Monday, March 3, 2008

On The Trail Of SanCash And [so-called] "Infinity Secure"

In my continuing research into the SanCash operation, I have noticed that all SanCash properties have now switched completely to the use of an ordering page which claims to be from "Infinity Secure." There is no such operation, of course. But they now include a page within a subdirectory called "/order". It's not secure, the back end connection it makes to the third party card-processing page is not secure. As usual: they are lying to us. (Just like they are about the contents and quality of their "products."

The "Infinity Secure" page on all SanCash sites now lists the following address on all sites which feature that type of ordering page:

17 Bank St.
Ottawa, ON K1V 7Z5
Canada


Of course, there is no such address. There is an approximate location, but the site itself does not exist. This has been independently verified.

The postal code "K1V 7Z5" is also incorrect, and is in use for a series of addresses several blocks south of "17 Bank St." A quick Google search pulled up 127 Bank St., which houses Currey D S & Son Insurance Brokers Ltd. (Among several other addresses.)

In fact searching for the 17 Bank St. address distinctly only pulls up the "Infinity Secure" page from an "ED Pill Store" site:

http://www.edpillstores.com/order2.php?option=3

Which is handy, since it now ties "ED Pill Store" to the list of SanCash-spammed sites

That list so far:


  • VPXL / Express Herbal

  • Max Herbal

  • Target Pharmacy

  • Diamond Replicas

  • King Replicas

  • Prestige Replicas

  • ED Pill Store



Contact email addresses for these properties:

VPXL / Express Herbal: support@vpxlherbalgrowth.com
Max Herbal: support@maxherbalgrowth.com
Target Pharmacy: support@propharmasales.com
King Replicas: support@kingreplication.com
ED Pill Store: support@edpillstores.com

[For the others, no spamvertised domains are still active, so I'll add those later when I inevitably receive more spam for them.]

Each of those domains appears to be a "top-level" source for each of those properties.

Here is typical completely fake domain registrant contact info for each of those domains:

The Authorizing Registrar for each of these domains, as well as most of the spamvertised throwaways is (as usual, of course) XIN NET Technology Corporation.

vpxlherbalgrowth.com:

jiangjiang
xing xing
liao da lian
dalian Beijing 456123
CN
tel: 101 2345678
fax: 101 2345678
cncliup@21cn.com

maxherbalgrowth.com

jiangjiang
xing xing
liao da lian
dalian Beijing 456123
CN
tel: 101 2345678
fax: 101 2345678
cncliup@21cn.com

propharmasales.com:

liuhai bin
liu haibin
hai kou
hai kou Beijing 891000
CN
tel: 3219001
fax: 3219001
yayun22@21cn.com

kingreplication.com:

liuhai bin
liu haibin
hai kou
hai kou Beijing 891000
CN
tel: 3219001
fax: 3219001
yayun22@21cn.com

edpillstores.com

liuhai bin
liu haibin
hai kou
hai kou Beijing 891000
CN
tel: 3219001
fax: 3219001
yayun22@21cn.com


As you would expect, none of those email addresses do anything in terms of response. None of those phone numbers or addresses are legitimate in any way. It's all 100% fake.

But just in case:

According to Wikipedia, "Dalian "is the governing sub-provincial city in the eastern Liaoning Province of Northeast China." [Wikipedia Link]
Dalian is distinct and separate from Beijing.
"891000" is a legitimate Chinese postal code type, but it is for neither Dalian (whose postal code is 116000) or Beijing (which would feature a range from 100000 to 102100.) In all of China, there is no "891000" postal code.

I could go on, but you get the picture.

SanCash has representatives based in India (notably Sanjay, who has rather suddenly gone underground since the exposition of the links connecting SanCash with Genbucks, Tulip Labs and Elite Herbal.) There are (or were) also representatives located in Christchurch, New Zealand.

The SanCash.com domain name has gone dark since approx. December of 2007. They have instead moved their operation further underground. That isn't stopping NZ law enforcement from continuing their investigation.

I normally would bemoan the sheer volume of spam from one such identifiable sponsor, but in this case the more they spam, the more they lie, the greater the exposure and ease of tracking them down.

SanCash: your days as a sponsor of illegal spammers are numbered. Spammers in the SanCash program: we will find you, and you will lose everything.

SiL / IKS / concerned citizen.

44 comments:

Anonymous said...

The infinity secure site contains Visa, Geotrust, Scan Alert, Mastercard, Diners Club and JCB logos.

D'ya think that these companies would be interested to learn how their brand is being used to perpetuate such scams?

IKillSpammerz said...

> D'ya think that these companies would be interested to learn how their brand is being used to perpetuate such scams?

I'm certain that they're already aware of it. I've notified them personally several times. I'm not sure what steps they've been taking regarding this abuse of their brand.

You can certainly complain as well. The more people who do so, the more the message has to get through: criminals are abusing their trademarks and impacting their companies' reputation.

SiL

Sandy said...

These jerks are now using our one of our corporate email accounts as their fake 'from' address.

Now we get the bounced and rejected spam returned to us.

Not only are we dealing with the email, our corporate reputation is at stake here. It LOOKS like we are forwarding SPAM to anyone who can't read headers. We aren't.

The headers indicate some is coming from Greece and some from Russia, but that doesn't help me much.

I too have contacted VISA. We'll see what happens.

Anonymous said...

An address from my website was recently harvested, and is being used as a forged return. Now in addition to my normal spam load, I am the recipient of hundreds of bounced spam emails.

It tokk me about a half an hour to track down these illicitly registered, and totally bogus domain registration.

Why can't ICANN just have a person or two that simply researches and shuts this kind of crap down? That simple action would turn the tide.

Anonymous said...

I've contacted GeoTrust and ScanAlert about the use of their logos on the checkout page. The first clue to any idiot who would give his personal info here is the fact the "Infinity Secure" page is not an HTTPS site.

Also, I love the "All Questions... should be directed to support@" with nothing after the '@' symbol. Very nice.

Anyone who inputs their credit card info here gets what they deserve.

IKillSpammerz said...

> Anyone who inputs their credit card info here gets what they deserve.

Well... yes and no. Keeping in mind that there are anecdotal (and some press) reports that people's health has been compromised after purchasing dodgy pharmaceuticals or "herbal remedies", I think it's possibly a bit harsh to say they "get what they deserve."

People should be much more cautious than they seem to be regarding online purchases, or the choosing of pharmaceutical products via anonymously spammed sources.

People should consult actual pharmacists regarding any products they intend to ingest in the hopes of achieving some form of benefit.

When people fail to do these things: they unknowingly support criminal operations, and allow the spamming or other promotion of these "companies" to continue.

We're into year #5 of this particular operation's spamming. They are well aware that their acts are illegal and that they put people's lives at risk. Yet they are still profitable. Something has to change to get the word out that these companies should be shut down and their owners charged with fraud.

Companies like these, and the spammers who mail on their behalf, are relying on the possibility that nobody will ever complain to anyone about it, and that their typical customer will be about as technically adept as a common household cat. Judging from how long they've been in business, they appear to know their market pretty well. That doesn't make them any more legitimate.

SiL / IKS / concerned citizen.

Anonymous said...

Great site. Thanks for the info!

Anonymous said...

I notice most p1ll and r0lex spammer pages now use this "Infinity Secure". I will do a traffic analysis later to see, where they load data from.

I do test orders ever so often, and notice, that all "Infinity Secure" pages use some technics to find out whether you "order" via a proxy (anon (tor) and other anonymous (non-tor) proxies). Also they block certain IP addresses, as the one from a server I have I did about 5000 test orders by now.

Spammers seem to try to protect themselves against automated ordering, thus, since all is fully automated, they otherwise lilely would send (my generated but otherwise always invalid) credit card information to their bank.

Imagine a bank has to verify 1000 numbers in 12 hours from one customer (the spammer)... *g*

IKillSpammerz said...

> I notice most p1ll and r0lex spammer pages now use this
> "Infinity Secure". I will do a traffic analysis later to
> see, where they load data from.


It's always from the same domain. It's just a reconfiguration of their same order page, only now it's branded as being "Infinity Secure", which is yet another lie (no SSL, no security of any sort, and from my previous investigations, not even their back end servers process any data using any sort of security whatsoever.)

The key would be to gain access to the source code of their site templates, the php scripts the spammers drop into these throwaway domains. I was able to do this about a year and a half ago. It exposed the following:

- Order form posts to a recipient PHP page.
- PHP page contacts a third-party server (usually a set of three, but not always.)
- That third party server receives several values using the querystring. Again: no secure server or encryption of any sort is ever used. This is well known already.
- Third party server merely responds with a blank page (though they modified this to become a set of javascript retaliations once I / we started targeting them in late 2006. This indicates we found a sore spot.)
- Main PHP page responds with "success" message, even though the credit card data may not actually be validated.

It's unknown who does the actual order verification, but it's bound to be somebody at SanCash, without question. This is the main service which SanCash (and other sponsors like them) provides to their spamming affiliates.

It's also unknown at the moment which parameters the VPXL sites pass to the third party server. The last time I was able to analyze this was when the server in question was placing orders for "Spur-M" (later known as "Wondercum", another SanCash "product".)

> I do test orders ever so often, and notice, that all
> "Infinity Secure" pages use some technics to find out
> whether you "order" via a proxy (anon (tor) and other
> anonymous (non-tor) proxies). Also they block certain IP
> addresses, as the one from a server I have I did about 5000
> test orders by now.


I've never yet received any kind of "cease and desist" action in the nearly three years or more that I've been performing similar actions against these sites.

They have routinely blocked by IP address. It's a pretty bogus method. Also note: that blocking clears itself after approx. 12 minutes or less. I've managed to get in several dozen "orders" per hour.

> Spammers seem to try to protect themselves against automated
> ordering, thus, since all is fully automated, they otherwise
> lilely would send (my generated but otherwise always
> invalid) credit card information to their bank.


Correction: "High Risk Merchant". The high risk merchants are the ones performing the credit card verification, and they tend to add a layer of protection to companies like SanCash since they knowingly lie to their customers. Visa should begin an active investigation into these so-called "high risk" merchants, since they are clearly supporting criminal activity.

> Imagine a bank has to verify 1000 numbers in 12 hours from
> one customer (the spammer)... *g*


I wish it were a bank performing these verifications. It would have solved this problem years ago. These are highly organized criminals, unfortunately.

Thanks for the comment!

SiL

Anonymous said...

Ah, "High Risk Merchant" was a part of the puzzle I didn't had.

I didn't meant to say "bank", just didn't knew better.

Still, bombing these High Risk Merchants with fake orders should move something. At least let the spammer pay. When you check the first match on Google for "High Risk Merchant" the prices there (rates and fees) seem to be 5 cents per check. So 20 checks to get 1$. Takes long to seriuously harm the spammer though. :-(

But massive flooding of the merchant could result in some suspicious action towards the spammer.

Anonymous said...

Ns1.infinity-secure.com, ns2.infinity-secure.com are currently (4/7/2008) hosted on IP 89.248.238.100, lxxxix.ccxlviii.ccxxxviii.c.quickline.ru. This IP also hosts many "A5 Productions Inc" VPXL/HerbalKing spam domains.

The support contact for 89.248.238.100 is hosthost.biz and Pawel/Pavel Malinkovich.

There is a discussion on www.dslreports.com/forum of a credit card scam involving fraudulent charges for E-books or web templates. It is a complicated scam involving another Russian hosting operation registered to Mr. Malinkovich. The discussion describes how this particular theft operation works by using mules and credit card "pinging". It is a long thread; I jumped into the middle of the discussion on page 9, here:
http://www.dslreports.com/forum/r19620593-Ebook-websites-fraud-charges-DevbillDigitalAgePluto~start=160

IKillSpammerz said...

> But massive flooding of the merchant could result in some
> suspicious action towards the spammer.


My experience shows that it has more of an effect on the sponsor themselves, since they are the ones telling the spammers what to promote. When we did this against the onslaught of Spur-M spam back in October, 2006, we saw an immediate cessation of all spam for that product, and they switched over to ManXL or "Manster" instead, with a noticably different ordering structure.

Some of you might be interested in using this utility I created as a means of fighting back. :) [Note: please read the runme.html file completely before beginning use. Caveat Emptor.]

Thanx again for the comments, folks. Law Enforcement watches this blog as well. Who knows where it will lead?

SiL

Anonymous said...

I hope this quoting works...

> My experience shows that it has more of an effect on the sponsor themselves, since they are the ones telling the spammers what to promote. When we did this against the onslaught of Spur-M spam back in October, 2006, we saw an immediate cessation of all spam for that product, and they switched over to ManXL or "Manster" instead, with a noticably different ordering structure.

Shows it might work.

> Some of you might be interested in using this utility I created as a means of fighting back. :) [Note: please read the runme.html file completely before beginning use. Caveat Emptor.]

I downloaded it and now wait for the next VPXL spam, thanks, looks promising.

There is a perl script which does more. It is smart enough to fill out forms so they match of what is expected in most cases. I suck at perl, so used some ugly bash scripting and other modules to also generate pseudo-valid credit card numbers (they are always invalid but make it behind the spammer's LUHN-10 test).

There are more anti-spam tools if you go up a directory.

Unfortunatley it can not crawl though all stages of the order process like the HTML thingy above can, so it fails to automatically order at pill and rolex spammers, but does a good job to bomb phishers and loan scammers.

The script has quite some potential, but as I mentioned I suck at coding, failed often to improve it.

So this is a call to all Perl coders and spam haters. It is a chance to create an all-in-one "keep spammer busy" tool. Somebody "just" needs to improve it. If it works it could keep spammers and their High Risk Merchants busy and hopefully cost them some money.

Btw. if you want to use a proxy with it, it uses HTTP_PROXY, also should use HTTPS_PROXY but I seem I messed it up in my "improved" version.

Oh, though Perl is also available for Windows/Mac it might feel itself more comfortable on Linux machines.

> Thanx again for the comments, folks. Law Enforcement watches this blog as well. Who knows where it will lead?

We all end up in prison while spammers got an easier time to sell their crap?

IKillSpammerz said...

> We all end up in prison while spammers got an easier time to sell their crap?

Nonsense. If this were used against amazon.com, different story, since they have legitimate (and realtime) credit card validation, from genuine / above-board credit card processors. Spammed sites like these do not.

I've been creating these for three years now and never once have I received any sort of notice on behalf of any of these companies to stop sending them my "orders". If they were in any way a legitimate company, I wouldn't even be doing this.

I created this using javascript because it requires absolutely no technical knowledge to run, and can be used on any system using a decent browser. It's fine if you have a perl setup, etc., but the average joe just isn't that sophisticated.

I have others for the replica spammers as well. :) (Same group, SanCash.)

SiL

Anonymous said...

> I created this using javascript because it requires absolutely no technical knowledge to run, and can be used on any system using a decent browser. It's fine if you have a perl setup, etc., but the average joe just isn't that sophisticated.

True, but it only takes a few (the more the better though) people to use this "all for one" Perl script to cause problems to the spammers. Those people who are interested in fighting spam might also have some knowledge of coding or how to use Perl and would like to use it.

For the HTML which works (only when I not use IPs which the spammer blocked or not using an anon proxy): that might be nice for newbies. But they soon lose interest after the first "Wow, that's cool" I'm afraid.

> I have others for the replica spammers as well. :) (Same group, SanCash.)

Nice, got to find them. Thanks. :-)

IKillSpammerz said...

> Nice, got to find them. Thanks. :-)

I've created a download here.

This is specifically for the "Prestige Replica" sites, not any other replica spammed site. I have other custom ones for King and Diamond replica. Each of these feature a different product database.

"Exquisite Replica" is a different site altogether, and from a totally different sponsor. They also perform realtime credit card validation unlike any of these other sites, which merely validate the card number format.

Enjoy!

SiL / IKS / concerned citizen

Anonymous said...

Thanks for the new "Replicator". Too bad it doesn't feature an automated order function as the one for the VPXL spammer does.

None the less it seems the replica spammer only allows one order per IP now and rejects attempts to oder form anon proxies at all. :-(

IKillSpammerz said...

New automated version available here. :)

I notice that they have now switched back to an ancient design (the one which this utility's design was based on.)

My 700 orders yesterday must have caused a bit of a stir.

SiL

Anonymous said...

> New automated version available here. :)

Thanks. :-)

> I notice that they have now switched back to an ancient design (the one which this utility's design was based on.)
>
> My 700 orders yesterday must have caused a bit of a stir.

Don't they block your IP? I have no luck, neither my from my fixed IP nor anaon prxies. :-(

IKillSpammerz said...

> Don't they block your IP? I have no luck, neither my from my fixed IP nor anaon prxies. :-(

Nope. :) Not so far. Maybe they're confused.

I'm up to 700 per day lately.

SiL

Anonymous said...

>> Don't they block your IP? I have no luck, neither my from my fixed IP nor anaon prxies. :-(
>
> Nope. :) Not so far. Maybe they're confused.

Seven_Of_Nine: They will adapt (at some point).

But it worked on a second attempt here now. :-)

> I'm up to 700 per day lately.

As I checked I must have "ordered" for $12.000 this morning. I have a Firefox add-on called "Cookie editor" where I can delete cookies in a running session. Would be cool to somehow (though not allow a script to violate the system integrity by doing this) delete cookies while running.

Anyway, since at least for the Replica spammer it works well, are you on it to make such a script for some of the pill spammers too? Otherwise I might spend some time and try to adapt one of your scripts for them.

Of course (lazy me ;-) I'd prefer you doing it, also because you know and understand already how your script works while I had to read and understand it first.

Hmm, may be, like in the old Commodore 64 days, one could write a "Spammer-flooding-construction -kit" at some point. :-)

IKillSpammerz said...

> are you on it to make such a script for some of the pill spammers too?

I have been doing so for at least three years now. :) Pill spammers are extremely well aware of me, and my retaliatory utilities. They constantly tweak and modify their forms as a result of them, so at the moment none of the ones I've written are still current, or they've gone the way of actually validating credit cards in realtime. So the focus becomes (instead) getting their domain name servers shut down.

You should check out complainterator.com for that. :)

SiL

Anonymous said...

Same as some of your other people. my corporate e-mail address (only used to those I know and trust) has been hijacked by these creeps, so now I'm getting mail-delivery-returns by the hundreds, not to mention that it seems like I'm selling fake gucci. Any advice on this greatly, greatly appreciated.

IKillSpammerz said...

> Any advice on this greatly, greatly appreciated.

Unfortunately there is very little you can do about that particular situation. Once an email has been sent with your address as the "from" or "reply-to", you really just have to wait it out. If it happens more than a handful of times, you may actually have to create a new address. It's ridiculous, and of course the morons behind this operation seem to think that that option is no big deal. They'd claim that you were "whining about it" and should "just delete the messages." We're dealing with the mentally-challenged here, unfortunately.

You may wish to share this information, including any bounced messages containing verified VPXL (or other Sancash) urls, with the New Zealand authorities who are investigating Genbucks and Sancash as we speak. You can contact their anti-spam unit by emailing info [ at ] antispam [dot] govt [dot] nz. You never know. It could prove to be useful ammunition in their investigations.

SiL

Anonymous said...

I reply to two issues in one post...

andrew said...

> Same as some of your other people. my corporate e-mail address (only used to those I know and trust) has been hijacked by these creeps, so now I'm getting mail-delivery-returns by the hundreds, not to mention that it seems like I'm selling fake gucci. Any advice on this greatly, greatly appreciated.

As SiL already said, you have to sit it out. It is like someone writes a letter to someone else but puts your address as sender on the envelop.

It came across spammer's database most likely because you or one or more of your receptions has an infected computer, where a bot harvests email addresses found at the computer and forwards them to spammers.



IKillSpammerz said...

>> are you on it to make such a script for some of the pill spammers too?

> I have been doing so for at least three years now. :) Pill spammers are extremely well aware of me, and my retaliatory utilities. They constantly tweak and modify their forms as a result of them, so at the moment none of the ones I've written are still current, or they've gone the way of actually validating credit cards in realtime.

Then they must have access to customer databases.

And I can still use the pseudo-valid numbers I let generate, none is ever rejected by any spammer in pre-auth. Though I get the message ever so often "Bank rejected credit card". And that is good and what should have happen, and why those scripts must hammer spammers. Because (if I'm right) spammers forward the numbers to their high risk merchant, and that should cost them money and may be piss off the merchants.

> So the focus becomes (instead) getting their domain name servers shut down.

oO

That's something new to me, shutting down DNS?

> You should check out complainterator.com for that. :)

Thanks, I read over it at the moment and try to understand what it does.

Anonymous said...

Glad to see your blog. These scum are and have used my domain names in the past to send their scam bullshit emails out to supposed customers. These has the effect of filling my servers and mail boxes with hundreds of thousands of bounced mail. It also lowers the value of our domain names since if someone does contact us for a legit purpose, any email we send them in reply is trapped by their spam filter. I'd love to drag them down the street at a high rate of speed.
Scott Neuman - Recordweb.com.

IKillSpammerz said...

> That's something new to me, shutting down DNS?
>
> > You should check out complainterator.com for that. :)
>
> Thanks, I read over it at the moment and try to understand what it does.


Yes. When you can't stop them from spamming you, you instead look into who registered their domain names. Let's take a spankin' new example for VPXL: ogepoge.com

It is of course the same crappy website we've all grown to recognize. Express Herbal / VPXL.

Let's look at who is alleged to have registered this domain:

%whois ogepoge.com
Domain Name: OGEPOGE.COM
Registrar: XIN NET TECHNOLOGY CORPORATION
Whois Server: whois.paycenter.com.cn
Referral URL: http://www.xinnet.com
Name Server: NS1.FREIGAE.COM
Name Server: NS2.FREIGAE.COM
Status: ok
Updated Date: 17-apr-2008
Creation Date: 17-apr-2008
Expiration Date: 17-apr-2009


Well imagine that: no contact info. And registered via that old standby, XIN NET (alternately known as "paycenter" by members of law enforcement.)

But let's look at the name server:

%whois freigae.com
Domain Name: FREIGAE.COM
Registrar: XIN NET TECHNOLOGY CORPORATION
Whois Server: whois.paycenter.com.cn
Referral URL: http://www.xinnet.com
Name Server: NS1.STRAWBERRYDNS.COM
Name Server: NS2.STRAWBERRYDNS.COM
Status: clientHold
Updated Date: 13-apr-2008
Creation Date: 31-mar-2008
Expiration Date: 31-mar-2009


Again: no surprise. XIN NET / paycenter are now responsible for some 75-80% of all registered spamvertised domains.

Contact details:

Registrant:
Li Ming
NO.38,YongFeng street,Tianchange City,Anhui Province
239355

Administrative Contact:
LiMing
Li Ming
NO.38,YongFeng street,Tianchange City,Anhui Province
Tianchange Anhui 239355
CN
tel: 550 2400568
fax: 550 2400568
yayun22@163.com


As we would expect: 100% false. No such phone number. No response from that email address. An incomplete and incorrectly formed postal address.

If you enter the original spamvertised domain into the complainterator (after you've spent a few moments configuring it,) it will automatically generate a series of formalized complaint email messages to the appropriate contact person at the domain name registrars responsible for both the web domain and the DNS nameserver domains. You can customize these messages if you want to after they're completed. (It will also include a complaint for "strawberrydns.com", a domain which has remained in operation for months now in support of this illegal operation.) It takes seconds, and (with XIN NET being one of the very few exceptions) has been quite effective at raising awareness at domain registrars around the world. One notable convert: Joker.com (aka:
COMPUTER SERVICES LANGENBACH GMBH DBA JOKER.COM, a bit of a mouthful) resisted nearly 99% of all complaints until their ICANN compliance was threatened in late 2007. They aren't perfect but they do finally take action.

Getting the DNS server's domain name revoked has the effect of disabling several thousands of these sites in one blow.

Complainterator is an ingenious creation. (I didn't make it. A very smart and diligent colleague of mine - Red Dwarf - did.)

XIN NET's ICANN compliance is currently under protest by folks like me. If we all send enough complaints to them for sites like these, they have to take notice. Currently their shut down rate is at less than 3% of all complaints. (Some 300,000 domain names and counting.) Most of these are registered using laughably fake contact information, and stolen credit cards. XIN NET does (virtually) nothing.

Hope that helps.

SiL / IKS / concerned citizen

Anonymous said...

SiL, you probably know. But a verification showed that the VPXL and King-Replica spammer are the same (Yambo I guess), both use "Infinity-Secure".

So it might be possible, if not existing already, to also write a flooder which floods the King-Reolica spammer. :-)

Have a nice weekend.

IKillSpammerz said...

> SiL, you probably know. But a verification showed that the VPXL
> and King-Replica spammer are the same (Yambo I guess), both
> use "Infinity-Secure".


I actually mentioned that in the very post you were commenting on. :) [Scroll up to the rather prominent bulleted list of properties known to belong to SanCash, and which feature "Infinity Secure" branding on their checkout pages.)

Also: Give up the labeling of "Yambo." It is there to confuse you. Instead focus on SanCash, or if you want a more publicly visible label: GenBucks. Yambo is nebulous at best, and in my opinion will never actually identify the responsible parties.

> So it might be possible, if not existing already, to also
> write a flooder which floods the King-Reolica spammer. :-)


Already done, months and months ago. I notice that their order / checkout page never seems to load. Your mileage may vary, of course.

You can download a recent version Here. Please note that they often change their inventory up, and that the King Replicator can only be used againt King Replica websites, not Prestige, Exquisite or Diamond Replica sites. (I have a custom one for Prestige which has been rather effective lately.)

Enjoy!

SiL / IKS / concerned citizen

Anonymous said...

Thanks, I'll give it a try.

Anonymous said...

In my opinions they are phishers. I came across your blog searching for some info on infinity secure. Also check maxgainplus.com . Just go thru order form to a place where you pass credit card details. No https, no anything :)... I am tracking fraudsters on the net :).

IKillSpammerz said...

> In my opinions they are phishers. I came across
> your blog searching for some info on infinity
> secure. Also check maxgainplus.com . Just go thru
> order form to a place where you pass credit card
> details. No https, no anything :)...


They may well be. However I can assure you, based on firm evidence, they do actually attempt to process the credit cards using a third-party process. That's why I continue to feed them fake orders. It has to affect their merchant account at some point (and eats up precious time after a short-term spam run.)

That third-party server also is not secure (no https, just a plan, raw, regular url passing all your personal data.)

Which reminds me: isn't that also a good idea to tell all your friends never to purchase anything from a spammed url?

SiL / IKS / concerned citizen

Anonymous said...

I like the idea to feed the with false credit card details :). It drives'em mad I guess. Much more work for them. Do they actually send any products to people who really ordered something? I do not know anybody who purchased anything from these people...

IKillSpammerz said...

> Do they actually send any products to people who
> really ordered something? I do not know anybody
> who purchased anything from these people...


Yes, they do actually ship you something. But it's a set of pills, often with no protective packaging of any sort, and which contain (based on analysis performed during the recent BBC story about it) absolutely no active ingredients. They're fake. They do nothing.

Part of the reason you "don't know" anybody who's wasted their money on these pills is because if you did, there's a high probability that they feel stupid for ever having spent their hard-earned money on them. How many people do you know who boast about their need for any medication to fix an erectile dysfunction?

SiL

Anonymous said...

PLEASE HELP, this bastard has taken my small company's sales email address and used it as the reply-to address. We are losing about $5,000 a day in sales due to this, because our server CANNOT KEEP UP.. there are TENS OF THOUSANDS of bounced messages. PLEASE HELP.. is there an FBI number we can reach?

IKillSpammerz said...

> PLEASE HELP, this bastard has taken my small
> company's sales email address and used it as the
> reply-to address. We are losing about $5,000 a day
> in sales due to this, because our server CANNOT
> KEEP UP.. there are TENS OF THOUSANDS of bounced
> messages. PLEASE HELP.. is there an FBI number we
> can reach?


Not a number, no, but there is the renowned
Internet Crime Complaint Center (aka: the IC3):

http://www.ic3.gov/complaint/

It sounds a bit far-fetched that it's *actually* causing losses of $5k or more when all you have to do is turn off catch-all mailings on your email server. (Don't allow bounces from nonexistant addresses, for example.) I'm not your sysadmin, but if I were, that's among the first things I would be fixing if your business is that tightly tied to email functionality.

There isn't much you can really do otherwise. But if the spam messages are for VPXL, at least you know that SanCash is the responsible company. How helpful that is to you is another question, given that they are now a completely underground group.

SiL / IKS / concerned citizen

Anonymous said...

Based on calculations today, they are causing losses of about $2,300 or so daily. That is what we put in the Phoenix, AZ FBI report made today. They said they might open a case, might not. They will let us know. The problem is that they used our sales@.....com as the reply-to address. We are getting postmaster undeliverable replies, but that's not the problem. We can easily remove those from our inbox (although sometimes we get enough of those that actually crash the server, thousands per hour). The REAL problem is that our sales emails are NOT BEING DELIVERED! We have customers (big ticket $15k) calling us saying things like "We are very upset that you have not contacted us - we are taking our business elsewhere". I have documented proof of this (voice messages, liveperson chat logs, etc.). We are in fact replying to our sales address, but our potential customers are not receiving our emails! AND, we are not listed on any blacklist that I can find!

IKillSpammerz said...

> We have customers (big ticket $15k) calling us
> saying things like "We are very upset that you
> have not contacted us - we are taking our business
> elsewhere". I have documented proof of this (voice
> messages, liveperson chat logs, etc.). We are in
> fact replying to our sales address, but our
> potential customers are not receiving our emails!
> AND, we are not listed on any blacklist that I can
> find!


And so here we have exactly the kind of abuse that long-term, non-compliant, illegal spammers are capable of. Every time you hear anyone say "Just delete it", think of this specific scenario. How, precisely, should this individual "just delete" these messages? How can anyone say that this isn't costing someone some genuine money? How can a spammer claim that they haven't caused any abuse?

Further: spammers like these have essentially acted like the AIDS virus infecting a human host. They've rendered their chief method of communicating their "marketing" message absolutely useless. Their relentless pursuit of deliverability at all costs, especially to recipients who clearly have absolutely no wish to receive their messages, has caused any legitimate messaging to be swallowed up in the process. They have thrown the baby out with the bathwater, and when they see a drop in sales, they merely send more messages. It's the most retarded "strategy" I've ever seen. (And I'm not alone. Most people in marketing companies I hear from are baffled that spammers like these would willingly accept such a pitiful conversion ratio in their email campaigns. But that's a separate conversation.)

I see many "anonymous" postings from individuals who are clearly behind these spam runs. They always make the same claims: I am just jealous of their immense wealth. I must have all kinds of free time on my hands. There are bigger issues to fight in the world. I call bullshit on all of these.

If you're mailing on behalf of SanCash, promoting VPXL, let me be extremely explicit as to what that actually means in the eyes of the online world: you are scum, you are a criminal, you are responsible for endangering the health of the general public, and you are causing monetary losses. You are assholes, and your days promoting bullshit products like VPXL are most definitely numbered. Maybe it'll be me who causes you the most grief, maybe law enforcement, maybe a fellow mailer, or maybe one of the numerous coward operators of SanCash (among numerous spam-friendly sponsors, Spamit being the obvious #2 in that list.)

Spamming is far from "just an annoyance." Telling us all to "just delete" is a bullshit, diversionary statement and is usually the only form of solution respone I ever see from any of these scumbags. How about this, you complete idiots: clean your goddamn lists! You are the problem, not our complaints. You know this. Your failure to learn from this will ultimately be your demise.

I'll say it again: Mailers and sponsors of SanCash and VPXL: your days in this "industry" are numbered. Mark my words.

SiL / IKS / concerned citizen

Mitchell said...

I got a shoe spam a few hours ago and my investigations led me here. The advertised domain was "www.goamsleks.com" (registered to a Beijing address), and the purported sender was Taiwese (didn't record it, unfortunately). On the order form, the contact address was "luxuryshoestore.com", which has the same registrant as the nonsense domain above. Infinity Secure and 17 Bank St also show up, so the people you are discussing are evidently the ones behind it.

It would be interesting to know if shoes actually turn up when ordered.

IKillSpammerz said...

> I got a shoe spam a few hours ago and my
> investigations led me here.


Success! :) As of this writing, this blog is now the #3 result for the term "Infinity Secure".

> The advertised domain
> was "www.goamsleks.com" (registered to a Beijing
> address), and the purported sender was Taiwese
> (didn't record it, unfortunately).


Since literally every word of that information is guaranteed to be a complete lie, that is no great loss.

Also: you meant "Taiwanese" :) [picky picky]

> On the order
> form, the contact address was
> "luxuryshoestore.com", which has the same
> registrant as the nonsense domain above. Infinity
> Secure and 17 Bank St also show up, so the people
> you are discussing are evidently the ones behind
> it.


That is correct. This is a property known as "Exquisite Footwear And Bags", a subset (rather obviously) of SanCash's Presite Replica / King Replica sites we've all been spammed by for at least three years now.

This is a rather new offering from SanCash, and it appears to be one that was specifically requested by mailers, since other spam sponsor groups (notably Spamit, bulker.biz and affconnect) have been offering "replica footwear" as a spam channel for about a year or so now. SanCash is late in the game with this property, it would appear.

> It would be interesting to know if shoes actually
> turn up when ordered.


Anecdotally at least: they do. But as you could imagine: the "quality" of these items is far from anything you would consider buying at a PayLess shoe store anywhere. They're made using underground labor, for pennies a pair, and sold at (guessing from the website's prices) an average price of $160-$180. It's likely that at least 75-80% of that profit goes into the pockets of SanCash.

You'll notice that Infinity Secure" branding again appears on their order form. No security is used, and they continue to lie to all of us that they use "Verified by Visa", and are "Secured by GeoTrust" and "ScanAlert Hacker Safe." Not one word of that site is true. None of those organizations support these rather obviously illegal sites, they use no security of any sort, and your identity is most definitely at risk of being stolen and abused by these individuals.

Stay far away from Exquisite Footwear and Bags, or any other SanCash property. You're putting you life and your identity at risk by doing so.

SiL / IKS / concerned citizen

Anonymous said...

I guess I add something to this older thread.

Prestige Replicas

I don't get these anymore. I guess my permanent test-ordering black listed me. But it's still there as I can see googling for it, and dropping "new" URLs to the Prestige Replicator still works.

Instead I get from the same spammer "Gucci" spam. You not have by chance a form flooder script for him? He sends so much spam I don't want to let him wait to order there.

Tor Proxy and JonDo

The King Replica spammer and Penis Enlargement spammer (same scumbag) seems to be able to detect Tor Proxy nodes via the "Infinity Secure" pages. You can go to the order form and fill it out, but then the server throws an error. If you use a non Tor server it works then. But then only for three times, as he blocks your IP after the third order.

Do you know a way to make Tor undetectable? This spammer shouldn't also wait too long for more orders from me.

If not, it seems the JonDo (formally JAP) cannot be detected by this spammer. But I cannot get it to work to randomize the IP more often. Do you know by chance how to get JonDo to change the IP more often? Let's say all 3 minutes would be fine.

Or any other way to get a different, non detectable (so the spammer can't tell I come from an anonymizer), IP within few minutes sequences?

PS: are you interested in emailing with me? I hate Blogs and it consumes time to discuss issues here.

Anonymous said...

Thanks. Very ethical thing you are doing to uncover this criminal activity. Very well done.

Anonymous said...

Today I got a 'work from home' spam with phone dropbox at: +1-800-258-6070. The spam contains also an 'unsubscribe' redirector: http://url.nux.net/9cf807

This redirects to: http://z.deckhype.com/r.php, which is 122.198.62.4 (SBL67690), a well known Yambo/Herbal King server. So the same criminals also spam for those 'work from home scams'.

IKillSpammerz said...

You have to remember: a mailer is basically a low-life opportunist.

If you read my previous posting on the topic, you'll see that the individual sending the message (the spammer or "mailer") is really just a single person, who will send that message on behalf of anyone or any organization. They are not a dedicated resource to one specific type of product or service. They want to profit by doing as little actual work as possible. So, yes, they will spam anything from stocks, to illegal onling pharmacies, to bogus "herbal remedies", to bogus Nigerian scams, to phishing scams, to porn. They don't care. Their entire formula for a day's work is: Hit "send", and wait for money to arrive. It's a retarded way to earn a living and the days of this formula continuing to work are most definitely numbered, especially in light of so many recent arrests.

Also: don't tie individual website IP addresses to any individual spammer. Sponsors are the ones who set those up, not the mailer.

If you report these websites as providing a bogus or (in this case) illegal enterprise, you might be surprised at how quickly they can be shut down. We have all seen huge strides in this type of response thanks to public outcry over the providers of hosting and domain registration to online criminals.

Thanks for commenting.

SiL / IKS / concerned citizen