Monday, August 10, 2009

I just won the Microsoft, Toyota, Yahoo and MSN Lottery!

Advance notice: sarcastic use of quotation marks ahead. You have been warned.

As I posted previously, I "win" an awful lot of "lotteries" on a daily basis, and I "inherit" insane amounts of money from total strangers I have never heard of, every single day. So do you, most likely.

I thought I would update this blog to announce that my "lottery / inheritance" tally surpassed the Ten Billion dollar mark earlier today. (In US dollars.) That's Billion, with a bold, capital B.

To put that in perspective, I've been keeping my running total (it's right there in the right-hand column of this blog) since November 17th, 2008. That's only 267 days. That means for every single day since then, without fail, I have been either winning or inheriting or otherwise gaining a total of $37,472,423.71 -- EVERY DAY!

Ask yourself: how likely is that in the real world?

Of course: no, I have not actually "won" or "inherited" anything. Nor has anyone else. The sad truth is that numerous unwitting individuals (I would use a far less charitable term here than that, but bear with me) fall for these scams on a daily basis. The only reason I see so many of these is that I clearly happen to have email addresses which are on a very poor list, one which some Nigerian idiot spammer continues to send these messages to on a daily basis, unaware that perhaps 99.999998% of all recipients are clearly never going to fall for this.

But every month, we all continue to see news stories about apparently normal, bright individuals who have fallen for these criminal scams. I am absolutely baffled by this, but the fact remains: people are sending their hard-earned cash to anonymous criminals who they have never met and had never heard from before, under the impression that they will "win" or "inherit" the same kind of money I have been on a daily basis.

There have been recent stories covering the unscrupulous Nigerian (or otherwise West-African) scumbags who perpetrate these criminal acts on a daily basis, making a point to mention how much harder it allegedly must be for them now that the economy has taken a turn for the worse. Note this one, for example:

U.S. authorities say Americans -- the easiest prey, according to Nigerian scammers -- lose hundreds of millions of dollars a year to cybercrimes, including a scheme known as the Nigerian 419 fraud, named for a section of the Nigerian criminal code. Now financially squeezed, Americans succumb even more easily to offers of riches, experts say.


How, I must ask, is this still possible? It isn't like this is some brand-new type of scam. I've been receiving them - as have most people I know - since at least 1998. I knew by the fourth or fifth one that these were fake, and this was at a time when the criminals behind this used to actually set up fake "bank" websites, and send emails using these custom domains. Those days are long gone.

Anyone receiving a message claiming that they are the "beneficiary" of anything featuring a reply address that is based in Gmail, Yahoo, Hotmail, Live.com, Sify Mail, Excite, Mail.ru, jJail.co.za or Indiatimes.com, let me be frank:

USE YOUR BRAIN!

Does YOUR BANK contact you using any of these services?

Does ANY GENUINE LOTTERY contact you via these means?

Would any REAL LAWYER send you a legitimate message using Yahoo.com?

USE YOUR BRAIN!
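The tell described above, a reply address at a free webmail provider combined with the "winner" / "beneficiary" vocabulary, is easy to turn into a mail filter. The following is an added example, not code from the original post: it parses a raw message with Python's standard email library, checks the Reply-To (falling back to From) domain against the freemail providers the post names, and looks for the usual lottery / inheritance wording. The sample messages and their addresses are constructed for the example.

```python
"""Flag advance-fee ("419") lottery / inheritance mail using the tell described
in the post: a reply address at a freemail provider plus "winner" vocabulary.
Added example; the messages below are constructed, not real spam samples."""
import email
from email import policy
from email.utils import parseaddr

# Freemail providers named in the post (lower-cased). Extend as needed.
FREEMAIL = {
    "gmail.com", "yahoo.com", "hotmail.com", "live.com", "sify.com",
    "excite.com", "mail.ru", "indiatimes.com",
}

# Vocabulary typical of the lottery / inheritance pitch.
SCAM_WORDS = ("lottery", "beneficiary", "inherit", "winning", "jackpot", "award")


def domain_of(header_value):
    """Return the lower-cased domain of an address header, or '' if none."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def body_text(msg):
    """Plain-text body of an EmailMessage (empty string if there is none)."""
    part = msg.get_body(preferencelist=("plain",))
    return part.get_content() if part is not None else ""


def score_message(raw):
    """Return (flagged, reasons) for one raw RFC 822 message.

    A message is flagged when the effective reply domain is a freemail
    provider AND the text carries scam vocabulary; a mismatch between
    Reply-To and From is reported as a supporting reason."""
    msg = email.message_from_string(raw, policy=policy.default)
    reasons = []
    from_dom = domain_of(msg["From"])
    reply_dom = domain_of(msg["Reply-To"]) or from_dom

    freemail_reply = reply_dom in FREEMAIL
    if freemail_reply:
        reasons.append(f"reply address at freemail provider {reply_dom}")
    if msg["Reply-To"] and reply_dom != from_dom:
        reasons.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")

    text = ((msg["Subject"] or "") + "\n" + body_text(msg)).lower()
    hits = [w for w in SCAM_WORDS if w in text]
    if hits:
        reasons.append("scam vocabulary: " + ", ".join(hits))

    return (freemail_reply and bool(hits), reasons)


# Constructed samples (addresses use reserved example domains).
SCAM_MAIL = """\
From: UK National Lottery Claims Dept <claims@lottery-hq.example>
Reply-To: Agent Okoro <claims.agent.okoro@yahoo.com>
Subject: CONGRATULATIONS! You are a winner
Content-Type: text/plain; charset="us-ascii"

You have been selected as the beneficiary of the UK National Lottery.
Contact our claims agent to receive your winning of 1,210,000 GBP.
"""

LEGIT_MAIL = """\
From: Online Banking <service@bank.example>
Subject: Your monthly statement is available
Content-Type: text/plain; charset="us-ascii"

Log in to your account to view your statement for this month.
"""

if __name__ == "__main__":
    for name, raw in (("scam", SCAM_MAIL), ("legit", LEGIT_MAIL)):
        flagged, reasons = score_message(raw)
        print(name, "FLAGGED" if flagged else "ok", reasons)
```

The freemail check alone is not a verdict (plenty of legitimate people write from Gmail); it is the combination with the lottery pitch that the post is pointing at, which is why the function only flags when both are present and reports the Reply-To mismatch as supporting evidence rather than a trigger.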

Honestly! Every time I hear another story about some moron victim who spends the better part of eight months continually sending more and more money to a complete stranger, via Western Union, I have to ask myself: how do you people remember to do normal things like drive to work every day? Or vote? Or decide not to drink turpentine every morning?

So to summarize:

The following "lotteries" do not exist, have never existed, and in all likelihood will never exist in the future:
  • The Microsoft Lottery

  • The Microsoft / Yahoo Lottery

  • The Microsoft Mega Jackpot

  • The Microsoft Security Department (UK) Euro Afro-Asian Lottery [what?!]

  • The Microsoft Email Lottery Award Promotion

  • The Microsoft and UK National Lottery

  • The National Lottery Powered By The Internet [what?!]

  • Golden Neo Life Diamite (GNLD) International Lottery Award [what?!]

  • Surf Lottery International

  • The UK Free Lotto Sweepstakes

  • The UK International Lottery

  • Beijing 2008 Olympic Promo Lottery

  • Chevron Award Programme

  • The Microsoft Email Draw

  • Microsoft MSN Award Team

  • Microsoft Promotion 2008 / 2009 / any future year

  • The Yahoo Lottery

  • The Yahoo Lottery Award International Program

  • Yahoo International Lottery

  • The Yahoo / MSN Lottery

  • The Yahoo / MSN Lottery Inc & Windows Live

  • The Google Lottery International

  • The AOL / Microsoft Mega Jackpot Lotto Winnings Programs

  • The Nokia Online Lottery

  • The FedEx International Lottery

  • The Royal Dutch Shell Awards-International Programs

  • Euro Millions Promo Lottery

  • The Canada Lottery

  • The Canada / UK Lottery

  • Canada Lottery / Email Draw Ontario 49

  • The National Postcode Lottery (From the Netherlands, every time I see this one)

  • The iWin Lottery Promotion Company

  • Ecowas Donations 2008 Lottery

  • Ecowas Donations 2009 Lottery

  • The Glo Mobile Africa Lottery

  • The BMW Lottery / BMWLand Lottery

  • The Toyota Lottery

  • The Lefthanders Lottery [seriously?!]

  • The Chevron/Texaco International Online Lottery Promo Programme

  • The Email Bonus Lotto

  • Electronik Lottery International Email Promotion

  • The Sponsor Bingo Lottery Email Sweepstakes Programs [what?!]

  • The United Nations Lottery

  • The FBI Lottery

  • The Coca-Cola Lottery Promotion / Coca-Cola Lottery

  • Online Lottery Award Promo Board

  • The British International Lottery Promo (See below, however)

  • The Asia Power Ball Online Lottery Promo
I've "won" the UK National Lottery the most of all of these, averaging 1.21 million GBP (UK Pounds Sterling) on a daily basis, every single day since Nov. 17th, 2008.

The following lotteries do exist, and they have legitimate websites where you can verify whether you have "won" anything or not (hint: you haven't, not if you've been told you did by anyone sending you a message using any freemail-hosted email address.)

* The UK Lottery [note their lottery scam page, so you can tell for sure that they will never email you.]
Note also: the UK National Lottery is located in (duh) the UK. They do not have any "representatives" anywhere else in the world, and they certainly don't have any representatives anywhere in continental Africa (again: USE YOUR BRAIN!)
* The UK Thunderball Lottery
* Stichting Exploitatie Nederlandse Staatsloterij. But please note: they never, not once, not ever, refer to themselves as the Netherlands National Lottery. It is always the "Staatsloterij", and they also feature a scam warning page, in both Dutch and English. Tell your friends.

Lotteries which I consider questionable since they offer no secure means of registering online:

* The Euro Lottery. It features an insecure registration form and no method of verifying their legitimacy.

Here is some further reading to educate yourself, and others you know. Clearly the word hasn't gotten out well enough or I wouldn't still be seeing any of these messages, and therefore would not also be a ten-Billionaire.
SiL

Monday, July 27, 2009

Yahoo Groups: Wake Up!


Back at last, after a lengthy hiatus. (Although, that does not mean that I haven't still been active in my research or activities against the major criminal spam operations.)

As many of you have no doubt noticed, a great deal of spam which is being delivered and not flagged as spam now routinely contains a Yahoo Groups URL. This is the latest approach that most criminal spam operations have chosen to take in order to evade blacklists and spam filtering systems, riding on the previously good reputation of Yahoo Groups.

Of course the goal is to get the message delivered, have the recipient click on the link, and when they get to the Yahoo Groups page: click on a secondary link which inevitably leads to a Chinese registered and hosted domain. (e.g.: hurrynote.com, win3821.com, sexyrise.com.) Each of these leads to the usual crap these morons continue to shove down our throats: "Canadian Pharmacy" (A Spamit / Glavmed property, as previously covered here and in many other blogs), "Gold VIP Club Casino", "Acai Berry" and "OEM Downloads".

To say that this is a huge problem for Yahoo is a vast understatement. I just checked two mail accounts for the main domain I operate, and over the past eight hours I captured 810 spam messages featuring a Yahoo Groups URL. After sorting and de-duping, I end up with 710 distinct URLs. That's just within eight hours, and this past day or so has actually been a lighter day than most.
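The sort-and-de-dupe step mentioned above (810 captured messages down to 710 distinct Yahoo Groups URLs) is the part worth automating when the volume is this high. The following is an added example, not the blog author's own tooling: it pulls every groups.yahoo.com URL out of a batch of message bodies, normalizes them (lower-cased host, trailing slash and query string dropped, trailing punctuation stripped) so the same group is counted once, and reports totals. The message bodies and group names are constructed for the example and do not refer to real groups.

```python
"""Extract and de-duplicate Yahoo Groups URLs from a batch of spam bodies.
Added example; the sample messages below are constructed."""
import re
from collections import Counter
from urllib.parse import urlsplit

# Match a groups.yahoo.com URL up to whitespace or a closing delimiter.
YAHOO_GROUPS_RE = re.compile(
    r"https?://groups\.yahoo\.com/[^\s<>\"')\]]+", re.IGNORECASE
)


def normalize(url):
    """Canonical form of a group URL so variants collapse to one entry.

    Trailing sentence punctuation, the query string (spammers vary it per
    message) and a trailing slash are dropped; scheme and host are lower-cased."""
    parts = urlsplit(url.rstrip(".,;"))
    return f"{parts.scheme.lower()}://{parts.netloc.lower()}{parts.path.rstrip('/')}"


def extract_group_urls(messages):
    """Return a Counter of normalized URL -> number of times it was seen."""
    seen = Counter()
    for body in messages:
        for raw in YAHOO_GROUPS_RE.findall(body):
            seen[normalize(raw)] += 1
    return seen


def summarize(messages):
    """Totals in the same shape as the post's tally: messages, hits, distinct URLs."""
    counts = extract_group_urls(messages)
    return {
        "messages": len(messages),
        "hits": sum(counts.values()),
        "distinct": len(counts),
    }


# Constructed sample bodies; group names are invented for the example.
SAMPLE_MESSAGES = [
    "Best prices here http://groups.yahoo.com/group/sample-grp-a/ order today",
    "Hurry: http://GROUPS.YAHOO.COM/group/sample-grp-a",
    "Visit http://groups.yahoo.com/group/sample-grp-b?from=mail.",
    "Plain text message with no link at all.",
    "Two offers: http://groups.yahoo.com/group/sample-grp-c and "
    "http://groups.yahoo.com/group/sample-grp-d/",
]

if __name__ == "__main__":
    for url, n in sorted(extract_group_urls(SAMPLE_MESSAGES).items()):
        print(n, url)
    print(summarize(SAMPLE_MESSAGES))
```

The normalized list is what you would feed into a report, one line per distinct group, rather than re-reporting the same group for every copy of the spam that carried it.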

As usual this process is 100% automated, as has been the creation of fake Yahoo or Hotmail accounts for use in spamming, "internal mailing" (i.e.: sending spam from within a service like Yahoo Mail to a large number of Yahoo Mail recipients) and automated forum spamming using software such as Xrumer. (That's a separate discussion, but the automated registration of a Yahoo, Hotmail or Gmail account is always tied to this functionality.)

Unfortunately, Yahoo as a company has been extremely resistant to any requests to discuss this epidemic hole in their service. Previously, around mid-2008, we saw the same abuse taking place on Blogger (blogspot.com), MSN Live Spaces, and Google Groups. In each of those cases, I and several of my colleagues were able to contact someone in a high enough position at each of those services to discuss possible solutions and / or faster and more efficient means of stopping this abuse from continuing. In each case, each of the services came up with distinct and very rigorous countermeasures to stop this abuse from continuing. It's now extremely rare that I or anyone else sees any spam featuring a URL from any of those services.

Additionally, again during the same time period, several spam blocking lists chose to highlight the problem by including Blogspot.com and Google Groups domains in their blocklisting services. This is bad news for a previously whitelisted service such as Blogspot, and this made Google and Blogger take notice, and more importantly take very swift and proactive action against this abuse.

Another good example: Bit.ly, a URL-shortening service, was also the subject of sustained auto-registration of spamvertised URLs starting in May of 2009. Several readers of this blog contacted me noting that after they contacted Bit.ly's operators, that service came up with a very swift and effective means of trapping these illicit URLs and cancelled them, placing an anti-spam advisory on the resulting page instead. This was a great course of action since it had the added benefit of educating whoever the numbskulls are who actively click on and purchase from spammed domains.

Yahoo Groups, in very stark contrast, has instead chosen to stick their head in the sand regarding this issue.

Attempting to report one single URL requires that you go to their Yahoo General Abuse Reporting Form. The form requires that you break up your complaint into several segments, including the headers, the alleged "Yahoo ID" of whoever it was that created the group (which is, again, auto-generated by the criminals behind this activity), post the body of the message, provide details of why this is abusive, and enter a provided Captcha value.

Posting this form can eat up a couple of minutes, and that's assuming the captcha value actually works (my rate is around 7 for every ten that appear to be correct. I have 20/20 vision, so something is definitely wrong with Yahoo's captcha generation scheme.)

Having said all of that: the offending Yahoo Groups URL is shut down fairly quickly. But let's get serious: over the past eight hours I have just over 700 of these to report. At that rate, and this is assuming I have nothing better to do with my day, that would take hours and hours to do. And this is only for me. Who knows how many have actually been registered? It could easily be millions.

When I received the automated response which results from sending these reports, I continued the conversation, asking who I could speak with regarding the huge numbers of abused domains I still had left to report. I was sent another boilerplate response which ironically included the advice that I instead filter my email to exclude any messages containing Yahoo Groups URLs.

Seriously? Yahoo Abuse: Are you high?

Given that Yahoo has recently been the subject of several takeover bids, especially on behalf of Microsoft, and also given that Yahoo as a corporation has undergone several employee shakeups, I can see how this might not be very high on the list of things to take care of, but come on.

As we speak: thousands of Yahoo Groups domains are being used within spam campaigns which are promoting the sale of illegal products. These sites are run by organized criminals. They are sponsored by affiliate groups such as Spamit or Glavmed who profit at the expense of their customers' health, and who often steal the personal and credit card data of their customers.

Yahoo, as we speak, is aiding these criminal activities. Plain and simple.

I wish I had any further information regarding how to report this abuse more efficiently, but even Yahoo themselves have discouraged me from even trying. Nice work, Yahoo.

So I urge Spamhaus and the operators of any of the other Blocklists out there to include groups.yahoo.com on their blocklist. It looks like this is the only way anyone at Yahoo will take this issue seriously, and even that is debatable.

Yahoo Groups: WAKE UP!

SiL / IKS / concerned citizen

P.S. Here are a couple of related articles regarding this persistent problem:

Spamnation: Yahoo vs. .CN
All Spammed Up: Major Spam Attack Hitting Free Web Services

Tuesday, April 21, 2009

Who Put The "Canadian" in "Canadian Health&Care Mall"?

It's alarming just how many lies a single spam message can have. Join me as I dissect just one botnet-delivered spam message on behalf of "Canadian Health&Care Mall", a well known bulker.biz property (aka bulkerbiz.com, currently in transition as previously mentioned.)

******* 0nline Canadian Pharmacy Mall *******
NoPrescription needed for CialisLevitrvViagra, Hairloss treatment, WieghtLoss & all
others..


Right out of the gate: lies.

The domain, which they carefully placed at the end, is:

http://gipg.vbjeozwe.cn

That's ".cn" as in "China." Not Canada. Hosted on IP address: 89.134.141.124. That's in Budapest, Hungary.

That in turn redirects to:

http://canadapharmacymall.com/

A domain which has been especially difficult to shut down, thanks to the deaf ears of ename.com, registrar of choice to many illegal spam operations.

Hosted on IP address: 200.206.237.78

That's in Brazil. And guess what? It's a hijacked Unix server. The actual owner of that server has either abandoned it or is otherwise not using it for web hosting purposes.

So: "Canadian"? Lies!

ViagraFrom $1.85
CialiFrom $2.40
SomaFrom $1.06
TramadolFrom $1.39
LevitrvFrom $2.5
& ....


The site says "as low as". I guess this is the first non-lie. But it's all downhill from here.

** How to buy Canada Drugs:


Again: nowhere near Canada.

0rdering Canada drugs from a Canadian Pharmacy Mall, and finding relief, has never been easier! You can place your 0rder online as easy as 1-2-3. Regardless of how you order, your needed drugs will arrive quickly and safely - in about 7 days.


Bait orders were received in a matter of weeks, not days. It sure is easy, though. With no secure server, and no confirmation as to when your order ships, or anything else regarding the use of your personal data or credit card information, I guess that is "easy." It's just that it isn't particularly safe.

Oh and of course: the pills contained only trace amounts of the alleged "active ingredient". The rest was "filler material". You are wasting your money by purchasing from these criminals. But you knew that already, right?

You can also find, view and track your order, or make changes to your personal medical file at any time, from the comfort of your own home.


More lies. "Personal medical file"? They create no such thing. They capture your order using zero security, and throw that information to an as-yet unknown third party host where the order is processed. This is usually a server in Russia, and the fulfillment of the order takes place usually in India. (Again: How close are we to Canada now?)

Order tracking is, at best, spotty. You are only told one of three things:

1) Your order has been received.
2) Your order has been processed.
3) Your order has been denied.

No individualized order tracking in the way that a legitimate company would do. They only use international postal mail (which, by the way, since they sell controlled substances, is a violation of international law, and violates several DEA and FTC guidelines.) As a result: the consumer is left completely in the dark regarding whether the order has shipped, or when it can be expected to be delivered.

Lies!

Why not go shopping on our site and see the wide selection of top Canadian prescriptionDrugs and available discount prices for yourself? We think you'll agree that family values are alive and well at Pharmacy Online!


"Family values"? So far we're up to:

- Lies about where they claim to be located.
- Hosting on hijacked Unix servers
- Fake and / or dangerous drugs.
- Lies about how long the order takes to ship
- No security whatsoever.

I don't see any "family values" in any of that. Didn't their mothers ever teach them that lying is wrong?

** Canadian Pharmacy 0nline Testimonials:
Here's what some satisfied customers had to say:


Oh this should be good.

"I reviewed an AARP bulletin online (Sites to See: Getting Prescription Drugs Safely From Canada)... This article suggested checking with the following organizations when buying meds from Canada (Canadian Pharmacies):

1. CIPA: Canadian International Pharmacy Association
2. IMPAC: Internet and Mailorder Pharmacy Accreditation Commission
3. Pharmacy Checker

In reviewing all the above, I could only find two Pharmacies that were recommended by all three... and one was Pharmacy Online.

I highly recommend Pharmacy 0nline for all meds purchased from Canada... Most important, I ordered on the 20th of January and received them on the 27th of January... Thank you again for being there..."


Wow. They just don't know when to quit.

Bait purchases had Indian postal stamps on them. That's some 6,902 miles or 11,108 kilometres from Canada. Nice try, though, "I".

AARP: That's the American Association of Retired People. There is a report, as mentioned, and it lists each of the three organizations listed above (article available here). No representatives from the AARP responded to a request for comments on this claim, but try and find a single report that mentions "Canadian Health&Care Mall", or bulker.biz in a positive light. Go ahead I'll wait... :)

CIPA, if you contact them, are very much aware of this illegal online pharmacy and do not endorse or support this group, or any of the sites that they promote via illegal spam or otherwise. They're also well aware of the abuse of their logos and organization name within these illegally sent spam messages, and on the websites they drive to.

IMPAC (Internet and Mail-Order Pharmacy Accreditation Commission) is also aware and (hey guess what!) also denies any endorsement of this site, or this affiliate program. Their site also features a list of actual IMPAC accredited pharmacies (located here) and (hey guess what!!) "Canadian Health&Care Mall" is nowhere to be found. There are only three online pharmacies on that list, so it doesn't take much time to figure out that this group is telling outright lies.

Pharmacy Checker, as you might expect, also says that they do not at all endorse this group, and further that their logos and organization name are being used illegally by this group.

By the way: who is this quotation from? Who is this "I" they refer to? And why do they suddenly refer to this site as "Pharmacy Online"?

Lies.

"I got on the Internet looking for (Canadian 0nline Pharmacy) alternatives and most of the companies were either not registered with the Better Business Bureau or had bad reports. Yours was registered and had a very good report..."


Really? (Again with this nondescript "I" person.)

If you do a simple, non-strategic search for "Better Business Bureau Canadian Health&Care Mall" the first link you get has a headline of "Online Pharmacy Questionable: Canadian Health&Care Mall" (here.) Separately, correspondence I and many others have had with the Better Business Bureau in numerous states has resulted in statements from their representatives stating outright that they do not recommend these sites, that they lie, that they pose a genuine risk to the public, and that they are notoriously difficult to shut down. They also state that their logos and organization name are being used by this group without any authorization or consent.

But hey: so is their hosting. So is their domain registration, which uses stolen identities and credit cards. So why stop there?

If I were to write a testimonial with some truth in it, it might sound more like this:

All of the research I could find on this shady "pharmacy" indicated that they were lying to me, but I purchased from them anyway. I know it sounds silly, since the only way I ever heard about this company was via hundreds of unwanted spam messages which I never asked to receive. I guess I figured "why not"? They certainly weren't going to remove me from their lists. After weeks of waiting I did finally get some pills but they weren't packaged very safely, and when I brought them to my doctor he said that these were essentially fake pills.


But people generally don't do this type of research before they hand over their credit card information. They should.

Please visit our Big Discount Canada Pharmacy Mall via below links
http://gipg.vbjeozwe.cn
http://gzts.vbjeozwe.cn


How about: please don't.

The days of this criminal group must be numbered. If this were a legitimate company with a head office and a CEO, they would be hauled into court for publishing lies like this. Because they are illegal spammers, and have operatives located in numerous offshore locations, they get away with it.

It is time for international law enforcement to recognize this group and others like it as more than a mere "nuisance" for spamming. They are committing numerous serious crimes without spamming even entering into the picture, and most of all, they are filthy liars.

Please tell anyone you know who has a requirement for pharmaceuticals that they should never, ever, buy from organized criminals, which is essentially what this group is.

SiL / IKS / concerned citizen

Thursday, April 16, 2009

What Is Going On At Bulker.biz?

As many of you who follow my blog know, Bulker.biz (more recently known as "bulkerbiz.com" due to coincidental shutdown of their previous domain in November 2008) is a spam-friendly affiliate I've talked about quite a bit.

The list of illegal acts they routinely take part in is available in the spamtrackers wiki entry devoted to their most popular spammable illegal online pharmacy My Canadian Pharmacy.

I noticed that rather suddenly, they have decided to secure their current affiliate portal, replacing it with an authorization setup, and a default message indicating they are changing their name yet again.


Site is closed. Please contact ICQ 333192431 for new address.

To see what it used to look like, even a mere four days ago, check out the Spamtrackers wiki entry here.

Isn't that interesting?

That ICQ address belongs to an individual who used to post on a variety of forums, notably Russian ones, using the username "ebulker". He specifically mentions in most of these postings that bulker.biz "doesn't care where your traffic comes from", indicating that they're very much aware that they spam illegally. But really, spamming is just the tip of the iceberg. These guys break so many laws on a daily basis that it's hard to believe nobody's gone after them. It would literally be like shooting fish in a barrel.

More as it happens, I suppose...

SiL / IKS / concerned citizen

Thursday, April 9, 2009

An open letter to new US FTC Chairman Jon Leibowitz

The following is a letter which has been drafted by many of the members of the Fight Spammers Forum at InBoxRevenge.com to Jon Leibowitz, who was appointed as the new chairman for the Federal Trade Commission. I think it deserves some exposure.
We very much support the efforts the FTC is taking to educate consumers about internet fraud and identity theft, and we recommend that everyone view the excellent materials online at ftc.gov. However, those types of problems require a level of coordinated effort beyond what any one individual or business can accomplish. We urge the next head of the FTC to see the big picture. And one obvious part of the picture is spam.

Spam is like a flashing light alerting us to far more serious criminal activity beneath the surface. By minimizing the severity of spammers' offenses, you lose the ability to expose and investigate much deeper risks to the US, even impacting on national security.

Spam -- unsolicited commercial email -- is a nuisance. Because it is so inexpensive to advertise through email, spam volume has ballooned to comprise the vast majority of email messages. And the majority of the spam being mailed advertises products that are fraudulent or illegal, whose sponsors do not care about building a positive brand image. Most users have little idea how much spam would be arriving in their inboxes if their internet service providers were not using strategies to block the worst of it.

This is obviously a problem in terms of time/money spent on spam filtering systems and in deleting spams that pass through filters. More importantly, the loss of valid emails due to spam filtering is making some types of email communication extremely difficult. Legitimate commercial email is lost in the deluge of spam messages.

But the problem in the inbox pales by comparison to the multiple layers of illegal activity spammers employ to circumvent users' attempts to avoid their garbage. Spammers are hijacking the computers of innocent users to send their email and host their web sites. They are using stolen identities to register their website domain names, and using stolen credit/debit/PayPal accounts to pay for them. Their websites flagrantly violate trademarks, fraudulently claim approval from agencies like the FDA and Better Business Bureau, use stock photos of buildings and people to create imaginary locations and corporate officers for themselves, display forged pharmacy licenses, and sell counterfeit copies of drugs still protected by patents within the US. They abuse voice-over-internet phone service, using US local phone numbers to give unwitting consumers the impression they are located within the US. They transmit protected health information and credit card numbers via insecure connections, and use fake images of SSL icons to deceive consumers about that fact. They require no prescription for drugs that require one in the US, often including controlled narcotics. They ship pills of questionable content into the US, competing with those produced under FDA oversight, and they smuggle them through customs via fraudulent declarations. They use spam emails to lure additional people to websites where their computers will become infected with malicious programs like computer viruses and Trojan horses, allowing the spammers to continue to expand their power to abuse the internet.

While CAN-SPAM attempted to provide a safe haven for legitimate emailers, it is totally ignored by the criminal spammers whose products would still be illegal no matter how "compliant" their emails might be. Enforcement is hampered because spammers can maintain anonymity by using other people's hijacked computers, and because many of the most prolific spammers operate in countries which tolerate or even condone their activities.

But the situation is not as hopeless as it would appear. Not all reasonable measures are being taken to control the problem. Spammers could not continue at this level of activity without the passive cooperation of legitimate businesses. For instance, there are multiple systems in existence to identify the hijacked computers and illegally registered domain names that spammers rely on to conduct their business. Spam filtering products rely on them to obtain the necessary information to identify spam. Yet that information is often ignored by the otherwise legitimate registrars, hosting companies and telecommunications services which have the power to do something about it.

Does anyone really believe the spammer smuggling counterfeit Viagra into the US is sitting at home at the address provided in the domain registration, waiting for law enforcement to drop by? Then why is there unwillingness to investigate and suspend these domains? Do internet service providers think their customers would rather not know their computers are controlled by strangers in foreign countries, sending spam and helping themselves to users' personal information? Then why are they so unreceptive to reports of hijacked servers within their own networks? Do banks consider it acceptable for their clients' credit card numbers to be stolen to register illegal domains? Then why is there no effort to identify and close the credit card merchant accounts being used to process orders at those same sites? And when it would be simple to block all traffic from rogue countries which allow these criminals to operate, why are US internet companies so lax at shutting down bots on their own networks, making it impractical for American companies to block traffic from the worst spam-spewing IP address ranges?

The other issue is that these armies of zombie computers, called "botnets," do more than just send spam or host websites. They are also used to conduct Distributed Denial of Service attacks. In such attacks, large numbers of computers access the resources of an internet target simultaneously, making it impossible for that web site to continue to operate without spending large sums of money for mitigation.

We in the antispam community saw an extreme example of such an attack in 2006 when angry spammers attacked the company Blue Security, whose product submitted automated unsubscribe requests for its members. The high volume of that DDoS attack not only shut down Blue Security, it knocked many other innocent firms off-line as well. Yet this was apparently dismissed as a private matter between Blue Security and the spammers, and there was no notice given of the potential risk to national security posed by criminals with control of such a powerful botnet. A year later, a DDoS was used to attack government agencies in the nation of Estonia. While our government expressed concern, there was little evidence of action. Now similar attacks on the nations of Georgia and Kyrgyzstan have been in the news, and non-governmental targets continue to be attacked for the purpose of extortion or harassment. This is more than merely a commercial or consumer nuisance; it is a threat to national security.

These botnets are in fact being purchased and maintained by the spam economy. That's the "military budget" keeping those "standing armies" available for rental by any terrorists who might wish to attack the US. There is serious potential for cyberterrorism to cripple significant parts of the US government and private sector, and spam is just one particularly visible part of the problem. The silly messages and sexually oriented products should not deceive anyone about the danger. We ask you to work to coordinate the various companies whose actions and inaction enable spammers to operate, so that the current state of extreme lawlessness can be brought under control.

-- from the spam and
internet security investigators
at InboxRevenge.com.

SiL / IKS / concerned citizen

Thursday, February 5, 2009

Glavmed responds - re: my Open Letter.

Welcome Glavmed affiliates who are linking here directly from the Glavmed site. :)

For a very brief period yesterday (Feb. 4th, 2009) the following statement was posted on many pages of the Glavmed portal site, and it makes it clear that they are seeing some negative attention as a result of my open letter:

We've received a few links from our partners, containing an open letter. This letter was published at http://ikillspammers.blogspot.com/2009/02/glavmed-open-letter-to-law-enforcement.html. This is far from the last time, when apparently our business rivals try to defame our partnership programme. But this is the first time, when they appeal to The FTC, The FDA and other law organisations.

We, Glavmed, want to make a statement, that all the allegations of this letter are absolutely false and incorrect. They denigrate the honour, dignity and business reputation of our company.

We'd like to answer this open letter item by item:

1.Glavmed don't sell, have never sold and will never sell any pills. Glavmed are CEO partnership programme, which run a network of online-shops. Its main task is accepting of buyers' order und data. We have a few commission contracts with well-known, absolutely licensed drug stores. We transfer this order to them for its execution. Glavmed's task is attracting of new customers and transferring their orders to these drug stores. After receiving the commission from these drug stores we share it with our partners. We don't sell pills. That makes a great difference.

2.Glavmed have clear rules against spam and viral spreaders. We've never accepted such traffic. All such accounts have been instantly banned or cancelled. It's very easy to check. Just register and try to spread spam!

3.Glavmed are really well-known long existing partnership programme. Unfortunately we have some problems. The schemes and designs of our sites are being constantly copied and stolen. A lot of our dishonest business rivals give their sites to be ours, copying everything - graphic designs, file names and product descriptions.

4.Our rivals allege that our drug stores' products have low quality. This is totally lie and defamation. We can show hundreds of feedbacks, proving high quality of our products. We also have independent test results. They prove that our products are being produced by indinan laboratories and up to claimed quality.

Unfortunately we can foresee the further organized pressure against our partnership programme, because normal business competition can't be provided by them. We really take care of our partners and our customers.


This message was removed sometime between yesterday and today. It is unclear why, although I would guess that they didn't want their own affiliates reading my posting. I and other researchers have also noticed that they are now blocking very specific IP addresses from viewing the Glavmed website.

A couple of obvious corrections need to be made right off the bat:

a) The letter was not written to you, Glavmed representatives. It was written to law and drug enforcement agencies, as well as to the media outlets that have been researching this.

b) I am absolutely not a "business rival".

c) I am not the only one who has been researching your organization. My letter is an account of the known, researched, verifiable facts regarding the scourge of unwanted Canadian Pharmacy websites. If I were trying to defame you, I wouldn't have nearly as much factual evidence in my letter.

So in response, I'll counter their bogus response point by point.

1. Glavmed claims on their front page (and I'm of course not altering their horrendous spelling and grammatical mistakes):

GlavMed is a BEST way to convert your pharmacy traffic into real money. Forget about miserable sums you're getting sending your visitors to PPC pharmacy results.

You're loosing at least half of YOUR money converting traffic like this. GlavMed offers you a possibility to eliminate any agents and sell most popular pharmacy products directly. It means 30-40% revenue share. features & benefits


Note the phrase: sell most popular pharmacy products directly. Which is it? Are they selling them or not?

Whether they sell the drugs themselves or not is ultimately irrelevant. They are part of a long chain that gets illegally-produced FAKE and harmful versions of these products into the hands of unwitting members of the public. There is copious evidence to support this, and they know it.

Glavmed is an affiliate program. They get their affiliates (aka: spammers) to promote (aka: spam) the websites (hosted via rampant viral PC infections) to sell fake drugs to unwitting victim customers. Who do they send that order data to? They don't say. But they know who that is, and they know that they are taking these orders without any consultation with any pharmacist. They also do all of this with absolutely ZERO security or encryption, so you can imagine how they're treating the rest of your personal data.

2. Sure, they state on their website that they don't allow spamming, but as I mentioned: they removed any of the postings which made it clear that very active spammers are indeed a part of their program. Nowhere do we find ANY postings within their forum about any actual action taken against spammers. Literally everyone with an email address will know that Canadian Pharmacy is THE most spammed property on the Internet today, and has been for three years and counting. If they don't allow spammers, why is it still the most commonly found spam in the world today? You can have rules all you like. If you're not enforcing them: what does it matter?

As an aside, I and many other individuals have been complaining to Glavmed under numerous identities starting in May of 2008. I have personally sent, using several of my accounts, at least 25 very detailed complaints regarding spam messages I have received between May 2008 and January 2009. Guess how many responses I've gotten? Guess how much "action" I've seen on behalf of Glavmed, or anyone else claiming to represent this operation? ZERO! Guess where their abuse-reporting pages are on their site? THEY DON'T HAVE ANY!

This claim is utterly false. They take zero action regarding their KNOWN spamming affiliates, and they never will.

3. If Glavmed has been aware all this time that so-called third parties were ripping off their site designs, functionality and everything else: why haven't they drastically changed their entire design, branding, etc., or made ANY public statement regarding any of this? Why did they wait until someone like me exposed the whole setup for the obviously fraudulent operation that it is? This is an outright lie.

4. Again I will link to actual evidence (source) from a reputable company, IronPort, which placed orders from one of these sites and had the pills it received analyzed by a lab:

False Drugs Purchased

IronPort researchers followed the trail they uncovered and ordered sample pills from a pharmacy source in India. They then had an independent lab analyze the contents. The pills IronPort ordered contained sugar and some inert filler, Bhandari said.

A second test sampling from another online pharmacy purchase contained high metal content. The substances could be very harmful to unsuspecting consumers, he said.

IronPort-sponsored pharmacological testing revealed that two-thirds of the shipments contained the active ingredient but were not the correct dosage, while the others were placebos. As a result, consumers take a significant risk of ingesting an uncontrolled substance from overseas distributors, according to IronPort.


So in light of this report: I don't believe a single word Glavmed says, and I don't think anyone else should either.

Keep in mind: this is only one such report. There are others.

I notice that they make no mention whatsoever of the rampant illegal spamming which continues on behalf of Canadian Pharmacy. Nor do they broach the fact that as recently as October 2008 their site templates still contained bogus "sponsorship logos" for the Better Business Bureau, Verified By Visa and Pharma Checker, nor that they had made very public statements showing they knew full well that none of these logos were being used legitimately.

The Spamtrackers wiki entry for Glavmed contains a screenshot of the Glavmed sites page dating from July 2008 which shows the Canadian Pharmacy layout still featuring the bogus sponsor logos. (source.)

In addition: this howler of a claim:

"We can show hundreds of feedbacks, proving high quality of our products. We also have independent test results. They prove that our products are being produced by indinan laboratories and up to claimed quality."

Their claim that they have all kinds of feedback saying how great they are is meaningless.

Which "indinan laboratories"? Which "independent test results"? On behalf of whom? Published where, exactly?

Of course they will never say.

What about third-party, verified claims and lab tests that your products are genuine? What about third-party reports that your servers actually are secure? If I'm selling you a car and you ask me for verification that the car is in road-ready shape and is safe to drive, I can't just start typing you a recommendation myself. I would need a third party inspector to verify that my claims that this vehicle was safe were in fact true. Glavmed doesn't do this, nor have they ever.

"We really take care of our partners and our customers."

Really? I know for a fact that many of your customers would very much beg to differ.

Clearly my letter has hit a nerve. As usual, their response, as with many obvious spam operations, is more concerned with damage to their profits than anything to do with public safety, or the security of your personal data.

Glavmed's claims are theirs alone, verifiable by nobody, and easily countered point by point.

I stand behind every word of my posting. This is not defamation. Again: I am only one individual, but my posting links to research performed by literally dozens of others, from a very wide variety of technical, medical, security and other backgrounds.

Use your own judgement: Glavmed, and the entire operation they support, are liars and part of a criminal operation. The proof isn't just in my open letter. It's all over the place.

SiL / IKS / concerned citizen

Monday, February 2, 2009

Canadian Pharmacy and Glavmed: An Open Letter To Law Enforcement, The FTC And The FDA

To whom it may concern (and ultimately it concerns all of you.)

I write today to petition your attention towards a large-scale international illegal pharmacy operation known as Glavmed.

Glavmed are the sponsor program promoting the very-widely-spammed property known as "Canadian Pharmacy". (Hereinafter referred to as "CPh".) If you have an email address of any sort, it is very likely that you're at least mildly aware of Canadian Pharmacy. It's the most commonly spammed property on the Internet today, and shows no signs of slowing down whatsoever. CPh has been relentlessly spammed to millions of recipients for the past three years. Here is a screenshot of a currently spammed domain, dadsymbol.com:



Please note that depending on your geographic location, this same domain will appear as "Canadian Pharmacy", "European Pharmacy", or one of a variety of other variations on that brand name. They do this by looking up the geographic location of each inbound visitor's IP address. The overall layout and functionality remain the same.

The Websites

On the surface this appears to be a fairly innocuous website selling what appear to be legitimate pharmaceutical products. However, a little further examination shows that this is a site selling fake, knock-off, imitation versions of some widely-sold pharmaceutical products such as Viagra and Cialis. The clue that this is not legitimate is that they also sell the following products:


  • Viagra Professional
  • Cialis Professional
  • Viagra Super Active
  • Cialis Super Active
  • Viagra Soft Tabs
  • Cialis Soft Tabs
  • VPXL
  • Levitra Professional
  • Levitra Super Active

None of these products have ever been produced by the actual originators of the original Viagra or Cialis. These products have only been sold from shady, illegitimate online pharmacies.

Add to this that they have creatively spelled the names of one or more dangerously addictive and harmful products such as "Phentrimine", and offer another bogus version of this same product named "Herbal Phentermine", and it becomes clear that this is a company which is distributing products of dubious origin and manufacture.

All of these products are sold without any prescription, which violates several FDA regulations, especially for the sale of controlled substances such as phentermine.

Further (although technically speaking this is less of an issue than the risk to public health and safety): these sites' continued use of the brand name "Viagra" violates the trademark and intellectual property rights of Pfizer, which owns the Viagra name and the patent on its formulation. There is no such thing as "generic" Viagra, nor has there ever been. It is not legal to make -- or claim to make -- Viagra while Pfizer still holds the patent. The same is true of Cialis and Levitra.

Sales of these alleged "generic" pharmaceuticals violate the law in most countries around the world. Sale of the genuine products without consultation with a physician or a registered pharmacist is also illegal, and violates several sections of the US Federal Food, Drug, and Cosmetic Act.

Finally: sale of controlled substances - phentermine definitely qualifies, but again: who knows what's actually in the pills this "company" is selling to you? - is also against the law when done so without any registered pharmacist or a valid, authorized prescription.

This organization breaks several international laws, but more importantly it poses a very serious threat to the public's health.

Promotion Via Illegal Spam

The only way that perhaps 70% or more of the world has heard of Canadian Pharmacy is via the unrelenting, large-scale receipt of illegally-sent spam email messages. By "illegally-sent", I refer specifically to the fact that they (or someone or some group working on their behalf) send these emails using very large-scale "botnets" (definition) comprising thousands of compromised computers belonging to members of the public. Over the past three years, no fewer than six (6) IT security organizations have performed research on a variety of these botnets, most notably the Storm botnet, and discovered that one of the primary uses of this botnet was to send spam email messages promoting these CPh websites.

I myself have written on this blog and on numerous spam- and cybercrime-related forums regarding Canadian Pharmacy, and I've specifically been researching their operations starting in mid-2006. (previous posting) However I am far from the only individual researching this organization.

Finnish security company F-Secure posted research on November 11th, 2006 tying spam messages to spamvertised websites for CPh. (source) In that research they found that a PC infection then known as "Warezov" was capable of sending spam, and that the spam contained URLs for websites promoting what was then known as "Pharmacy Express." Pharmacy Express turned into Canadian Pharmacy in early 2007. The spam runs promoting these websites would often send tens of millions of messages to addresses around the world. The domain names of the Pharmacy Express sites were virtually identical in naming structure to the domains used as name servers for the sites serving as Warezov infection points, and to the domains used as name servers for both the Warezov infection sites and the CPh websites. More on Warezov and its functionality later.

Fast-Flux Hosting Via Hijacked Public Computers (Storm Worm)

Focusing again on the abovementioned domain, we can see that an unusual hosting arrangement is being used for the "dadsymbol.com" domain by running a "dig" command against that domain:



As you can see from this simple check, the website itself is hosted on rotating IP addresses. This is a technique known as "fast flux" hosting (definition), and it's used by these CPh sites to hide their true location. Research has shown that these IP addresses are, invariably, infected household PCs owned by individuals who are unaware that their computer has been taken over to support these illegally-operating websites.

The IP addresses in this particular example are all located in Beijing, China, hosted at three distinct companies:

China Network Communications Group Corporation
CHINANET hebei province network / China Telecom
Beijing Zhongbangyatong Telecom Technology Co.,Ltd

This Chinese hosting is not typical, however. Several researchers have discovered CPh sites using household DSL connections in the US Midwest, cable internet connections in Poland, and numerous other types of always-on cable or DSL connections around the world. All of this is believed to be provided by the Storm worm.
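One way to turn the dig check above into a repeatable test, as an added example that is not part of the original letter: query the name several times and look at the whole pattern rather than any single answer. The script below parses dig-style ANSWER SECTION text, measures how much the address set changes between queries, and counts how many unrelated networks the addresses fall into. The answer sections are constructed samples using documentation address ranges; "spamvertised.example" stands in for a spammed domain and "static.example" for an ordinary site. Grouping by /16 is an offline stand-in for the ASN lookup you would do in practice, and the thresholds are my own starting points, not figures from the letter.

```python
"""Fast-flux heuristics over repeated A-record lookups (added example).

This is not code from the original post.  The answer sections below are
constructed samples using RFC 5737 documentation addresses; the names
'spamvertised.example' and 'static.example' stand in for a spammed domain
and an ordinary website respectively.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Snapshot:
    """A records returned by one `dig <name> A` query, plus the lowest TTL."""
    ttl: int
    addrs: frozenset


def parse_dig_answer(text):
    """Pull TTL and A records out of a dig ANSWER SECTION.

    Record lines look like:  spamvertised.example.  300  IN  A  192.0.2.10
    Comment lines (;;), blanks and non-A records are skipped.
    """
    ttls, addrs = [], set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[2] == "IN" and parts[3] == "A":
            ttls.append(int(parts[1]))
            addrs.add(ipaddress.ip_address(parts[4]))
    if not addrs:
        raise ValueError("no A records found in dig output")
    return Snapshot(ttl=min(ttls), addrs=frozenset(addrs))


def flux_metrics(snapshots, prefixlen=16):
    """Summarise how the answer set for one name moves between queries.

    `distinct_networks` groups addresses by /16 as a crude, offline
    substitute for 'different providers' (an ASN lookup in practice);
    `mean_churn` is the average fraction of each answer that was absent
    from the previous answer.
    """
    seen, churn, prev = set(), [], None
    for snap in snapshots:
        if prev is not None:
            churn.append(len(snap.addrs - prev.addrs) / len(snap.addrs))
        seen |= snap.addrs
        prev = snap
    networks = {ipaddress.ip_network(f"{a}/{prefixlen}", strict=False) for a in seen}
    return {
        "distinct_ips": len(seen),
        "distinct_networks": len(networks),
        "min_ttl": min(s.ttl for s in snapshots),
        "mean_churn": sum(churn) / len(churn) if churn else 0.0,
    }


def looks_fast_flux(metrics, max_ttl=600, min_ips=5, min_networks=3, min_churn=0.5):
    """Conservative verdict.  A short TTL on its own proves nothing (CDNs use
    short TTLs too); fast flux is the combination of a short TTL, many
    addresses spread across unrelated networks, and high churn per query."""
    return (metrics["min_ttl"] <= max_ttl
            and metrics["distinct_ips"] >= min_ips
            and metrics["distinct_networks"] >= min_networks
            and metrics["mean_churn"] >= min_churn)


# Constructed dig answer sections: a fluxing name queried four times ...
FLUX_ROUNDS = [
    """;; ANSWER SECTION:
spamvertised.example.  300  IN  A  192.0.2.10
spamvertised.example.  300  IN  A  192.0.2.77
spamvertised.example.  300  IN  A  198.51.100.4
spamvertised.example.  300  IN  A  203.0.113.200
""",
    """spamvertised.example.  300  IN  A  192.0.2.10
spamvertised.example.  300  IN  A  198.51.100.31
spamvertised.example.  300  IN  A  203.0.113.9
spamvertised.example.  300  IN  A  203.0.113.14
""",
    """spamvertised.example.  300  IN  A  198.51.100.31
spamvertised.example.  300  IN  A  192.0.2.150
spamvertised.example.  300  IN  A  198.51.100.61
spamvertised.example.  300  IN  A  203.0.113.88
""",
    """spamvertised.example.  300  IN  A  192.0.2.3
spamvertised.example.  300  IN  A  198.51.100.90
spamvertised.example.  300  IN  A  203.0.113.200
spamvertised.example.  300  IN  A  203.0.113.121
""",
]
# ... and an ordinary site queried twice, answering the same two hosts.
STATIC_ROUNDS = [
    "static.example.  3600  IN  A  192.0.2.40\nstatic.example.  3600  IN  A  192.0.2.41\n",
    "static.example.  3600  IN  A  192.0.2.41\nstatic.example.  3600  IN  A  192.0.2.40\n",
]

FLUX_SNAPSHOTS = [parse_dig_answer(r) for r in FLUX_ROUNDS]
STATIC_SNAPSHOTS = [parse_dig_answer(r) for r in STATIC_ROUNDS]

if __name__ == "__main__":
    for name, snaps in (("spamvertised.example", FLUX_SNAPSHOTS),
                        ("static.example", STATIC_SNAPSHOTS)):
        m = flux_metrics(snaps)
        print(name, m, "FAST FLUX" if looks_fast_flux(m) else "normal")
```

In practice the snapshots come from running dig against the live name every few minutes. The point of the combined rule is that a short TTL by itself also describes every CDN; it is the churn across many unrelated networks that separates flux hosting from ordinary load balancing.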

100% False Claims

Canadian Pharmacy makes numerous completely false claims in nearly every word of every spam message sent, and on every page of their websites. Among these are claims that they offer security when processing credit cards (they do not, and never have; this is something you can see by investigating any of the domains spammed to promote this operation), and that their products are safe (numerous researchers have found that they either contain no active ingredient, contain only trace amounts of it, or actually contain harmful elements or materials). They often listed contact information which actually belonged to the College of Pharmacists of British Columbia, who strenuously denied having anything to do with this operation or its continued illegal spamming practices. They also displayed icons for the Better Business Bureau, Verified by Visa and an organization known as "Pharma Checker", none of whom supported or endorsed any of these sites. (In all cases, representatives of all three expressed frustration at being unable to get this group to remove their icons from its sites.) Only in the past four months have they removed these icons. It is unclear why, although one could surmise that the increased investigation into their operations is the reason.
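The credit-card claim above is one a reader can check on any of the spammed domains. The following is an added example, not code from the original letter: a small scanner that parses a checkout page, finds the forms that collect card details, and reports whether they submit over plain HTTP, send the data via GET, or sit on a page that was itself delivered without TLS. The two HTML pages and the hosts "pharmacy.example" and "legit.example" are constructed, and the field-name hints are my own.

```python
"""Does a checkout page send card details over plain HTTP?  (added example)

Not code from the original post.  The two HTML pages below are constructed;
'pharmacy.example' and 'legit.example' are placeholder hosts.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Field-name fragments that usually mark payment-card inputs (my own list).
CARD_FIELD_HINTS = ("card", "ccnum", "cvv", "cvc", "expir", "exp_")


class FormScanner(HTMLParser):
    """Collect every <form> with its resolved action, method and field names."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {
                # A relative action inherits the page's scheme, so resolve it.
                "action": urljoin(self.page_url, a.get("action") or ""),
                "method": (a.get("method") or "get").lower(),
                "fields": [],
            }
            self.forms.append(self._current)
        elif tag in ("input", "select", "textarea") and self._current is not None:
            name = (a.get("name") or a.get("id") or "").lower()
            if name:
                self._current["fields"].append(name)

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def find_insecure_card_forms(page_url, html):
    """Return one finding per form that collects card data insecurely."""
    scanner = FormScanner(page_url)
    scanner.feed(html)
    findings = []
    for form in scanner.forms:
        card_fields = [f for f in form["fields"]
                       if any(hint in f for hint in CARD_FIELD_HINTS)]
        if not card_fields:
            continue
        reasons = []
        if urlsplit(form["action"]).scheme != "https":
            reasons.append(f"card fields submitted to {form['action']} without TLS")
        if form["method"] != "post":
            reasons.append("card fields sent in the URL query string (method=GET)")
        if urlsplit(page_url).scheme != "https":
            reasons.append("form delivered over plain HTTP; its action can be rewritten in transit")
        if reasons:
            findings.append({"action": form["action"],
                             "card_fields": card_fields,
                             "reasons": reasons})
    return findings


# Constructed checkout page of the kind described in the letter.
SHADY_URL = "http://pharmacy.example/checkout.php"
SHADY_HTML = """
<html><body>
<form action="search.php" method="get"><input name="q"></form>
<form action="order.php" method="post">
  <input type="text" name="cardholder">
  <input type="text" name="ccnum">
  <select name="exp_month"><option>01</option></select>
  <input type="text" name="cvv">
  <input type="submit" value="Buy now">
</form>
</body></html>
"""

# Constructed control page that does the minimum right.
SAFE_URL = "https://legit.example/pay"
SAFE_HTML = """
<form action="https://legit.example/pay/submit" method="post">
  <input name="ccnum"><input name="cvv"><input name="expiry">
</form>
"""

if __name__ == "__main__":
    for url, html in ((SHADY_URL, SHADY_HTML), (SAFE_URL, SAFE_HTML)):
        print(url, find_insecure_card_forms(url, html) or "no card-handling problems found")
```

A form that posts to an https:// action from an http:// page still counts: anyone on the path can rewrite the action before the customer ever sees it, which is why the page scheme is flagged separately. What the site does with the data after submission, and whether its certificate is genuine, is beyond what a static check like this can tell you.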

In fact even the very name of these sites, Canadian Pharmacy, is a lie. They aren't located anywhere near Canada, the products often ship from India, and the domains and name servers are hosted around the world. There isn't any Canadian source for any of these websites.

Further: the contact information used to register websites and nameserver domains routinely feature 100% fake information. This is true for literally every single website registered for the promotion of Canadian Pharmacy.

These websites represent a very serious risk to the public's health, no matter which country the unwitting customers of these malicious websites happen to live in.

But I encourage you to join me in digging deeper into what other illicit activities this series of illegal websites is tied to.

Glavmed's Connection to Storm / Warezov Infections

I mentioned Warezov in an earlier paragraph.

Over the past two years, Warezov has been joined by the botnets known as Storm and Asprox. (These are distinct malware families, although news coverage frequently conflates them, and there are other names for this type of PC infection.) These botnets have continued to grow in size, and have continued to be used for all manner of illicit online activity ranging from the aforementioned spamming, through to plainly illegal activity such as performing large-scale Distributed Denial Of Service attacks (aka: DDoS attacks) against any site the botnet operator chooses (source), performing SQL injection attacks (source), and, most importantly, providing hosting and infrastructure for these Canadian Pharmacy websites, including name servers. The Storm worm has also occasionally been used in phishing attempts. (source)

As far back as Jan. 31, 2008, tech news stories abounded that law enforcement authorities knew who had created and continued to operate the Storm worm (source), yet nearly a full year later absolutely no action has been taken against them. Further research by a variety of individuals as well as Wired Magazine tied Storm worm to a shadowy criminal organization known as the Russian Business Network, or "RBN". (source)

No less a source than the Washington Post's Brian Krebs has previously posted in great detail about who is behind the Storm Worm, and boldly declared he had connected all the dots in a story dating from January 29th, 2008. (source, with extensive background research.)

Glavmed Affiliate Program

In the past year, after monitoring numerous spam-friendly forums, many of which no longer exist, I discovered the website responsible for recruiting new affiliates to promote the Canadian Pharmacy brand: glavmed.com. This is not immediately obvious from just visiting their main website (although they do of course mention that the sites being promoted are pharmacy websites). Their sites page makes no mention of the brand "Canadian Pharmacy", only vague descriptions of what the sites sell, and states that anyone can join the program. Their sign-up form has no section where applicants must disclose whether they are a medical professional or a pharmacist, or whether they are retaining one for the purpose of fulfilling prescriptions for the pharmaceuticals these sites sell.

So how did I discover the link between Glavmed's affiliate program and Canadian Pharmacy? I joined their affiliate program. I will not disclose the details of my affiliate account other than to say that I have never used it for any promotional purposes on behalf of glavmed or Canadian pharmacy. Once I was approved, I was sent a link to their site templates which made it very clear that this was a very large-scale, highly organized operation, and that they are indeed 100% responsible for Canadian Pharmacy, and therefore responsible for the relentless spamming which occurs on their behalf.

As it turns out, one of their supporters or affiliates apparently posted a very Glavmed-friendly piece on a website known as atlantea.com (source), which purports to rate the various online pharmacies promoted by Glavmed. They of course make absolutely no mention of the fact that these sites are easily the most prolifically-spammed properties on the Internet today. That entire domain appears to be a very spam-friendly site, and it links to a known base domain which Glavmed sites have been using for payment processing for three years now, rx-partners.biz.

Some interesting additional notes: They have modified several threads in their forums. These threads previously contained postings by several members which made it very clear that not only were Glavmed and their affiliates aware that many of their ranks were involved in large-scale spamming, but that they also knew they were lying about the use of logos such as that of Pharma Checker.

This thread previously had a posting (following posting #4, which is now the final posting in that thread) which stated that there was no valid Pharma Checker account for the Canadian Pharmacy websites. (A valid Pharma Checker listing is required in order to place a link to any pharmaceutical site within a Google AdSense campaign, among many others. One affiliate was refused; I feel certain that many others must have been refused as well.) Another thread regarding spamming (source) had several pro-spam postings dating back to late 2007. These were removed sometime between December 2008 and January 2009; they were previously located after posting #3. Clearly someone is removing any revealing evidence. (I and many others have archives of this forum, however.)

Glavmed / Spamit / Storm / Canadian Pharmacy / RBN

Further, no less an authority than IronPort, a major spam-fighting corporation, made direct connections between the Storm worm, Canadian Pharmacy, Glavmed, and their underground affiliate portal (and likely the real smoking gun) known as Spamit.com. (source) IronPort also placed several orders to verify what would happen with their bait credit card information, and to see whether they would actually receive anything. They did receive a package of pills which contained sugar and what was referred to as "inert filler"; another contained "high metal content". This is clearly a very high risk to the public's health.

I and many other researchers and security professionals believe it is time for someone to take decisive action against this operation, which has profited for at least four years now and is only continuing to grow. Research and evidence abounds regarding the connections between Canadian Pharmacy, Glavmed, The Storm Worm and the Russian Business Network. All of these are known by numerous security and law enforcement agencies to be operating in flagrant violation of international law. I and the citizens of my country and those of pretty much every other country are fed up with continual bombardment of these spam messages, promoting websites which lie in every word of their content, which sell fake and harmful products, and which endanger the lives of the general public. We are fed up with the complete lack of action on behalf of anyone in Law Enforcement to go after Glavmed, their affiliates, their site operators, their payment processors, their hosting providers and their domain registrars. The time for action is now, especially with the abundance of available research into this organization and their practices.

Please take this appeal very seriously. I welcome your feedback.

Very sincerely,

SiL / IKS / concerned citizen

Further research into Canadian Pharmacy

Spam Wiki: Canadian Pharmacy
http://spamtrackers.eu/wiki/index.php?title=Canadian_Pharmacy

Further research into the Storm Worm

Storm Worm Botnet Cracked Wide Open
http://www.heise-online.co.uk/security/Storm-Worm-botnet-cracked-wide-open--/news/112385

Russian Business Network (RBN): Georgia Cyberwarfare - Attribution & Spam Botnets
http://rbnexploit.blogspot.com/2008/08/rbn-georgia-cyberwarfare-attribution.html

Full-disclosure: It's time to get serious about Storm Worm / RBN
http://seclists.org/fulldisclosure/2008/Mar/0300.html

Slashdot: We Know Who's Behind Storm Worm
http://it.slashdot.org/article.pl?sid=08/01/29/1823242