Thursday, December 27, 2007

Elite Herbal, GenBucks, SanCash and Tulip Labs

Happy Holidays.

There was a flurry of activity in the weeks of December before the Xmas holiday. I saw a lot of diligent reporting of the activities of what is arguably the most annoying and least-compliant illegal spam operation in the world today: The mailers of the pernicious "Elite Herbal" penis enlargement herbal remedy products.

If you have an email address at all, of any sort, whether you've ever given it out to anyone or not: you've more than likely seen this spam, though fortunately most of it ends up where it belongs, in the junk folder. This doesn't stop the spammers behind this "product" from sending multiple copies of the same messages every single day to you.

Elite Herbal is one of a batch of products promoted via what is known as the SanCash program, a spammer affiliate program sponsored by members Sancash and Azzy. Several members of are active mailers for that program, notably "Moneyminters", a non-compliant mailer going back several months now at least.

Starting in July of 2007, the spam research blog Spam In My Inbox began investigating who was behind the relentlessly high volumes of spam he continued to receive for this unwanted product. He did quite a bit of due diligence and appears to have been very forthright in trying to find specific contact information for who was behind Elite Herbal itself. All initial contact was ignored (of course) whenever posted via one of the spamvertised fly-by-night websites.

He discovered that IP addresses associated with the spammed websites belonged to a company claiming to be called "Tulip Lab Pvt. Ltd.", located in Mumbai, India. He attempted to contact them regarding the mountains of unwanted spam emails. He never once received any kind of response.

Using some clever technological tricks, he entered an order into one of the spamvertised sites, but while doing so he carefully also entered some tracking code of his own (I'm not privy to what he specifically did, but I have my own theories.) This meant that any computer which viewed his order would report back to him regarding its IP address. He reported on this on July 4th, 2007, stating that it was an IP address belonging to a DSL Internet provider known as iHug (now a division of Vodafone), located in New Zealand. He complained to iHug and provided his evidence. They took action and investigated the offending account, eventually shutting it down. That IP address turned out to be directly related to one Shane Atkinson, a spammer who has been uncovered at least once (back in 2003) and who had claimed to have given up spamming altogether.

He also noticed that an IP address belonging to Tulip Lab also viewed his order. He documented all of this.

In August, 2007, the spam runs for Elite Herbal intensified. I myself noticed an increase from the usual 14 - 22 messages a day which were received to my control monitoring account, to upwards of 24 - 33 per day, all promoting only Elite Herbal.

In September, SpamInMyInbox wrote an open letter to Tulip Lab and those who supported them. He asked why they continue to allow spammers to promote their "products", and asked for verification as to what the correlation was of the Tulip Lab IP address to the order he placed. He sent an email version of that open letter to the operators of Tulip Lab, cc'ing numerous India-based media outlets and newspapers, and the Pharmaceuticals Export Promotion Council in India, of which Tulip Lab was a member.

Nothing happened for a while after that, but the spam maintained its ridiculously high numbers on a daily basis.

Then in December, the BBC4 program "The Investigation" hosted by Simon Cox aired a half hour program which investigated this exact same rampant spam operation. Since it was the BBC, it appears that they got deeper access than an average individual would otherwise get. They took all the same steps as SpamInMyInbox did - placing an order, waiting to see if anything happened, drawing the same conclusions as to the involvement of Tulip Lab, and eventually contacting the author of SpamInMyInbox himself, which provided them the link to the New Zealand spammer behind his particular spam messages, and those received by the BBC themselves. They further correlated that an affiliate program known as GenBucks had several connections to Tulip Lab and Elite Herbal.

They also directly contacted Shane Atkinson, asking why he had spammed them and others. Atkinson answered that he was a spammer in the past, but claimed that "we've closed all that down years ago", before abruptly ending the interview.

The next day, law enforcement in Christchurch, New Zealand performed a raid on four addresses and "seized 22 computers and boxes of documents ... as it investigates an international spamming operation".

This harsh spotlight has recently caused the spammers behind this setup to hide like a bunch of cockroaches. The day after the BBC investigation aired, the author of SpamInMyInbox was told by the BBC that Tulip Lab was apparently going to sue him for what they claimed to be "harassment" (likely related to the numerous unanswered inquiries which pretty much anybody would like an answer to: why are they still spamming everybody? Why do they condone spamming? Why do they allow it to happen in such high volume related to one specific product of theirs? Etc.?)

This ruffled some feathers over on One member named "icanspam" posted a link to the story, and made the same assumption that the BBC did: that Shane Atkinson was the spammer behind this particular spate of annoying Elite Herbal spam runs. This caused other bulkerforum members to pipe up, and several of them were definitely in some distress concerning what appeared to be the exposition and shutdown of the Elite Herbal program run by Sancash. Some excerpts:

TOPIC: SANCASH.. What's going on ?

Joined: 12 Jul 2007
Posts: 37
Posted: Thu Dec 20, 2007 8:19 am
Post subject: SANCASH.. What's going on ?

they are offline .. been like that the last 3-4 days.
Commissions NOT paid this week.

Anyone has news on that ??

I am a little worried for my $$

In the thread: General Talks: raided suspected spammers in Christchurch:


Joined: 06 Feb 2007
Posts: 12

Posted: Thu Dec 20, 2007 10:26 am
Post subject:

not sure if this is sancash

this is related to this audition.. and hmm.. looks like GB...



Joined: 23 Oct 2006
Posts: 151

Posted: Thu Dec 20, 2007 11:51 am
Post subject:

thanks for link ubuntu..

eliteherbal/manster IS SanCash



Joined: 10 Aug 2007
Posts: 52

Posted: Thu Dec 20, 2007 2:22 pm
Post subject:


Shane Atkinson, bro.



Joined: 15 Sep 2006
Posts: 33

Posted: Thu Dec 20, 2007 5:18 pm
Post subject:

I know Shane is a straight up guy and doesn't deserve all this heat. I hope he can survive this like he did last time he came under a lot of heat before him and his brother. He has been running a smart business for a long time and looks after his people and if he has to shut down the biz there will be many affiliates affected and unpaid.

I guess, in spammer talk, "smart business" translates to: "violating court orders to promote fake products illegally using botnets" because that's precisely what Shane Atkinson was doing.

I checked moments after those postings were made, and the domain was unresponsive (and still is.) Suddenly, I saw no spam whatsoever for Elite Herbal. All of a sudden. Just like that. Instead, the spammer who's chosen to keep sending to my control account had switched to stock spam. Many other rather sudden changes also ensued, all very much noticed by SpamInMyInbox in further investigations he pursued, all posted on his blog. It was clear that whoever was responsible for this spam specifically wanted to suddenly and completely remove any trace of connection between Sancash, GenBucks, Elite Herbal and Tulip Lab. It struck me (and others) as a rather clumsy and desperate move.

It's worth mentioning that this is not the first time I and others have investigated and taken action against this group of companies. Last November, in 2006, I and several colleagues performed our own investigation into the operation of several spamvertised sites promoting a bogus product known at that time as "Spur-M". We discovered that they used a third-party back-end server, hosted and owned by GenBucks, for the processing of credit card orders. We also noticed quite a bit of correlation between the domains registered for the Spur-M websites and the GenBucks affiliate program.

The same day, I created what became known as "The Spur-M-Enator™" which allowed for several thousand automated, believable, and completely fake orders to be placed at these back end servers. I released it to a handful of colleagues and we all left it running in the background for several hours.

This definitely made them mad, but never once did they stop spamming us. We increased the volume of fake orders per hour, which we know for a fact caused them to lose a considerable amount of time in processing and verifying the orders themselves. We could tell they were upset by this because the back end servers previously never output anything. Now they were outputting a bogus message about how our hard drives had been completely downloaded, or some such nonsense. It didn't stop us. What did stop, after a few days, was any spam - or indeed any mention - of Spur-M as a product. Instead all such spam numbers were focused on stock spam, a trend we notice they tend to fall back on when something isn't going as planned.

They later created "ManXL" and "Manster" as the replacement name for "Spur-M". In the BBC investigation, the label on the bottle which was eventually received from Elite Herbal said that the product was actually called "Manster." That definitely connected more dots for us, and confirmed that for two straight years now, we'd made it difficult for this pernicious operation to profit from relentless spamming. I should hope that this has cost them considerable effort and lost profits, and that further arrests will be forthcoming.

Over the holidays I noticed that all such "Elite Herbal" spam has now been replaced either with more Stock Spam, or spam initially promoting "Express Herbal" and then later "VPXL", yet another so-called Penis Enlargement herbal remedy (though the header banners on these sites actually still say "Express Herbal". They can't seem to focus much.) The cycle repeats again, apparently.

This is very obviously the same criminal group, and the shutdown of Shane Atkinson's operation has clearly not diminished the amount of spam I continue to receive for this particular product. As happy as I am (and many others are) to see the death of the Elite Herbal "brand", it doesn't appear to be diminishing any of this bogus "herbal remedy" spam at all.

In the days following the raid, SpamInMyInbox dug even deeper into what he had discovered on Tulip Lab and GenBucks. I'll leave you to read it for yourself, but trust me: it's outstanding research, and makes it even clearer just how guilty all of these parties are in perpetrating illegal spamming of an unwanted product to the world at large.

I and others are determined to find out who, specifically, is continuing to flood our inboxes with this scourge, and will continue to assist law enforcement in finding and shutting down every last one of these malicious criminals.

Tulip Lab and GenBucks: get the message. We hate you. We hate your "products" and we hate the fact that you seem to employ ONLY illegal spammers to do your promotions for you. Your days are numbered. Count on it.


Wednesday, December 19, 2007

2007: A Very Bad Year For Illegal Spammers

2007 is winding down, and I thought I'd take a moment to list just how many big achievements were met by the dedicated research and hard work of all the members of the numerous anti-spam forums such as KillSpammers and CastleCops, and organizations such as SpamHaus, the FBI Cybercrime Division, the i-Law Group, IronPort, SecureWorks, Shadowserver, F-Secure and countless others. Just look at how many large-scale arrests, convictions, and media stories regarding cybercrime and illegal spamming came about in the past twelve months.

In this synopsis I will make reference to several key members of what once was the Kill Spammers forum which was DDOS'd out of existence in August, 2007. The loss of that forum has absolutely not diminished or impeded the continued efforts of its members, all of whom continue to investigate and report all manner of illegal spamming, server hijacking and botnet operation. If anything it's only led to more and more of us banding together via other means.

Make yourself some hot chocolate and join me in a look back at 2007, the worst year so far for any illegal spammers out there.

January 2007:

  • Chris "Rizler" Smith is sentenced to 30 years in prison for drug trafficking, witness tampering and illegal spamming practices.

  • Many members of the KillSpammers forum report on an illegal / fake charity known as "Save Childs". It appears to be related to a spate of spam for both Discount Pharmacy (Vincent Chan) and My Canadian Pharmacy (Yambo.) After reporting their multiple spammed addresses to law enforcement agencies and hosting companies, all of the sites are eventually shut down.

February 2007:

  • Spaminator creates the spamwiki. SiL creates a lengthy report on My Canadian Pharmacy based on a lengthier report which was already widely circulated to many security companies and law enforcement agencies around the world. Red Dwarf writes and updates numerous sections. A crucial tool for collecting and exposing evidence is made. Law Enforcement and Spamhaus eventually take notice.

March 2007:

  • The Vancouver Sun (among many others) publishes a story about the death of Marcia Bergeron of Quadra Island, BC due to fake drugs purchased from a spamvertised source.

  • SiL begins performing research on the Yambo sites in assistance of the i-law group (Jon Praed) and IronPort (Patrick Peterson.) His research and other data are eventually used in a web seminar covering the a-z of the My Canadian Pharmacy spam group (Yambo Financials) including an in-depth look at their supply chain processes, message dissemination, botnet size and implementation, and server hijacks.

  • The SEC suspends trading on 35 spamvertised stock symbols in Operation Spamalot. 14 of the stocks are traceable to Vancouver stock traders. International law enforcement is given huge amounts of data on these companies and the illicit trading manipulation that took place.

April 2007:

  • After being inundated with spam for Discount Pharmacy, SiL decides to write a synopsis about their known functionality and operations. AlphaCentauri and Red Dwarf assist greatly.

  • ILoveCrapfloods creates FsckChickenboners! (a bot for crapflooding spammers' forms) It slowly gains a following and is refined and modified throughout the year, sending thousands of fake orders to illegal pharmacy and replica watch sites, resulting in wasted time and lost profits for several illegally promoted websites selling counterfeit products.

May 2007:

  • Renowned bulkerforum member and proxy reseller mcproxy retires from the spam and proxy reselling business after nearly having his personal data exposed by This indicates that the research posted on that blog is very much on the right track and leads to a lot of illegal DDOS activity against that site on behalf of members of BulkerForum.

  • Notorious repeat spammer Robert Alan Soloway is arrested in Seattle after a federal grand jury indicts him on 35 charges ranging from wire fraud to identity theft. The lawsuit against him is ongoing and he remains in prison in Seattle pending commencement of the trial.

  • The country of Estonia has its entire computer infrastructure come under a massive DDOS attack. Everything from train schedules to utilities and banking is completely knocked off the grid for several days. The investigation into this attack is still ongoing and thought to lead to Russian and Ukrainian sources. Several rumors floated around at this time that the Russian government itself was behind these attacks. None of this has been proven. This event has the effect of raising the awareness of DDOS attacks and the criminal groups behind them.

June 2007:

  • SiL posts a lengthy description of the illegal activities of Nick Danger / Marion Lynn to the newsgroup NANAE.

  • AlphaCentauri and SiL begin a coordinated series of reports regarding the Discount Pharmacy hijack of Windows 2000 / 2003 servers. This results in the eventual shut down (or cleanup) of several hundred hijacked servers and a great deal more data on the hijacking process for Windows servers on behalf of Vincent Chan. We eventually see a complete stop in any spam runs for this spamvertised product line around August of 2007.

  • Darrel and Jack Uselton are arrested for "hijacking personal computers across the country to send mass e-mails and inflate prices on at least 13 stocks."

July 2007:

  • SiL is interviewed in Forbes Magazine for an article about Patrick Peterson from Ironport Systems. The article covers Peterson's investigation of the My Canadian Pharmacy operation, run by Yambo Financials.

  • E360 files numerous motions against Spamhaus for labelling them as spammers. All of these charges would later be either withdrawn or dismissed.

  • The FBI's Operation Bot Roast identifies over one million computers as being under the control of illegal botnets. This is the first of two such investigations which later results in several arrests directly related to illegal hacking and owning or operating botnets generally.

August 2007:

  • Several anti-spam and anti-fraud websites come under a huge, unrelenting DDOS attack. Sites attacked include the Kill Spammers forum (whose domain has remained down since then,) CastleCops, 419eater, thescambaiter, and countless others. Kill Spammers operator KyferEz mitigates the attack on the KS forum to the best of his abilities, but the domain eventually folds. Several of us take up temporary residence in CastleCops (many of us stay active there also.) The criminals behind these attacks idiotically think this will slow us down.

  • In what is arguably one of the bigger blows against spammers everywhere, Red Dwarf introduces his diabolical Complainterator™ application for the automated reporting of illegally hosted domains. Over the next several months, several people start using it and it undergoes numerous upgrades and improvements. Use of this tool leads to even some of the more highly unresponsive domain registrars taking notice and removing several thousand offensive domains from their registries.

  • Members of the CastleCops Phishing Incident Reporting and Termination Squad (PIRT) as well as their other Termination Squads for spam (SIRT) and malware (MIRT) begin joining the KillSpammers forum.

  • Red Dwarf releases the AutoSA application for automated reporting of malware phishing and spamming sites to Site Advisor. He inevitably gets several other sites to provide extended services for users of this tool, notably dnsstuff.

September 2007:

  • Red Dwarf begins automating a method of monitoring, researching, collating and ultimately reporting the existence of hijacked PC's using what would eventually become the Botnet scanner. Over a few months he single-handedly reports several tens of thousands of infected IP's, resulting in more of a significant response from ISP's than most of us probably expected.

October 2007:

  • Several news stories from October to November 2007 track the Russian Business Network (RBN), exposing its ties to Russian politicians, their multiple shifts in locations from Russia to China to disappearing completely, and interviewing its so-called representative.

  • Porn spammers Jeffrey Kilbride and James Schaffer are sentenced to five years in prison, convicted of "conspiracy, money laundering, fraud, and transportation of obscene materials".

  • Greg King, 21, of Fairfield California is arrested for performing a DDOS attack on CastleCops in February of 2006. He faces a maximum sentence of ten years in prison and a $250,000 (USD) fine.

November 2007:

  • Spaminator creates numerous international domains for the spam wiki and attempts (where possible) to get several large-scale sections of it translated and duplicated into these mirror sites. This proves to be very helpful in its use as evidence against illegal spam operations, and leads to big changes at several previously spammer-friendly domain registrars.

  • Marion Lynn creates a blog ( which exposes the identity of several known, high-level spammers who were members of, including Phantom (Norman Holmes), Lizza (Steve Joseph), Dollar (Christopher Brown) Dave (David Oleg Barsky), bigjohnson (Igor Shaposhnikov) and others. Notable omissions are Crypto and moneyminters. It's unclear what prompted this sudden need to tell the world about the identity of these spammers, but he did it. SiL works with members of Spamhaus in collecting whatever is posted on spamgossip and sending it back to them (and law enforcement), and correlating it to the already massive amount of collected information on the members of

  • While we're at it: several other members of begin exposing each other in a spate of scammer outcries on the forum. We didn't even have to do anything.

  • SiL transcribes a lot of the content from the spamgossip blog into his own blog (which you are now reading) which has the curious effect of reaching higher page ranks than Marion's blog. Marion later takes down quite a bit of personal data without any explanation.

  • Jason Michael Downey is arrested for running a botnet consisting of 6,000 compromised PC's.

  • New Zealand law enforcement break up a major international botnet and arrest its ringleader.

December 2007:

  • The FBI's Operation Bot Roast II results in the arrests of 8 individuals who owned or operated large-scale criminal botnets.

  • Secureworks investigates spamming runs in relation to US presidential candidate Ron Paul and discovers a connection with known porn spammer and botnet operator "nenastnyj", aka Andrew Nenastnyj, known on bulkerforum as "Nena".

  • Justin Daniel Medlin is sentenced to 72 months in prison in connection with pump-and-dump stock spam runs he committed during 2004.

  • Akhil Bansal is sentenced to thirty years in prison for illegally distributing medications without any prescription. This followed a lengthy investigation dubbed "Operation Cyberchase", documented in a multi-part investigative series in the Philadelphia Inquirer.

  • BBC 4's "The Investigation" do some digging into the group behind the rampant spam for "Elite Herbals", leading to a very thorough investigation of GenBucks, Tulip Lab, and one of their spammers, Shane Atkinson. Burgeoning illegal spam blog Spam In My Inbox is also consulted for this story, and much of his evidence matches that of the BBC. This eventually leads to a police raid in Christchurch, New Zealand, resulting in the seizure of "22 computers and boxes of documents from four Christchurch addresses", including that of Atkinson.

Definitely a very active year for people who fight online crime in all its facets, and absolutely a very bad year for illegal spammers.

This kind of activity will only continue. As long as people like myself continue to be on the receiving end of unwanted illegal spam from asshole criminals like the ones listed above, we'll continue to do everything we can to get to the bottom of it. There is a difference between general commercial email, and spam for products that are illicit, fake, counterfeit, or outright illegal - and in some cases lethal. We are not going to stand for this any longer, and this year's numerous arrests prove that.

SiL / IKS / concerned citizen

Friday, December 14, 2007

Elite Herbal Exposed by BBC4, Blogger

Another quick one. Another intrepid investigator of illegal spammers, Spam In My Inbox, has joined the BBC in investigating the cretins behind the endless flood of unwanted "Elite Herbal" spam, drawing direct links between the Elite Herbal spam type, the GenBucks affiliate program, Tulip Labs in Mumbai, India (who create and ship the bogus "herbal remedies") and the actual spammer who hit the send button: Shane Atkinson of New Zealand.

It's a fascinating story and has apparently led to several new investigations.

You can listen to the show, BBC4's "The Investigation", here.

I have created a temporary download of an mp3 podcast of the show here, and I also created a complete transcript of the show here.

You can read SpamInMyInBox's response to the show here.

This is great news regarding this widely reviled group.


Saturday, December 8, 2007

Is Phantom Really Norman Holmes?

Just a quick one since I noticed that spamgossip has vastly modified its content.

All posts referencing anything but LIZZA have been taken down!

Indeed. When did that happen, Marion? And for what reason? Someone bringing more heat than you expected?

Looks like his identification of Phantom as one Norman Holmes of Perth, Australia was probably correct, and this appears to be reflected in Phantom's complete silence on bulkerforum and most other places we'd expect to find him.

That may also mean that he's been correct about the identification of many others. How did he get this information? Who would trust an idiot like Marion Lynn with their personal data? He certainly wasn't welcome on bulkerforum for most of the time he was there, and in a relatively short span of time he managed to completely piss off most of that forum's members. I can't fathom who would openly share this kind of data with him, but clearly whoever they were: they were successful in providing a ton of evidence to the completely wrong guy. (It's apparent that a lot of the info came from Lizza aka Steve Joseph, as evidenced in the remaining AIM chat transcripts, but there must have been others, as this info paints a far from complete picture on its own.)

This whole thing looks fishy, and in the grand scheme of things proves that no real heavy hitters were actively posting on bulkerforum anyway.

Phantom's last posting in the public areas of bulkerforum back on Nov. 15th was mostly a whiny rant about Nick Danger and his original posting on the NANAE newsgroup. He further alleges that Marion Lynn is now guilty of computer hacking. That's a pretty ridiculous conclusion to come to, Norm. :) We all know that Marion's computer expertise does not extend beyond the most basic workings of frikkin' AOL for christ's sake.

Anyway it's interesting, and I'm certain that I'm not the only one who has noticed this stunned silence from the bulk (get it?) of bulkerforum members.

You may have heard about the scads of recent arrests of individuals involved in botnet ownership and operation, theft of personal data and credit card fraud just in the past two weeks. This has been a banner year for cracking down on the scum that continue to send everyone illegally propagated spam messages to people who don't want them, promoting products which are not only unwanted by 99.99999% of its recipients but are also fraudulent, counterfeit, and in some cases fatal. I fully expect to see more arrests in the coming months, and who knows: maybe we'll see a Mr. Norman Holmes behind bars for enabling so many mailers to illegally use services which are not theirs for the propagation of illegal spam using his infamous WarpSpeedMailer software.

The old adage is true that whenever you shine a light on a bunch of cockroaches, they scatter and hide in record time. Spammers, apparently, are absolutely no different.

SiL / IKS / concerned citizen

P.S. Of course I and many others have complete sequential backups of spamgossip including all of the personal data which was posted regarding Norm Holmes and others. I won't repost all of it here just yet, but it's definitely still out there. Also: that original NANAE posting and several others still contain this same information including all of the images of his household, the location of his house, and his god-awful taste in furniture and upholstery. None of that is going away anytime soon.

Friday, December 7, 2007

Fake Diplomas Are Illegal

Many people wonder what the deal is with ridiculous spam messages such as these:

F A S T T R A C K D E G R E E P R O G R A M Obtain the degree you=
deserve, based on your present knowledge and life experience. A prospero=
us future, money earning power, and the Admiration of all. Degrees from a=
n Established, Prestigious, Leading Institution. Your Degree will show ex=
actly what you really can do. Get the Job, Promotion, Business Opportunit=
y and Social Advancement you Desire! Eliminates classrooms and traveling.=
Achieve your Bachelors, Masters, MBA, or PhDin the field of your experti=
se Professional and affordable Call now - your Graduation is a phone call=
away. Please call:1-206-888-2083

This is what's referred to as "Diploma Mill" spam. If it sounds shady, that's because it is. In fact it's 100% illegal to sell fake diplomas, and more importantly it's a crime to represent yourself as having earned such a degree when applying for work.

The spam operation works like this:

- A sponsor handles the printing and shipping of the fake diplomas.
- Sponsor contacts spammers / mailers in the hopes of drumming up leads
- Spammer sends a message to millions of recipients (who probably, like me, don't want them)
- Inevitably one or two of them call the number, which is a voicemail prompt which reads as follows (for the number above, anyway - it varies):

Thank you for calling the university degree program. After the tone, please leave your name and two telephone numbers. One where you can be reached during the daytime hours and one for evenings.

Please do speak clearly after the tone. One of the registrars will be in touch with you shortly. Thank you and have a nice day.

From there, the spammer provides your voicemail response to the diploma sponsor. Lately that process has become a bit more labor intensive for the spammer, since (of course) so many people DON'T want to be contacted regarding this so-called "offer." As a result, several angry recipients of these emails have left voicemails in the hopes of tracking down who is behind them. This leads to issues for the spammer, who previously used to just hand over the voicemails only to be told by a pissed-off diploma sponsor that 4 out of 5 of the calls were angry complaints, or legitimate sounding responses that led to an angry person at the other end of the phone when it came time to reel them in.

So now the spammers have to filter out the complainers from the legitimate people who want to illegally purchase their fake diplomas.

[Image: An example of a fake diploma]

You'll notice that they word the voicemail in such a way as to indicate that you're undergoing some University-style admissions process. In reality this is, as one might expect, a purely commercial process. You want the piece of paper. They want your money. No background check takes place. No school transcripts of any sort are required. All you need is a credit card and an address to ship the phony diploma to. And you're done.

The hazards involved with this flatly illegal practice should be obvious to anyone. Would you trust any new doctor with a diploma on their wall if you were aware that any percentage of real people actively spend their money on these documents? Would you trust a new hire in any field if they presented you with this document as evidence of their expertise? Would you trust a contractor to make any repairs or modifications to your property if they claimed to have a degree or diploma claiming their excellence at what they do?

This kind of fraudulent representation has already happened, and led to some horrifying consequences. In 2003 one Laurence Perry was convicted of manslaughter. He took an 8 year old girl off her insulin and she died. Later, it was discovered that he represented himself with fake medical degrees. That's an old story, so in all likelihood he's out of jail by now.

A similar story unfolded as recently as a week ago, when "Doctor" John Curran was convicted of wire fraud and money laundering, after he "treated" 18 year old Taylor Alves in 2002 for terminal ovarian cancer. He basically ruined her life, which was already in jeopardy after such a crushing diagnosis. He's behind bars for 12 years.

Certainly it's not only medical degrees or MBAs which are on offer from these operations.

The sponsors behind these illegal documents treat it as though it's any other product. One member of (among numerous others) who goes by the name of "Princess" is clearly very experienced in this field. She posted the following back in October of 2007, and apparently generated quite a bit of interest:

Topic: Mailers needed


Joined: 15 Sep 2006
Posts: 25

Posted: Thu Oct 04, 2007 2:24 pm
Post subject: Mailers needed

Hi all.
for those who do not already know :)
I Sponsor a University program.
I am looking for more mailers to join our mailing group because my program is expanding.
A leads related program.
Pay starts at $18 to $20 depending on volume, for a good lead.

Q: What is a good lead?
A: A person who responds to your non URL ads who calls the phone number and leaves his contact information with a working phone number. It's so simple just too good to be true.

I use a non URL ad that works through an email voice mail system, there is a phone number in our ads.
Only USA or Canada leads needed.
A qualified Mailer should be able to generate at least 10-20 good leads per day.
12 leads *$20 = 240$ USD a day
The conversion our good mailers have, is 70% good leads and about 30% bad. They make from $500 to $1500 weekly.
Payments, sent weekly via Bank Wire or WU.

I have a very good relationship with all our mailers and treat them well because I recognize that they are the fuel that helps run my business.
Please look me up and we can discuss this further.
You can contact me on ICQ # 338-284-118

Thanks Dianna

Cute. "Princess" Dianna wants to sell us fake degrees.

She continued to push this promotion several more times right through November 2007.

Note the specificity of what constitutes a "good lead". No websites, period. This is probably due to the arrest, prosecution and conviction of sponsors such as Craig and Alton Poe, back in December 2004. You can read a brief description of their conviction here. The story itself is quite entertaining not only because it involves lowlife criminal spammers going to jail, but also because of how it came to the attention of the Pennsylvania Deputy Attorney General:

Colby Nolan (pictured, left) is probably the first animal to hold this distinction -- an executive MBA from a university.

Pennsylvania Attorney General Jerry Pappert isn't amused, since Colby is a pet cat and a Texas-based online college allegedly gave the feline a degree for $399.


Pappert's office used the pet cat to investigate an alleged scheme designed to promote and sell bogus online academic degrees.

The main reason it was so easy to prosecute them and send them to jail is because they gathered their so-called "diploma leads" via easy to identify websites. Diploma sponsors couldn't ignore this and so they adopted a variety of alternate methods of generating the leads, most notably via throwaway voicemail phone numbers.

None of this makes the practice any more legal, or any more legitimate. If you attempt to use a fake document to gain employment, that's a crime. In the United States, it's a federal offence. Several states have begun cracking down on these illicit operations, and more than half of the states in the US have specific laws on the books regarding the sale of these documents, or the use of them as personal documentation.

As with most other types of spam-related crime, this is generally considered a variety of fraud.

In the case of the Poe brothers, they also generated fake grade transcripts, which is a further federal offence.

As with most other products promoted via illegal spammers: you should avoid these at all costs. Princess said it herself: "It's so simple just too good to be true."

There is a fantastic blog which tracks illegal diploma mills called (appropriately) Definitely worth a read.

One can only hope that spammers convicted of this type of fraud end up being represented by lawyers with similar "credentials."

SiL / IKS / concerned citizen

Wednesday, November 28, 2007

One More Dangerzone Transcript

I forgot one last one from yesterday, so here it is:

AOL IM Session between Steve Joseph and Marion Lynn, Wednesday August 22nd, 2007
StaySpamming1 = Steve Joseph (bulkerforum username: Lizza and flores9xx)
SpringLilCobra = Marion Lynn (bulkerforum username Nick Danger)
Screen capture image of this chat session as posted by Marion Lynn on Nov. 24, 2007 on

SpringLilCobra [11:57 A.M.]: Let's go down and get dollar drunk so that we can have a talk
StaySpamming1 [11:57 A.M.]: yeah
StaySpamming1 [11:57 A.M.]: id hit him in head wammer
StaySpamming1 [11:57 A.M.]: won't be peaceful w/me an him
StaySpamming1 [11:58 A.M.]: I got anger built in for him
SpringLilCobra [11:58 A.M.]: Yeah, DDOS HIS ASS!
StaySpamming1 [11:58 A.M.]: an his fake god ass!
StaySpamming1 [11:58 A.M.]: oh yeah w/my fist
StaySpamming1 [11:58 A.M.]: He hasn't been out the house in 30 years
SpringLilCobra [11:58 A.M.]: :)
StaySpamming1 [11:58 A.M.]: gonna walk him around the block like my puppy
StaySpamming1 [11:58 A.M.]: hands an feet, dont obey I kick thatk id in the ass!!!!
StaySpamming1 [11:58 A.M.]: boy do I hate dollar
StaySpamming1 [11:58 A.M.]: hes so fake, and people worship this shit. he was once a Blood/Crip
StaySpamming1 [11:58 A.M.]: gang member
StaySpamming1 [11:58 A.M.]: drug addict
StaySpamming1 [11:58 A.M.]: now hes a god spammer? lol
SpringLilCobra [11:59 A.M.]: Yeah that is a bit funny. Is he black?
StaySpamming1 [11:59 A.M.]: white as snow
StaySpamming1 [11:59 A.M.]: chubby child
StaySpamming1 [11:59 A.M.]: Real nerdy, lots of acne
SpringLilCobra [11:59 A.M.]: that's what I thought. How he be a crip?
StaySpamming1 [11:59 A.M.]: he just acts the part on line
StaySpamming1 [11:59 A.M.]: lol
StaySpamming1 [11:59 A.M.]: He always used to come on aol talking about
SpringLilCobra [11:59 A.M.]: I thought only niggaz was Crips
StaySpamming1 [11:59 A.M.]: 'Yo nigga Ill ice you couzz'
StaySpamming1 [12:00 P.M.]: 'Yo son Ill ice you up nigga fo real mayn'
SpringLilCobra [12:00 P.M.]: I'll shove ice up his ass!
StaySpamming1 [12:00 P.M.]: god I remember him
StaySpamming1 [12:00 P.M.]: then two weeks later he came in
StaySpamming1 [12:00 P.M.]: wannabe
StaySpamming1 [12:00 P.M.]: cKilla
StaySpamming1 [12:00 P.M.]: blood gang!
StaySpamming1 [12:00 P.M.]: ii said ahh shit
StaySpamming1 [12:00 P.M.]: mental DISORDER!
StaySpamming1 [12:00 P.M.]: x-socs on line but cant answer his own posts
StaySpamming1 [12:00 P.M.]: i love it
StaySpamming1 [12:00 P.M.]: LOL
StaySpamming1 [12:00 P.M.]: X-COCKS
SpringLilCobra [12:00 P.M.]: Yeah, he is most likely a very unhappy person
SpringLilCobra [12:01 P.M.]: I notice that everyone but mega is leaving me alone pretty much
StaySpamming1 [12:01 P.M.]: lol
StaySpamming1 [12:01 P.M.]: id love him to post
SpringLilCobra [12:01 P.M.]: mega is really pissed
SpringLilCobra [12:01 P.M.]: scared actually
StaySpamming1 [12:02 P.M.]: id say Uh, Don't you got enough issues from scamming your clients? Then sending a confirmed no good guy like email4marketer money? which you never sent? You had ronn send it? then you go bitch a storm after the guy when he clearly scammed you? Why not get a job or spam for your services and earn money, instead of borrowing money for your services
StaySpamming1 [12:02 P.M.]: Stop trusting people and do your own damn work, Lastly, Mind your dman Business and answer your own threads!
StaySpamming1 [12:02 P.M.]: ya bitch!
StaySpamming1 [12:02 P.M.]: :D
StaySpamming1 [12:02 P.M.]: god id love these kids in my room
StaySpamming1 [12:02 P.M.]: ;[

Again: mostly so that it becomes searchable text as opposed to just a jpg, which is all that Marion Lynn posted.

Not terribly much insight in this one other than to further underscore what a ridiculous soap opera Bulkerforum has become. I think we all thought they were pretty small fry before, but these kinds of discussions only further that impression.


Tuesday, November 27, 2007

Monday, November 19, 2007

XtraSize / Elite Herbal Supplements Will Kill You!

I keep getting spam which abuses Google's "I'm Feeling Lucky" button. Usually a url just like this:

The goal is to rank the spamvertised domain high enough that it is automatically Google's first choice for that search. The link in the message then points at Google, a domain which is whitelisted and very commonly accepted by most email domains.

It is of course yet another feeble, desperate attempt to "hit inbox" (as the spammers call it) of as many people as possible, especially those who never wanted it in the first place.

If you remove the segment at the end which wants to include the "I'm Feeling Lucky" button, you can see that they even tried monitoring its page rank for a few days, and those results are part of the urls which are referenced by that search.
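One way a mail filter could flag this trick, as an added example that is not part of the original post: the code below pulls URLs out of a message body and reports any that point at a Google search with the "I'm Feeling Lucky" parameter set. It assumes that parameter is `btnI`, the name Google's search form has used for that button; the host list, function name and sample messages are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: a short illustrative list of Google search hosts; a real filter
# would carry the full set of country domains.
GOOGLE_HOSTS = {
    "google.com", "www.google.com",
    "google.ca", "www.google.ca",
    "google.co.uk", "www.google.co.uk",
}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def find_lucky_redirects(body):
    """Return one dict per URL in `body` that is a Google search carrying the
    "I'm Feeling Lucky" parameter, i.e. a link that shows a Google host to the
    mail filter but lands the reader on the top-ranked result."""
    hits = []
    for raw in URL_RE.findall(body):
        url = raw.rstrip(".,;:)!?")          # trim sentence punctuation
        parts = urlsplit(url)
        host = parts.hostname or ""          # already lower-cased by urlsplit
        if host not in GOOGLE_HOSTS:
            continue                         # exact match, so look-alikes fail
        if not parts.path.startswith("/search"):
            continue
        # keep_blank_values=True keeps a bare "&btnI" that has no "=value".
        params = parse_qs(parts.query, keep_blank_values=True)
        if not any(key.lower() == "btni" for key in params):
            continue
        hits.append({"url": url, "search_terms": " ".join(params.get("q", []))})
    return hits


# Constructed sample bodies (not real spam).
SPAM_BODY = (
    "Bigger results today! "
    "http://www.google.com/search?q=constructed+sample+phrase&btnI=I%27m+Feeling+Lucky."
)
BARE_PARAM_BODY = "see http://google.ca/search?btnI&q=another+constructed+phrase"
NORMAL_BODY = "I searched http://www.google.com/search?q=spam+filters and found this."
LOOKALIKE_BODY = "http://www.google.com.example.net/search?q=x&btnI=1"
```

The `search_terms` value is the part worth logging: it is the phrase the sender has been trying to rank for, and it stays the same while the landing domain behind it changes.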

Fortunately in this case it is redirecting to a domain ( which has already stopped being hosted. And possibly is automatically redirecting you here. :) (It's happened before.)

The sad truth is: some people out there get suckered into this scam and assume that they will be able to enlarge their penises. Not only do they NOT end up with the desired results, there is significant evidence that these "herbal supplements", spammed en masse on behalf of "Elite Herbal" and "ManXL", can lead to death, particularly for members of their target audience (males aged 40 and up who experience erectile dysfunction.) Many men at that age experience blood pressure issues, making the taking of these so-called "supplements" an extremely dangerous proposition.

This is nothing new, of course. Spammers have been promoting lethal fake pharmacies for years now. It's just surprising the lengths that they will go to to reach people who rather obviously have absolutely no interest in their "products."

They can all go to hell as far as I'm concerned.

SiL / IKS / concerned citizen

Thursday, November 15, 2007

Bulkerforum Exposition (Again)

I guess that saying really is true: when it rains, it pours.

Our old wackjob - I meannnn - pal, Marion S. Lynn, aka Nick Danger, continues to blow a gasket and has created a fabulous blog of his own at, and went and told everyone about it at the revered newsgroup: NANAE. Trust me when I say that for once it makes for some interesting reading, but that is not thanks to any pearls of wisdom from Mr. Lynn. Instead it's from the hidden sections he's chosen to post. Bulkerforum created a hidden / private forum where I'm sure the privileged members who are able to see and contribute have all been either happily patting each other on their backs about how devilishly clever they all are, or more likely lamenting what a ghost town bulkerforum has become over the past several months. None of us ever thought they would all become so untrustworthy that nobody would ever want to do business at that forum, but wow: they've really outdone themselves.

Well it turns out that the private forum is really just "more of the same" from what I see posted on spamgossip (all of which I am of course saving, mostly for posterity). Law enforcement probably already had most of the info Mr. Lynn carefully selected for posting on his fabulous blog.

Well it certainly has raised the ire of a few of the members. The only real drawback to all of this is that it came from Nick Danger in the first place. The man is an imbecile who probably couldn't figure out how to hit "send" on his very first spam run. Why couldn't it be someone like mcproxy, or perhaps dollar (long missing from that forum) who dropped the dime? Or rackspace?

Anyway for your further reading enjoyment, here are a few of the catty responses posted to bulkerforum in the wake of today's expository blog creation (some of the urls will wrap, unfortunately. Blogger's layouts are pretty rigid.) I notice they use a lot of my very own research in exposing Nick Danger / Marion Lynn all over again. I'm sure Lynn will again claim how all of this is just dandy for his business.

Enjoy (?)




Joined: 15 Sep 2006
Posts: 286

Posted: Thu Nov 15, 2007 4:09 am


It was Nick Danger real name Marion Lynn that stole Rackspace's login/password and stole info from the forum and posted it on an anti informant site and has now just bragged to NANAE how fucking smart he is


Anyway back to the story .. Nick was not smart at all he was fucking dumb he
showed his real IP in the message : ( that's Kansas City where Nick Lives ..

Here is complete details we have so far and his family feel free to call this
piece of shit or go visit him :

913-766-5168 his phone number where he lives with his aged mother.

1021 1/4 Mass.Lawrence, KS 66073
201 West Bridge
PO Box 23
Lawrence, KS 66073
785-856-6200 fax: 785-856-6200 www.rivercitytalk - nick danger

ex wife = SHERI RAYE LYNN (Age: 55)

Ben Campbell-Bradley is his bum boy
in photo.

MARION J LYNN (Age: 75) Daddy
Braeden J Lynn
Shirley J Lynn
Smith Shirley Lynn
Kenneth G Lynn
Sheri Lynn
Shirley J Lynn
Smith Shirley Lynn
Braeden J Lynn
Kenneth G Lynn
Marion S Lynn

Holdings, RJ
6324 N Chatham Ave Suite #300
Kansas City, MO 64151-2473
Investigative Reporter Marion Sydney Lynn
m_84704d3a1141ca924d6336927c5b50f1.jpg (with bum boy Ben)

It has been suggested from prominent member who knows police procedures that we should drop dime on nick danger from several places in the country we need folks to call his local CRIMESTOPPERS (ANONYMOUS) and tell them hes running a hacking operation from his home.
All calls to local crime stoppers are anonymous.

4 or 5 complaints and they should be able to get a warrant to search his home and take his systems and they find all the hacking EVIDENCE.. stealing identities, etc probably kiddy porn, bye bye for 15 years Smile

This wierdo is a total psycho and a dedicated anti informant he got amonst us earlier and we befriended him although we were a bit suspicious of him from the start, and he turns on us and informs and brags about it how smart he is.

Hope karma gets him big time.



Joined: 15 Sep 2006
Posts: 433

Posted: Thu Nov 15, 2007 6:45 am
Post subject:

Hmmm... could it be this is the same k00k with the alias "TheUnknown" who made the post about me on hxxp:// The same guy who tried so hard to gain my trust on specialham and on IRC a few years back? The same guy who also tried so hard to pose as a bulkmailer on both SH and on IRC asking everyone for info? The same guy I exposed and humiliated on IRC and specialham? The one who someone had the aim convo with which within it he claimed he was in college and his mommy wouldnt let him leave at... 9pm CST US time to meet someone off... wasnt it 74th .. or 55th and paseo in KC? aahahahaa... Huh Marion/Bradley? Come on, come ride the PASEO some night in the red suburban with those fine chaps off 55th then hit 29th N to the bridge.. Really. I think theyd hit it off with you great. ;-)

I think there is a good chance this KC MO punk and his young buddy he lives with are possibly the former alias "TheUnknown" as well. Question is whho does what, who posts and who poses as the elite h4x0r? Who is the retarded nut who comes up with the posts? wait... theyre probably both mentally challenged.

I hear Kansas is lovely around this time of year.
*Marketing Advice* Need something? Don't want to get ripped off? I can send you the right direction.

I don't like intellectual midgets having any sway over how successful I am, with some silly insult or false accusation on the boards.



Joined: 10 Nov 2006
Posts: 12

Posted: Thu Nov 15, 2007 10:08 am
Post subject:

Thanks phantom. nice work

P.S. I wish someone would do this for the Russian forums out there. Everyone knows that's where the real meat is.

Tuesday, September 18, 2007

Do Not Buy Pharmaceuticals Online!

Among the myriad spam messages I receive from the Russian criminals behind "Canadian Pharmacy", came this idiotic missive:
There's a lot of information online but people continue to ask us whether they can trust online drugstores.

We present you the official results of the research made by Independent Research Organization.

All medications are supplied from the leading manufacturers known in pharmaceutical field. The selection of drugs is impressive.

"Canadian Phamacy" site

Our major goal is to make your life easier and happier!

Lora Goulette

Also this one for Elite Herbals, from the same individual spammer if not the same exact criminal organization:
Greeting INFO
Whoever said that Doctors are the only ones that can treat all health related matters obviously never did their homework..

debbie Wayt

As everyone has mentioned before: spammers lie. They lie constantly. They lie with every single word that they send us, and every website that they build. These messages are no different.

Doctors, as we all know, are "the only ones that can treat all health related matters." The statement from these spammers is a flat-out lie. They know this. They don't care.

There is a lot of information online. But that information very stringently recommends against purchasing pharmaceuticals online, especially the more dangerous ones. Viagra most definitely falls into this category due to its vascular and hormonal side effects.

They obviously are presenting us no "results of the research" (who, precisely is the "Independent Research Organization"? Could they be any more obvious in their lies?)

As we all know: their "major goal" is not to make our lives easier and happier. Their major goal is to drain our wallets and bank accounts, and possibly to kill us all in the process. The number of reported deaths this year due to fake or counterfeit pharmaceuticals has risen to a point where news media outlets are reporting them more often, and with a broader spotlight. It's not merely a band of clandestine reporters focused on illegal spammers and their dangerous and provably lethal "products", it's Reuters, the New York Times, the Canadian Press, and of course Law Enforcement entities around the world.

Today, the Canadian Press released a news story that was on the front page of a very popular daily newspaper in my city. The story is available here and is definitely worth a read. That daily paper is read by some 300,000 people in my city. That's only one of several major newspapers which carried the story.

Canadian Pharmacy's days have got to be numbered. It's been ages since I saw anything from the My Canadian Pharmacy, or International Legal RX sites. The Russian morons behind this patently illegal operation have chosen to focus almost exclusively on the Canadian Pharmacy front end. I'm watching them, and so are many members of law enforcement. They are becoming increasingly desperate in their attempts to get a message past spam filters. (Neither of the messages above did, by the way.) They have co-opted templates from major email campaigns from legitimate companies in the hopes of both poisoning those companies' whitelist status, and planting even more spam in your inbox instead of your spam folder.

Consumers have overwhelmingly made it clear that they don't want to keep seeing this crap, but these Russian scumbags don't care. They think it's their right to continue sending dozens of messages repeatedly every day to millions of people who have already stated very firmly: we don't want this.

What kind of brilliant minds are behind this obviously misguided marketing technique? This is absolutely the stupidest methodology I've ever heard of. And it probably isn't even working, judging by how quickly the sites go down and how varied the message style seems to be.

Don't ever purchase anything from these criminals. You'll be funding what amounts to terrorists in my opinion, and very likely endangering your health. You also are very likely to have your personal data stolen. These assholes run phishing websites on the side and have ties to child porn operations. If you think they're careful with your personal data you are in for a very rude awakening.

Until I stop seeing spam from Canadian Pharmacy and their family of illegal websites, I will not stop warning people never to spend their money there.

Don't support Russian criminal gangs and their dangerous illegal pharmacy operations.

SiL / IKS / concerned citizen

Monday, September 17, 2007

Nick Danger's Mouth Rides Again (by night)

So as I mentioned, Nick Danger (aka: Marion Sidney Lynn) has been blabbing away on NANAE regarding the alleged treasure trove he claims to have regarding the personal data of several high-ranking members of

On Sept. 15th, he created what appears to be a very crude site outlining the personal data and recent malicious activity of bulkerforum member "lizza", who he claims is actually named Stephen Joseph. He posted a new entry to NANAE featuring a link to his glorious creation. I thought I'd take a gander and outline some of the details of the posting here in the event it all goes down (which these things have a nasty habit of doing.)

As I mentioned before: Nick Danger is both a gasbag and a small fry, and my subsequent research, tempered with his own blatherings, has borne out that he probably hasn't ever sent email 1 for promotional purposes. This doesn't preclude him from acting illegally of course. Aggravated identity theft and fraud, not to mention stock manipulation, are still very serious crimes -- at least: the last time I checked. He's still never disavowed performing any of those acts despite boasting loudly on bulkerforum about alllll the sordid instructions concerning how to do so and never get caught.

So. First off, here's a screenshot of the site as he created it (oh and of course, this is definitely NSFW, knowing Mr. Danger's prowess with the profanity):

[Edit, June 2008: Due to changes at HideBehind, this screenshot is missing. It will be re-uploaded momentarily.]

Note: it's rather long. This is Marion Lynn we're talking about. The man needs to hire an editor. I have an entire copy of the page should anyone require its full contents. I have not altered a single line of it.

In the lengthy one-pager, he outlines where Lizza / Joseph lives, and that on a certain night between 1:13 AM and 1:21 AM, lizza boasted about ddos'ing or otherwise attacking the bulkerforum website, at ip address That IP address is in Brazil, and is one of five ip addresses which the forum has routinely bounced between since I started doing my own research on them (Sep. 2006.)

He lists some very non-threatening personal details such as where he went to highschool, and what his MySpace identity is. Not much anyone can dig up from that.

He alleges that Joseph lives in Chula Vista, California. How does he know this? Likely from a variety of lengthy conversations they may have had via a variety of means. It sounds like Marion and Steve had some kind of close contact in the past while. I'm not sure what that would be regarding but it certainly seems to point that way.

He also divulges one of lizza's email addresses ( I'm sure by now even lizza doesn't even use email for any legitimate communication, thanx to the damage done to that medium by scumbag spammers like him.

The more interesting stuff is in the variety of postings which Marion has posted below that. It's a lengthy re-posting of what appear to be forum postings from a variety of members. I'm not sure if this is from bulkerforum or what, but there are conversations between a variety of members. It's possible that these are even private messages from bulkerforum, or another forum. I can't be sure. The members which are quoted include:

  • lizza

  • icanspam

  • Third Eye

How did he get this information? And who gave it to him?

He also divulges that lizza (on bulkerforum) also goes by the usernames "Flores9xxx" and "nugs". In the previous NANAE posting he also lists the usernames "proyboy", and the nick names "Stevie" or "shorty". He also claims (apparently erroneously) that lizza also went by the name "seven" at one point.

Then "Nick Danger" claims to be quoting a pm between lizza and himself, but using the username "Third Eye". He goes into a great deal of detail about lizza's connection to a company called Lead Point ( lizza claims that's a red herring but who knows? This is either good research or a massive, meandering wild goose chase.

Also: Does everyone on bulkerforum have this many usernames and aliases?! It's a bit ridiculous even to me. You'd think this was the Lucchese crime family for god's sake.

Finally: the geocities site makes it clear that bulkerforum appears to be a leaky boat at the very least, and that several higher-up members seem to be sharing private member information in a very loose fashion. Nick Danger wants to make it sound like a problem of some urgency ("IS PHANTOM GIVING OUT YOUR INFO?", etc.) but again: since phantom barely ever says anything on there lately, it's hard to be sure whether Nick is on the right track or not. But clearly: somebody got this info via some means unknown to members of that forum, and it somehow made its way to Marion Lynn. I guess only he will know who gave it to him, or when, or why. I don't personally care. As long as law enforcement are watching all of this it's just fine by me. :)

Since the chat transcript makes it at least semi-clear that lizza is willing to perform a cyber attack against a forum he's already a member of (!!), this makes him a pretty prime target for folks like me whose forum is currently under an anonymous sustained attack (week #5, and my threat still stands.) As I mentioned, this is only one of several attacks currently underway.

So I have handed all of this over to law enforcement in the event it turns out to be useful. :)

I personally feel that the sustained attacks against all of the spam and fraud research sites are being coordinated from Russian sources, and I am narrowing down a list of who that might be. I'll obviously post more as I get it. (Though not before notifying several legal channels first.)

I've also begun several investigations into the background of Steve Joseph / flores99x / nugs / lizza in the event anything can be turned up in that regard. He probably knows enough shady scumbags to pull off one or more of these types of events.

Lizza has always struck me as easily the most paranoid of the bulkerforum members (a close second would be phantom or Crypto, but they now post so seldom it's impossible to tell anymore.)

An aside: a representative of spamhaus named Susan responded to Nick Danger's NANAE posting (linked above), referring to bulkerforum member phantom as "the Australian megalomaniac". That's tantalizing. He rarely gives up any information whatsoever, so I'm digging into that also. (And handing whatever I find over to Spamhaus and Australian law enforcement, if that's where he truly is located.)

This is a bad year to be a spammer of any sort. By my count there have been 7 major arrests just since March of 2007, and three very large-scale court cases (two of which are still pending.) On a daily basis we see new news items of several investigations discovering new suspects and illegal operations, all fed by spam. It's a zero-sum game which just appears to be taking longer than usual to be taken down from the inside out. Why on earth would anyone knowingly become an email spammer in this climate? Why would anyone want to keep doing it? The profits are outweighed by the obvious risks. Apparently nobody in that community appears to be aware of any of this.

Which is a good thing, ultimately. I hope they lock up the whole lot of them and throw away the key. I've never in my life been bombarded on such a frequent basis by illegal advertisements from such a huge group of idiot scum.

Keep it up, spamming morons. You'll see exactly where it gets you.

SiL / IKS / concerned citizen.

Thursday, September 13, 2007

Spammers = Still Whiny - But Also Somewhat Startled.

Well it turns out I didn't even have to do anything! (Or at least: not as much. :) )

Of all people: Nick Danger went and posted this on NANAE.

Curiouser and curiouser...

I guess he has recently been kicked off of a variety of spammer forums. (Nice job on that one, btw.)

My statement still holds true. I'll make sure the very wrongest of people get the very most of several people's personal information until these attacks stop.


Wednesday, September 12, 2007

DDOS Attackers = Whiny, Spoiled Little Children

One would have to assume that the recent arrests, convictions, charges, domain and DNS reporting, and general retaliation against several hundred spam operations has finally had the desired effect on these scumbags' bottom line.

As I write this, numerous websites are under sustained attacks from a botnet numbering in the hundreds of thousands (very likely the Storm Worm botnet):

  • Castlecops

  • KillSpammers

  • Spamnation




Several of them are mitigating the attacks, some with a great deal of success.

Whoever it is that's doing this, you sure are exposing yourself by attacking so many anti-spam websites in one go. But since you're an idiot, you probably didn't think about covering your tracks very well.

If you think we won't find you: you're wrong.

If you think international law enforcement isn't watching this: you're wrong.

I will start releasing VERY personal data on known spammers very soon if this attack doesn't stop, one way or another. Damaging personal information which will make life very very difficult for several known spammers and their business interests. It might be here on this blog, or on any number of other blogs, or it might just be via clandestine messages to private individuals who you likely do not want this information getting to.

If you think I'm kidding around: you're wrong.

Keep it up. For all the stealth you're employing during this attack, you might as well walk into the middle of a public square, drop your pants and scream out: "Look at me! I'm a DDOS attacker! I am so dangerous!" What kind of childish idiots are you?

One day, very soon, your profits are going straight into the toilet. We all know this. You can cry about it via DDOS'ing all you like: it changes nothing.

Spammers are idiotic little brats.

SiL / IKS / concerned citizen

Wednesday, September 5, 2007

Registrars: The Weakest Link

Why are registrars allowing blatantly fake information to be provided when registering a domain name?

Right now, with virtually any registrar you care to name, you can register a domain name using the name Mickey Mouse and you'll probably be approved. You can do so without ever speaking to a representative of the company who's registering the domain, and your hilarious fake registrant entry will indeed show up once your domain is approved.

Why is this the case?

For several years now, I and several of my colleagues have been documenting and reporting domains used by illegal pharmacy spammers which were registered using the following completely fake personal data:

Paul Gregoire (
175 Montreal Road #304
Vanier, ONTARIO K1L 6E4

175 Montreal Road is actually the address of a single level building housing the Playmate Club, a strip joint on the outskirts of Ottawa. Nobody at that address has ever heard of anyone named "Paul Gregoire."

gary reed
3495 Cambie Street
V5Z 4R3
Phone: +1.6047678695

That phone number leads to nothing but a voicemail box with the robotically slow voice prompt: "Garrrrry..... Reeeed". Nobody will ever call you back if you leave a message there. The postal address is a UPS dropoff location in a tiny mall in Vancouver. Nobody there has any record of anyone named Gary Reed on any of their customer lists. (It's a small list.)

Kevin Benson
1098 Queen St
Halifax, Nova Scotia B3H 2R9

Another bogus address. Nobody there has ever heard of this alleged person either. Phone number never connects.

I could go on and on. Others have. Do a search for Paul Gregoire and you see nothing but complaints about spam, and yet on a daily basis several thousand new domains continue to be registered using this completely fake identity. This is simply not acceptable.

If I know right now that I can register any domain I want - like for example "" - using whatever I want as the personal data, what kind of recourse is there for ordinary citizens to shut down these domains? In the real world, you have to be a living, breathing human being to register a business, and you have to be reachable via tangible physical means, whether that's a postal address, a phone number or a fax number. If not: it throws into question your ability to be trusted, as it should. No such boundaries exist in the domain registration game, which is really a shame since it's the biggest loophole which illegal spammers use to get around having to be held accountable for anything.

Several recent domains were registered using laughably fake personal information, and several hundred thousand domains were all registered and approved even though their only contact phone number was (555) 555-5555. Take this one for example:


Technical Contact:
Holdings, RJ
6324 N Chatham Ave Suite #300
Kansas City, MO 64151-2473

All fake as well.

Another trick is to use arguably fake personal data from a foreign country, in the hopes that nobody will notice or follow up on it. How legitimate do you think this data is?

Admin Name........... huan huan
Admin Address........ chaoyang avenue 468
Admin Address........
Admin Address........ beijing
Admin Address........ 100438
Admin Address........ BJ
Admin Address........ CN
Admin Email..........
Admin Phone.......... +86.1045875892
Admin Fax............ +86.1093859833

That actually becomes a lot easier to track down thanks to the fact that the phone number doesn't exist, and the email address never responds to a single query as to its legitimacy. It helps to have friends who are familiar with Chinese naming, though. That is a laughably fake name.

Of course, as usual, that email address is pointlessly fake.

If I were out to overhaul any one point of contact in terms of how scammers get away with profiting via sales of illegal drugs, domain registration is the first place I'd start. Want to register a domain? You have to do it manually, and you have to wait for me to verify that you are who you say you are. This would be via phone first, email second. If that fails: no go, buddy. Try again. Further: once I have verified that you are who you say you are, re-verify whenever a change is made. Real, legitimate businesspeople will generally have no problem with this. Scammers definitely will.

I'd also ensure that the whois data contains a genuine abuse contact, which is active and does respond, and not just to test contacts.

Why more registrars are not doing this is beyond me, but rest assured criminal spammers are abusing this gaping loophole in the process. They are well aware that it takes several days of contact to get through to a registrar that something is amiss with a domain which is being used in a rampant spam campaign. They also know that in the time it takes to get someone's attention, investigate the issue, attempt to contact the fake domain and eventually (hopefully) shut it down, they will already have profited several thousand dollars. Large-scale criminals lose very little money from the way things work today. This has to change. Failing that: ICANN really needs to step up and enforce their accreditation rules. Registering a domain with false contact information is flatly fraudulent behavior.

SiL / IKS / concerned citizen
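As an added illustration (not code from this blog or from any registrar), here is a sketch of the kind of automated pre-screen a registrar or abuse desk could run on a dotted whois contact block like the one quoted above, so that records with an empty email, a placeholder phone number such as (555) 555-5555, or a previously reported identity are routed to manual verification. The function names, the heuristics and the sample record are all assumptions constructed for this example.

```python
import re

# Dotted "Key........ value" layout, as in the Admin block quoted in the post.
FIELD_RE = re.compile(r"^\s*([A-Za-z ]+?)\s*\.{2,}\s*(.*)$")

def parse_whois_block(text):
    """Return {field: [values]}; repeated keys (Admin Address) are collected."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            key = m.group(1).strip().lower()
            fields.setdefault(key, []).append(m.group(2).strip())
    return fields

def first_value(fields, key):
    """First non-empty value recorded for a field, or '' if there is none."""
    return next((v for v in fields.get(key, []) if v), "")

def screen_contact(fields, role="admin", watchlist=()):
    """List the reasons this contact should go to manual verification."""
    reasons = []
    name = first_value(fields, f"{role} name")
    email = first_value(fields, f"{role} email")
    digits = re.sub(r"\D", "", first_value(fields, f"{role} phone"))
    if not name:
        reasons.append("missing name")
    elif name.lower() in {w.lower() for w in watchlist}:
        reasons.append("name on reported-identity watchlist")
    if not re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", email):
        reasons.append("missing or malformed email")
    if len(digits) < 7:
        reasons.append("missing or too-short phone")
    elif len(set(digits[-7:])) == 1:  # e.g. (555) 555-5555
        reasons.append("placeholder phone number")
    return reasons

# Constructed sample record (not a real registration).
SAMPLE = """\
Admin Name........... Example Registrant
Admin Address........ 1 Example Street
Admin Address........
Admin Email..........
Admin Phone.......... (555) 555-5555
"""

if __name__ == "__main__":
    print(screen_contact(parse_whois_block(SAMPLE)))
```

An empty result only means the record passed these syntactic checks; it says nothing about whether the phone or address actually reaches the registrant, which still needs the call-back verification described in the post.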

Monday, August 27, 2007

Yet Another Attack, Plus More On The Bogus Hoodia Spammers.

The carpcstore forum is once again under attack, as is

Spammers who are happy to perform DDOS attacks have always struck me as whiny little brats. They didn't get what they want, so they just wander around kicking over everyone else's sandcastles, etc. It's ridiculous.

The stupidest part about these morons is that they think it will shut us up. Or that we'll stop reporting or monitoring them. They could not be more wrong. Not only does this make sure that we don't stop researching and reporting every last one of them, it practically ensures that we'll do so with even more diligence, since it's fairly clear that we're having the desired effect of killing their ability to profit. Law enforcement will also monitor these attacks very closely, since they are a criminal act. With each attack they decide to launch, the evidence mounts and it becomes easier and easier to tell who is behind them, where they are located, etc.

One of these days, someone like me, or one of my colleagues, or possibly some third party none of us are even aware of will eventually become fed up enough about these stupid, childish attacks that they will actually spill farrrr more information on blogs like this one than they ever thought we knew. You can ask mcproxy about that. He knows the depth of research several people have done on his identity, his background, etc. I and others like me have compiled a lo-o-o-ot of background information on many others like him. The mere threat of exposition caused mcproxy to get out of the spamming business entirely. (That wasn't me, btw.) If you're a spammer and you're behind this attack? Or assisted in it? Or donated money towards it? You should really think about that. You should also seriously consider whether you want to be on the receiving end of one of the multiple lawsuits and arrests which have taken place this year alone. There are only going to be more of them, and exposing yourself so publicly with something as ridiculous as a DDOS attack is only going to make that happen much sooner. You obviously failed to glean this from the previous three years' worth of arrests of other botnet operators.

Also: there are a lot of us. Shutting down one piddly forum won't silence us. Shutting down my single blog won't shut down the hundreds or thousands of others out there which are all poised to duplicate the exact same data. One way or another: we will continue to thrive.

We, the recipients of your crap emails for fake drugs and "herbal remedies", are sick of you ignoring our pleas to stop spamming us. If you don't like us researching you, maybe you should find a different line of work.

This attack gives me more time to dig even deeper into some research I hadn't had time to pursue anyway. It's also not stopping any of that forum's members from continuing to communicate with each other regarding our ongoing investigations.

I just thought that several of you would probably want to keep all of this in mind.

Also as a followup to my previous posting on bogus Hoodia / Anatrim / whatever the hell they're calling this bullshit product this week: Many of you may be aware that the US's Federal Trade Commission has ordered one Brian McDade and his company Neutraceuticals LLC to stop sending Hoodia spam in the hopes of promoting exactly these provably bogus products. The original complaint makes for some pretty good reading.

False Claims for the Hoodia Products

Through the means described in Paragraphs 18-23 above, Defendants have represented, expressly or by implication, that:
a. the Hoodia Products cause rapid and substantial weight loss, including as much as forty pounds in a month;
b. the Hoodia Products cause users to lose safely three or more pounds per week for multiple weeks;
c. the Hoodia Products cause permanent weight loss; and/or
d. scientific research establishes that the Hoodia Products cause substantial weight loss.

In truth and in fact:
a. the Hoodia Products do not cause rapid and substantial weight loss, including as much as forty pounds in a month;
b. the Hoodia Products do not cause users to lose safely three or more pounds per week for multiple weeks;
c. the Hoodia Products do not cause permanent weight loss; and/or
d. scientific research does not establish that the Hoodia Products cause substantial weight loss.

36. Therefore, Defendants' representations as set forth in Paragraph 34 above are false or misleading and constitute a deceptive practice, and the making of false advertisements, in or affecting commerce...

Couldn't have said it better myself.

Hope the rest of you are also having a splendid day.

SiL / IKS / concerned citizen