Monday, March 31, 2008

"Hello! I am bored this evening."

One of the more persistent types of spam out there lately is for a type of "Russian dating" sites by the name of "UALadys."

Their pitch nearly always looks like this:

Subject lines seen in numerous spam messages:

Hello!
pics
Why aren't you replying to me?
Can we talk?
Long time, no talk
I find you interesting
Where have you been?
We talked on the web.

Hello! I am bored this evening. I am nice girl that would like to chat with you.
Email me at Elizabeth@jolasite.com only, because I am using my friend's email to
write this. Wanna see some pictures of me?


As far back as July 2007, the messages looked like this:

Do not ignore me please,
I found your email somewhere and now decided to write you.
Let me know if you do not mind. If you want I can send you some pictures of me.
I am a nice pretty girl. Don't reply to this email.
Email me direclty at Elena@supervisioncare.info


They've also infiltrated several blogs and comment forms. You can see some examples here and here. As you'd expect, there are thousands of them.

I know this is from UALadys because I infiltrated their affiliate program. It's also very easy to track this down in terms of recruiting of illegal spammers by using that old standby: bulkerforum.biz.

Bulkerforum member "bulker" hits people up on the open forum to mail for his dating program

bulker

Joined: 08 Jun 2007
Posts: 23

Posted: Wed Jun 27, 2007 4:07 am
Post subject: Special dating program

Looking for some good mailers who can push the volume on highly converting dating program. Instant payments.
- you get the results, you get paid the same day


Then in private communication only, he describes how the spamming operation works:

yes, you wanted to find out about the dating program. the thing is pretty simple.
you send an email telling people that some girl wants to talk/chat to them and that if they don't mind, then they need to email at some email address that you get access to. you get paid for every 10k unique replies.
10k replies pays you $1500. i do it with some people. what good about this program is that you get the same minute you achieve something.
so like you do 5k replies today, i can pay the same minute. the other thing is that these kind of emails that contain no link to the website and look like personal emails do pass filters very easily and do not score anything on spamassin and do not get listed on razor for ages.


Which would explain why they routinely keep showing up to several accounts I and many of my colleagues monitor.

So nutshell: the domains are throwaways and bulletproof. They are merely used to capture "live" email addresses which are then fed over to someone to respond to individually.

Why the idiots who are spamming on their behalf don't clean their lists, and further insist on mailing to a large number of people who absolutely have no interest in their crappy "dating service" is unknown to me.

But lets continue.

Attempts to contact anyone at UALadys regarding this spam results in denial of any problem. That's when and if you get a response. See blog posting here, for example.

Assume for a moment that you actually do want to communicate with them? You send a response to Elizabeth@jolasite.com and wait. A few days later you will get a response, which indicates that "she" is interested in learning more about you.

From Marina Pretty

Hi my new friend

Im glad to see that you have decided to reply,I see it is very short letter. It is all right because you are astonished to get my letter. I want you to know that I have only good intentions and I have not any secrets. The thing is that I will work in your country for three months or so and I would like to meet a nice man to fall in love or just be closest friends. I don't want to live in Russia because I have not any chances here, it is hardly possible to explain from first time but I want you to know my plans. I will work in any shop, bar or restaurant the agency that i am going through will suggest me some locations. It will be my choice in the end as to what option to go for.

So I will have a simple work till I improve my English. And I can choose any town of your area,agency will only help me to get a visa and all travel documents + some suggested placed to work in. My best friend last year met the man from the USA when she worked there for three months, too. She had two jobs. From morning till 4 pm she worked in amusement park and after it she worked as a waitress in some bar till midnight.

She was very tired of course but made very good money there.It is special programm for young people who wants to work abroad and I think it is the right way for me , I am lost here,and I think that I look pretty enough to find a better place .I want to repeat the same way,it is only my chance to meet a nice man.I want to work in USA or in Europe or any nice country. I am full of plans and different dreams and I want to share my life with good man because I'm also full of love and tenderness,I know that I am not so beautiful like Hollywood Princess but I do hope to meet my Prince and I am sure he will be not be disappoined to meet me in the real life! This is why I am going to go through the same way. Well,I will close this letter and I do hope to get your reply.

I will leave russia in two weeks or so (I can't tell you everything exactly right now) and I would like to be sure that I have the man who waits for me there. I will work all day and I want to find a man to spend all free time together to get to know each other better.if you have any interest to meet me I will be more than happy to meet you too. I will tell you all details about me and my life if you like my pictures and want to meet me! please send picture of you too!!!

I write to you with my new mailbox [address removed], please write letters now only on this mailbox.

I will wait your next letter.
Kiss you , Marina (this is my name)!
PS here are my pics
I hope they to you will like.
I hope you to me will answer
Kiss Marina


It also includes a couple pictures.

Do a google search for the second sentence in that message ("It is all right because you are astonished to get my letter.", with quotation marks around it, so it's the exact match) and see what comes up: dozens of replies which have been posted in several attempts to figure out who is sending these messages, and why. All of them are related to reporting of marriage agency scams.

See a complete synopsis here. (He even got a response which used the exact same name as mine - Marina!)

UALadys.com temporarily changed their name to "UADreams.com" in January 2008, but quickly switched back. This was apparently due to some kind of conflict with the owners. They also apparently operate "RULadys.com". (Considering they must be profitable, perhaps they can hire someone who knows how to spell the plural of "lady". :) )

How do we know this is from UALadys?

Over the past year or more, I received enough spam for this crap that I was able to correlate a large amount of information about it. (Didn't even take very long.)

For a period of time, the throwaway domains which were used in the email addresses led to websites. At first these were for the long-dead online pharmacy "Pharma Shop" (see the Spam Wiki entry for that one here), then later it led to UALadys.com front-end pages, usually all showing the same fake "ad" for a girl on that site who never was actually present in the site.

If the goal was to turn into a signup on that site, it wasn't a very effective tactic. Instead it appears that they just want to reel you in slowly, eventually getting you to purchase "gifts" for the girl you correspond with. That portion of this scam is well documented on several marriage scam sites on the web. This discussion thread has some of the more interesting comments regarding how the whole thing works. (It's a long discussion, and it uncovers that the company used to be an even scammier operation known as "Confidential Connections". The girls themselves are only allowed to communicate with you via a "handler" who does all the translating and letter writing on their behalf. They also encourage you to purchase gifts for the girls. Apparently any attempt to meet the actual girl leads to a sudden "trip" or other abrupt disappearance with no logical explanation.

In short: there is only one use for these spam addresses: as fodder for filling out fake orders on illegal pharmacy sites you also get spammed with. :)

SiL / IKS / concerned citizen

Monday, March 3, 2008

On The Trail Of SanCash And [so-called] "Infinity Secure"

In my continuing research into the SanCash operation, I have noticed that all SanCash properties have now switched completely to the use of an ordering page which claims to be from "Infinity Secure." There is no such operation, of course. But they now include a page within a subdirectory called "/order". It's not secure, the back end connection it makes to the third party card-processing page is not secure. As usual: they are lying to us. (Just like they are about the contents and quality of their "products."

The "Infinity Secure" page on all SanCash sites now lists the following address on all sites which feature that type of ordering page:

17 Bank St.
Ottawa, ON K1V 7Z5
Canada


Of course, there is no such address. There is an approximate location, but the site itself does not exist. This has been independently verified.

The postal code "K1V 7Z5" is also incorrect, and is in use for a series of addresses several blocks south of "17 Bank St." A quick Google search pulled up 127 Bank St., which houses Currey D S & Son Insurance Brokers Ltd. (Among several other addresses.)

In fact searching for the 17 Bank St. address distinctly only pulls up the "Infinity Secure" page from an "ED Pill Store" site:

http://www.edpillstores.com/order2.php?option=3

Which is handy, since it now ties "ED Pill Store" to the list of SanCash-spammed sites

That list so far:


  • VPXL / Express Herbal

  • Max Herbal

  • Target Pharmacy

  • Diamond Replicas

  • King Replicas

  • Prestige Replicas

  • ED Pill Store



Contact email addresses for these properties:

VPXL / Express Herbal: support@vpxlherbalgrowth.com
Max Herbal: support@maxherbalgrowth.com
Target Pharmacy: support@propharmasales.com
King Replicas: support@kingreplication.com
ED Pill Store: support@edpillstores.com

[For the others, no spamvertised domains are still active, so I'll add those later when I inevitably receive more spam for them.]

Each of those domains appears to be a "top-level" source for each of those properties.

Here is typical completely fake domain registrant contact info for each of those domains:

The Authorizing Registrar for each of these domains, as well as most of the spamvertised throwaways is (as usual, of course) XIN NET Technology Corporation.

vpxlherbalgrowth.com:

jiangjiang
xing xing
liao da lian
dalian Beijing 456123
CN
tel: 101 2345678
fax: 101 2345678
cncliup@21cn.com

maxherbalgrowth.com

jiangjiang
xing xing
liao da lian
dalian Beijing 456123
CN
tel: 101 2345678
fax: 101 2345678
cncliup@21cn.com

propharmasales.com:

liuhai bin
liu haibin
hai kou
hai kou Beijing 891000
CN
tel: 3219001
fax: 3219001
yayun22@21cn.com

kingreplication.com:

liuhai bin
liu haibin
hai kou
hai kou Beijing 891000
CN
tel: 3219001
fax: 3219001
yayun22@21cn.com

edpillstores.com

liuhai bin
liu haibin
hai kou
hai kou Beijing 891000
CN
tel: 3219001
fax: 3219001
yayun22@21cn.com


As you would expect, none of those email addresses do anything in terms of response. None of those phone numbers or addresses are legitimate in any way. It's all 100% fake.

But just in case:

According to Wikipedia, "Dalian "is the governing sub-provincial city in the eastern Liaoning Province of Northeast China." [Wikipedia Link]
Dalian is distinct and separate from Beijing.
"891000" is a legitimate Chinese postal code type, but it is for neither Dalian (whose postal code is 116000) or Beijing (which would feature a range from 100000 to 102100.) In all of China, there is no "891000" postal code.

I could go on, but you get the picture.

SanCash has representatives based in India (notably Sanjay, who has rather suddenly gone underground since the exposition of the links connecting SanCash with Genbucks, Tulip Labs and Elite Herbal.) There are (or were) also representatives located in Christchurch, New Zealand.

The SanCash.com domain name has gone dark since approx. December of 2007. They have instead moved their operation further underground. That isn't stopping NZ law enforcement from continuing their investigation.

I normally would bemoan the sheer volume of spam from one such identifiable sponsor, but in this case the more they spam, the more they lie, the greater the exposure and ease of tracking them down.

SanCash: your days as a sponsor of illegal spammers are numbered. Spammers in the SanCash program: we will find you, and you will lose everything.

SiL / IKS / concerned citizen.