Let's see what this guy has been up to...
Review
A month ago, I logged into the Mix-Space backend to check for new comments, and then out of curiosity, I clicked on Spam (I didn't think my small site would have any spam comments, right?). Guess what? There actually was someone trying to spam comments. Unfortunately for them... this useless piece of work didn't succeed. Everything was blocked by the anti-spam filters (didn't even need AI review). Now that I finally have some time, let's see what this loser did.
Rough Data Analysis
Spam Screenshots

Page 1

Page 2
Quite the Shanghai Hypergryph Network Technology Co., Ltd., really knows how to Hypergryph
Since the Mix-Space backend only shows general information, let's dive into the database.
Detailed Data Analysis
Mix Side Analysis
Connect to the MX database with DataGrip and open the comments table.

Then directly filter by the IP: 198.23.130.211, and the results come up.

Results
You can see the detailed information of this mentally challenged child.
| Item | Content | |
|---|---|---|
| IP | 198.23.130.211 | |
| UA | Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/138.0.0.0 Safari/537.36 | |
| Nicknames Used | HaoelShanghai Hypergryph Network Technology Co., Ltd.Chen HaoLivid************ (Sensitive, so not posting) | |
| Comment Content | markdown<br>【I own ************************************************************************************************************************************************************************************************************************************************************************************************************************************************!<br>markdown<br>A dovecote or dovecot /ˈdʌvkɒt/, doocot (Scots) or columbarium is a structure intended to house pigeons or doves.[1]<br>Dovecotes may be free-standing structures in a variety of shapes, or built into the end of a house or barn.<br>They generally contain pigeonholes for the birds to nest.[2]<br><br>Pigeons and doves were an important food source historically in the Middle East and Europe and were kept for their eggs and dung.[3]<br>markdown<br>Learning ************************<br> | |
| haoel@hotmail.com livid@v2ex.com c*@mail.**.** | ||
| Region | Los Angeles, California, USA |
This is the information we got from the Mix system. Now let's take a look at Umami.
Umami Side Analysis
We can see the comment time was on 2025-08-02. Let's take a look.

Timestamp recorded in database
Go directly to that day in Umami and confirm it's this user:

Umami session screenshot

Detailed information
Enter the Umami database to search for the ID to verify, but unfortunately, Umami doesn't record IPs? Not a big deal, let's just download the Umami request logs. Coincidentally, the starting record time is July 30th, heaven is on my side.

Starting record
We'll use the IP search tactic again. Sure enough, we found it, the time matches, confirmation successful.

Successfully searched
AI Log Analysis
- Entering the site
  - 10:30:48: First entered /posts/site/comeback
  - 10:32:17: Visited homepage /
  - 10:32:32 ~ 10:32:40: Continuous refreshing or repeated visits to /posts/site/comeback
- Browsing regular pages
  - 10:32:38 ~ 10:33:25: Repeatedly visited /posts and /posts/site/comeback, as if testing page jumps or repeatedly reading certain content.
- Visiting technical articles
  - 10:37:22 ~ 10:37:33: Viewed /posts/devops/how-to-handle-zombie-processes-in-ubuntu (an article about handling Linux zombie processes), opened at least twice, possibly confirming content.
  - 10:37:25 ~ 10:36:25: Visited /posts/cybersecurity/msf-bypass-test (likely an article on penetration testing or bypassing protection).
- Behavior before ending
  - 10:38:23: Returned to homepage /
  - 10:38:46: Last visit to the /posts page, session ended.
What does this mean? It means this loser:
He was slowly copy-pasting and trying in the browser! He tried for 4 minutes!
Because Mix doesn't display spam by default after detecting it, he kept refreshing the page, wondering where his comments went.
Hahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahaha!
AI also verified my thoughts:
AI Comprehensive Analysis
| Time (Beijing Time) | Behavior Type | Details |
|---|---|---|
| 22:30:48 | First Visit | Entered /posts/site/comeback |
| 22:32:17 | Visit | Homepage / |
| 22:32:32 ~ 22:33:40 | Visit | Multiple refreshes of /posts/site/comeback |
| 22:33:38 ~ 22:35:06 | Visit | Browsed /posts and /posts/site/comeback |
| 22:34:43 ~ 22:34:59 | Comment | Author "Chen Hao", content involves sensitive remarks (database record) |
| 22:35:22 ~ 22:36:47 | Comment | Author "Livid", posted random English content (database record) |
| 22:36:22 ~ 22:37:25 | Visit | /posts/site/comeback and /posts/cybersecurity/msf-bypass-test |
| 22:37:32 ~ 22:37:33 | Visit | /posts/devops/how-to-handle-zombie-processes-in-ubuntu |
| 22:37:52 ~ 22:38:16 | Comment | Author "Learning *", continued posting content (database record) |
| 22:38:23 | Visit | Homepage / |
| 22:38:46 | Last Visit | /posts, session ended |
- Same Person Behavior
  - Same IP address: 198.23.130.211.
  - Time perfectly aligned: Comments occurred during the session, the last comment (22:38:16) was only 30 seconds away from the session end (22:38:46).
  - Confirmed that the commenting and browsing behavior were done by the same visitor.
- Behavior Pattern
  - Quickly browsed multiple technical articles (security-related) in a short time.
  - Simultaneously utilized the comment function to batch spam different author names and different content, which is malicious flooding/spam comment behavior.
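The same correlation done in code, as an added example that is not from the original post: it groups request-log lines into per-IP sessions and checks whether each comment timestamp falls inside one, after normalizing time zones. The log line format, the 30-minute idle gap, the 5-second skew tolerance and the sample rows (modelled on the table above) are assumptions.

```python
from datetime import datetime, timedelta

IDLE_GAP = timedelta(minutes=30)  # assumed idle time that ends a session
SKEW = timedelta(seconds=5)       # assumed clock-skew tolerance between systems

# Constructed sample data modelled on the table above; the log format is assumed.
REQUEST_LOG = """\
2025-08-02T14:30:48Z 198.23.130.211 /posts/site/comeback
2025-08-02T14:33:10Z 203.0.113.9 /posts
2025-08-02T14:38:23Z 198.23.130.211 /
2025-08-02T14:38:46Z 198.23.130.211 /posts
2025-08-02T19:02:00Z 198.23.130.211 /
"""
COMMENTS = [  # (label, ip, created); timestamps assumed stored in Beijing time
    ("comment-1", "198.23.130.211", "2025-08-02T22:34:59+08:00"),
    ("comment-2", "198.23.130.211", "2025-08-02T22:36:47+08:00"),
    ("comment-3", "198.23.130.211", "2025-08-02T22:38:16+08:00"),
    ("bystander", "203.0.113.50", "2025-08-02T22:35:00+08:00"),
]

def parse_ts(value):
    """Parse an ISO 8601 timestamp into a timezone-aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def build_sessions(log_text):
    """Group log lines per IP into [start, end] sessions split on IDLE_GAP."""
    sessions = {}
    rows = sorted((parse_ts(f[0]), f[1]) for f in map(str.split, log_text.splitlines()) if f)
    for ts, ip in rows:
        spans = sessions.setdefault(ip, [])
        if spans and ts - spans[-1][1] <= IDLE_GAP:
            spans[-1][1] = ts       # extend the current session
        else:
            spans.append([ts, ts])  # start a new session
    return sessions

def correlate(comments, sessions):
    """Report, per comment, whether it falls inside a session from the same IP."""
    results = []
    for label, ip, created in comments:
        when = parse_ts(created)
        hit = next((s for s in sessions.get(ip, [])
                    if s[0] - SKEW <= when <= s[1] + SKEW), None)
        left = int((hit[1] - when).total_seconds()) if hit else None
        results.append({"comment": label, "in_session": hit is not None,
                        "seconds_before_end": left})
    return results

if __name__ == "__main__":
    print(*correlate(COMMENTS, build_sessions(REQUEST_LOG)), sep="\n")
```

A shared IP alone is weak evidence (NAT, VPN exits, hosting ranges); the containment of every comment inside one browsing session is what ties the two data sets together.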
And I noticed a very interesting point, as shown:

zh-TW? Interesting, looks like someone from the other side came to cause trouble hahahaha (laughing out loud)
Clarity Side Analysis
This is the funniest part. I integrated Microsoft Clarity, and I guess he wasn't on guard, so everything was screen-recorded hahahahahahaha
Unfortunately, some input boxes are masked by default, otherwise it would be even more fun. Watch it here

Clarity backend record