Showing posts with label Manster. Show all posts

Wednesday, February 20, 2008

Who is Servman? (now that Bulkerforum is down)

Since Feb. 12th, bulkerforum.biz has been dormant. The domain does not resolve and it's not hosted on any of the previously known hijacked IPs. That's interesting in itself, in light of the slew of recent arrests involving illegal spammers.

But there's other interesting news regarding that site. Several members have suddenly been unceremoniously removed. I'll report back on a few of them in the coming weeks, but for now I thought I'd cover one particular member who seems to have actively wanted to cover his tracks: ServMan.

Back in November when Marion Lynn created his blog, spamgossip, he began exposing individual members of bulkerforum.biz, the go-to forum for illegal spammers.

Initially he listed handfuls of people per day, then removed a bunch, then removed a bunch more. Since then it's remained pretty dead, and numerous postings have been removed altogether. As one would expect, this caused people (like me) to dig a little deeper. I checked out some of the postings of the exposed users. At the time, none of it seemed particularly important.

I and many others had recently noticed (before the forum was shut down, if that's what's taken place) that some of those members have suddenly "gone dark" on that forum, notably Phantom (aka: Norman Keith Holmes.)

Then in mid-January I noticed that one of the members, ServMan, had either been systematically deleting any postings he had on the forum, or getting someone else to. (Or, alternatively, one of the admins of that forum may feel that having his particular info on that forum is a bad idea.)

Whenever I see this kind of thing happen, it definitely seems to indicate that there is truth to the exposed information. Why would somebody suddenly shut up unless the name was correct? Especially in light of how that group has acted whenever someone like myself has done this in the past (claiming libel, claiming my info is way off base, etc.) it is stunning just how silent some of the members have become.

Servman was listed as one Adam J. Minic. Searching for that turns up very few hits, but there is one interesting one from the NANAE newsgroup:

Newsgroups: news.admin.net-abuse.email
From: DarkFiber
Date: Sat, 24 Nov 2007 20:46:21 -0000
Local: Sat, Nov 24 2007 3:46 pm
Subject: Re: TURKEY STUFFING: ANOTHER SHITBAG!

On Thu, 22 Nov 2007 19:46:51 -0800, spamgossip wrote:
> SPAM AND EGGS!

> The spam is in your mail and the egg is on the faces of these Bulker
> Forum members!

> servman - Adam J Minic - Boise, ID

Highly believable as there is evidence as recent as summer 2007 that Adam Minic associates with veteran spammer Todd Springer of the S & S Global LLC spam business that Todd and his brother, Scott used to run. Adam is perhaps a protege of theirs.

Kind of makes one wonder if Todd and Scott Springer didn't really retire from the spam business.

One also has to wonder if KEVIN JAMES MINIC #18299 who was discharged (as an inmate) from the Idaho Department Of Correction on 03/21/2005 is any relation.


On Dec. 27th, 2007 - the last time I bothered to check into it, Servman was responsible for 11 postings. Prior to that the number was much higher, around 30 or so.



I checked it on Jan. 28th, 2008, just out of curiosity. There were zero postings from Servman. None.



As it happens, I still have copies of some of his postings on the forum. In my opinion, while they are definitely damning evidence pointing to a string of the usual offences associated with illegal spamming, they aren't terribly different from those of numerous other members of the site. Nonetheless, either Servman or someone else must have assumed that this was too much exposure for him.

Here are the details I managed to glean from the postings I was able to archive from bulkerforum.biz last year following the exposition of Servman:


  • He expressed interest in Hotmail and Yahoo email list verifier software.

  • He was interested in purchasing lists from numerous members.

  • He offered a new RX program (ie: Pharmacy spam, like we needed more of this crap.) He paid a 45% commission per sale.

  • He used (or uses) DarkMailer (aka: DM) to perform his spam runs.

  • He was (or still is) an active member of Sancash, the now-renowned "herbal remedy" spammer affiliate program with ties to Genbucks and Tulip Lab. (yes, VPXL / Elite Herbal / Manster / Megadik, again: like any of us wants to hear about it.) He liked spamming for them and made okay commission apparently. His conversion ratio indicates that he's spamming lots of people who definitely do not want to hear about these products: "My conversions started at 1:80 and have been at 1:150-1:250 ever since." More on this below.

  • He was also a member of the bulker.biz affiliate program. (Canadian Pharmacy, I believe, is one of their properties.)

  • He has dealt with diploma spamming in the past. Whether he actually mailed it himself is unknown. This is very obviously illegal activity.

  • He was in need of new servers in Sept. 2007. He had very specific requests as to the specs of these servers, which were to be used for "proxy mailing", in other words: to use a botnet to send spam, which is illegal. It appears that he may have done a deal with RackSpace06 for those servers, and that he got ripped off by him (or nearly so.)

  • In March 2007 he stated "We have entered a new era in mailing. Botnet is your best candidate for re-entering this industry." He then outlined how to get started in the bot-spamming business. It's pretty clear he knows a lot about how to send spam using hijacked and infected computers, to lists of people who very likely don't want to hear from him.

  • He hates "antis" (such a stupid term.) Yet he continues to mail to people he knows would prefer not to hear from him. Their complaints make him angry.



What other dealings does Mr. Minic feel would be threatened by exposing him as a spammer? A Google search for "Adam Minic" (with quotes) and "boise idaho" (without quotes) turns up a posting dated Jan. 23rd, 2008 on the forum "averyoutdoors.com" from a user named Camo Coatings discussing goose hunting. He is also located in Boise, Idaho. I had previously suspended this posting because someone claiming to be Mr. Minic complained that someone was threatening his life based solely on my posting on this blog, ignoring completely that this information was already widely publicized last year by Marion Lynn on his spamgossip blog.

Since he has not shown me any proof of these alleged threats, this posting has been reactivated, with his comments intact. I have excised the contact info, which as mentioned before is already available elsewhere.

I mentioned his "conversion ratio." Conversions are the meat and potatoes of the spam industry if you spam on behalf of an affiliate program. A ratio of 1:80 is not good, by legitimate marketing standards. That means that for every 80 people who end up clicking through to your site, only one of them bought something. Legitimate companies, companies like (let's say) Amazon.com, or Lavalife.com, or any other above-board business which relies on third parties for some of their marketing needs would be hoping to see conversions more along the lines of 1:4, or 1:10. Even 1:10 is not considered a good ratio by legitimate companies. This goes quite a way to explaining the spammer mentality. They don't care how many people (like me) don't want to hear from them, they want money. They want the money for as little effort as possible. They want to follow only two steps:

1. Hit "send"
2. Get paid

Your complaints mean nothing to a guy like Adam Minic / Servman. He can't be bothered to clean his lists because that involves more steps than the two outlined above. Steps like: cleaning your list. Or possibly: choosing NOT to promote fake herbal remedies or illegally supplied fake pharmaceuticals which have no proven medicinal value.

A posting from January 2007 is probably the biggest indicator as to why he doesn't want his personal data out there. It's in response to a posting by mcproxy regarding exposing the personal data of someone who scams you in the spam industry:

The thing is, maybe not posting personal info. but enough to get the point across. Ie: icq, alias, etc.. In a particular section of the forum. I was just expressing my idea in hopes that we could build something workable. I vote for a scammer section for misconduct and wrong-doing un-becoming of a valid contact in this biz type of section.. hehe.

Currently if any of us get scammed, I can speak for myself anyways, I will post their alias info at least. I have never posted anyone's personal info. and I am sure never will. But many of us know each other past our alias. So therefore that's the assumed risk we take in business through gui interface..

Maybe my "quick reference section to scammers" is not a great or even good idea, but just wanted to convey my thoughts about this issue.

Any-thoughts guys???


Maybe he's worried about being perceived as a scammer. Or maybe he does business in other areas which would be impacted by having his real name associated with activities like spamming or using a botnet. Aside from the purely legal ramifications, I guess that would definitely impact his bottom line. But then why continue to spam? Why knowingly participate in these activities if you weren't already well aware of the risks?

I'm intrigued to see if he appears anywhere else out there in terms of forum postings. Having said that: I have a life. I'm not going to knock myself out about it. Digging this bit of info didn't take long at all. I like to keep it that way.

It appears that Lynn was correct in identifying Servman. (Surprise!) I'm still not sold that he's effectively identified anyone else, or that doing so has had the desired effect.

SiL / IKS / concerned citizen

Thursday, December 27, 2007

Elite Herbal, GenBucks, SanCash and Tulip Labs

Happy Holidays.

There was a flurry of activity in the weeks of December before the Xmas holiday. I saw a lot of diligent reporting of the activities of what is arguably the most annoying and least-compliant illegal spam operation in the world today: the mailers of the pernicious "Elite Herbal" penis enlargement herbal remedy products.

If you have an email address at all, of any sort, whether you've ever given it out to anyone or not: you've more than likely seen this spam, though fortunately most of it ends up where it belongs, in the junk folder. This doesn't stop the spammers behind this "product" from sending multiple copies of the same messages every single day to you.

Elite Herbal is one of a batch of products promoted via what is known as the SanCash program, a spammer affiliate program sponsored by bulkerforum.biz members Sancash and Azzy. Several members of bulkerforum.biz are active mailers for that program, notably "Moneyminters", a non-compliant mailer going back several months now at least.

Starting in July of 2007, the spam research blog Spam In My Inbox began investigating who was behind the relentlessly high volumes of spam he continued to receive for this unwanted product. He did quite a bit of due diligence and appears to have been very forthright in trying to find specific contact information for who was behind Elite Herbal itself. All initial contact was ignored (of course) whenever posted via one of the spamvertised fly-by-night websites.

He discovered that IP addresses associated with the spammed websites belonged to a company claiming to be called "Tulip Lab Pvt. Ltd.", located in Mumbai, India. He attempted to contact them regarding the mountains of unwanted spam emails. He never once received any kind of response.

Using some clever technological tricks, he entered an order into one of the spamvertised sites, but while doing so he carefully also entered some tracking code of his own (I'm not privy to what he specifically did, but I have my own theories.) This meant that any computer which viewed his order would report back to him regarding its IP address. He reported on this on July 4th, 2007, stating that his order had been viewed from an IP address belonging to a DSL Internet provider known as iHug (now a division of Vodafone), located in New Zealand. He complained to iHug and provided his evidence. They took action and investigated the offending account, eventually shutting it down. That IP address turned out to be directly related to one Shane Atkinson, a spammer who has been uncovered at least once (back in 2003) and who had claimed to have given up spamming altogether.

He also noticed that an IP address belonging to Tulip Lab also viewed his order. He documented all of this.

In August, 2007, the spam runs for Elite Herbal intensified. I myself noticed an increase from the usual 14 - 22 messages a day which were received to my control monitoring account, to upwards of 24 - 33 per day, all promoting only Elite Herbal.

In September, SpamInMyInbox wrote an open letter to Tulip Lab and those who supported them. He asked why they continue to allow spammers to promote their "products", and asked for verification as to what the correlation was of the Tulip Lab IP address to the order he placed. He sent an email version of that open letter to the operators of Tulip Lab, cc'ing numerous India-based media outlets and newspapers, and the Pharmaceuticals Export Promotion Council in India, of which Tulip Lab was a member.

Nothing happened for a while after that, but the spam maintained its ridiculously high numbers on a daily basis.

Then in December, the BBC4 program "The Investigation" hosted by Simon Cox aired a half hour program which investigated this exact same rampant spam operation. Since it was the BBC, it appears that they got deeper access than an average individual would otherwise get. They took all the same steps as SpamInMyInbox did - placing an order, waiting to see if anything happened, drawing the same conclusions as to the involvement of Tulip Lab, and eventually contacting the author of SpamInMyInbox himself, which provided them the link to the New Zealand spammer behind his particular spam messages, and those received by the BBC themselves. They further correlated that an affiliate program known as GenBucks had several connections to Tulip Lab and Elite Herbal.

They also directly contacted Shane Atkinson, asking why he had spammed them and others. Atkinson answered that he was a spammer in the past, but claimed that "we've closed all that down years ago", before abruptly ending the interview.

The next day, law enforcement in Christchurch, New Zealand performed a raid on four addresses and "seized 22 computers and boxes of documents ... as it investigates an international spamming operation". [scoop.co.nz]

This harsh spotlight has recently caused the spammers behind this setup to hide like a bunch of cockroaches. The day after the BBC investigation aired, the author of SpamInMyInbox was told by the BBC that Tulip Lab was apparently going to sue him for what they claimed to be "harassment" (likely related to the numerous unanswered inquiries which pretty much anybody would like an answer to: why are they still spamming everybody? Why do they condone spamming? Why do they allow it to happen in such high volume related to one specific product of theirs? Etc.?)

This ruffled some feathers over on BulkerForum.biz. One member named "icanspam" posted a link to the story, and made the same assumption that the BBC did: that Shane Atkinson was the spammer behind this particular spate of annoying Elite Herbal spam runs. This caused other bulkerforum members to pipe up, and several of them were definitely in some distress concerning what appeared to be the exposition and shutdown of the Elite Herbal program run by Sancash. Some excerpts:

TOPIC: SANCASH.. What's going on ?
mic141414

Joined: 12 Jul 2007
Posts: 37
Posted: Thu Dec 20, 2007 8:19 am
Post subject: SANCASH.. What's going on ?

they are offline .. been like that the last 3-4 days.
Commissions NOT paid this week.

Anyone has news on that ??

I am a little worried for my $$
thanks


In the thread: General Talks: raided suspected spammers in Christchurch:

ubuntu

Joined: 06 Feb 2007
Posts: 12

Posted: Thu Dec 20, 2007 10:26 am
Post subject:

not sure if this is sancash

this is related to this audition.. and hmm.. looks like GB...

http://www.bbc.co.uk/radio4/theinvestigation/pip/uvboh/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

jhood

Joined: 23 Oct 2006
Posts: 151

Posted: Thu Dec 20, 2007 11:51 am
Post subject:

thanks for link ubuntu..

eliteherbal/manster IS SanCash

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

icanspam

Joined: 10 Aug 2007
Posts: 52

Posted: Thu Dec 20, 2007 2:22 pm
Post subject:

SA?

Shane Atkinson, bro.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

mail4spart

Joined: 15 Sep 2006
Posts: 33

Posted: Thu Dec 20, 2007 5:18 pm
Post subject:

I know Shane is a straight up guy and doesn't deserve all this heat. I hope he can survive this like he did last time he came under a lot of heat before him and his brother. He has been running a smart business for a long time and looks after his people and if he has to shut down the biz there will be many affiliates affected and unpaid.


I guess, in spammer talk, "smart business" translates to: "violating court orders to promote fake products illegally using botnets" because that's precisely what Shane Atkinson was doing.

I checked moments after those postings were made, and the domain sancash.com was unresponsive (and still is.) Suddenly, I saw no spam whatsoever for Elite Herbal. All of a sudden. Just like that. Instead, the spammer who's chosen to keep sending to my control account had switched to stock spam. Many other rather sudden changes also ensued, all very much noticed by SpamInMyInbox in further investigations he pursued, all posted on his blog. It was clear that whoever was responsible for this spam specifically wanted to suddenly and completely remove any trace of connection between Sancash, GenBucks, Elite Herbal and Tulip Lab. It struck me (and others) as a rather clumsy and desperate move.

It's worth mentioning that this is not the first time I and others have investigated and taken action against this group of companies. Last November, in 2006, I and several colleagues performed our own investigation into the operation of several spamvertised sites promoting a bogus product known at that time as "Spur-M". We discovered that they used a third-party back-end server, hosted and owned by GenBucks, for the processing of credit card orders. We also noticed quite a bit of correlation between the domains registered for the Spur-M websites and the GenBucks affiliate program.

The same day, I created what became known as "The Spur-M-Enator™" which allowed for several thousand automated, believable, and completely fake orders to be placed at these back end servers. I released it to a handful of colleagues and we all left it running in the background for several hours.

This definitely made them mad, but never once did they stop spamming us. We increased the volume of fake orders per hour, which we know for a fact caused them to lose a considerable amount of time in processing and verifying the orders themselves. We could tell they were upset by this because the back end servers previously never output anything. Now they were outputting a bogus message about how our hard drives had been completely downloaded, or some such nonsense. It didn't stop us. What did stop, after a few days, was any spam - or indeed any mention - of Spur-M as a product. Instead all such spam numbers were focused on stock spam, a trend we notice they tend to fall back on when something isn't going as planned.

They later created "ManXL" and "Manster" as the replacement name for "Spur-M". In the BBC investigation, the label on the bottle which was eventually received from Elite Herbal said that the product was actually called "Manster." That definitely connected more dots for us, and confirmed that for two straight years now, we'd made it difficult for this pernicious operation to profit from relentless spamming. I should hope that this has cost them considerable effort and lost profits, and that further arrests will be forthcoming.

Over the holidays I noticed that all such "Elite Herbal" spam has now been replaced either with more Stock Spam, or spam initially promoting "Express Herbal" and then later "VPXL", yet another so-called Penis Enlargement herbal remedy (though the header banners on these sites actually still say "Express Herbal". They can't seem to focus much.) The cycle repeats again, apparently.

This is very obviously the same criminal group, and the shutdown of Shane Atkinson's operation has clearly not diminished the amount of spam I continue to receive for this particular product. As happy as I am (and many others are) to see the death of the Elite Herbal "brand", it doesn't appear to be diminishing any of this bogus "herbal remedy" spam at all.

In the days following the raid, SpamInMyInbox dug even deeper into what he had discovered on Tulip Lab and GenBucks. I'll leave you to read it for yourself, but trust me: it's outstanding research, and makes it even clearer just how guilty all of these parties are in perpetrating illegal spamming of an unwanted product to the world at large.

I and others are determined to find out who, specifically, is continuing to flood our inboxes with this scourge, and will continue to assist law enforcement in finding and shutting down every last one of these malicious criminals.

Tulip Lab and GenBucks: get the message. We hate you. We hate your "products" and we hate the fact that you seem to employ ONLY illegal spammers to do your promotions for you. Your days are numbered. Count on it.

SiL