Let's See What This Guy Has Done...
Review
A month ago, I logged into the Mix-Space backend to check for new comments. Out of curiosity, I clicked on Spam (thinking my little site wouldn't have any spam comments, right?). And guess what? There were indeed some attempts to spam, but unfortunately for them... this useless piece of work failed. All were blocked by the anti-spam filter (didn't even need AI review). Now that I finally have some time, let's see what this loser has done.
General Data Analysis
Spam Screenshots

Page One

Page Two
Oh, Shanghai Eagle Network Technology Co., Ltd., really living up to the "eagle" in their name.
Since the Mix-Space backend only shows general information, let's dive into the database.
Detailed Data Analysis
Mix-Side Analysis
Using Datagrip to connect to the MX database, we enter the comments table.

image-20251002121606425
Then directly filter by the keyword for this IP: 198.23.130.211, and the results are out.

Result
You can see the detailed information of this dim-witted child.
| Item | Content | |
|---|---|---|
| IP | 198.23.130.211 | |
| UA | Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/138.0.0.0 Safari/537.36 | |
| Nickname | HaoelShanghai Eagle Network Technology Co., Ltd.Chen HaoLivid************ (too sensitive to disclose) | |
| Comment | markdown<br>I own************************************************************************************************************************************************************************************************************************************************************************************************************************************************!<br>markdown<br>A dovecote or dovecot /ˈdʌvkɒt/, doocot (Scots) or columbarium is a structure intended to house pigeons or doves.[1]<br>Dovecotes may be free-standing structures in a variety of shapes, or built into the end of a house or barn.<br>They generally contain pigeonholes for the birds to nest.[2]<br><br>Pigeons and doves were an important food source historically in the Middle East and Europe and were kept for their eggs and dung.[3]<br>markdown<br>Learning************************<br> | |
| haoel@hotmail.com livid@v2ex.com c*@mail.**.** | ||
| Location | Los Angeles, California, USA |
This is the information we got from the Mix system. Now let's take a look at Umami.
Umami-Side Analysis
We can see the comment time was on 2025-08-02, let's take a look.

Timestamp recorded in the database
Let's check Umami directly for that day to confirm it's this user:

Umami session screenshot

Detailed information
Enter the Umami database to search the ID for verification, but unfortunately, Umami doesn't record IPs? No big deal, let's just download the Umami request logs. Coincidentally, the starting record time is July 30th, heaven-sent.

Starting record
We still use the IP search tactic, and sure enough, we found it. The time matches, confirmation successful.

Successfully found
AI Log Analysis
- Entering the Site
- 10:30:48: First entry to
/posts/site/comeback - 10:32:17: Visit homepage
/ - 10:32:32 ~ 10:32:40: Continuous refresh or repeated visits to
/posts/site/comeback
- 10:30:48: First entry to
- Browsing Regular Pages
- 10:32:38 ~ 10:33:25: Repeated visits to
/postsand/posts/site/comeback, as if testing page transitions or rereading some content.
- 10:32:38 ~ 10:33:25: Repeated visits to
- Visiting Technical Articles
- 10:37:22 ~ 10:37:33: Viewed
/posts/devops/how-to-handle-zombie-processes-in-ubuntu(an article about handling Linux zombie processes), opened at least twice, possibly confirming content. - 10:37:25 ~ 10:36:25: Visited
/posts/cybersecurity/msf-bypass-test(possibly an article on penetration testing or bypassing defenses).
- 10:37:22 ~ 10:37:33: Viewed
- Pre-Ending Behavior
- 10:38:23: Returned to homepage
/ - 10:38:46: Last visit to
/postspage, session ended.
- 10:38:23: Returned to homepage
What does this indicate? It shows this loser:
He was trying slowly on the browser side! Tried for 4 minutes!
Because Mix detected the spam and didn't display it by default, he kept refreshing the page, confused about where his comments went.
Hahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahaha!
AI also confirmed my thoughts:
AI Comprehensive Analysis
| Time (Beijing Time) | Action Type | Details |
|---|---|---|
| 22:30:48 | First Visit | Entered /posts/site/comeback |
| 22:32:17 | Visit | Homepage / |
| 22:32:32 ~ 22:33:40 | Visit | Multiple refreshes of /posts/site/comeback |
| 22:33:38 ~ 22:35:06 | Visit | Browsed /posts and /posts/site/comeback |
| 22:34:43 ~ 22:34:59 | Comment | Author "Chen Hao", content involves sensitive remarks (database record) |
| 22:35:22 ~ 22:36:47 | Comment | Author "Livid", posted random English content (database record) |
| 22:36:22 ~ 22:37:25 | Visit | /posts/site/comeback and /posts/cybersecurity/msf-bypass-test |
| 22:37:32 ~ 22:37:33 | Visit | /posts/devops/how-to-handle-zombie-processes-in-ubuntu |
| 22:37:52 ~ 22:38:16 | Comment | Author "Learning*", continued posting content (database record) |
| 22:38:23 | Visit | Homepage / |
| 22:38:46 | Last Visit | /posts, session ended |
- Same Person's Behavior
- Same IP address:
198.23.130.211. - Perfect time alignment: Comments occurred during the session, with the last comment (22:38:16) only 30 seconds before the session ended (22:38:46).
- It can be confirmed that the comments and browsing behavior were performed by the same visitor.
- Same IP address:
- Behavior Pattern
- Quickly browsed multiple technical articles (security-related) in a short time.
- Simultaneously used the comment function, spamming different author names and content, which is malicious flooding/spam comment behavior.
And I noticed something quite interesting, as shown:

image-20251002124440399
zh-TW? Interesting, seems like they're coming to cause trouble, hahaha (laughing out loud).
Clarity-Side Analysis
This is the funniest part. I integrated Microsoft Clarity, and I guess he wasn't prepared, so everything was recorded, hahaha.
Unfortunately, some input boxes were automatically blurred, otherwise, it would be even more fun. Check it out here.

Clarity backend records