100 Mar/Apr, 1 Jan 2008,65 2007) 9 (2006)
Mar/Apr 2008 period
RBN info from James McQuaid his blog here
Spam Botnet analysis Dr. Bob Bruen of Knujon.com.