Wednesday, January 16, 2008

Marion Lynn Is Wrong (Again)

It was brought to my attention recently that Marion Lynn (yes, him again. Bear with me, I'll try to be brief) is under the erroneous assumption that I am posting all over the place about him, and essentially harassing him in forums unrelated to spam using the nickname "snap_pop_no_crackle".

An example can be found here, in which Marion responds to the user named snap_pop_no_crackle regarding a story about Auschwitz (warning: not a lot of sensible discussion going on over there.)

14 January 2008 at 8:15 p.m.

snap_pop_no_crackle (Anonymous) says...

snap writes:

marion, do you think this book will be more profitable than outingbulkerbiz's tome?

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

14 January 2008 at 8:34 p.m.

Marion Lynn

Marion (Marion Lynn) says...

Well, Sil, A**hole or "Snap"; whatever is appropriate, I intend to make my recollections and research available as a free downloadable E-book because I believe that it contains information which cannot be found elsewhere and that the information is important to our understanding of history.


Just to set the record straight: I am not that user. Nor do I post on ljworld. Nor would I ever.

I also am not the same username (snap_pop_no_crackle) who is posting on Marion's own rather ridiculous forum, rivercitytalk. (I'm not linking to it. You can find it pretty easily yourself.) I personally believe that snap_pop_no_crackle is a user who originally commented on my blog anonymously back in June 2007:

Anonymous

Anonymous said...

See: http://www2.ljworld.com/onthestreet/2007/jun/01/mos_spam/
for a mass spanking of Marion.

6/07/2007 06:32:00 PM


I could be wrong. It could be someone else. I hadn't even seen that posting, and you can see numerous comments by that user. This was the first I'd ever heard of it, or the username snap_pop_no_crackle. It's still a pretty good read, but that is not me.

Just to further clarify: The only monikers I have ever used to identify myself in all things spam-related are:

• SiL (short for SpamIsLame)
• IKS (short for IKillSpammers)
• concerned citizen

Marion can believe what he wants, but he's (as usual) mistaken.

This calls into question the quality of the information he's been using to out several members of Bulkerforum. I notice all posting has come to a complete halt at spamgossip.blogspot.com since last November. Much of what he posted didn't amount to actual "evidence" in the first place. Just a litany of names. Clearly he was on the right track with a few of them, notably Phantom. But where's the beef?

I've got one for him to try and dig up: the admin of bulkerforum.biz. What's his name? Where does he live? What else does he run besides bulkerforum.biz?

I would bet dollars to donuts that Marion hasn't got a clue. Not that it really matters anyway; that forum has essentially cannibalized itself.

Anyway. Now that that's off my chest, back I go to fight more VPXL spam.

SiL

Monday, January 14, 2008

US Pharmacy (Very American) -> Total Lies

We are seeing a great deal of new spam for this family of illegal websites. I thought it was time to raise the curtain on how these illegal websites operate.

Note that on the front page, the site is selling numerous controlled substances:



A closer look:



Note that they misspell "Hydrocodone". Sounds like a real professional operation they got goin' on there...

Hydrocodone is defined by the US Food and Drug Administration (FDA) as a banned Schedule II narcotic, and further defined by the FDA as a Schedule III controlled substance.

Vicodin ES is a derived product containing Hydrocodone and is similarly classified by the US FDA.

Phentermine, Ambien and Xanax are all defined by the FDA as Schedule IV controlled substances.

Ultram (also known as Tramadol) is not classified as a controlled substance but it is highly addictive.

Controlled substances are considered by the FDA and the international medical community to have a very high risk of addiction.

Further reading:

Schedule III (US)
Schedule IV (US)

For Vicodin ES, the usual dose is 1 tablet, up to a maximum of 5 tablets per day. It is only recommended to take this drug (as well as Hydrocodone) under the strict recommendations and instructions of a doctor or pharmacist. Overdoses can kill people. Addiction is a very strong possibility.

The sale of these substances is considered a federal offence, particularly if one does so with no medical background whatsoever. As we shall see, not only do the operators of these sites have no medical background, they seem to be pretty open about indicating that this is the case, even though they might not recognize that they have done so.

They claim to accept Visa, American Express, Diners Club International and JCB Gold, as well as the online check service ECheck. They even present a special animated banner for the front page, and several large-size icons making this claim:




In reality, when one makes it through to their shopping cart page, it turns out that they only accept Visa and American Express. They also definitely do not accept ECheck, and no such option is present on any of these websites:



The quantity of tablets available for Hydrocodone on all US Pharmacy sites far exceeds any recommended dosage guidelines for this drug:



Clearly these websites do not care what happens to the patients who purchase these products from them. That last entry (180 pills!) is enough to cause serious harm or even death to somebody who is not under the care or supervision of a doctor or pharmacist.

At no point, anywhere on these sites, is there any mention as to who is the registered pharmacist or medical professional who will be providing these drugs to consumers. The sole purpose seems to be to profit as much as possible, even if it means killing the consumers who purchase these dangerous substances.

Throughout the site, a javascript function causes a momentary pop-up graphic to appear which claims: "Please Wait, Secure site loading":



This is of course a lie. There is no Secure Sockets Layer (SSL) encryption present anywhere, on any of these websites. They also feature, to the left side of their menu, an image which claims "100% Secure Site":



This is, of course, also a lie.

A typical spam is received in text-only format (no HTML), featuring very stripped-down content and no subject line. A typical message body will read "Get the pian meds you need" (sic) and then feature a link to the target website.

In early January, 2008, the links in the spam messages were almost always to a Blogger website whose sole purpose was to redirect the user to the actual target website. For example: the spam received on Jan. 14th, 2008 contained the url:

http://nugiwika29432.blogspot.com/

That url in turn redirected us to:

http://nugiwika29432.blogspot.com/discoveyamazing.com

This was a mistake on their part: the morons who set up the Blogger site failed to use appropriate url redirection techniques, so the target was resolved relative to the Blogger page instead of as a separate site. (Maybe they were high on Vicodin at the time...) It was attempting to redirect us to:

http://discoveyamazing.com/

Several users have received dozens of these messages throughout the month of January. In all cases, the abuse of Blogger urls was reported directly to Blogger.com using their abuse reporting form:
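The redirect chain described above, as an added example that is not part of the original post: a small resolver that pulls the redirect target out of a fetched page, resolves it the way a browser would, and flags the scheme-less hostname mistake the Blogger page made. The page contents are constructed stand-ins so it runs offline; a real fetch would replace the `PAGES` lookup.

```python
"""Resolve the redirect chain behind a spamvertised Blogger URL.

Added example, not code from the original post. The page bodies below are
constructed; the second one uses reserved .invalid names.
"""
import re
from urllib.parse import urljoin

# Constructed stand-ins for the pages an analyst would fetch.
PAGES = {
    # Mimics the broken redirect described in the post: no scheme on the target.
    "http://nugiwika29432.blogspot.com/": (
        '<html><head>'
        '<meta http-equiv="refresh" content="0;url=discoveyamazing.com">'
        '</head><body>loading...</body></html>'
    ),
    # A correctly formed JavaScript redirect, for comparison.
    "http://example-good.blogspot.invalid/": (
        '<html><head><script>'
        'window.location.href = "http://example-target.invalid/";'
        '</script></head></html>'
    ),
}

META_REFRESH = re.compile(
    r'<meta[^>]+http-equiv=["\']?refresh["\']?[^>]+content=["\']?\s*\d+\s*;\s*url=([^"\'>\s]+)',
    re.IGNORECASE)
JS_LOCATION = re.compile(
    r'(?:window\.|document\.)?location(?:\.href)?\s*=\s*["\']([^"\']+)["\']',
    re.IGNORECASE)


def extract_redirect_target(html):
    """Return the raw redirect target from a meta refresh or a JS location assignment, or None."""
    for pattern in (META_REFRESH, JS_LOCATION):
        m = pattern.search(html)
        if m:
            return m.group(1)
    return None


def looks_like_bare_host(target):
    """Heuristic: a target such as 'discoveyamazing.com' is a hostname missing its scheme."""
    return bool(re.fullmatch(r'[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+', target))


def resolve_chain(start_url, pages=PAGES, max_hops=5):
    """Follow redirects as a browser would, recording each hop.

    For a malformed (scheme-less) target the hop is marked 'broken redirect'
    and the probable intended site is recorded, which is what an abuse report
    to the redirect host should name.
    """
    hops = []
    url = start_url
    for _ in range(max_hops):
        html = pages.get(url)
        if html is None:
            hops.append({"url": url, "status": "not fetched"})
            break
        target = extract_redirect_target(html)
        if target is None:
            hops.append({"url": url, "status": "final"})
            break
        resolved = urljoin(url, target)  # browser semantics: relative to current page
        hop = {"url": url, "raw_target": target, "resolved": resolved, "status": "redirect"}
        if looks_like_bare_host(target):
            hop["status"] = "broken redirect"
            hop["probable_intent"] = "http://%s/" % target
        hops.append(hop)
        url = resolved
    return hops


if __name__ == "__main__":
    for hop in resolve_chain("http://nugiwika29432.blogspot.com/"):
        print(hop)
```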

Their "About Us" page makes no mention as to the quality of their products or their legal ability to sell any of them, but they do make a point of saying that they are a popular destination for the purchase of these controlled substances, legal or not:

US Pharmacy is your online pharmacy for FDA approved drugs, specializing in the EXTREMELY POPULAR, yet hard to find High Level Muscle Relaxers, Pain Relief, and prescription Sleeping Aid Meds and MORE!

Join tens of thousands of customers who safely, conveniently, and discreetly order prescription medication including men's health, weight loss, pain relief, diabetes, stop smoking, cholesterol and anti depressant medications and more. Check out our FAQ for more information.


Their FAQ page makes a series of claims which could only be perceived as further lies in light of the fact that they falsely claim to be offering us a secure server.

Q. Is it safe to use my credit card with US Pharmacy ?

A. Absolutely. We have taken every precaution to make sure your transaction is secure. All account information submitted to us is safely isolated from unauthorized access. When you place an order online or with US Pharmacy, your personal information and credit card information are encrypted using SSL encryption technology before being sent over the Internet, making it virtually impossible for your information to be stolen or intercepted while being transferred.

Q. Is my personal information kept confidential?

A. Absolutely the personal information you give us will only be viewed by authorized employees of our company for the purpose of completing your order. We do not sell, trade, or rent your personal information to others.

Q. Are the drugs that you sell safe?

A. Our products are made by overseas pharmaceutical manufacturers. These are the very companies that manufacture (and export in bulk) the drug that goes in to the making of the world's best-selling brands. In the new global economy, manufacturing is increasingly being outsourced to overseas facilities of parent companies or third-party suppliers. Naturally any new advances in manufacturing technology are invested in to these overseas facilities, rather than in to the company's little-used factories. Our drugs are manufactured in state-of-the-art facilities that fully comply with the Good Manufacturing Practices (GMP).


That statement regarding the "GMP" shows the potential for just how dangerous these websites are. The US FDA's Good Manufacturing Practice (GMP) regulation does indeed exist; however, it was put in place to regulate the manufacturing of medical devices (think: stethoscopes, scalpels), not pharmaceuticals. The GMP has absolutely no bearing whatsoever on pharmaceutical products. The operators of these sites are clearly not any sort of medical professional, and are only in this to profit at whatever cost. As such all of these websites should be seen as extremely dangerous.

And later in the same FAQ:

Q. Is this legal?

A. There are different laws in different countries for import the drugs for personal use. US FDA regulations allow for the importation of personal medication required for a 3 month period. US residents are already importing medication from Canada, India and South America and US citizens travel to Mexico and Canada to purchase the drugs all the time. Americans are fed up with huge prices at local pharmacies, and Congress is allowing them to buy drugs from other countries to combat this injustice. World-class drugs are now within reach of everybody who is being squeezed by the high cost of prescription drugs.


What this statement conveniently fails to mention is the following:

The United States Federal Food, Drug, and Cosmetic Act (Act) (21 U.S.C. section 331) prohibits the interstate shipment (which includes importation) of unapproved new drugs.

...

"when 1) the intended use [of the drug] is unapproved and for a serious condition for which effective treatment may not be available domestically either through commercial or clinical means; 2) there is no known commercialization or promotion to persons residing in the U.S. by those involved in the distribution of the product at issue; 3) the product is considered not to represent an unreasonable risk; and 4) the individual seeking to import the product affirms in writing that it is for the patient's own use (generally not more than 3 month supply) and provides the name and address of the doctor licensed in the U.S. responsible for his or her treatment with the product or provides evidence that the product is for the continuation of a treatment begun in a foreign country."

...

to ensure that the importation is for personal use only (and not for resale), and to ensure that the use of the unapproved new drug sought to be imported into the U.S. is supervised and does not represent an unreasonable risk, the guidance provides that the individual affirm in writing that the drug is for his or her personal use, and provide either the name and address of the U.S. licensed physician who will supervise its use or some evidence that the treatment was begun in a foreign country and that the drugs are being imported to continue/conclude the already begun treatment. Thus, while not the only documentation, either a U.S. or foreign prescription, along with an affirmation of personal use, could be supplied as evidence that this factor exists.


So no: what these sites are doing IS NOT LEGAL. Purchasing these substances from these sites IS NOT LEGAL. In fact, purchasing from these sites can lead to some serious charges for the consumers under FDA regulations, but this assumes that the customer survives their likely overdose, given that the quantities of these substances which these sites have chosen to sell are much higher than anyone should ever take of these drugs.

Nobody requires a "three month supply" of Vicodin. That is a sure sign of addiction, and likely a sign that the user is at risk of overdose.

Placing several control orders resulted in no secure page being accessed at any time, and no real-time validation of credit card information took place. We were immediately forwarded (via javascript) to a thank you page which was passed a series of parameters that could easily be modified with no adverse effect.

Example url we were forwarded to:

http://discoveyamazing.com/pharmacy_thankyou.php?pending=1&PTxnID=1291602685

We could easily modify this to say:

http://discoveyamazing.com/pharmacy_thankyou.php?pending=1&PTxnID=WeAreIllegalSpammers

It has no problem with our value for the PTxnID parameter, and passes it straight through to the thank you paragraph:



This further indicates that there is no security whatsoever on these websites.
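What the PTxnID behaviour above reveals, as an added example that is not the site's own code (the real handler is PHP; this is a Python model of the same logic): the observed handler echoes whatever the query string says, while a hardened one treats the id as untrusted input that must match a server-side order record. The `ORDERS` table is a constructed stand-in for that record store.

```python
"""Vulnerable vs. hardened handling of the PTxnID parameter.

Added example, not the site's own code. ORDERS is a constructed stand-in for
the server-side order store; the sample id is the one quoted in the post.
"""
import html
import re
from urllib.parse import parse_qs, urlsplit

# Constructed server-side order store: tracking id -> order state.
ORDERS = {"1291602685": {"pending": True}}


def parse_params(url):
    """Return the single-valued query parameters of a thank-you URL."""
    qs = urlsplit(url).query
    return {k: v[0] for k, v in parse_qs(qs, keep_blank_values=True).items()}


def thankyou_vulnerable(url):
    """Mirrors the observed behaviour: whatever PTxnID says is echoed into the page.

    Nothing is checked, so the id (and the 'pending' flag) are whatever the
    visitor typed, and the page proves nothing about any real order.
    """
    params = parse_params(url)
    return "Thank you. Your tracking id is %s." % params.get("PTxnID", "")


def thankyou_hardened(url, orders=ORDERS):
    """Trust nothing from the query string.

    The id must have the documented 10-digit shape AND exist server-side; the
    order status comes from the store, not from the attacker-controlled
    'pending' parameter; and the value is escaped before being rendered.
    Returns None when the request should get a generic error page.
    """
    params = parse_params(url)
    txn = params.get("PTxnID", "")
    if not re.fullmatch(r"[0-9]{10}", txn) or txn not in orders:
        return None  # generic error; do not reveal whether the id exists
    status = "pending" if orders[txn]["pending"] else "complete"
    return "Thank you. Your tracking id is %s (%s)." % (html.escape(txn), status)


if __name__ == "__main__":
    tampered = "http://discoveyamazing.com/pharmacy_thankyou.php?pending=1&PTxnID=WeAreIllegalSpammers"
    print(thankyou_vulnerable(tampered))
    print(thankyou_hardened(tampered))
```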

Placing an order results in a "thank you" page which claims that your order has been placed, and provides a 10-digit numerical tracking id (e.g. 1291602685). They claim: "average time taken to fulfill an order is somewhere between 2 to 3 weeks."

They state that consumers can send emails regarding their order to the email address: sales@365support.us

The website that they claim users can track their orders at is www.365cansupport.us, however no such domain existed at the time we placed our sample orders.

Finally: even the brand for these illegal websites is a lie. Calling themselves "US Pharmacy" with the tagline "Very American" within their main banner indicates how badly they want to be taken seriously as a US-approved online pharmacy:



In reality the website we were spammed with () was hosted at an IP address located in China:

%whois 210.14.129.233

inetnum: 210.14.128.0 - 210.14.159.255
netname: ZBYD
descr: ZBYD Technology Co.,Ltd
descr: 15A build , xiyongle road ,shijingshan district ,Beijing
country: CN
admin-c: LA100-AP
tech-c: LA100-AP
status: ALLOCATED PORTABLE
mnt-by: MAINT-CNNIC-AP
mnt-lower: MAINT-CNNIC-AP
mnt-routes: MAINT-CNNIC-AP
changed: ipas@cnnic.cn 20071106
source: APNIC

person: Lei An
nic-hdl: LA100-AP
e-mail: anlei@gwbn.net.cn
address: No. 20, Fuxing Road, Beijing
phone: +86-10-68650064
fax-no: +86-10-66813424
country: CN
changed: ipas@cnnic.cn 20071106
mnt-by: MAINT-CNNIC-AP
source: APNIC

inetnum: 210.14.128.0 - 210.14.159.255
netname: ZBYD
descr: ZBYD Technology Co.,Ltd
descr: 15A build , xiyongle road ,shijingshan district ,Beijing
country: CN
admin-c: LA1-CN
tech-c: LA1-CN
status: ALLOCATED PORTABLE
mnt-lower: MAINT-CN-ZBYD
mnt-by: MAINT-CNNIC-AP
changed: ipas@cnnic.cn 20071106
source: CNNIC

person: Lei An
address: 15A build , xixiaoqu road ,shijingshan district ,Beijing
country: cn
phone: +86-10-68610494
fax-no: +86-10-68610495
e-mail: anlei@gwbn.net.cn
nic-hdl: LA1-CN
mnt-by: MAINT-CNNIC-AP
changed: ipas@cnnic.cn 20071106
source: CNNIC


The domain itself returns no WHOIS information at all, which is a violation of the ICANN accreditation rules. The domain was registered with XIN NET TECHNOLOGY CORPORATION on Jan. 9th, 2008, and the operators of this domain refer WHOIS requests to their own special whois domain (whois.paycenter.com.cn), which is unreachable.

A bit of a rant regarding XIN NET Technology Corporation: they appear to be the domain registrar of choice for all illegal spammers around the world today. Out of thousands of complaints which have been lodged with them regarding a variety of patently illegal uses of domain names, not a single one has been responded to or acted upon. We're talking months of complaints here. ICANN apparently doesn't care. I and many others have complained to them regarding this rogue domain registrar with absolutely no response or action taken. You could probably create your own style of snuff porn site, have it registered via XIN NET, and nobody would do anything about it. ICANN: when are you going to do something about this?

Anyway: Clearly, there is nothing American whatsoever about these websites.

Spammers lie. Criminals also lie. These sites are created and operated by criminals, and promoted via spammers.

Needless to say: Do not purchase from these websites. Among other things, it's "un-American".

SiL / IKS / concerned citizen

Friday, January 4, 2008

Another Day, Another Spammer Indictment: Alan Ralsky

It was only last May when we heard that Robert Alan Soloway was finally arrested for a variety of fraud charges stemming from his rampant illegal spamming. Now comes news that another long-time spammer, Alan Ralsky, has been indicted on very similar charges, this time relating to your typical "pump and dump" stock scamming. He's not alone either: he's only one of ten (10) individuals facing US federal charges including conspiracy, wire fraud, mail fraud, money laundering and computer fraud.

There are distinct similarities between Soloway and Ralsky, not least of which is their continual boasting about how untouchable they were, how they'd never allow themselves to face charges relating to their spamming practices, and that they'd never serve a single day in jail. For Soloway: that last one is already out the window, as he's been in custody since May in a federal penitentiary, and will remain there until his trial begins sometime this year (no date has yet been confirmed.)

Another similarity: These two individuals have been responsible for an overwhelming amount of junk email since approximately 1995.

If you look at Ralsky's Wikipedia entry, you can see a familiar pattern of fraud perpetrated over a very long period of time which actually predates his attraction to the Internet as a method for perpetrating these crimes.

I'm not entirely sure why an FBI raid on Ralsky's property in September of 2005 failed to result in any charges against him. The most often-quoted statement Ralsky made about it at the time sums it up: "They didn't shut us down. They took all our equipment, which had the effect of shutting us down." That definitely impacted his ability to profit quickly, but why weren't there any charges laid then? Whatever it was that has taken from 2005 until early 2008 to culminate in this litany of serious charges must have some serious evidence to back it up, and some lengthy investigations by a large number of law enforcement departments. Obviously that takes time.

Unlike Soloway, Ralsky seems to have made his fraud career into a family affair, involving his son in law Scott K. Bradley. This is not the first time he's involved relatives either: Bradley's home was also raided in September 2005. In stark contrast, Soloway appears to have been a bit of a loner, and virtually barricaded himself inside his posh Seattle apartment to continue his scamming activity.

In both the Soloway and the Ralsky indictments, one thing is clear: anti-spam laws are definitely the weakest link in the entire chain in terms of bringing charges that will stick, and in particular the CAN-SPAM law has absolutely no teeth whatsoever for this purpose. In both cases, the focus is much more distinctly on the material crimes of fraud and money laundering, and much less on the rampant abuse of computer systems (renting / leasing and using botnets, probably using hijacked public servers, etc.) and mass emailing millions of recipients who never wanted any of their crap in the first place, using fake headers the whole way. Judging by previous attempts to charge criminals under CAN-SPAM, these crimes unfortunately don't appear to be seen as the serious problems that they are. Spammers abuse systems around the world and know that the law will never make any charges stick regarding these abuses. It's frustrating to me and many others that this crime is still not taken seriously in the courts.

Having said that: removing such a large scale fraud operation, by whatever means, is most definitely something to be happy about. I don't care how they chose to promote it: fraud is fraud. Ripping people off is a crime. Ripping people off repeatedly is a crime. Each of their counts carries massive fines (up to $250,000 for each count, and there are several counts each) and lengthy jail terms (up to 20 years in federal prison for each count of many of the charges.) Since Ralsky has been so boastful about how much he loves spamming people, I'm sure that he'll remain in custody for many months leading up to his trial, whenever that takes place.

And it's not even a full week into the New Year. :)

Happy New Year, everyone. Let's hope we see a lot more arrests like these in the coming months.

SiL / IKS / concerned citizen

P.S. All of the stories related to these charges only mention that "Chinese companies" were affected by his stock spamming. I'm going to predict right here that two of those companies were CYTV (China YouTV) and CWTD (China World Trade Corp.). All of us saw rampant spam runs for these two stocks for well over two full years. They both appeared to be totally fictitious "companies" which existed only on paper, and apparently solely for the purposes of stock market fraud and manipulation. (I wrote about CWTD previously.)

If I'm right, you owe me a beer. :)

Wednesday, January 2, 2008

Crazyremedy (VPXL) Spammers Want To Kill You

I keep seeing tons of spam which abuses the Google "I'm feeling lucky" feature in the hopes of redirecting you to websites for the idiotic fake "herbal remedy" product currently known as "VPXL." It was previously known as Elite Herbal, Manster, Megadik and ManXL. I'm sure they'll change their product name yet again. It all amounts to the same thing. It's fake. It doesn't work. Purchasing these pills can cause serious health problems, which of course they don't want you to know. The current domain being spammed in this way is crazyremedy.com. The barrage of spam for this completely bogus product to two of my accounts using this method is up to 42 per day. These idiots are clearly targeting anyone at all, not caring who gets their crap messages or whether they would ever care to purchase this bogus "remedy."

Don't support these morons. For each attempt that they make, I will create a posting on this blog to subvert their "I'm feeling lucky" abuse of Google. And of course I'm reporting the "crazyremedy.com" domain.

Spammers, as usual, are complete idiots. I hope every last one of the spammers behind this Genbucks / Tulip Lab promotion get arrested and raided, just like Shane Atkinson did.

Stop clicking on spam for VPXL and other such products, and stop supporting them by purchasing from their totally insecure fly-by-night websites.

SiL / IKS / concerned citizen.

Thursday, December 27, 2007

Elite Herbal, GenBucks, SanCash and Tulip Labs

Happy Holidays.

There was a flurry of activity in the weeks of December before the Xmas holiday. I saw a lot of diligent reporting of the activities of what is arguably the most annoying and least-compliant illegal spam operation in the world today: the mailers of the pernicious "Elite Herbal" penis enlargement herbal remedy products.

If you have an email address at all, of any sort, whether you've ever given it out to anyone or not: you've more than likely seen this spam, though fortunately most of it ends up where it belongs, in the junk folder. This doesn't stop the spammers behind this "product" from sending multiple copies of the same messages every single day to you.

Elite Herbal is one of a batch of products promoted via what is known as the SanCash program, a spammer affiliate program sponsored by bulkerforum.biz members Sancash and Azzy. Several members of bulkerforum.biz are active mailers for that program, notably "Moneyminters", a non-compliant mailer going back several months now at least.

Starting in July of 2007, the spam research blog Spam In My Inbox began investigating who was behind the relentlessly high volumes of spam he continued to receive for this unwanted product. He did quite a bit of due diligence and appears to have been very forthright in trying to find specific contact information for who was behind Elite Herbal itself. All initial contact was ignored (of course) whenever posted via one of the spamvertised fly-by-night websites.

He discovered that IP addresses associated with the spammed websites belonged to a company claiming to be called "Tulip Lab Pvt. Ltd.", located in Mumbai, India. He attempted to contact them regarding the mountains of unwanted spam emails. He never once received any kind of response.

Using some clever technological tricks, he entered an order into one of the spamvertised sites, but while doing so he carefully also entered some tracking code of his own (I'm not privy to what he specifically did, but I have my own theories.) This meant that any computer which viewed his order would report its IP address back to him. He reported on this on July 4th, 2007, stating that an IP address belonging to the DSL Internet provider known as iHug (now a division of Vodafone), located in New Zealand, had viewed his order. He complained to iHug and provided his evidence. They took action and investigated the offending account, eventually shutting it down. That IP address turned out to be directly related to one Shane Atkinson, a spammer who has been uncovered at least once before (back in 2003) and who had claimed to have given up spamming altogether.

He also noticed that an IP address belonging to Tulip Lab also viewed his order. He documented all of this.

In August, 2007, the spam runs for Elite Herbal intensified. I myself noticed an increase from the usual 14 - 22 messages a day which were received to my control monitoring account, to upwards of 24 - 33 per day, all promoting only Elite Herbal.

In September, SpamInMyInbox wrote an open letter to Tulip Lab and those who supported them. He asked why they continue to allow spammers to promote their "products", and asked for verification as to what the correlation was of the Tulip Lab IP address to the order he placed. He sent an email version of that open letter to the operators of Tulip Lab, cc'ing numerous India-based media outlets and newspapers, and the Pharmaceuticals Export Promotion Council in India, of which Tulip Lab was a member.

Nothing happened for a while after that, but the spam maintained its ridiculously high numbers on a daily basis.

Then in December, the BBC4 program "The Investigation" hosted by Simon Cox aired a half hour program which investigated this exact same rampant spam operation. Since it was the BBC, it appears that they got deeper access than an average individual would otherwise get. They took all the same steps as SpamInMyInbox did - placing an order, waiting to see if anything happened, drawing the same conclusions as to the involvement of Tulip Lab, and eventually contacting the author of SpamInMyInbox himself, which provided them the link to the New Zealand spammer behind his particular spam messages, and those received by the BBC themselves. They further correlated that an affiliate program known as GenBucks had several connections to Tulip Lab and Elite Herbal.

They also directly contacted Shane Atkinson, asking why he had spammed them and others. Atkinson answered that he was a spammer in the past, but claimed that "we've closed all that down years ago", before abruptly ending the interview.

The next day, law enforcement in Christchurch, New Zealand performed a raid on four addresses and "seized 22 computers and boxes of documents ... as it investigates an international spamming operation". [scoop.co.nz]

This harsh spotlight has recently caused the spammers behind this setup to hide like a bunch of cockroaches. The day after the BBC investigation aired, the author of SpamInMyInbox was told by the BBC that Tulip Lab was apparently going to sue him for what they claimed to be "harassment" (likely related to the numerous unanswered inquiries which pretty much anybody would like an answer to: why are they still spamming everybody? Why do they condone spamming? Why do they allow it to happen in such high volume for one specific product of theirs? Etc.)

This ruffled some feathers over on BulkerForum.biz. One member named "icanspam" posted a link to the story, and made the same assumption that the BBC did: that Shane Atkinson was the spammer behind this particular spate of annoying Elite Herbal spam runs. This caused other bulkerforum members to pipe up, and several of them were definitely in some distress concerning what appeared to be the exposure and shutdown of the Elite Herbal program run by Sancash. Some excerpts:

TOPIC: SANCASH.. What's going on ?
mic141414

Joined: 12 Jul 2007
Posts: 37
Posted: Thu Dec 20, 2007 8:19 am
Post subject: SANCASH.. What's going on ?

they are offline .. been like that the last 3-4 days.
Commissions NOT paid this week.

Anyone has news on that ??

I am a little worried for my $$
thanks


In the thread: General Talks: raided suspected spammers in Christchurch:

ubuntu

Joined: 06 Feb 2007
Posts: 12

Posted: Thu Dec 20, 2007 10:26 am
Post subject:

not sure if this is sancash

this is related to this audition.. and hmm.. looks like GB...

http://www.bbc.co.uk/radio4/theinvestigation/pip/uvboh/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

jhood

Joined: 23 Oct 2006
Posts: 151

Posted: Thu Dec 20, 2007 11:51 am
Post subject:

thanks for link ubuntu..

eliteherbal/manster IS SanCash

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

icanspam

Joined: 10 Aug 2007
Posts: 52

Posted: Thu Dec 20, 2007 2:22 pm
Post subject:

SA?

Shane Atkinson, bro.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

mail4spart

Joined: 15 Sep 2006
Posts: 33

Posted: Thu Dec 20, 2007 5:18 pm
Post subject:

I know Shane is a straight up guy and doesn't deserve all this heat. I hope he can survive this like he did last time he came under a lot of heat before him and his brother. He has been running a smart business for a long time and looks after his people and if he has to shut down the biz there will be many affiliates affected and unpaid.


I guess, in spammer talk, "smart business" translates to: "violating court orders to promote fake products illegally using botnets" because that's precisely what Shane Atkinson was doing.

I checked moments after those postings were made, and the domain sancash.com was unresponsive (and still is.) Suddenly, I saw no spam whatsoever for Elite Herbal. All of a sudden. Just like that. Instead, the spammer who's chosen to keep sending to my control account had switched to stock spam. Many other rather sudden changes also ensued, all very much noticed by SpamInMyInbox in further investigations he pursued, all posted on his blog. It was clear that whoever was responsible for this spam specifically wanted to suddenly and completely remove any trace of connection between Sancash, GenBucks, Elite Herbal and Tulip Lab. It struck me (and others) as a rather clumsy and desperate move.

It's worth mentioning that this is not the first time I and others have investigated and taken action against this group of companies. In November 2006, I and several colleagues performed our own investigation into the operation of several spamvertised sites promoting a bogus product known at that time as "Spur-M". We discovered that they used a third-party back-end server, hosted and owned by GenBucks, for the processing of credit card orders. We also noticed quite a bit of correlation between the domains registered for the Spur-M websites and the GenBucks affiliate program.

The same day, I created what became known as "The Spur-M-Enator™", which allowed several thousand automated, believable, and completely fake orders to be placed at these back-end servers. I released it to a handful of colleagues and we all left it running in the background for several hours.

This definitely made them mad, but never once did they stop spamming us. We increased the volume of fake orders per hour, which we know for a fact cost them a considerable amount of time in processing and verifying the orders themselves. We could tell they were upset by this because the back-end servers had previously never output anything. Now they were outputting a bogus message about how our hard drives had been completely downloaded, or some such nonsense. It didn't stop us. What did stop, after a few days, was any spam - or indeed any mention - of Spur-M as a product. Instead all such spam runs were focused on stock spam, a trend we have noticed they fall back on when something isn't going as planned.

They later created "ManXL" and "Manster" as replacement names for "Spur-M". In the BBC investigation, the label on the bottle which was eventually received from Elite Herbal said that the product was actually called "Manster." That definitely connected more dots for us, and confirmed that for two straight years now, we'd made it difficult for this pernicious operation to profit from relentless spamming. I should hope that this has cost them considerable effort and lost profits, and that further arrests will be forthcoming.

Over the holidays I noticed that all such "Elite Herbal" spam has now been replaced either with more stock spam, or with spam initially promoting "Express Herbal" and then later "VPXL", yet another so-called penis enlargement herbal remedy (though the header banners on these sites actually still say "Express Herbal". They can't seem to focus much.) The cycle repeats again, apparently.

This is very obviously the same criminal group, and the shutdown of Shane Atkinson's operation has clearly not diminished the amount of spam I continue to receive for this particular product. As happy as I am (and many others are) to see the death of the Elite Herbal "brand", it doesn't appear to be diminishing any of this bogus "herbal remedy" spam at all.

In the days following the raid, SpamInMyInbox dug even deeper into what he had discovered on Tulip Lab and GenBucks. I'll leave you to read it for yourself, but trust me: it's outstanding research, and it makes it even clearer just how guilty all of these parties are in perpetrating illegal spamming of an unwanted product to the world at large.

I and others are determined to find out who, specifically, is continuing to flood our inboxes with this scourge, and will continue to assist law enforcement in finding and shutting down every last one of these malicious criminals.

Tulip Lab and GenBucks: get the message. We hate you. We hate your "products" and we hate the fact that you seem to employ ONLY illegal spammers to do your promotions for you. Your days are numbered. Count on it.

SiL

Wednesday, December 19, 2007

2007: A Very Bad Year For Illegal Spammers

2007 is winding down, and I thought I'd take a moment to list just how many big achievements came from the dedicated research and hard work of all the members of the numerous anti-spam forums such as KillSpammers and CastleCops, and organizations such as Spamhaus, the FBI Cybercrime Division, the i-Law Group, IronPort, SecureWorks, Shadowserver, F-Secure and countless others. Just look at how many large-scale arrests, convictions, and media stories regarding cybercrime and illegal spamming came about in the past twelve months.

In this synopsis I will make reference to several key members of what once was the Kill Spammers forum, which was DDOS'd out of existence in August 2007. The loss of that forum has absolutely not diminished or impeded the continued efforts of its members, all of whom continue to investigate and report all manner of illegal spamming, server hijacking and botnet operation. If anything it has only led to more and more of us banding together via other means.

Make yourself some hot chocolate and join me in a look back at 2007, the worst year so far for any illegal spammers out there.

January 2007:


  • Chris "Rizler" Smith is sentenced to 30 years in prison for drug trafficking, witness tampering and illegal spamming practices.

  • Many members of the KillSpammers forum report on an illegal / fake charity known as "Save Childs". It appears to be related to a spate of spam for both Discount Pharmacy (Vincent Chan) and My Canadian Pharmacy (Yambo.) After reporting their multiple spammed addresses to law enforcement agencies and hosting companies, all of the sites are eventually shut down.



February 2007:


  • Spaminator creates the spamwiki. SiL creates a lengthy report on My Canadian Pharmacy based on a lengthier report which was already widely circulated to many security companies and law enforcement agencies around the world. Red Dwarf writes and updates numerous sections. A crucial tool for collecting and exposing evidence is made. Law enforcement and Spamhaus eventually take notice.



March 2007:


  • The Vancouver Sun (among many others) publishes a story about the death of Marcia Bergeron of Quadra Island, BC due to fake drugs purchased from a spamvertised source.

  • SiL begins performing research on the Yambo sites in assistance of the i-Law Group (Jon Praed) and IronPort (Patrick Peterson.) His research and other data are eventually used in a web seminar covering the A to Z of the My Canadian Pharmacy spam group (Yambo Financials), including an in-depth look at their supply chain processes, message dissemination, botnet size and implementation, and server hijacks.

  • The SEC suspends trading on 35 spamvertised stock symbols in Operation Spamalot. 14 of the stocks are traceable to Vancouver stock traders. International law enforcement is given huge amounts of data on these companies and the illicit trading manipulation that took place.



April 2007:


  • After being inundated with spam for Discount Pharmacy, SiL decides to write a synopsis about their known functionality and operations. AlphaCentauri and Red Dwarf assist greatly.

  • ILoveCrapfloods creates FsckChickenboners! (a bot for crapflooding spammers' forms) It slowly gains a following and is refined and modified throughout the year, sending thousands of fake orders to illegal pharmacy and replica watch sites, resulting in wasted time and lost profits for several illegally promoted websites selling counterfeit products.



May 2007:


  • Renowned bulkerforum member and proxy reseller mcproxy retires from the spam and proxy reselling business after nearly having his personal data exposed by spam-court.com. This indicates that the research posted on that blog is very much on the right track and leads to a lot of illegal DDOS activity against that site on behalf of members of BulkerForum.

  • Notorious repeat spammer Robert Alan Soloway is arrested in Seattle after a federal grand jury indicts him on 35 charges ranging from wire fraud to identity theft. The case against him is ongoing and he remains in prison in Seattle pending commencement of the trial.

  • The country of Estonia has its entire computer infrastructure come under a massive DDOS attack. Everything from train schedules to utilities and banking is completely knocked off the grid for several days. The investigation into this attack is still ongoing and is thought to lead to Russian and Ukrainian sources. Several rumors floated around at this time that the Russian government itself was behind these attacks. None of this has been proven. This event has the effect of raising awareness of DDOS attacks and the criminal groups behind them.



June 2007:


  • SiL posts a lengthy description of the illegal activities of Nick Danger / Marion Lynn to the newsgroup NANAE.

  • AlphaCentauri and SiL begin a coordinated series of reports regarding the Discount Pharmacy hijack of Windows 2000 / 2003 servers. This results in the eventual shutdown (or cleanup) of several hundred hijacked servers and a great deal more data on the process by which Windows servers were hijacked on behalf of Vincent Chan. We eventually see a complete stop in any spam runs for this spamvertised product line around August of 2007.

  • Darrel and Jack Uselton are arrested for "hijacking personal computers across the country to send mass e-mails and inflate prices on at least 13 stocks."



July 2007:


  • SiL is interviewed in Forbes Magazine for an article about Patrick Peterson from Ironport Systems. The article covers Peterson's investigation of the My Canadian Pharmacy operation, run by Yambo Financials.

  • E360 files numerous motions against Spamhaus for labelling them as spammers. All of these charges would later be either withdrawn or dismissed.

  • The FBI's Operation Bot Roast identifies over one million computers as being under the control of illegal botnets. This is the first of two such investigations which later results in several arrests directly related to illegal hacking and owning or operating botnets generally.



August 2007:


  • Several anti-spam and anti-fraud websites come under a huge, unrelenting DDOS attack. Sites attacked include the Kill Spammers forum (whose domain has remained down since then,) CastleCops, 419eater, thescambaiter, and countless others. Kill Spammers operator KyferEz mitigates the attack on the KS forum to the best of his abilities, but the domain eventually folds. Several of us take up temporary residence in CastleCops (many of us stay active there also.) The criminals behind these attacks idiotically think this will slow us down.

  • In what is arguably one of the bigger blows against spammers everywhere, Red Dwarf introduces his diabolical Complainterator™ application for the automated reporting of illegally hosted domains. Over the next several months, several people start using it and it undergoes numerous upgrades and improvements. Use of this tool leads to even some of the most unresponsive domain registrars taking notice and removing several thousand offensive domains from their registries.

  • Members of the CastleCops Phishing Incident Reporting and Termination Squad (PIRT) as well as their other Termination Squads for spam (SIRT) and malware (MIRT) begin joining the KillSpammers forum.

  • Red Dwarf releases the AutoSA application for automated reporting of malware, phishing and spamming sites to SiteAdvisor. He inevitably gets several other sites to provide extended services for users of this tool, notably dnsstuff.



September 2007:


  • Red Dwarf begins automating a method of monitoring, researching, collating and ultimately reporting the existence of hijacked PCs using what would eventually become the Botnet scanner. Over a few months he single-handedly reports several tens of thousands of infected IPs, resulting in a more significant response from ISPs than most of us probably expected.



October 2007:


  • Several news stories from October to November 2007 track the Russian Business Network (RBN), exposing its ties to Russian politicians, their multiple shifts in locations from Russia to China to disappearing completely, and interviewing its so-called representative.

  • Porn spammers Jeffrey Kilbride and James Schaffer are sentenced to five years in prison, convicted of "conspiracy, money laundering, fraud, and transportation of obscene materials".

  • Greg King, 21, of Fairfield, California is arrested for performing a DDOS attack on CastleCops in February of 2006. He faces a maximum sentence of ten years in prison and a $250,000 (USD) fine.



November 2007:


  • Spaminator creates numerous international domains for the spam wiki and attempts (where possible) to get several large-scale sections of it translated and duplicated into these mirror sites. This proves to be very helpful in its use as evidence against illegal spam operations, and leads to big changes at several previously spammer-friendly domain registrars.

  • Marion Lynn creates a blog (spamgossip.blogspot.com) which exposes the identity of several known, high-level spammers who were members of bulkerforum.biz, including Phantom (Norman Holmes), Lizza (Steve Joseph), Dollar (Christopher Brown), Dave (David Oleg Barsky), bigjohnson (Igor Shaposhnikov) and others. Notable omissions are Crypto and moneyminters. It's unclear what prompted this sudden need to tell the world about the identity of these spammers, but he did it. SiL works with members of Spamhaus in collecting whatever is posted on spamgossip, sending it back to them (and law enforcement), and correlating it to the already massive amount of collected information on the members of bulkerforum.biz.

  • While we're at it: several other members of bulkerforum.biz begin exposing each other in a spate of scammer outcries on the forum. We didn't even have to do anything.

  • SiL transcribes a lot of the content from the spamgossip blog into his own blog (which you are now reading) which has the curious effect of reaching higher page ranks than Marion's blog. Marion later takes down quite a bit of personal data without any explanation.

  • Jason Michael Downey is arrested for running a botnet consisting of 6,000 compromised PCs.

  • New Zealand law enforcement break up a major international botnet and arrest its ringleader.



December 2007:


  • The FBI's Operation Bot Roast II results in the arrests of 8 individuals who owned or operated large-scale criminal botnets.

  • Secureworks investigates spamming runs in relation to US presidential candidate Ron Paul and discovers a connection with known porn spammer and botnet operator "nenastnyj", aka Andrew Nenastnyj, known on bulkerforum as "Nena".

  • Justin Daniel Medlin is sentenced to 72 months in prison in connection with pump-and-dump stock spam runs he committed during 2004.

  • Akhil Bansal is sentenced to thirty years in prison for illegally distributing medications without any prescription. This followed a lengthy investigation dubbed "Operation Cyberchase", documented in a multi-part investigative series in the Philadelphia Inquirer.

  • BBC 4's "The Investigation" does some digging into the group behind the rampant spam for "Elite Herbals", leading to a very thorough investigation of GenBucks, Tulip Lab, and one of their spammers, Shane Atkinson. The burgeoning anti-spam blog Spam In My Inbox is also consulted for this story, and much of its evidence matches that of the BBC. This eventually leads to a police raid in Christchurch, New Zealand, resulting in the seizure of "22 computers and boxes of documents from four Christchurch addresses", including that of Atkinson.



Definitely a very active year for people who fight online crime in all its facets, and absolutely a very bad year for illegal spammers.

This kind of activity will only continue. As long as people like myself continue to be on the receiving end of unwanted illegal spam from asshole criminals like the ones listed above, we'll continue to do everything we can to get to the bottom of it. There is a difference between general commercial email and spam for products that are illicit, fake, counterfeit, or outright illegal - and in some cases lethal. We are not going to stand for this any longer, and this year's numerous arrests prove that.

SiL / IKS / concerned citizen

Friday, December 14, 2007

Elite Herbal Exposed by BBC4, Blogger

Another quick one. Another intrepid investigator of illegal spammers, Spam In My Inbox, has joined the BBC in investigating the cretins behind the endless flood of unwanted "Elite Herbal" spam, drawing direct links between the Elite Herbal spam type, the GenBucks affiliate program, Tulip Labs in Mumbai, India (who create and ship the bogus "herbal remedies") and the actual spammer who hit the send button: Shane Atkinson of New Zealand.

It's a fascinating story and has apparently led to several new investigations.

You can listen to the show, BBC4's "The Investigation", here.

I have created a temporary download of an mp3 podcast of the show here, and I also created a complete transcript of the show here.

You can read SpamInMyInBox's response to the show here.

This is great news regarding this widely reviled group.

SiL / IKS