There was a flurry of activity in the weeks of December before the Xmas holiday. I saw a lot of diligent reporting of the activities of what is arguably the most annoying and least-compliant illegal spam operations in the world today: The mailers of the pernicious "Elite Herbal" penis enlargement herbal remedy products.
If you have an email address at all, of any sort, whether you've ever given it out to anyone or not: you've more than likely seen this spam, though fortunately most of it ends up where it belongs, in the junk folder. This doesn't stop the spammers behind this "product" from sending multiple copies of the same messages every single day to you.
Elite Herbal is one of a batch of products promoted via what is known as the SanCash program, a spammer affiliate program sponsored by bulkerforum.biz members Sancash and Azzy. Several members of bulkerforum.biz are active mailers for that program, notably "Moneyminters", a non-compliant mailer going back several months now at least.
Starting in July of 2007, the spam research blog Spam In My Inbox began investigating who was behind the relentlessly high volumes of spam he continued to receive for this unwanted product. He did quite a bit of due diligence and appears to have been very forthright in trying to find specific contact information for who was behind Elite Herbal itself. All initial contact was ignored (of course) whenever posted via one of the spamvertised fly-by-night websites.
He discovered that IP addresses associated with the spammed websites belonged to a company claiming to be called "Tulip Lab Pvt. Ltd.", located in Mumbai, India. He attempted to contact them regarding the mountains of unwanted spam emails. He never once received any kind of response.
Using some clever technological tricks, he entered an order into one of the spamvertised sites, but while doing so he carefully also entered some tracking code of his own (I'm not privy to what he specifically did, but I have my own theories.) This meant that any computer which viewed his order would report back to him regarding its IP address. He reported on this on July 4th, 2007, stating that an IP address belonging to DSL Internet provider known as iHug (now a division of Vodaphone), located in New Zealand. He complained to iHug and provided his evidence. They took action and investigated the offending account, eventually shutting it down. That IP address turned out to be directly related to one Shane Atkinson, a spammer who has been uncovered at least once (back in 2003) and who had claimed to have given up spamming altogether.
He also noticed that an IP address belonging to Tulip Lab also viewed his order. He documented all of this.
In August, 2007, the spam runs for Elite Herbal intensified. I myself noticed an increase from the usual 14 - 22 messages a day which were received to my control monitoring account, to upwards of 24 - 33 per day, all promoting only Elite Herbal.
In September, SpamInMyInbox wrote an open letter to Tulip Lab and those who supported them. He asked why they continue to allow spammers to promote their "products", and asked for verification as to what the correlation was of the Tulip Lab IP address to the order he placed. He sent an email version of that open letter to the operators of Tulip Lab, cc'ing numerous India-based media outlets and newspapers, and the Pharmaceuticals Export Promotion Council in India, of which Tulip Lab was a member.
Nothing happened for a while after that, but the spam maintained its ridiculously high numbers on a daily basis.
Then in December, the BBC4 program "The Investigation" hosted by Simon Cox aired a half hour program which investigated this exact same rampant spam operation. Since it was the BBC, it appears that they got deeper access than an average individual would otherwise get. They took all the same steps as SpamInMyInbox did - placing an order, waiting to see if anything happened, drawing the same conclusions as to the involvement of Tulip Lab, and eventually contacting the author of SpamInMyInbox himself, which provided them the link to the New Zealand spammer behind his particular spam messages, and those received by the BBC themselves. They further correlated that an affiliate program known as GenBucks had several connections to Tulip Lab and Elite Herbal.
They also directly contacted Shane Atkinson, asking why he had spammed them and others. Atkinson answered that he was a spammer in the past, but claimed that "we've closed all that down years ago", before abruptly ending the interview.
The next day, law enforcement in Christchurch, New Zealand performed a raid on four addresses and "seized 22 computers and boxes of documents ... as it investigates an international spamming operation". [scoop.co.nz]
This harsh spotlight has recently caused the spammers behind this setup to hide like a bunch of cockroaches. The day after the BBC investigation aired, the author of SpamInMyInbox was told by the BBC that Tulip Lab was apparently going to sue him for what they claimed to be "harrassment" (likely related to the numerous unanswered inquiries whcih pretty much anybody would like an answer to: why are they still spamming everybody? Why do they condone spamming? Why do they allow it to happen in such high volume related to one specific product of theirs? Etc.?)
This ruffled some feathers over on BulkerForum.biz. One member named "icanspam" posted a link to the story, and made the same assumption that the BBC did: that Shane Atkinson was the spammer behind this particular spate of annoying Elite Herbal spam runs. This caused other bulkerforum members to pipe up, and several of them were definitely in some distress concerning what appeared to be the exposition and shutdown of the Elite Herbal program run by Sancash. Some excerpts:
TOPIC: SANCASH.. What's going on ?
mic141414
Joined: 12 Jul 2007
Posts: 37
Posted: Thu Dec 20, 2007 8:19 am
Post subject: SANCASH.. What's going on ?
they are offline .. been like that the last 3-4 days.
Commissions NOT paid this week.
Anyone has news on that ??
I am a little worried for my $$
thanks
In the thread: General Talks: raided suspected spammers in Christchurch:
ubuntu
Joined: 06 Feb 2007
Posts: 12
Posted: Thu Dec 20, 2007 10:26 am
Post subject:
not sure if this is sancash
this is related to this audition.. and hmm.. looks like GB...
http://www.bbc.co.uk/radio4/theinvestigation/pip/uvboh/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
jhood
Joined: 23 Oct 2006
Posts: 151
Posted: Thu Dec 20, 2007 11:51 am
Post subject:
thanks for link ubuntu..
eliteherbal/manster IS SanCash
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
icanspam
Joined: 10 Aug 2007
Posts: 52
Posted: Thu Dec 20, 2007 2:22 pm
Post subject:
SA?
Shane Atkinson, bro.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
mail4spart
Joined: 15 Sep 2006
Posts: 33
Posted: Thu Dec 20, 2007 5:18 pm
Post subject:
I know Shane is a straight up guy and doesnt deserve all this heat. I hope he can survive this like he did last time he came under a lot of heat before him and his brother. He has been running a smart business for a long time and looks after his people and if he has to shut down the biz there will be many affiliates effected and unpaid.
I guess, in spammer talk, "smart business" translates to: "violating court orders to promote fake products illegally using botnets" because that's precisely what Shane Atkinson was doing.
I checked moments after those postings were made, and the domain sancash.com was unresponsive (and still is.) Suddenly, I saw no spam whatsoever for Elite Herbal. All of a sudden. Just like that. Instead, the spammer who's chosen to keep sending to my control account had switched to stock spam. Many other rather sudden changes also ensued, all very much noticed by SpamInMyInbox in further investigations he pursued, all posted on his blog. It was clear that whoever was responsible for this spam specifically wanted to suddenly and completely remove any trace of connection between Sancash, GenBucks, Elite Herbal and Tulip Lab. It struck me (and others) as a rather clumsy and desperate move.
It's worth mentioning that this is not the first time I and others have investigated and taken action against this group of companies. Last November, in 2006, I and several colleagues performed our own investigation into the operation of several spamvertised sites promoting a bogus product known at that time as "Spur-M". We discovered that they used a third-party back-end server, hosted and owned by GenBucks, for the processing of credit card orders. We also noticed quite a bit of correlation between the domains registered for the Spur-M websites and the GenBucks affiliate program.
The same day, I created what became known as "The Spur-M-Enator" which allowed for several thousand automated, believable, and completely fake orders to be placed at these back end servers. I released it to a handful of colleagues and we all left it running in the background for several hours.
This definitely made them mad, but never once did they stop spamming us. We increased the volume of fake orders per hour, which we know for a fact caused them to lose a considerable amount of time in processing and verifying the orders themselves. We could tell they were upset by this because the back end servers previously never output anything. Now they were outputting a bogus message about how our hard drives had been completely downloaded, or some such nonsense. It didn't stop us. What did stop, after a few days, was any spam - or indeed any mention - of Spur-M as a product. Instead all such spam numbers were focused on stock spam, a trend we notice they tend to fall back on when something isn't going as planned.
They later created "ManXL" and "Manster" as the replacement name for "Spur-M". In the BBC investigation, the label on the bottle which was eventually received from Elite Herbal said that the product was actually called "Manster." That definitely connected more dots for us, and confirmed that for two straight years now, we'd made it difficult for this pernicious operation to profit from relentless spamming. I should hope that this has cost them considerable effort and lost profits, and that further arrests will be forthcoming.
Over the holidays I noticed that all such "Elite Herbal" spam has now been replaced either with more Stock Spam, or spam initially promoting "Express Herbal" and then later "VPXL", yet another so-called Penis Enlargement herbal remedy (though the header banners on these sites actually still say "Express Herbal". They can't seem to focus much.) The cycle repeats again, apparently.
This is very obviously the same criminal group, and the shutdown of Shane Atkinson's operation has clearly not diminished the amount of spam I continue to receive for this particular product. As happy as I am (and many others are) to see the death of the Elite Herbal "brand", it doesn't appear to be diminishing any of this bogus "herbal remedy" spam at all.
In the days following the raid, SpamInMyInbox dug even deeper into what he had discovered on Tulip Lab and GenBucks. I'll leave you to read it for yourself, but trust me: it's outstanding research, and makes it even clear just how guilty all of these parties are in perpetrating illegal spamming of an unwanted product to the world at large.
I and others are determined to find out who, specifically, is continuing to flood our inboxes with this scourge, and will continue to assist law enforcement in finding and shutting down every last one of these malicious criminals.
Tulip Lab and GenBucks: get the message. We hate you. We hate your "products" and we hate the fact that you seem to employ ONLY illegal spammers to do your promotions for you. Your days are numbered. Count on it.
SiL