Unwanted email spam has been with us for so long now that I think we all, as recipients, tend to associate the incoming messages with one individual, or possibly one group or organization. For years now, even well-respected groups such as Spamhaus have referred to these entities, individually or as a group, as "spam gangs" or "spam kings." They've often used terminology such as "Yambo Financial" or "Badcow" to refer to ghostly, unseen groups of criminals. My feeling is (and maybe it's just my feeling) that this is no longer an accurate way to refer to the groups of individuals who spend their livelihoods crafting randomized emails promoting illegal fly-by-night URLs.
A key turning point came when I was exposed to several discussion groups used by spammers, many of which I will not refer to directly because of the clandestine way in which I came across them. In these discussions, many of the mailers or sponsors were essentially mocking any reference to "spam gangs." In a nutshell: there is no "gang." There likely is no "Yambo Financials." While "Alex Polyakov" or "Leo Kuvayev" may indeed be real people, with possible verifiable connections to one or more of the criminal entities who support and thrive upon illegal spam email, my feeling is that this is likely a red herring, put there to divert attention away from the real responsible parties.
Another turning point came with the investigation of, and subsequent raids on, properties directly related to SanCash or GenBucks (by the BBC and New Zealand law enforcement, respectively). This really raised the question of who stands to profit the most from these million-message spam runs: sponsors.
"Sponsor" is not a sexy term when discussing spamming, generally. The press and individual recipients usually focus on two things: mailers (spammers) and botnets. Those make the press most often because it's probably too complicated to go into the depth of detail required to expose precisely who is behind that "p3n1s-p|ll" message you just received. People don't have the time. Referring to a "sponsor" will only confuse them.
The truth is: sponsors, or sponsor organizations (as I commonly refer to them), are the big fish in the spammer economy. They take the most risk, provide the most resources to mailers, and profit the most from spamming. They control everything from the design and functionality of their sites, to their affiliate front-ends, statistics, domain registration, fast-flux hosting and in some cases even the design or copy of the messages being sent.
Who are these sponsors? There are a handful of them in the upper ranks of the spam messages we receive every day. The top three (based on my own research) are as follows:
- SanCash
- Spamit
- Bulker.biz
Pretty much everybody in the world is receiving spam on behalf of these three organizations. They are well-established and have ties to numerous individuals (remember: no gangs; everyone is an island) who provide them everything from "bulletproof hosting" to botnet infections. They are the ones most responsible for the 90+ percent of crap we all receive every single day.
So let's examine each of them briefly.
SanCash
SanCash is responsible for that old standby, VPXL (also known over the past three years under a variety of names, including "Manster", "ManXL" and "Elite Herbal"). It's all the exact same useless crap: despite their claims of it elongating your "member", it does nothing, and there is plenty of evidence out there to support this.
SanCash was investigated first by an individual blogger [spaminmyinbox], and subsequently by the BBC [see their article here or download the podcast of the investigation here], only the BBC weren't aware that SanCash was who they were actually investigating. That's because they focused on the entity they could find out in the wild: GenBucks. GenBucks is a publicly available marketing affiliate group. You won't find any mention anywhere on their sites of "VPXL" (et al.). You will find mention of a variety of other products for which practically nobody has ever received email spam. Their forums discuss banner advertising or "SEO" (search engine optimization) marketing. This is so that it appears they have absolutely no connection to the rather obviously rampant amounts of spam being sent worldwide.
The first connection comes from how and where certain domains are registered, and how certain sites operate. During much of last year, domains used for processing orders on behalf of ManXL and Elite Herbal sites (domains like "mysecurepaysite.net", now long since out of use) carried a registrant email address of "pilldude@gmail.com". Do a search for "pilldude" and you'll inevitably find the GenBucks forum (http://genbucks.com/forum/search.php?searchid=720) and his own GenBucks blog (http://pilldude.genblogger.com/).
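The registrant-email pivot described above can be done mechanically over a pile of WHOIS records rather than by hand. What follows is an added example written for this writeup, not code from the investigation or from any of the parties named here. It runs over constructed WHOIS-style text: only mysecurepaysite.net and the pilldude@gmail.com address come from the text above; every other domain, contact name and name server is a hypothetical placeholder. Because WHOIS output is free text and field labels differ between registrars, the parser matches the common label variants case-insensitively and normalizes values before indexing.

```python
"""Pivot domain registrations on shared registrant e-mail and name servers.

Added example: the records below are constructed WHOIS-style text, not real
registrations. Only mysecurepaysite.net and pilldude@gmail.com come from the
writeup; every other domain, contact and name server is a hypothetical
placeholder.
"""
import re
from collections import defaultdict

WHOIS_RECORDS = [
    """Domain Name: MYSECUREPAYSITE.NET
Registrant Name: J. Doe
Registrant Email: pilldude@gmail.com
Name Server: NS1.FLUX-EXAMPLE.NET
Name Server: NS2.FLUX-EXAMPLE.NET""",
    """Domain Name: manxl-orders-example.com
Registrant Name: Some Other Name
Admin Email: PillDude@Gmail.com
Name Server: ns1.flux-example.net.""",
    """Domain Name: eliteherbal-example.net
Registrant Email: other@example.org
Name Server: ns1.flux-example.net""",
    """Domain Name: unrelated-example.org
e-mail: nobody@example.com
Name Server: ns1.hosting-example.com""",
]

# WHOIS output is free text and labels vary between registrars, so match the
# common field names case-insensitively, one field per line.
DOMAIN_RE = re.compile(r"^\s*domain name\s*:\s*(\S+)", re.I | re.M)
EMAIL_RE = re.compile(
    r"^\s*(?:registrant|admin(?:istrative)?|tech(?:nical)?)?\s*(?:contact\s+)?"
    r"e-?mail\s*:\s*(\S+@\S+)", re.I | re.M)
NS_RE = re.compile(r"^\s*name server\s*:\s*(\S+)", re.I | re.M)


def parse_whois(text):
    """Extract the domain plus normalized (lowercased, no trailing dot)
    contact e-mails and name servers from one WHOIS record."""
    m = DOMAIN_RE.search(text)
    if not m:
        raise ValueError("record has no Domain Name field")
    return {
        "domain": m.group(1).lower().rstrip("."),
        "emails": {e.lower().rstrip(".") for e in EMAIL_RE.findall(text)},
        "nameservers": {n.lower().rstrip(".") for n in NS_RE.findall(text)},
    }


def pivot(records, field):
    """Index domains by a shared value of `field` ("emails" or "nameservers").

    Only values shared by more than one domain are returned, since a value
    seen once links nothing."""
    index = defaultdict(set)
    for rec in map(parse_whois, records):
        for value in rec[field]:
            index[value].add(rec["domain"])
    return {value: sorted(domains)
            for value, domains in index.items() if len(domains) > 1}


if __name__ == "__main__":
    for field in ("emails", "nameservers"):
        for value, domains in pivot(WHOIS_RECORDS, field).items():
            print(f"{field[:-1]} {value} is shared by: {', '.join(domains)}")
```

Registrant contacts are frequently faked or hidden behind a privacy proxy, so the same index is built on name servers as a second pivot key: in the constructed data the e-mail ties two domains together, while the shared name server pulls in a third that the contact field alone would have missed.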
It is no coincidence that all posting on behalf of "pilldude" stopped abruptly at precisely the same moment that members of New Zealand law enforcement executed a raid on 20 properties in Christchurch, New Zealand as a direct result of the information uncovered by the BBC and spaminmyinbox. (See story here.)
But look around and you'll see people openly discussing SanCash, making no mention of Genbucks. Clearly the connection is there. They just want people to (wrongly) focus on GenBucks, when in reality it's SanCash that's profiting from VPXL spam.
Following the New Zealand raids, several people posted on bulkerforum.biz regarding the raids and the investigation, making it extremely clear that the investigation was on the right track:
ubuntu
Joined: 06 Feb 2007
Posts: 12
Posted: Thu Dec 20, 2007 10:26 am
Post subject:
not sure if this is sancash
this is related to this audition.. and hmm.. looks like GB...
http://www.bbc.co.uk/radio4/theinvestigation/pip/uvboh/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
jhood
Joined: 23 Oct 2006
Posts: 151
Posted: Thu Dec 20, 2007 11:51 am
Post subject:
thanks for link ubuntu..
eliteherbal/manster IS SanCash
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
icanspam
Joined: 10 Aug 2007
Posts: 52
Posted: Thu Dec 20, 2007 2:22 pm
Post subject:
SA?
Shane Atkinson, bro.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
mail4spart
Joined: 15 Sep 2006
Posts: 33
Posted: Thu Dec 20, 2007 5:18 pm
Post subject:
I know Shane is a straight up guy and doesn't deserve all this heat. I hope he can survive this like he did last time he came under a lot of heat before him and his brother. He has been running a smart business for a long time and looks after his people and if he has to shut down the biz there will be many affiliates affected and unpaid.
"jhood" puts a very fine point on it: "eliteherbal/manster IS SanCash". So it's clear: they knew this operation was in trouble due to the investigation.
It didn't stop the spam at all, of course. In the meantime, "spaminmyinbox" has been sued and placed under a restraining order by GenBucks' offices in India, meaning he can't post more detail about his in-depth investigation.
Following the raids, sancash.com as a domain shut down completely, and other individuals and I noticed that new names began floating around, among them "etranzmu." As we speak, the new location of SanCash is unknown, and their representatives on bulkerforum.biz (azzy and sanjay) have taken all discussion regarding SanCash "off-forum". This is a clear sign of two things:
1) They must be feeling some heat.
2) They know they're operating in violation of the law.
You can read much, much more about this operation by reading the SanCash entry on the spam wiki.
Products they are known to spam (based on domain registrations and the use of the "Infinity Secure" order processing page):
- VPXL (Also known as Express Herbal)
- King Replica
- Diamond Replicas
- Prestige Replicas
- ED Pill Store / ED Pill Shop
And previously-spammed products going back at least two years or so:
- Manster
- ManXL
- Elite Herbal
- Extra-Time
- More-Size
- Wondercum
- Spur-M
- Personal Pussy
- Penis Enlargement Pills
- Penis Enlargement PatchRX
- Vigramax
- FatBlaster
- Hoodia
Spamit
As we've seen with SanCash, Spamit also has a shell, publicly available front-end company which is easy to find but which (again) doesn't discuss email spamming in any form whatsoever. That "company" is named Glavmed.
Spamit, unlike SanCash, still has a publicly available affiliate portal, but not much else is known about their operations. Their representatives on bulkerforum.biz were named kref and spamit. I say "were" because, with absolutely no fanfare, their bulkerforum accounts and all of their postings were completely deleted on or about Feb. 11th, 2008.
Spamit is behind several very malicious forms of spam. They're probably best known as the sponsors of "Canadian Pharmacy" and "US Pharmacy", both very prolifically spammed, and notable for their focus on the sale of controlled pharmaceuticals such as Hydrocodone and Ambien. Mailers who send on behalf of this group have abused so many systems, so many trademarks and so many email templates that at some point I should think a variety of large corporations could bring a class-action lawsuit against them. Here are only a few examples of the abuse they are known to perpetrate in the name of landing even a single message in an individual's email inbox:
- Hijacking or hacking of publicly owned web servers to be used as redirectors or image hosts.
- Use of whitelisted corporate email templates to bypass spam filters, predominantly in mailings to Hotmail.
- Use of the same domain to redirect to a Canadian Pharmacy website, present a dynamic or randomized stock-spam GIF image, or serve an infection executable for the Storm worm.
- Hijacking or hacking of a publicly owned web server to perform either a redirect to a Canadian Pharmacy website or to serve a new infection executable for the Storm worm.
- Automated creation of several hundreds of thousands of redirection pages on free web services such as Geocities, Google Pages, Lycos Tripod and Blogspot.
- Persistent spamming of newly-created Gmail accounts, even ones which have never been used at all, within days of creation.
- Persistent spamming of any and all "catchall" addresses, on any domain in the world, several dozen times per day (often several times per hour).
- Completely false claims throughout all spamvertised properties. Everything: their claims about the security and safety of the products offered, who is on their staff, where they are located, who supports them. All such claims are 100% false.
What a bunch of charmers.
They are known to register several hundred thousand throwaway domains using completely fictitious or nonsensical contact information, and they have been known to register domains using either stolen credit cards or stolen PayPal accounts.
Spam sent on behalf of SanCash and Spamit represents some 97% of all the spam messages I receive to any account I control. I know this to also be true of many friends and colleagues.
Products they are known to spam (based on domain registrations and the use of the "Infinity Secure" order processing page):
- Canadian Pharmacy
- US Pharmacy
- Downloadable Software
Note also that "Canadian Pharmacy" will switch to "European Pharmacy" based on the geographic location of your IP address. It's the same site, though.
There are probably many more, but these are the top three for this sponsor.
An additional note regarding Spamit and the Storm worm.
Spamit have been directly tied to infection attempts for the Storm botnet, as listed above. We can still see evidence of this even now. Here are two URLs I was spammed with today [omitting their use of Google Ads click-tracking links].
http://westphoto.org/video.exe [do not visit this link on an unprotected computer]
http://scramignon.com/redir.html
As mentioned above, both of these domains are publicly owned, legitimate websites whose servers have been hacked and had these files (video.exe, redir.html) placed on them.
video.exe claims to be the "Storm codec", and spam for it usually contains some kind of social-engineering copy to fool you into thinking you're downloading a naughty or voyeuristic video. It is of course an infection file for the Storm worm.
The redirect in this case points to "sugaronly.com", a Canadian Pharmacy domain.
But let's swap the two around:
http://scramignon.com/video.exe [Again: do not visit this link on an unprotected computer]
http://westphoto.org/redir.html
They both still work. This means that these domains (and several thousand other such hijacked domains) can be re-used in parallel spam runs.
This indicates that Spamit as a company, and Canadian Pharmacy as a brand, rely heavily on large numbers of Storm worm infections.
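The "swap the paths around" observation above is a pattern worth checking automatically across everything a spam trap collects: a hijacked host that serves both the dropper and the pharmacy redirector is shared infrastructure, and the redirector's body tells you which brand it feeds. The block below is an added example written for this writeup, not code from the page or from Spamit. The host names and paths are the ones quoted above; the HTML bodies are constructed stand-ins for what a fetch of each redir.html might return (a meta refresh and a JavaScript location assignment, the two forms these throwaway pages most commonly take), cleanhost-example.net is a hypothetical control host, and nothing in the code touches the network.

```python
"""Cluster spamvertised URLs by host and path and decode the redirectors.

Added example, not code from the writeup. The host names and paths are the
ones quoted above; the HTML bodies are constructed stand-ins for what a fetch
of each redir.html might return, and nothing here touches the network.
"""
import re
from collections import defaultdict
from urllib.parse import urlparse

SPAM_URLS = [
    "http://westphoto.org/video.exe",
    "http://scramignon.com/redir.html",
    "http://scramignon.com/video.exe",
    "http://westphoto.org/redir.html",
    "http://cleanhost-example.net/news.html",   # hypothetical, one role only
]

# Constructed redirector bodies: one uses a meta refresh, one a JS location
# assignment; the third is an ordinary page with no redirect at all.
REDIRECT_BODIES = {
    "http://scramignon.com/redir.html":
        '<html><head><meta http-equiv="refresh" '
        'content="0;url=http://sugaronly.com/"></head></html>',
    "http://westphoto.org/redir.html":
        '<html><body><script>window.location.href='
        '"http://sugaronly.com/?aff=1";</script></body></html>',
    "http://cleanhost-example.net/news.html":
        "<html><body><p>Just a page, no redirect.</p></body></html>",
}

META_REFRESH_RE = re.compile(
    r'http-equiv=["\']refresh["\'][^>]*url=([^"\'>\s]+)', re.I)
JS_LOCATION_RE = re.compile(
    r'location(?:\.href)?\s*=\s*["\']([^"\']+)["\']', re.I)


def redirect_target(body):
    """Return the URL a redirector page forwards to, or None if it is not one."""
    for pattern in (META_REFRESH_RE, JS_LOCATION_RE):
        m = pattern.search(body)
        if m:
            return m.group(1)
    return None


def classify_path(path):
    """Role a path plays in the campaign, judged by its extension."""
    low = path.lower()
    if low.endswith(".exe"):
        return "dropper"
    if low.endswith((".html", ".htm", ".php")):
        return "redirector"
    return "other"


def shared_infrastructure(urls):
    """Hosts that serve both a dropper and a redirector, i.e. hijacked
    servers reused across the malware and pharmacy runs, with their paths."""
    paths_by_host = defaultdict(set)
    for url in urls:
        parsed = urlparse(url)
        paths_by_host[parsed.hostname].add(parsed.path)
    return {host: sorted(paths)
            for host, paths in paths_by_host.items()
            if {"dropper", "redirector"} <= {classify_path(p) for p in paths}}


def landing_domains(bodies):
    """Map each redirector URL to the domain it finally lands on."""
    out = {}
    for url, body in bodies.items():
        target = redirect_target(body)
        out[url] = urlparse(target).hostname if target else None
    return out


if __name__ == "__main__":
    for host, paths in shared_infrastructure(SPAM_URLS).items():
        print(f"{host}: {', '.join(paths)}")
    for url, domain in landing_domains(REDIRECT_BODIES).items():
        print(f"{url} -> {domain}")
```

Run against a real trap feed, the first function gives the list of compromised servers to report to their owners, and the second gives the pharmacy domains to pass along to the registrar; fetch the bodies from an isolated machine, since the same hosts also serve the .exe.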
Spamit also has a spam wiki entry, but it is currently missing a lot of this detail.
Bulker.biz
Bulker.biz is possibly one of the oldest sponsors of illegal spam in existence today. Thanks only to the above-mentioned illegal activity of Spamit in relation to Canadian Pharmacy, Bulker.biz is no longer the most malicious spam sponsor organization around.
It's only recently that I noticed representatives of bulker.biz publicly stating that bulkerforum.biz exists mainly because of their sponsorship. It makes sense (and was so obvious that I'm surprised nobody picked up on it earlier).
Bulker.biz is perhaps best known for that old standby, "My Canadian Pharmacy," which I'll refer to as "MCP". At one point, MCP was the most prolifically-spammed property in existence, accounting for several million spam messages per day, and even peaking at an estimated 20 billion messages sent in a 24 hour period (based on research by the i-Law group in May 2006 [summary available here]). At that time it was unknown that bulker.biz was responsible for the MCP "brand".
MCP was the first criminal spam operation I researched, which culminated in a report which I provided to law enforcement in seven countries, and a revised summary entry in the spam wiki. You can see from this entry that just like spamit, bulker.biz is responsible for quite a bit of abuse to this day. A sampling of their illegal activity:
- Hijacking of publicly owned Unix servers for everything from DNS hosting, to website hosting, redirections, and image hosting. [This continues to this day.]
- Completely false claims throughout all spamvertised properties.
- Automated creation of several hundreds of thousands of redirection pages on free web services such as Geocities, Google Pages, Lycos Tripod and Blogspot.
Again: charming.
The unique targeting of Unix servers is of particular note, since it's the same method of hosting used by bulkerforum.biz, further tightening the link between the two. You can read much more about them in the spam wiki entry.
Bulker.biz is responsible for a very large amount of spam for the following properties:
- My Canadian Pharmacy
- International Legal RX
- US Drugs
- VIP Pharmacy ("Viagra + Cialis")
- Canadian Health&Care Mall
- Men Health (Men+ Health)
And other sites they were directly responsible for, but for which less spam was seen:
- Exclusive Caviar Online
- Double Your Dating
Bulker.biz is represented on bulkerforum.biz by member "ebulker".
You'll notice that I make specific mention of their mailing practices. These may or may not be directly attributable to the sponsors, but especially in the case of Spamit, they clearly have people in their ranks who insist upon spamming every email address in existence on the off chance that two of them might actually receive it and click all the way through to a purchase. It can't be a coincidence that virtually everybody in the world is receiving spam for their websites. If it were an individual mailer, we would see the same volume of spam for a variety of other sponsors. It's for this reason that I specifically include any mention of mailing practices or frequency.
An additional point specifically regarding Spamit's Canadian Pharmacy and all pharmacy properties promoted on behalf of Bulker.biz: I mentioned above that they lie. It's important to note precisely to what extent they lie. In the case of MCP, they lie with literally every single word on that site. They have a completely laughable "about us" page which features mini-bios of completely fictitious "doctors", whose faces are actually gleaned from stock images of surgeons and medical personnel. There is no "Jack Poppins" or "Carl Rose". The same is true of Canadian Pharmacy, which also features stock images (probably used without permission as well) and makes completely false claims regarding their "pharmacists" and licensing thereof. You can see a great deal more detail of these falsehoods in the MCP spam wiki entry.
As I mentioned above: sponsors are the big fish. They are the ones who register and provide hosting for the thousands of spamvertised URLs we see every day. They often also provide pre-made Blogspot or Geocities redirects (which they hire an individual to create). They pay out the commissions to the mailers who spam on their behalf. They take care of the credit card processing (using high-risk merchant providers whom they pay for stable card processing). They take care of any botnet-supported web hosting or DNS rotation. They're the source of all of this. They know they operate illegally, and they get away with it on a daily basis.
It is my hope that someone in law enforcement, or better yet someone from the legal teams of Pfizer, Microsoft or any other companies whose reputations these sponsors are tarnishing will step up and take action to get them completely shut down. The only reason an individual mailer is able to profit from illegally spamming in the first place is directly because these sponsors, and others like them, fully support their illegal activities, and engage in several more of their own. Shut these three down, and you will have removed three of the biggest criminal operations in existence today.
SiL / IKS / concerned citizen
P.S. Recently PBS aired a documentary entitled "Illicit: The Dark Trade" (produced by National Geographic). I strongly recommend viewing it for its in-depth exposition of the wider fake-drug / fake-watch / fake-fashion-item trade. It opened my eyes to the deeper profit structure of these networks of individuals, spam-related or otherwise.
3 comments:
While I myself do not have insight into the behind-the-scenes workings of Spamhaus, I think they should pay attention to this well-done research into the operation of spamming. It seems you have picked up where Brian McWilliams left off back in 2005 or so. The entire approach by organizations who spam has definitely morphed a lot over the past few years. Great stuff on your blog and the wiki, keep it coming. - A sysadmin who deals with mailservers.
Kudos in order: your blog is listed as one of the top 25 blogs on The Industry Standard
http://www.thestandard.com/news/2008/05/14/industry-standards-top-25-b-z-list-blogs?page=0%2C12
To the list of who profits from spam, add domaineers. One such group appears to be the capitaldomains group that is named in a 2007 typo-squatter suit filed by Dell and in a recent GE WIPO action. Some circa 2007 spam nameservers which appear to be still active and authoritative for 2008 Chinese-based spam nameservers are now appearing on IP address subnets shared by this affiliated group of registrar and domaineers.
> Kudos in order: your blog is listed as one of the
> top 25 blogs on The Industry Standard
Wow. :)
That link wrapped unfortunately after I published your comment. It is available here. Thanks for the heads up.
> To the list of who profits from spam, add
> domaineers. One such group appears to be the
> capitaldomains group that is named in a 2007
> typo-squatter suit filed by Dell and in a recent
> GE WIPO action. Some circa 2007 spam nameservers
> which appear to be still active and authoritative
> for 2008 Chinese-based spam nameservers are now
> appearing on IP address subnets shared by this
> affiliated group of registrar and domaineers.
I actually didn't include that because the links between them and the rest of the known spammer economy are less well-established. But that is definitely a good point.
The main thrust of that entry was to clarify who profits the most, and who absorbs the most risk. Clearly we all have to shine a very bright light on the sponsors, without whom the whole house of cards comes tumbling down.
Nicely done. And again thank you.
SiL / IKS / concerned citizen