Showing posts with label Elite Herbal. Show all posts

Wednesday, April 30, 2008

The Real Profit Centers of Spam: Sponsors

I recently wrote a new entry describing and dissecting the quagmire that is the "spammer economy" on the now-infamous spam-wiki. It's located here. I had spent many months (in fact the better part of a year and a half) researching and documenting everything that I found which described the separate entities and their distinct relationships. The writing and publishing of that wiki entry is the result of not only a lot of research, but a considerable change of viewpoint regarding who profits from spam, how we all refer to them, and what their distinct role is.

Unwanted email spam has been with us for so long now that I think we all, as recipients, tend to associate the incoming messages with one individual, or possibly one group or organization. For years now, even well-respected groups such as Spamhaus have referred to these entities - individually or as a group - as "spam gangs" or "spam kings." They've often used terminology or nomenclature such as "Yambo Financial" or "Badcow" to refer to ghostly, unseen groups of criminals. My feeling is (and maybe it's just my feeling): This is no longer an accurate way to refer to the groups of individuals who spend their livelihoods crafting randomized emails promoting illegal fly-by-night URLs.

A key turning point came when I was exposed to several discussion groups used by spammers, many of which I will not refer to directly due to the clandestine nature of how I came across them. In these discussions, many of the mailers or sponsors were essentially mocking any references to "spam gangs." In a nutshell: there is no "gang." There likely is no "Yambo financials". While "Alex Polyakov" or "Leo Kuvayev" may indeed be real people, with possible verifiable connections to one or more of the criminal entities who support and thrive upon illegal spam email, my feeling is: that's likely a red herring, put there to divert attention away from the real responsible parties.

Another turning point came during the investigation and raids upon properties directly related to Sancash or Genbucks. (By the BBC and New Zealand law enforcement, respectively.) This really raised the point of who stands to profit the most in these million-message spam runs: sponsors.

Sponsors is not a sexy term when discussing spamming, generally. Usually the press and individual recipients tend to focus on two things: mailers (spammers) and botnets. They make the press most often because it's probably too complicated to go into the depth of detail required to expose precisely who is behind that "p3n1s-p|ll" message you just received. People don't have the time. Referring to a "sponsor" will only confuse them.

The truth is: sponsors, or sponsor organizations (as I commonly refer to them) are the big fish in the spammer economy. They take the most risk, provide the most resources to mailers, and profit the most from spamming. They control everything from the design and functionality of their sites, to their affiliate front-ends, statistics, domain registration, fast-flux hosting and in some cases even the design or copy of the messages being sent.

Who are these sponsors? There are a handful of them in the upper ranks of the spam messages we receive every day. The top three (based on my own research) are as follows:


  • SanCash

  • Spamit

  • Bulker.biz



Pretty much everybody in the world is receiving spam on behalf of these three organizations. They are well-established, have ties to numerous individuals (remember: no gangs. Everyone is an island) who provide them everything from "bulletproof hosting" to botnet infections. They are the ones most responsible for the 90+ percent of crap we all receive every single day.

So let's examine each of them briefly.

SanCash

SanCash is responsible for that old standby: VPXL (also known throughout the past three years as a variety of names including "Manster", "ManXL" and "Elite Herbal." It's all the exact same useless crap. Despite their claims of it elongating your "member", it does nothing. There is tons of evidence out there to support this.)

SanCash was investigated first by an individual blogger [spaminmyinbox], and subsequently by the BBC [see their article here or download the podcast of the investigation here.], only the BBC weren't aware that that's who they were actually investigating. That's because they focused on the entity they could find out in the wild: GenBucks. Genbucks is a publicly available marketing affiliate group. You won't find any mention anywhere on their sites related to "VPXL" (et al.) You will find mention of a variety of other products for which practically nobody has ever received email spam. Their forums discuss banner advertising or "SEO" (search engine optimization) marketing. This is so that it appears that they have absolutely no connection to the rather obviously rampant amounts of spam being sent worldwide.

The first connection comes from how and where certain domains are registered, and how certain sites operate. During much of last year, domains used for the processing of orders on behalf of ManXL and Elite Herbal sites (domains like "mysecurepaysite.net", now long since out of use) featured a registrant's email address of "pilldude@gmail.com". Do a search for "pilldude" and you'll inevitably find the Genbucks forum (http://genbucks.com/forum/search.php?searchid=720) and his own genbucks blog (http://pilldude.genblogger.com/).

It is no coincidence that all posting on behalf of "pilldude" stopped abruptly at precisely the same moment that members of New Zealand law enforcement executed a raid on 20 properties in Christchurch, New Zealand as a direct result of the information uncovered by the BBC and spaminmyinbox. (See story here.)

But look around and you'll see people openly discussing SanCash, making no mention of Genbucks. Clearly the connection is there. They just want people to (wrongly) focus on GenBucks, when in reality it's SanCash that's profiting from VPXL spam.

Following the New Zealand raids, several people posted on Bulkerforum.biz regarding the raids and the investigation, making it extremely clear that the investigation was definitely on the right track:

ubuntu

Joined: 06 Feb 2007
Posts: 12

Posted: Thu Dec 20, 2007 10:26 am
Post subject:

not sure if this is sancash

this is related to this audition.. and hmm.. looks like GB...

http://www.bbc.co.uk/radio4/theinvestigation/pip/uvboh/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

jhood

Joined: 23 Oct 2006
Posts: 151

Posted: Thu Dec 20, 2007 11:51 am
Post subject:

thanks for link ubuntu..

eliteherbal/manster IS SanCash

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

icanspam

Joined: 10 Aug 2007
Posts: 52

Posted: Thu Dec 20, 2007 2:22 pm
Post subject:

SA?

Shane Atkinson, bro.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

mail4spart

Joined: 15 Sep 2006
Posts: 33

Posted: Thu Dec 20, 2007 5:18 pm
Post subject:

I know Shane is a straight up guy and doesn't deserve all this heat. I hope he can survive this like he did last time he came under a lot of heat before him and his brother. He has been running a smart business for a long time and looks after his people and if he has to shut down the biz there will be many affiliates affected and unpaid.


"jhood" puts a very fine point on it: "eliteherbal/manster IS SanCash". So it's clear: they knew this operation was in trouble due to the investigation.

It didn't stop the spam at all, of course. And in the meantime "spaminmyinbox" has been sued and placed under a restraining order by Genbucks' offices in India, meaning he can't post more detail about his in-depth investigation.

Following the raids, sancash.com as a domain completely shut down and I and other individuals noticed that new names began floating around, among them "etranzmu." As we speak, the new location of SanCash is unknown and their representatives (on bulkerforum.biz: azzy and sanjay) have taken all discussion regarding SanCash "off-forum". This is a clear sign of two things:

1) They must be feeling some heat.
2) They know they're operating in violation of the law.

You can read much, much more about this operation by reading the SanCash entry on the spam wiki.

Products they are known to spam (based on domain registrations and the use of the "Infinity Secure" order processing page):


  • VPXL (Also known as Express Herbal)

  • King Replica

  • Diamond Replicas

  • Prestige Replicas

  • ED Pill Store / ED Pill Shop



And previously-spammed products going back at least two years or so:


  • Manster

  • ManXL

  • Elite Herbal

  • Extra-Time

  • More-Size

  • Wondercum

  • Spur-M

  • Personal Pussy

  • Penis Enlargement Pills

  • Penis Enlargement PatchRX

  • Vigramax

  • FatBlaster

  • Hoodia



Spamit

As we've seen with SanCash, Spamit also has a shell, publicly available front-end company which is easy to find but which (again) doesn't discuss email spamming in any form whatsoever. That "company"'s name is Glavmed.

Spamit, unlike SanCash, still has a publicly available affiliate portal, but not much else is known regarding their operations. Their representatives on bulkerforum.biz were named kref and spamit. I say "were" because with absolutely no fanfare at all, their bulkerforum accounts and all postings were completely deleted on or about Feb. 11th, 2008.

Spamit is behind several very malicious forms of spam. They're probably best known as the sponsors of "Canadian Pharmacy" or "US Pharmacy", both very prolifically spammed, and notable for their focus on the sale of controlled pharmaceuticals such as Hydrocodone and Ambien. Mailers who send on behalf of this group have abused so many systems and so many trademarks and email templates that at some point I should think that a variety of large corporations should be able to serve a class-action corporate lawsuit against them. Here are only a few examples of the abuse that they are known to perpetrate in the name of landing even a single message into an individual's email inbox:


  • Hijacking or hacking of publicly owned web servers to be used as redirectors or image hosts.

  • Use of whitelisted corporate email templates to bypass spam filters, predominantly used only in Hotmail mailings.

  • Use of the same domain to redirect to a Canadian Pharmacy website, present a dynamic / randomized stock spam gif image, or download an infection exe for Storm worm.

  • Hijacking / hacking of a publicly owned web server to perform either a redirect to a Canadian Pharmacy website, or to download a new infection exe for Storm worm.

  • Automated creation of several hundreds of thousands of redirection pages on free web services such as Geocities, Google Pages, Lycos Tripod and Blogspot.

  • Persistent spamming to newly-created gmail accounts, even ones which have never been used at all, within days of creation.

  • Persistent spamming to any and all "catchall" addresses, to any domain in the world, several dozen times per day. (Often several times per hour.)

  • Completely false claims throughout all spamvertised properties. Everything: their claims of security and safety of offered products, who is on their staff, where they are located, who supports them -- all claims are 100% false.



What a bunch of charmers.

They are known to register several hundreds of thousands of throwaway domains using completely fictitious or nonsensical contact information, and they have been known to register domains using either stolen credit cards or stolen paypal accounts.

Spam sent on behalf of SanCash and Spamit represents some 97% of all the spam messages I receive to any account I control. I know this to also be true of many friends and colleagues.


Products they are known to spam (based on domain registrations and the use of the "Infinity Secure" order processing page):


  • Canadian Pharmacy

  • US Pharmacy

  • Downloadable Software



Note also that "Canadian Pharmacy" will revert to "European Pharmacy" upon auto-sensing of your IP address's geographic location. It's the same site, though.

There are probably many more, but these are the top three for this sponsor.

An additional note regarding Spamit and the Storm worm.

Spamit have been directly tied to infection attempts for the Storm botnet as listed above. We can still see evidence of this even now. Here are two URLs I was spammed today [omitting their use of Google ads click linking].

http://westphoto.org/video.exe [do not visit this link on an unprotected computer]
http://scramignon.com/redir.html

As mentioned above, both of these domains are publicly owned, legitimate websites whose servers have been hacked and had these files (video.exe, redir.html) placed on them.

video.exe claims to be the "storm codec", and spam for it usually contains some kind of social engineering copy to fool you into thinking you're downloading a naughty or voyeuristic video. It is of course an infection file for Storm worm.

The redirect in this case points to "sugaronly.com", a Canadian Pharmacy domain.

But let's switch the two around:

http://scramignon.com/video.exe [Again: do not visit this link on an unprotected computer]
http://westphoto.org/redir.html

They both still work. This means that these domains (and several thousand other such hijacked domains) can be re-used in parallel spam runs.

This indicated that Spamit as a company, and Canadian Pharmacy as a brand, rely heavily on high numbers of infections of the Storm worm.
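The host/file interchangeability described above can be turned into a filtering aid. The following is an added example, not code from the original post: it links spam-advertised hosts through the file names they share and lists the host/file combinations not yet observed, in defanged form, as candidates for filter rules. The example.* hosts, the generic-path list and all function names are assumptions made for the illustration.

```python
"""Cluster spam-advertised URLs by shared file names to predict sibling URLs."""
from collections import defaultdict
from urllib.parse import urlsplit

# Paths too common to tie two hosts to one campaign (assumed list).
GENERIC_PATHS = {"/", "/index.html", "/index.php"}

# Constructed sample of URLs extracted from spam. The first two are the pair
# quoted in the post; the example.* hosts are placeholders.
SPAM_URLS = [
    "http://westphoto.org/video.exe",
    "http://scramignon.com/redir.html",
    "http://hijacked.example.net/video.exe",
    "http://hijacked.example.net/redir.html",
    "http://unrelated.example.org/index.html",
    "http://scramignon.com/index.html",
]


def parse(urls):
    """Return {host: set(paths)}, skipping generic paths and malformed input."""
    seen = defaultdict(set)
    for url in urls:
        try:
            parts = urlsplit(url.strip())
        except ValueError:
            continue
        if parts.scheme not in ("http", "https") or not parts.hostname:
            continue
        path = parts.path or "/"
        if path.lower() not in GENERIC_PATHS:
            seen[parts.hostname.lower()].add(path)
    return seen


def clusters(seen):
    """Group hosts that are linked through shared non-generic paths."""
    parent = {}

    def find(node):
        parent.setdefault(node, node)
        while parent[node] != node:
            parent[node] = parent[parent[node]]  # path halving
            node = parent[node]
        return node

    # Union every host with every path it served (bipartite host/path graph).
    for host, paths in seen.items():
        for path in paths:
            parent[find(("h", host))] = find(("p", path))

    groups = defaultdict(lambda: (set(), set()))
    for host, paths in seen.items():
        hosts, kit = groups[find(("h", host))]
        hosts.add(host)
        kit.update(paths)
    # A host that shares nothing with any other host says nothing about reuse.
    return [(hosts, kit) for hosts, kit in groups.values() if len(hosts) > 1]


def defang(host, path):
    """Render a URL so that it cannot be clicked or auto-linked."""
    return "hxxp://" + host.replace(".", "[.]") + path


def predict_unseen(seen):
    """Host/path pairs implied by cluster membership but not yet observed."""
    predicted = []
    for hosts, kit in clusters(seen):
        for host in sorted(hosts):
            for path in sorted(kit - seen[host]):
                predicted.append(defang(host, path))
    return predicted


if __name__ == "__main__":
    for candidate in predict_unseen(parse(SPAM_URLS)):
        print(candidate)
```

On the sample input the two predicted entries are exactly the swapped pair the post tests by hand. The generic-path list keeps an ordinary index page from linking unrelated sites into the cluster.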

Spamit also has a spam wiki entry, but it is currently missing a lot of this detail.

Bulker.biz

Bulker.biz is possibly one of the older sponsors of illegal spam in existence today. Thanks to the above-mentioned illegal activity of Spamit in relation to Canadian Pharmacy, Bulker.biz is no longer the most malicious spam sponsor organization around.

It's only recently that I noticed that representatives of bulker.biz publicly stated that bulkerforum.biz is mainly in existence because of their sponsorship. It makes sense (and was so obvious that I'm surprised nobody picked up on it earlier.)

Bulker.biz is perhaps best known for that old standby, "My Canadian Pharmacy," which I'll refer to as "MCP". At one point, MCP was the most prolifically-spammed property in existence, accounting for several million spam messages per day, and even peaking at an estimated 20 billion messages sent in a 24-hour period. (Based on research by the i-Law group in May, 2006. [Summary available here.]) At that time it was unknown that bulker.biz was responsible for the MCP "brand".

MCP was the first criminal spam operation I researched, which culminated in a report which I provided to law enforcement in seven countries, and a revised summary entry in the spam wiki. You can see from this entry that just like spamit, bulker.biz is responsible for quite a bit of abuse to this day. A sampling of their illegal activity:


  • Hijacking of publicly owned Unix servers for everything from DNS hosting, to website hosting, redirections, and image hosting. [This continues to this day.]

  • Completely false claims throughout all spamvertised properties.

  • Automated creation of several hundreds of thousands of redirection pages on free web services such as Geocities, Google Pages, Lycos Tripod and Blogspot.



Again: charming.

The unique targeting of Unix servers is of particular note, since it's the same method of hosting used by bulkerforum.biz, further tightening the link between the two. You can obviously read much more about them in the spam wiki entry.

Bulker.biz is responsible for a very large amount of spam for the following properties:


  • My Canadian Pharmacy

  • International Legal RX

  • US Drugs

  • VIP Pharmacy ("Viagra + Cialis")

  • Canadian Health&Care Mall

  • Men Health (Men+ Health)



And other sites they were directly responsible for, but for which less spam was seen:


  • Exclusive Caviar Online

  • Double Your Dating



Bulker.biz is represented on bulkerforum.biz by member "ebulker".

You'll notice that I make specific mention of their mailing practices. That may or may not be directly attributable to the sponsors directly, but especially in the case of Spamit, they clearly have people in their ranks who insist upon spamming every email address in existence in the off chance that two of them might actually receive it and link all the way through to a purchase. It can't be a coincidence that virtually everybody in the world is receiving spam for their websites. If it were an individual mailer, we would see the same volume of spam for a variety of other sponsors. It's for this reason that I specifically include any mention of mailing practices or frequency.

An additional point specifically regarding Spamit's Canadian Pharmacy and all pharmacy properties promoted on behalf of Bulker.biz: I mentioned above that they lie. It's important to note precisely to what extent they lie. In the case of MCP, they lie with literally every single word on that site. They have a completely laughable "about us" page which features mini-bios of completely fictitious "doctors", whose faces are actually gleaned from stock images of surgeons and medical personnel. There is no "Jack Poppins" or "Carl Rose". The same is true of Canadian Pharmacy, which also features stock images (probably used without permission as well) and makes completely false claims regarding their "pharmacists" and licensing thereof. You can see a great deal more detail of these falsehoods in the MCP spam wiki entry.

As I mentioned above: sponsors are the big fish. They are the ones who register and provide hosting for the thousands of spamvertised URLs we see every day. They often also provide pre-made blogspot or geocities redirects (which they hire an individual to create.) They pay out the commissions to the mailers who spam on their behalf. They take care of the credit card processing (using high risk merchants who they pay to provide stable credit card processing on their behalf.) They take care of any botnet-supported web hosting or DNS rotation. They're the source of all of this. They know they operate illegally, and they get away with it on a daily basis.

It is my hope that someone in law enforcement, or better yet someone from the legal teams of Pfizer, Microsoft or any other companies whose reputations these sponsors are tarnishing will step up and take action to get them completely shut down. The only reason an individual mailer is able to profit from illegally spamming in the first place is directly because these sponsors, and others like them, fully support their illegal activities, and engage in several more of their own. Shut these three down, and you will have removed three of the biggest criminal operations in existence today.

SiL / IKS / concerned citizen

P.S. Recently PBS featured a documentary entitled "Illicit: The Dark Trade." (Broadcast on PBS, produced by National Geographic.) I strongly recommend viewing this documentary for its in-depth exposition of the wider fake drug / fake watch / fake fashion item trade. It opened my eyes to the deeper profit structure of these networks of individuals, spam-related or otherwise.

Wednesday, February 20, 2008

Who is Servman? (now that Bulkerforum is down)

Since Feb. 12th, bulkerforum.biz has been dormant. The domain does not resolve and it's not hosted on any of the previously known hijacked IPs. That's interesting in itself, in light of the slew of recent arrests involving illegal spammers.

But there's other interesting news regarding that site. Several members have suddenly been unceremoniously removed. I'll report back on a few of them in the coming weeks, but for now I thought I'd cover one particular member who seems to have actively wanted to cover his tracks: ServMan.

Back in November when Marion Lynn created his blog, spamgossip, he began exposing individual members of bulkerforum.biz, the go-to forum for illegal spammers.

Initially he listed handfuls of people per day, then removed a bunch, then removed a bunch more. Since then it's remained pretty dead, and numerous postings have been removed altogether. As one would expect, this caused people (like me) to dig a little deeper. I checked out some of the postings of the exposed users. At the time, none of it seemed particularly important.

I and many others had recently noticed (before the forum was shut down, if that's what's taken place) that some of those members have suddenly "gone dark" on that forum, notably Phantom (aka: Norman Keith Holmes.)

Then in mid-January I noticed that one of the members, ServMan, had either been systematically deleting any postings he had on the forum, or getting someone else to. (Or, alternatively, one of the admins of that forum may feel that having his particular info on that forum is a bad idea.)

Whenever I see this kind of thing happen, it definitely seems to indicate that there is truth to the exposed information. Why would somebody suddenly shut up unless the name was correct? Especially in light of how that group has acted whenever someone like myself has done this in the past (claiming libel, claiming my info is way off base, etc.) it is stunning just how silent some of the members have become.

Servman was listed as one Adam J. Minic. Searching for that turns up very few hits, but there is one interesting one from the NANAE newsgroup:

Newsgroups: news.admin.net-abuse.email
From: DarkFiber
Date: Sat, 24 Nov 2007 20:46:21 -0000
Local: Sat, Nov 24 2007 3:46 pm
Subject: Re: TURKEY STUFFING: ANOTHER SHITBAG!

On Thu, 22 Nov 2007 19:46:51 -0800, spamgossip wrote:
> SPAM AND EGGS!

> The spam is in your mail and the egg is on the faces of these Bulker
> Forum members!

> servman - Adam J Minic - Boise, ID

Highly believable as there is evidence as recent as summer 2007 that Adam Minic associates with veteran spammer Todd Springer of the S & S Global LLC spam business that Todd and his brother, Scott used to run. Adam is perhaps a protege of theirs.

Kind of makes one wonder if Todd and Scott Springer didn't really retire from the spam business.

One also has to wonder if KEVIN JAMES MINIC #18299 who was discharged (as an inmate) from the Idaho Department Of Correction on 03/21/2005 is any relation.


On Dec. 27th, 2007 - the last time I bothered to check into it, Servman was responsible for 11 postings. Prior to that the number was much higher, around 30 or so.



I checked it on Jan. 28th, 2008, just out of curiosity. There were zero postings from Servman. None.



As it happens, I still have copies of some of his postings on the forum. In my opinion, while they are definitely damning evidence pointing to a string of the usual offences associated with illegal spamming, they aren't terribly different from those of numerous other members of the site. Nonetheless, either Servman or someone else must have assumed that this was too much exposure for him.

Here are the details I managed to glean from the postings I was able to archive from bulkerforum.biz last year following the exposition of Servman:


  • He expressed interest in Hotmail and Yahoo email list verifier software.

  • He was interested in purchasing lists from numerous members.

  • He offered a new RX program (ie: Pharmacy spam, like we needed more of this crap.) He paid a 45% commission per sale.

  • He used (or uses) DarkMailer (aka: DM) to perform his spam runs.

  • He was (or still is) an active member of Sancash, the now-renowned "herbal remedy" spammer affiliate program with ties to Genbucks and Tulip Lab. (yes, VPXL / Elite Herbal / Manster / Megadik, again: like any of us wants to hear about it.) He liked spamming for them and made okay commission apparently. His conversion ratio indicates that he's spamming lots of people who definitely do not want to hear about these products: "My conversions started at 1:80 and have been at 1:150-1:250 ever since." More on this below.

  • He was also a member of the bulker.biz affiliate program. (Canadian Pharmacy, I believe, is one of their properties.)

  • He has dealt with diploma spamming in the past. Whether he actually mailed it himself is unknown. This is very obviously illegal activity.

  • He was in need of new servers in Sept. 2007. He had very specific requests as to the specs of these servers, which were to be used for "proxy mailing", in other words: to use a botnet to send spam, which is illegal. It appears that he may have done a deal with RackSpace06 for those servers, and that he got ripped off by him (or nearly so.)

  • In March 2007 he stated "We have entered a new era in mailing. Botnet is your best candidate for re-entering this industry." He then outlined how to get started in the bot-spamming business. It's pretty clear he knows a lot about how to send spam using hijacked and infected computers, to lists of people who very likely don't want to hear from him.

  • He hates "antis" (such a stupid term.) Yet he continues to mail to people he knows would prefer not to hear from him. Their complaints make him angry.



What other dealings does Mr. Minic feel would be threatened by exposing him as a spammer? A google search for "Adam Minic" (with quotes) and "boise idaho" (without quotes) turns up a posting dated Jan. 23rd, 2008 on the forum "averyoutdoors.com" from a user named Camo Coatings discussing goose hunting. He is also located in Boise Idaho. I had previously suspended this posting because someone claiming to be Mr. Minic complained that someone was threatening his life based solely on my posting on this blog, ignoring completely that this information was already widely publicized last year by Marion Lynn on his spamgossip blog.

Since he has not shown me any proof of these alleged threats, this posting has been reactivated, with his comments intact. I have excised the contact info, which as mentioned before is already available elsewhere.

I mentioned his "conversion ratio." Conversions are the meat and potatoes of the spam industry if you spam on behalf of an affiliate program. A ratio of 1:80 is not good, by legitimate marketing standards. That means that for every 80 people who end up clicking through to your site, only one of them bought something. Legitimate companies, companies like (let's say) Amazon.com, or Lavalife.com, or any other above-board business which relies on third parties for some of their marketing needs would be hoping to see conversions more along the lines of 1:4, or 1:10. Even 1:10 is not considered a good ratio by legitimate companies. This goes quite a way to explaining the spammer mentality. They don't care how many people (like me) don't want to hear from them, they want money. They want the money for as little effort as possible. They want to follow only two steps:

1. Hit "send"
2. Get paid

Your complaints mean nothing to a guy like Adam Minic / Servman. He can't be bothered to clean his lists because that involves more steps than the two outlined above. Steps like: cleaning your list. Or possibly: choosing NOT to promote fake herbal remedies or illegally supplied fake pharmaceuticals which have no proven medicinal value.

A posting from January 2007 is probably the biggest indicator as to why he doesn't want his personal data out there. It's in response to a posting by mcproxy regarding exposing the personal data of someone who scams you in the spam industry:

The thing is, maybe not posting personal info. but enough to get the point across. Ie: icq, alias, etc.. In a particular section of the forum. I was just expressing my idea in hopes that we could build something workable. I vote for a scammer section for misconduct and wrongdoing unbecoming of a valid contact in this biz type of section.. hehe.

Currently if any of us get scammed, I can speak for myself anyways, I will post their alias info at least. I have never posted anyone's personal info. and I am sure never will. But many of us know each other past our alias. So therefore that's the assumed risk we take in business through gui interface..

Maybe my "quick reference section to scammers" is not a great or even good idea, but just wanted to convey my thoughts about this issue.

Any-thoughts guys???


Maybe he's worried about being perceived as a scammer. Or maybe he does business in other areas which would be impacted by having his real name associated with activities like spamming or using a botnet. Aside from the purely legal ramifications, I guess that would definitely impact his bottom line. But then why continue to spam? Why knowingly participate in these activities if you weren't already well aware of the risks?

I'm intrigued to see if he appears anywhere else out there in terms of forum postings. Having said that: I have a life. I'm not going to knock myself out about it. Digging this bit of info didn't take long at all. I like to keep it that way.

It appears that Lynn was correct in identifying Servman. (Surprise!) I'm still not sold that he's effectively identified anyone else, or that doing so has had the desired effect.

SiL / IKS / concerned citizen

Sunday, February 3, 2008

A Spammer Responds, re: VPXL / Elite Herbal / Sancash / Genbucks

I received what is quite possibly a complete impossibility: A comment on this blog which wholeheartedly supports the spamming of VPXL, since it's such a "great product":

Hey, IKillSpammerz.

I purchased the penis enlargement product and used it continuously for 6 months. The product works well and I am very pleased with this product.

I have no problem with people selling stuff on the internet. Businesses around the globe use the internet as a vehicle to market their products and services to tens of millions of people every day. The retail market on the internet is a multi-Billion dollar market which is growing larger by the day, worldwide.

Personally, I have no problem with people selling their stuff on the internet. I sell stuff myself.


Wow. Just... wow. This is one of the stupidest -- and most fictitious -- responses to any posting I have ever posted, ever, in any online forum.

I have a few choice words for whoever it was that posted this and assumed it was any kind of reasonable argument regarding the insane amount of spam which is present on an hourly basis promoting Genbucks / Sancash products:

1) You are rather obviously a spammer, and not a genuine customer. I am not overtly biased when I say this: the only time I ever receive this kind of positive response regarding what 99.999% of the email receiving public KNOW to be an illegal scam is when it's posted by a spammer themselves, or someone else within the spammer hierarchy. This has been proven numerous times, on several forums. (Including my favorite one, which spammers chose to attack extensively.)

2) Since this is not a blog which rails against "people selling their stuff on the internet" (I have absolutely no problem with amazon.com or ebay.com, and you will notice I never mention any [comparatively] legitimate online retailers who sell legitimate products) your comment is completely off topic. Online e-commerce is a great idea, and the companies who operate above board and market to people who WANT to hear from them are not mentioned in this blog.

I notice you worded your comment in much the same way as most spam messages we all receive. You "purchased the penis enlargement product". Really. Which would that be? You obviously don't want to date your response, since the name of this product has changed approximately 9 times in the past six months. Only a spammer of these "products" would make that kind of choice.

Do you want to know the exact date I "opted in" to receive spam on behalf of VPXL or Elite Herbal or Herbal Max? Or Spur-M? Or WonderCum? Want to take a blind guess?

I can save you the hassle (but since you're a spammer, you already know this): I have never "opted in" -- EVER -- to receive email promoting this product. I never would. I have absolutely no interest in any "penis enhancing product" of any sort, but assuming I ever did: I would never trust that product if the only way I ever heard about it was via spam from a fictitious address, sent to me when I did not actively request it. That's most likely because I have a brain.

But in spite of this crucial detail, here's how much of my daily email intake is solely responsible for promoting this "product":

I receive 40 - 60 messages PER DAY promoting VPXL to only one of my email accounts. To my other three accounts which receive this type of spam - none of which were created for anything other than automated reporting of web stats and the like - I receive several dozen emails per day. I have never given ANYONE permission to send email to those accounts, and no living human being has ever been told of their existence.

As a test last year, a colleague of mine created a Gmail account which he never even used. He set it up, verified it, and left it alone for a month. He told absolutely nobody what that gmail account was, and he never posted it anywhere, in any public forum.

That account, which no human being is at all aware of, and which has certainly never "opted in" to anything, is currently receiving from 60 - 70 spam messages per day (all caught by Gmail's filters) solely for VPXL.

Explain to me, anonymous, how this can ever be perceived as "legitimate marketing" by anyone. Whoever is sending to my colleague's Gmail account is clearly attempting to send to the entire internet population whether they want it or not. That is just a blatant abuse of public (and in this case, corporate) services and processes, and costs everyone a huge amount of money every single day. It's fraud, it's abuse, and it's promoting a "product" which has already widely proven to have no medicinal value whatsoever.

I know of absolutely NOBODY AT ALL within my circle of professional or personal relations who has ever asked to receive email regarding penis enhancement products, ever. I'm talking in over ten years of seeing the word "penis" in my inbox (which I certainly don't enjoy), I have never, ever, at any time, known anyone who was actively seeking these products, or who had ever given anyone permission to email them regarding these bogus products.

That's only part 1.

Part 2 is: there is a slew of very well written scientific evidence, especially in light of the investigative journalism the ongoing daily barrage of this crap unwanted email has given rise to, which unequivocally proves: this product is 100% bullshit.

The recent BBC investigation went to both a penile health expert and a pharmacologist. I myself have had communication with more than a few pharmacists regarding Elite Herbal / Manster / Megadik and (now) VPXL / Express Herbals.

I quote from the BBC article posted by Richard Cox on the BBC website:

Two weeks after I placed my order a brown envelope arrived from India. Inside was a bottle of Manster pills and the promise of a month's worth of enhanced sexual performance - although there is no mention of penis enlargement.

I sent the list of herbal ingredients to David Schardt, a senior Nutritionist at the Center for Science in the Public Interest in Washington DC.

He couldn't find any evidence to show that most of the ingredients would have any effect. What had cost me £35, he said, I could pick up for 50p in India.


This is only the most public, and most recent example of the exposition of this product as an outright fraud. In light of the considerable law enforcement and media awareness of this case around the world, that you would choose to word your pathetic comment in similarly vague terms is unsurprising, but phenomenally stupid.

Your idiotic comment is only present on this blog to somehow promote positive page ranks towards spam-friendly sites, most likely fraudulent comment spam postings. You are incorrect. You're likely one of the spammers (possibly the one who sends me the dozens of spams per day promoting this retarded non-product.)

Don't waste my (or the public's) time with stupid "comments" on my blog like this one.

I chose not to publish that comment, and instead opted to highlight it in its own posting as yet another desperate ploy by a scumbag spammer (or colleague of a spammer) trying to weight this blog in such a way that it ends up supporting VPXL spam runs. It's still in the comment queue as evidence (since, trust me, law enforcement is well aware of this blog.)

Telling me that "The retail market on the internet is a multi-Billion dollar market which is growing larger by the day, worldwide" is a nice broad, pointless, non-statistical statement. You are purposely missing the point:


  • Nobody opts in to VPXL spam. Nobody. There is absolutely no proof that the morons behind Sancash spam have ever used a targeted list, and this is borne out by numerous comments on pro-spam forums and the recent subversive actions of Sancash by attempting to hide their new affiliate program's location.

  • The product is arguably fake, and overpriced.

  • The product does not do what it claims.

  • The sites lie: they claim to be secure, when they are not. My own research has uncovered that not even the back-end processes of any Genbucks or Sancash website operate with any sort of security whatsoever.

  • Their emails do whatever they can to get around spam filters, highlighting just how illegitimate their "marketing efforts" are. Numerous incoming messages promoting Elite Herbals are virtually unreadable. The only ones who can compare on this level are the idiots behind "Canadian Pharmacy", whose emails abuse so many services it's impossible to list them all here.

  • Their "testimonials" are completely fake and known to be written by staff members.



This rogue (and I hasten to emphasize: anonymous) commenter is only proving just how stupid a spammer can be. The only people who ever post this kind of crap response are spammers. I have NEVER seen anything to prove otherwise.

As a final note: this blog has never claimed to be the expert on this topic. You can search the entire internet and find a plethora of similar distaste for this "product" and the individuals who choose to spam in hopes of promoting it. It is next to impossible to find any posting which is positive or supportive of the relentless assault of spam promoting VPXL (etc.) Don't just take my word for it, look for yourself.

SiL / IKS / concerned citizen

Thursday, December 27, 2007

Elite Herbal, GenBucks, SanCash and Tulip Labs

Happy Holidays.

There was a flurry of activity in the weeks of December before the Xmas holiday. I saw a lot of diligent reporting of the activities of what is arguably the most annoying and least-compliant illegal spam operation in the world today: The mailers of the pernicious "Elite Herbal" penis enlargement herbal remedy products.

If you have an email address at all, of any sort, whether you've ever given it out to anyone or not: you've more than likely seen this spam, though fortunately most of it ends up where it belongs, in the junk folder. This doesn't stop the spammers behind this "product" from sending multiple copies of the same messages every single day to you.

Elite Herbal is one of a batch of products promoted via what is known as the SanCash program, a spammer affiliate program sponsored by bulkerforum.biz members Sancash and Azzy. Several members of bulkerforum.biz are active mailers for that program, notably "Moneyminters", a non-compliant mailer going back several months now at least.

Starting in July of 2007, the spam research blog Spam In My Inbox began investigating who was behind the relentlessly high volumes of spam he continued to receive for this unwanted product. He did quite a bit of due diligence and appears to have been very forthright in trying to find specific contact information for who was behind Elite Herbal itself. All initial contact was ignored (of course) whenever posted via one of the spamvertised fly-by-night websites.

He discovered that IP addresses associated with the spammed websites belonged to a company claiming to be called "Tulip Lab Pvt. Ltd.", located in Mumbai, India. He attempted to contact them regarding the mountains of unwanted spam emails. He never once received any kind of response.

Using some clever technological tricks, he entered an order into one of the spamvertised sites, but while doing so he carefully also entered some tracking code of his own (I'm not privy to what he specifically did, but I have my own theories.) This meant that any computer which viewed his order would report back to him regarding its IP address. He reported on this on July 4th, 2007, stating that the order had been viewed from an IP address belonging to a DSL Internet provider known as iHug (now a division of Vodafone), located in New Zealand. He complained to iHug and provided his evidence. They took action and investigated the offending account, eventually shutting it down. That IP address turned out to be directly related to one Shane Atkinson, a spammer who has been uncovered at least once (back in 2003) and who had claimed to have given up spamming altogether.

He also noticed that an IP address belonging to Tulip Lab also viewed his order. He documented all of this.

In August, 2007, the spam runs for Elite Herbal intensified. I myself noticed an increase from the usual 14 - 22 messages a day which were received to my control monitoring account, to upwards of 24 - 33 per day, all promoting only Elite Herbal.

In September, SpamInMyInbox wrote an open letter to Tulip Lab and those who supported them. He asked why they continue to allow spammers to promote their "products", and asked for verification as to what the correlation was of the Tulip Lab IP address to the order he placed. He sent an email version of that open letter to the operators of Tulip Lab, cc'ing numerous India-based media outlets and newspapers, and the Pharmaceuticals Export Promotion Council in India, of which Tulip Lab was a member.

Nothing happened for a while after that, but the spam maintained its ridiculously high numbers on a daily basis.

Then in December, the BBC4 program "The Investigation" hosted by Simon Cox aired a half hour program which investigated this exact same rampant spam operation. Since it was the BBC, it appears that they got deeper access than an average individual would otherwise get. They took all the same steps as SpamInMyInbox did - placing an order, waiting to see if anything happened, drawing the same conclusions as to the involvement of Tulip Lab, and eventually contacting the author of SpamInMyInbox himself, which provided them the link to the New Zealand spammer behind his particular spam messages, and those received by the BBC themselves. They further correlated that an affiliate program known as GenBucks had several connections to Tulip Lab and Elite Herbal.

They also directly contacted Shane Atkinson, asking why he had spammed them and others. Atkinson answered that he was a spammer in the past, but claimed that "we've closed all that down years ago", before abruptly ending the interview.

The next day, law enforcement in Christchurch, New Zealand performed a raid on four addresses and "seized 22 computers and boxes of documents ... as it investigates an international spamming operation". [scoop.co.nz]

This harsh spotlight has recently caused the spammers behind this setup to hide like a bunch of cockroaches. The day after the BBC investigation aired, the author of SpamInMyInbox was told by the BBC that Tulip Lab was apparently going to sue him for what they claimed to be "harassment" (likely related to the numerous unanswered inquiries which pretty much anybody would like an answer to: why are they still spamming everybody? Why do they condone spamming? Why do they allow it to happen in such high volume related to one specific product of theirs? Etc.?)

This ruffled some feathers over on BulkerForum.biz. One member named "icanspam" posted a link to the story, and made the same assumption that the BBC did: that Shane Atkinson was the spammer behind this particular spate of annoying Elite Herbal spam runs. This caused other bulkerforum members to pipe up, and several of them were definitely in some distress concerning what appeared to be the exposition and shutdown of the Elite Herbal program run by Sancash. Some excerpts:

TOPIC: SANCASH.. What's going on ?
mic141414

Joined: 12 Jul 2007
Posts: 37
Posted: Thu Dec 20, 2007 8:19 am
Post subject: SANCASH.. What's going on ?

they are offline .. been like that the last 3-4 days.
Commissions NOT paid this week.

Anyone has news on that ??

I am a little worried for my $$
thanks


In the thread: General Talks: raided suspected spammers in Christchurch:

ubuntu

Joined: 06 Feb 2007
Posts: 12

Posted: Thu Dec 20, 2007 10:26 am
Post subject:

not sure if this is sancash

this is related to this audition.. and hmm.. looks like GB...

http://www.bbc.co.uk/radio4/theinvestigation/pip/uvboh/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

jhood

Joined: 23 Oct 2006
Posts: 151

Posted: Thu Dec 20, 2007 11:51 am
Post subject:

thanks for link ubuntu..

eliteherbal/manster IS SanCash

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

icanspam

Joined: 10 Aug 2007
Posts: 52

Posted: Thu Dec 20, 2007 2:22 pm
Post subject:

SA?

Shane Atkinson, bro.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

mail4spart

Joined: 15 Sep 2006
Posts: 33

Posted: Thu Dec 20, 2007 5:18 pm
Post subject:

I know Shane is a straight up guy and doesnt deserve all this heat. I hope he can survive this like he did last time he came under a lot of heat before him and his brother. He has been running a smart business for a long time and looks after his people and if he has to shut down the biz there will be many affiliates effected and unpaid.


I guess, in spammer talk, "smart business" translates to: "violating court orders to promote fake products illegally using botnets" because that's precisely what Shane Atkinson was doing.

I checked moments after those postings were made, and the domain sancash.com was unresponsive (and still is.) Suddenly, I saw no spam whatsoever for Elite Herbal. All of a sudden. Just like that. Instead, the spammer who's chosen to keep sending to my control account had switched to stock spam. Many other rather sudden changes also ensued, all very much noticed by SpamInMyInbox in further investigations he pursued, all posted on his blog. It was clear that whoever was responsible for this spam specifically wanted to suddenly and completely remove any trace of connection between Sancash, GenBucks, Elite Herbal and Tulip Lab. It struck me (and others) as a rather clumsy and desperate move.

It's worth mentioning that this is not the first time I and others have investigated and taken action against this group of companies. Last November, in 2006, I and several colleagues performed our own investigation into the operation of several spamvertised sites promoting a bogus product known at that time as "Spur-M". We discovered that they used a third-party back-end server, hosted and owned by GenBucks, for the processing of credit card orders. We also noticed quite a bit of correlation between the domains registered for the Spur-M websites and the GenBucks affiliate program.

The same day, I created what became known as "The Spur-M-Enator™" which allowed for several thousand automated, believable, and completely fake orders to be placed at these back end servers. I released it to a handful of colleagues and we all left it running in the background for several hours.

This definitely made them mad, but never once did they stop spamming us. We increased the volume of fake orders per hour, which we know for a fact caused them to lose a considerable amount of time in processing and verifying the orders themselves. We could tell they were upset by this because the back end servers previously never output anything. Now they were outputting a bogus message about how our hard drives had been completely downloaded, or some such nonsense. It didn't stop us. What did stop, after a few days, was any spam - or indeed any mention - of Spur-M as a product. Instead all such spam numbers were focused on stock spam, a trend we notice they tend to fall back on when something isn't going as planned.

They later created "ManXL" and "Manster" as the replacement name for "Spur-M". In the BBC investigation, the label on the bottle which was eventually received from Elite Herbal said that the product was actually called "Manster." That definitely connected more dots for us, and confirmed that for two straight years now, we'd made it difficult for this pernicious operation to profit from relentless spamming. I should hope that this has cost them considerable effort and lost profits, and that further arrests will be forthcoming.

Over the holidays I noticed that all such "Elite Herbal" spam has now been replaced either with more Stock Spam, or spam initially promoting "Express Herbal" and then later "VPXL", yet another so-called Penis Enlargement herbal remedy (though the header banners on these sites actually still say "Express Herbal". They can't seem to focus much.) The cycle repeats again, apparently.

This is very obviously the same criminal group, and the shutdown of Shane Atkinson's operation has clearly not diminished the amount of spam I continue to receive for this particular product. As happy as I am (and many others are) to see the death of the Elite Herbal "brand", it doesn't appear to be diminishing any of this bogus "herbal remedy" spam at all.

In the days following the raid, SpamInMyInbox dug even deeper into what he had discovered on Tulip Lab and GenBucks. I'll leave you to read it for yourself, but trust me: it's outstanding research, and makes it even clearer just how guilty all of these parties are in perpetrating illegal spamming of an unwanted product to the world at large.

I and others are determined to find out who, specifically, is continuing to flood our inboxes with this scourge, and will continue to assist law enforcement in finding and shutting down every last one of these malicious criminals.

Tulip Lab and GenBucks: get the message. We hate you. We hate your "products" and we hate the fact that you seem to employ ONLY illegal spammers to do your promotions for you. Your days are numbered. Count on it.

SiL

Wednesday, December 19, 2007

2007: A Very Bad Year For Illegal Spammers

2007 is winding down, and I thought I'd take a moment to list just how many big achievements were met by the dedicated research and hard work of all the members of the numerous anti-spam forums such as KillSpammers and CastleCops, and organizations such as SpamHaus, the FBI Cybercrime Division, the i-Law Group, IronPort, SecureWorks, Shadowserver, F-Secure and countless others. Just look at how many large-scale arrests, convictions, and media stories regarding cybercrime and illegal spamming came about in the past twelve months.

In this synopsis I will make reference to several key members of what once was the Kill Spammers forum which was DDOS'd out of existence in August, 2007. The loss of that forum has absolutely not diminished or impeded the continued efforts of its members, all of whom continue to investigate and report all manner of illegal spamming, server hijacking and botnet operation. If anything it's only led to more and more of us banding together via other means.

Make yourself some hot chocolate and join me in a look back at 2007, the worst year so far for any illegal spammers out there.

January 2007:


  • Chris "Rizler" Smith is sentenced to 30 years in prison for drug trafficking, witness tampering and illegal spamming practices.

  • Many members of the KillSpammers forum report on an illegal / fake charity known as "Save Childs". It appears to be related to a spate of spam for both Discount Pharmacy (Vincent Chan) and My Canadian Pharmacy (Yambo.) After reporting their multiple spammed addresses to law enforcement agencies and hosting companies, all of the sites are eventually shut down.



February 2007:


  • Spaminator creates the spamwiki. SiL creates a lengthy report on My Canadian Pharmacy based on a lengthier report which was already widely circulated to many security companies and law enforcement agencies around the world. Red Dwarf writes and updates numerous sections. A crucial tool for collecting and exposing evidence is made. Law Enforcement and Spamhaus eventually take notice.



March 2007:


  • The Vancouver Sun (among many others) publishes a story about the death of Marcia Bergeron of Quadra Island, BC due to fake drugs purchased from a spamvertised source.

  • SiL begins performing research on the Yambo sites in assistance of the i-law group (Jon Praed) and IronPort (Patrick Peterson.) His research and other data are eventually used in a web seminar covering the a-z of the My Canadian Pharmacy spam group (Yambo Financials) including an in-depth look at their supply chain processes, message dissemination, botnet size and implementation, and server hijacks.

  • The SEC suspends trading on 35 spamvertised stock symbols in Operation Spamalot. 14 of the stocks are traceable to Vancouver stock traders. International law enforcement is given huge amounts of data on these companies and the illicit trading manipulation that took place.



April 2007:


  • After being inundated with spam for Discount Pharmacy, SiL decides to write a synopsis about their known functionality and operations. AlphaCentauri and Red Dwarf assist greatly.

  • ILoveCrapfloods creates FsckChickenboners! (a bot for crapflooding spammers' forms) It slowly gains a following and is refined and modified throughout the year, sending thousands of fake orders to illegal pharmacy and replica watch sites, resulting in wasted time and lost profits for several illegally promoted websites selling counterfeit products.



May 2007:


  • Renowned bulkerforum member and proxy reseller mcproxy retires from the spam and proxy reselling business after nearly having his personal data exposed by spam-court.com. This indicates that the research posted on that blog is very much on the right track and leads to a lot of illegal DDOS activity against that site on behalf of members of BulkerForum.

  • Notorious repeat spammer Robert Alan Soloway is arrested in Seattle after a federal grand jury indicts him on 35 charges ranging from wire fraud to identity theft. The lawsuit against him is ongoing and he remains in prison in Seattle pending commencement of the trial.

  • The country of Estonia has its entire computer infrastructure come under a massive DDOS attack. Everything from train schedules to utilities and banking is completely knocked off the grid for several days. The investigation into this attack is still ongoing and thought to lead to Russian and Ukrainian sources. Several rumors floated around at this time that the Russian government itself was behind these attacks. None of this has been proven. This event has the effect of raising the awareness of DDOS attacks and the criminal groups behind them.



June 2007:


  • SiL posts a lengthy description of the illegal activities of Nick Danger / Marion Lynn to the newsgroup NANAE.

  • AlphaCentauri and SiL begin a coordinated series of reports regarding the Discount Pharmacy hijack of Windows 2000 / 2003 servers. This results in the eventual shutdown (or cleanup) of several hundred hijacked servers and a great deal more data on the hijacking process for Windows servers on behalf of Vincent Chan. We eventually see a complete stop in any spam runs for this spamvertised product line around August of 2007.

  • Darrel and Jack Uselton are arrested for "hijacking personal computers across the country to send mass e-mails and inflate prices on at least 13 stocks."



July 2007:


  • SiL is interviewed in Forbes Magazine for an article about Patrick Peterson from Ironport Systems. The article covers Peterson's investigation of the My Canadian Pharmacy operation, run by Yambo Financials.

  • E360 files numerous motions against Spamhaus for labelling them as spammers. All of these charges would later be either withdrawn or dismissed.

  • The FBI's Operation Bot Roast identifies over one million computers as being under the control of illegal botnets. This is the first of two such investigations which later results in several arrests directly related to illegal hacking and owning or operating botnets generally.



August 2007:


  • Several anti-spam and anti-fraud websites come under a huge, unrelenting DDOS attack. Sites attacked include the Kill Spammers forum (whose domain has remained down since then,) CastleCops, 419eater, thescambaiter, and countless others. Kill Spammers operator KyferEz mitigates the attack on the KS forum to the best of his abilities, but the domain eventually folds. Several of us take up temporary residence in CastleCops (many of us stay active there also.) The criminals behind these attacks idiotically think this will slow us down.

  • In what is arguably one of the bigger blows against spammers everywhere, Red Dwarf introduces his diabolical Complainterator™ application for the automated reporting of illegally hosted domains. Over the next several months, several people start using it and it undergoes numerous upgrades and improvements. Use of this tool leads to even some of the more highly unresponsive domain registrars taking notice and removing several thousand offensive domains from their registries.

  • Members of the CastleCops Phishing Incident Reporting and Termination Squad (PIRT) as well as their other Termination Squads for spam (SIRT) and malware (MIRT) begin joining the KillSpammers forum.

  • Red Dwarf releases the AutoSA application for automated reporting of malware, phishing and spamming sites to Site Advisor. He inevitably gets several other sites to provide extended services for users of this tool, notably dnsstuff.



September 2007:


  • Red Dwarf begins automating a method of monitoring, researching, collating and ultimately reporting the existence of hijacked PC's using what would eventually become the Botnet scanner. Over a few months he single-handedly reports several tens of thousands of infected IP's, resulting in more of a significant response from ISP's than most of us probably expected.



October 2007:


  • Several news stories from October to November 2007 track the Russian Business Network (RBN), exposing its ties to Russian politicians, their multiple shifts in locations from Russia to China to disappearing completely, and interviewing its so-called representative.

  • Porn spammers Jeffrey Kilbride and James Schaffer are sentenced to five years in prison, convicted of "conspiracy, money laundering, fraud, and transportation of obscene materials".

  • Greg King, 21, of Fairfield California is arrested for performing a DDOS attack on CastleCops in February of 2006. He faces a maximum sentence of ten years in prison and a $250,000 (USD) fine.



November 2007:


  • Spaminator creates numerous international domains for the spam wiki and attempts (where possible) to get several large-scale sections of it translated and duplicated into these mirror sites. This proves to be very helpful in its use as evidence against illegal spam operations, and leads to big changes at several previously spammer-friendly domain registrars.

  • Marion Lynn creates a blog (spamgossip.blogspot.com) which exposes the identity of several known, high-level spammers who were members of bulkerforum.biz, including Phantom (Norman Holmes), Lizza (Steve Joseph), Dollar (Christopher Brown), Dave (David Oleg Barsky), bigjohnson (Igor Shaposhnikov) and others. Notable omissions are Crypto and moneyminters. It's unclear what prompted this sudden need to tell the world about the identity of these spammers, but he did it. SiL works with members of Spamhaus in collecting whatever is posted on spamgossip and sending it back to them (and law enforcement), and correlating it to the already massive amount of collected information on the members of bulkerforum.biz.

  • While we're at it: several other members of bulkerforum.biz begin exposing each other in a spate of scammer outcries on the forum. We didn't even have to do anything.

  • SiL transcribes a lot of the content from the spamgossip blog into his own blog (which you are now reading) which has the curious effect of reaching higher page ranks than Marion's blog. Marion later takes down quite a bit of personal data without any explanation.

  • Jason Michael Downey is arrested for running a botnet consisting of 6,000 compromised PC's.

  • New Zealand law enforcement break up a major international botnet and arrest its ringleader.



December 2007:


  • The FBI's Operation Bot Roast II results in the arrests of 8 individuals who owned or operated large-scale criminal botnets.

  • Secureworks investigates spamming runs in relation to US presidential candidate Ron Paul and discovers a connection with known porn spammer and botnet operator "nenastnyj", aka Andrew Nenastnyj, known on bulkerforum as "Nena".

  • Justin Daniel Medlin is sentenced to 72 months in prison in connection with pump-and-dump stock spam runs he committed during 2004.

  • Akhil Bansal is sentenced to thirty years in prison for illegally distributing medications without any prescription. This followed a lengthy investigation dubbed "Operation Cyberchase", documented in a multi-part investigative series in the Philadelphia Inquirer.

  • BBC 4's "The Investigation" do some digging into the group behind the rampant spam for "Elite Herbals", leading to a very thorough investigation of GenBucks, Tulip Lab, and one of their spammers, Shane Atkinson. Burgeoning illegal spam blog Spam In My Inbox is also consulted for this story, and much of his evidence matches that of the BBC. This eventually leads to a police raid in Christchurch, New Zealand, resulting in the seizure of "22 computers and boxes of documents from four Christchurch addresses", including that of Atkinson.



Definitely a very active year for people who fight online crime in all its facets, and absolutely a very bad year for illegal spammers.

This kind of activity will only continue. As long as people like myself continue to be on the receiving end of unwanted illegal spam from asshole criminals like the ones listed above, we'll continue to do everything we can to get to the bottom of it. There is a difference between general commercial email, and spam for products that are illicit, fake, counterfeit, or outright illegal - and in some cases lethal. We are not going to stand for this any longer, and this year's numerous arrests prove that.

SiL / IKS / concerned citizen

Friday, December 14, 2007

Elite Herbal Exposed by BBC4, Blogger

Another quick one. Another intrepid investigator of illegal spammers, Spam In My Inbox, has joined the BBC in investigating the cretins behind the endless flood of unwanted "Elite Herbal" spam, drawing direct links between the Elite Herbal spam type, the GenBucks affiliate program, Tulip Labs in Mumbai, India (who create and ship the bogus "herbal remedies") and the actual spammer who hit the send button: Shane Atkinson of New Zealand.

It's a fascinating story and has apparently led to several new investigations.

You can listen to the show, BBC4's "The Investigation", here.

I have created a temporary download of an mp3 podcast of the show here, and I also created a complete transcript of the show here.

You can read SpamInMyInBox's response to the show here.

This is great news regarding this widely reviled group.

SiL / IKS