Glavmed responds - re: my Open Letter.

Welcome Glavmed affiliates who are linking here directly from the Glavmed site. :)

For a very brief period of time yesterday (Feb. 4th, 2009) the following claims were posted on many pages of the glavmed portal site, and it makes it clear that they are seeing some negative attention as a result of my open letter:

We've received a few links from our partners, containing an open letter. This letter was published at http://ikillspammers.blogspot.com/2009/02/glavmed-open-letter-to-law-enforcement.html. This is far from the last time, when apparently our business rivals try to defame our partnership programme. But this is the first time, when they appeal to The FTC, The FDA and other law organisations.

We, Glavmed, want to make a statement, that all the allegations of this letter are absolutely false and incorrect. They denigrate the honour, dignity and business reputation of our company.

We'd like to answer this open letter item by item:

1.Glavmed don't sell, have never sold and will never sell any pills. Glavmed are CEO partnership programme, which run a network of online-shops. Its main task is accepting of buyers' order und data. We have a few commission contracts with well-known, absolutely licensed drug stores. We transfer this order to them for its execution. Glavmed's task is attracting of new customers and transferring their orders to these drug stores. After receiving the commission from these drug stores we share it with our partners. We don't sell pills. That makes a great difference.

2.Glavmed have clear rules against spam and viral spreaders. We've never accepted such traffic. All such accounts have been instantly banned or cancelled. It's very easy to check. Just register and try to spread spam!

3.Glavmed are really well-known long existing partnership programme. Unfortunately we have some problems. The schemes and designs of our sites are being constantly copied and stolen. A lot of our dishonest business rivals give their sites to be ours, copying everything - graphic designs, file names and product descriptions.

4.Our rivals allege that our drug stores' products have low quality. This is totally lie and defamation. We can show hundreds of feedbacks, proving high quality of our products. We also have independent test results. They prove that our products are being produced by indinan laboratories and up to claimed quality.

Unfortunately we can foresee the further organized pressure against our partnership programme, because normal business competition can't be provided by them. We really take care of our partners and our customers.

This message was removed sometime between yesterday and today. It is unclear why, although I would guess that they didn't want their own affiliates reading my posting. I and other researchers have also noticed that they are now blocking very specific IP addresses from viewing the Glavmed website.

A couple of obvious corrections need to be made right off the bat:

a) The letter was not written to you, Glavmed representatives. It was written to law and drug enforcement agencies, as well as the media who has been researching this.

b) I am absolutely not a "business rival".

c) I am not the only one who has been researching your organization. My letter is a an account of the known, researched, verifiable facts regarding the scourge of unwanted Canadian Pharmacy websites. If I were trying to defame you, I wouldn't have nearly as much factual evidence in my letter.

So in response, I'll counter their bogus response point by point.

1. Glavmed claims on their front page (and I'm of course not altering their horrendous spelling and grammatical mistakes):

GlavMed is a BEST way to convert your pharmacy traffic into real money. Forget about miserable sums you're getting sending your visitors to PPC pharmacy results.

You're loosing at least half of YOUR money converting traffic like this. GlavMed offers you a possibility to eliminate any agents and sell most popular pharmacy products directly. It means 30-40% revenue share. features & benefits

Note: sell most popular pharmacy products directly. Which is it? Are they selling them or not?

Whether they sell the drugs themselves or not is ultimately irrelevant. They are part of a long chain that gets illegally-produced FAKE and harmful versions of these products into the hands of unwitting members of the public. There is copious amounts of evidence to support this, and they know it.

Glavmed is an affiliate program. They get their affiliates (aka: spammers) to promote (aka: spam) the websites (hosted via rampant viral PC infections) to sell fake drugs to unwitting victim customers. Who do they send that order data to? They don't say. But they know who that is, and they know that they are taking these orders without any consultation with any pharmacist. They also do all of this with absolutely ZERO security or encryption, so you can imagine how they're treating the rest of your personal data.

2. Sure, they state on their website that they don't allow spamming, but as I mentioned: they removed any of the postings which made it clear that very actve spammers are indeed a part of their program. Nowhere do we find ANY postings within their forum about any actual action taken against spammers. Literally everyone with an email address will know that Canadian Pharmacy is THE most spammed property on the Internet today, and has been for three years and counting. If they don't allow spammers, why is it still the most commonly found spam in the world today? You can have rules all you like. If you're not enforcing them: what does it matter?

As an aside, I and many other individuals have been complaining to Glavmed under numerous identities starting in May of 2008. I have personally sent, using numerous of my accounts, at least 25 very detailed complaints regarding spam messages I have received between May 2008 and January 2009. Guess how many responses I've gotten? Guess how much "action" I've seen on behalf of Glavmed, or anyone else claiming to represent this operation? ZERO! Guess where their abuse-reporting pages are on their site? THEY DON'T HAVE ANY!

This claim is utterly false. They take zero action regarding their KNOWN spamming affiliates, and they never will.

3. If Glavmed has been aware all this time that so-called third parties were ripping off their site designs, functionality and everything else: why haven't they drastically changed their entire design, branding, etc., or made ANY public statement regarding any of this? Why did they wait until someone like me exposes the whole setup for the obviously fraudulent operation that it is? This is an outright lie.

4. Again I will link to actual evidence (source), on behalf of a reputable company -- Ironport -- who placed orders from one of these sites, and gave the pills they received to a lab for analysis:

False Drugs Purchased

IronPort researchers followed the trail they uncovered and ordered sample pills from a pharmacy source in India. They then had an independent lab analyze the contents. The pills IronPort ordered contained sugar and some inert filler, Bhandari said.

A second test sampling from another online pharmacy purchase contained high metal content. The substances could be very harmful to unsuspecting consumers, he said.

IronPort-sponsored pharmacological testing revealed that two-thirds of the shipments contained the active ingredient but were not the correct dosage, while the others were placebos. As a result, consumers take a significant risk of ingesting an uncontrolled substance from overseas distributors, according to IronPort.

So in light of this report: I don't believe a single word Glavmed says, and I don't think anyone else should either.

Keep in mind: this is only one such report. There are others.

I notice that they completely ignore any mention of concern over the rampant illegal spamming which continues on behalf of Canadian Pharmacy, nor do they even broach the subject that as recently as October 2008 their site templates still contained bogus "sponsorship logos" on behalf of the Better Business Bureau, Verified By Visa, and Pharma Checker, nor do they mention that they were making very public statements that they knew full well that all of these logos were not being used appropriately.

The Spamtrackers wiki entry for Glavmed contains a screenshot of the Glavmed sites page dating from July 2008 which shows the Canadian Pharmacy layout still featuring the bogus sponsor logos. (source.)

In addition: this howler of a claim:

"We can show hundreds of feedbacks, proving high quality of our products. We also have independent test results. They prove that our products are being produced by indinan laboratories and up to claimed quality."

Their claim that they have all kinds of feedback saying how great they are is meaningless.

Which "indinan laboratories"? Which "independent test results"? On behalf of whom? Published where, exactly?

Of course they will never say.

What about third-party, verified claims and lab tests that your products are genuine? What about third-party reports that your servers actually are secure? If I'm selling you a car and you ask me for verification that the car is in road-ready shape and is safe to drive, I can't just start typing you a recommendation myself. I would need a third party inspector to verify that my claims that this vehicle was safe were in fact true. Glavmed doesn't do this, nor have they ever.

"We really take care of our partners and our customers."

Really? I know for a fact that numerous of your customers would very much beg to differ.

Clearly my letter has hit a nerve. As usual, their response, as with many obvious spam operations, is more concerned with damage to their profits than anything to do with public safety, or the security of your personal data.

Glavmed's claims are theirs alone, verifiable by nobody, and easily countered point by point as being verifiably false.

I stand behind every word of my posting. This is not defamation. Again: I am only one individual, but my posting links to research performed by literally dozens of others, from a very wide variety of technical, medical, security and other backgrounds.

Use your own judgement: Glavmed, and the entire operation they support, are liars and part of a criminal operation. The proof isn't just in my open letter. It's all over the place.

SiL / IKS / concerned citizen

Canadian Pharmacy and Glavmed: An Open Letter To Law Enforcement, The FTC And The FDA

To whom it may concern (and ultimately it concerns all of you.)

I write today to petition your attention towards a large-scale international illegal pharmacy operation known as Glavmed.

Glavmed are the sponsor program promoting the very-widely-spammed property known as "Canadian Pharmacy". (Hereinafter referred to as "CPh".) If you have an email address of any sort, it is very likely that you're at least mildly aware of Canadian Pharmacy. It's the most commonly spammed property on the Internet today, and shows no signs of slowing down whatsoever. CPh has been relentlessly spammed to millions of recipients for the past three years. Here is a screenshot of a currently spammed domain, dadsymbol.com:



Please note that depending on your geographic location, this same domain will appear as "Canadian Pharmacy", "European Pharmacy", and a variety of other variations on that brand name. They do this by using geographic sensing of inbound IP addresses to the site. The overall layout and functionality remains the same.

The Websites

On the surface this appears to be a fairly innocuous website selling what appear to be legitimate pharmaceutical products. However a little further examination proves that this is a site selling fake, knock-off, imitation versions of some fairly widely-sold pharmaceutical products such as Viagra and Cialis. The clue that this is not legitimate is that they also sell the following products:

• Viagra Professional


• Cialis Professional


• Viagra Super Active


• Cialis Super Active


• Viagra Soft Tabs


• Cialis Soft Tabs


• VPXL


• Levitra Professional


• Levitra Super Active

None of these products have ever been produced by the actual originators of the original Viagra or Cialis. These products have only been sold from shady, illegitimate online pharmacies.

Add to this that they have creatively spelled the names of one or more dangerously addictive and harmful products such as "Phentrimine", and offer another bogus version of this same product named "Herbal Phentermine", and it becomes clear that this is a company which is distributing products of dubious origin and manufacture.

All of these products are sold without the need for any prescription, whcih violates several FDA regulations, especially for the sale of controlled substances such as phentermine.

Further (although technically speaking this is less of an issue than the risk to public health and safety): these sites' continued use of the brand name "Viagra" is in violation of the trademark and intellectual property rights of Pfizer, who owns the Viagra name and the patent on its particular medicinal formula. There is no such thing as "generic" Viagra, nor has there ever been. It is not legal to make -- or claim to make -- Viagra while Pfizer still holds the patent. The same is true of Cialis and Levitra.

Sales of these alleged "generic" pharmaceuticals violates the law in most countries around the world. Sale of these products in their legitimate form without consultation with a physician or a registered pharmacist is also illegal, and violates several sections of the FDA act.

Finally: sale of controlled substances - phentermine definitely qualifies, but again: who knows what's actually in the pills this "company" is selling to you? - is also against the law when done so without any registered pharmacist or a valid, authorized prescription.

This organization breaks several international laws, but more importantly it poses a very serious threat to the public's health.

Promotion Via Illegal Spam

The only way that perhaps 70% or more of the world has heard of Canadian Pharmacy is via the unrelenting, large-scale receipt of illegally-sent spam email messages. By "illegally-sent", I refer specifically to the fact that they (or someone or some group working on their behalf) send these emails using very large scale "botnets" (definition) comprising several thousand of exploited public computers. Over the past three years, no fewer than six (6) IT security organizations have performed research on a variety of these botnets, most notably the Storm botnet, and discovered that one of the primary uses of this botnet was to send spam email messages promoting these CPh websites.

I myself have written on this blog and on numerous spam- and cybercrime-related forums regarding Canadian Pharmacy, and I've specifically been researching their operations starting in mid-2006. (previous posting) However I am far from the only individual researching this organization.

Finnish Security Company "F-Secure" posted research tying spam messages promoting spamvertised websites for CPh on November 11th, 2006. (source) In this research they discovered that a PC exploit then known as "Warezov" was capable of sending spam. That spam contained urls for websites promoting what was then known as "Pharmacy Express." Pharmacy Express turned into Canadian Pharmacy in early 2007. The spam runs promoting these websites would often send tens of millions of messages to addresses around the world. The domain names for the Pharmacy Express sites were virtually identical in naming structure to those used as name servers for other sites which were being used as infection points for the Warezov virus, as well as domains used as name servers for both the warezov infection sites and the CPh websites. More on Warezov and it's functionality later.

Fast-Flux Hosting Via Hijacked Public Computers (Storm Worm)

Focusing again on the abovementioned domain, we can see that some unique hosting solution is being used for the "dadsymbol.com" domain by running a "dig" command against that domain:



As you can see from this simple check, the website itself is hosted on rotating IP addresses. This is a technique known as "fast flux" hosting (definition), and it's used by these CPh sites to hide their true location. Research has shown that these IP addresses are, invariably, infected household PC's owned by individuals who are unaware that their computer has been taken over to be used in support of these illegally-operating websites.

The IP addresses in this particular example are all located in Beijing, China, hosted at three distinct companies:

China Network Communications Group Corporation
CHINANET hebei province network / China Telecom
Beijing Zhongbangyatong Telecom Technology Co.,Ltd

This is not often the case. Several researchers have discovered some CPh sites using household dsl connections in the US Midwest, cable internet connections in Poland, and numerous other types of always-on cable or dsl connections around the world. All of this is believe to be provided by the Storm worm.

100% False Claims

Canadian Pharmacy has made numerous completely false claims throughout nearly every word they say in every spam message sent, and on every page of their websites. Among these are claims that they offer security when processing credit cards (they do not, and never have, and this is something you can see by investigating any of the domains spammed to promote this operation,) that their products are safe (numerous researchers have found that they either contain no active ingredient, or that they contain only trace amounts of the active ingredient, or that they actually contain harmful elements or materials,) and they often listed contact information which was actually for the College of Pharmacists of British Columbia, who strenuously denied having anything to do with this operation or its continued illegal spamming practices. They also listed icons for the Better Business Bureau, Verified by Visa and an organization known as "Pharma Checker", none of whom actually supported or endorsed any of these sites. (And in all cases, representatives from all three expressed frustration in being able to get this group to remove their icons from their sites.) Only in the past four months have they removed these icons. It is unclear why, although one could surmise that the increased investigations into their operations are to blame.

In fact even the very name of these sites, Canadian Pharmacy, is a lie. They aren't located anywhere near Canada, the products often ship from India, and the domains and name servers are hosted around the world. There isn't any Canadian source for any of these websites.

Further: the contact information used to register websites and nameserver domains routinely feature 100% fake information. This is true for literally every single website registered for the promotion of Canadian Pharmacy.

These websites represent a very serious risk to the public's health, no matter which country the unwitting customers of these malicious websites happen to live in.

But I encourage you to join me in digging deeper into what other illicit activities this series of illegal websites is tied to.

Glavmed's Connection to Storm / Warezov Infections

I mentioned Warezov in an earlier paragraph.

Over the past 2 years, Warezov has come to be known alternately as Storm or Asprox. There are other names for this type of PC infection. It has continued to grow in size, and has continued to be used for all manner of illicit online activity ranging from the aforementioned spamming, through to plainly illegal activity such as performing large-scale Distributed Denial Of Service attacks (aka: DDOS attacks) against any site the botnet operator chooses (source), performing SQL injection attacks (source,) and most importantly for providing hosting and infrastructure for these Canadian Pharmacy websites, including name servers. Storm worm has also occasionally been used in phishing attempts. (source)

As far back as Jan. 31, 2008, tech news stories abounded that law enforcement authorities knew who had created and continued to operate the Storm worm (source), yet nearly a full year later absolutely no action has been taken against them. Further research by a variety of individuals as well as Wired Magazine tied Storm worm to a shadowy criminal organization known as the Russian Business Network, or "RBN". (source)

No less a source than the Washington Post's Brian Krebs has previously posted in great detail about who is behind the Storm Worm, and boldly declared he had connected all the dots in a story dating from January 29th, 2008. (source, with extensive background research.)

Glavmed Affiliate Program

In the past year, after monitoring numerous spam-friendly forums, many of which now no longer exist, I discovered one website which was responsible for acquiring new affiliates to promote the Canadian Pharmacy brand: a site called Glavmed.com. This is not immediately obvious from just visiting their main website, glavmed.com. (Although they do of course mention that the sites being promoted are pharmacy websites.) Their sites page features no mention of the brand "Canadian Pharmacy", only vague descriptions of what the sites sell, and that anyone can join this program. Their sign up form features no section where anyone needs to disclose whether they are a medical professional or a pharmacist at all, or whether they are retaining one for the purposes of fulfilling prescriptions for the pharmaceuticals these sites sell.

So how did I discover the link between Glavmed's affiliate program and Canadian Pharmacy? I joined their affiliate program. I will not disclose the details of my affiliate account other than to say that I have never used it for any promotional purposes on behalf of glavmed or Canadian pharmacy. Once I was approved, I was sent a link to their site templates which made it very clear that this was a very large-scale, highly organized operation, and that they are indeed 100% responsible for Canadian Pharmacy, and therefore responsible for the relentless spamming which occurs on their behalf.

As it turns out, apparently one of their supporters or affiliates posted a very Glavmed-friendly piece on a website known as atlantea.com (source), which alleges to rate the various online pharmacies promoted by Glavmed. They of course make absolutely no mention of the fact that these sites are easily the most prolifically-spammed properties on the Internet today. That entire domain appears to be a very spam-friendly site, and it links to a known base-domain which glavmed sites have been using for payment processing for three years now, rx-partners.biz.

Some interesting additional notes: They have modified several threads in their forums. These threads previously contained postings by several members which made it very clear that not only were Glavmed and their affiliates aware that many of their ranks were involved in large-scale spamming, but that they also knew they were lying about the use of logos such as that of Pharma Checker.

This thread previously had a posting (following posting #4, which is now the final posting in that thread) which stated that there was no valid Pharma Checker account for the Canadian Pharmacy websites. (A valid Pharma Checker is required in order to place a link to any pharmaceutical sites within a Google Adsense campaign, among many others. One affiliate was refused. I feel certain that many others must have been refused as well.) Another thread regarding spamming (source) had several pro-spam postings dating back to late 2007. These were removed sometime between December 2008 and January 2009. That was previously located after posting #3. Clearly someone is removing any expository evidence. (I and many others have archives of this forum however.)

Glavmed / Spamit / Storm / Canadian Pharmacy / RBN

Further, no less an authority than Ironport, a major spam-fighting corporation, made direct connections between Storm worm, Canadian Pharmacy, Glavmed, and their underground affiliate portal (and likely the real smoking gun) known as Spamit.com. (source) Ironport also placed several orders to verify what would happen with their bait credit card information, and to see whether they would actually receive anything from the order. They did receive a package containing pills which contained sugar and what was referred to as "inert filler". Another contained "high metal content". This is clearly a very high risk to the public's health.

I and many other researchers and security professionals believe it is time for someone to take decisive action against this operation, which has profited for at least four years now and is only continuing to grow. Research and evidence abounds regarding the connections between Canadian Pharmacy, Glavmed, The Storm Worm and the Russian Business Network. All of these are known by numerous security and law enforcement agencies to be operating in flagrant violation of international law. I and the citizens of my country and those of pretty much every other country are fed up with continual bombardment of these spam messages, promoting websites which lie in every word of their content, which sell fake and harmful products, and which endanger the lives of the general public. We are fed up with the complete lack of action on behalf of anyone in Law Enforcement to go after Glavmed, their affiliates, their site operators, their payment processors, their hosting providers and their domain registrars. The time for action is now, especially with the abundance of available research into this organization and their practices.

Please take this appeal very seriously. I welcome your feedback.

Very sincerely,

SiL / IKS / concerned citizen

Further research into Canadian Pharmacy

Spam Wiki: Canadian Pharmacy
http://spamtrackers.eu/wiki/index.php?title=Canadian_Pharmacy

Further research into the Storm Worm

Storm Worm Botnet Cracked Wide Open
http://www.heise-online.co.uk/security/Storm-Worm-botnet-cracked-wide-open--/news/112385

Russian Business Network (RBN): Georgia Cyberwarfare - Attribution & Spam Botnets
http://rbnexploit.blogspot.com/2008/08/rbn-georgia-cyberwarfare-attribution.html

Full-disclosure: It's time to get serious about Storm Worm / RBN
http://seclists.org/fulldisclosure/2008/Mar/0300.html

Slashdot: We Know Who's Behind Storm Worm
http://it.slashdot.org/article.pl?sid=08/01/29/1823242

China: The Last Resort for Spammer Domain Registration

Take any domain you've been spammed with over the past week and do a simple lookup on it. Chances are extremely good that the registrar for said domain will be located in China.

The list of the most spammer-friendly domain registrars has included the following major players:

• Tucows.com


• godaddy.com


• registerfly.com


• CSL Computer Service Langenbach GmbH d/b/a joker.com [aka: Joker.com]


• Beijing Innovative Link Technology


• Moniker.com


• aceofdomains.com (a subsidiary of Moniker.com)


• Xin Net Technology Corporation (aka: Xin Net, New Net, paycentre.com)


• Todaynic.com


• Chinanet


• BizCN


• Dotster


• HKDNR

Of that list, four are located in China, with one in Hong Kong.

Over the past two year, following a relentless campaign of complaints and educating registrars on how to properly shut down and nullroute an illicit domain, that list shrank to:

• Beijing Innovative Link Technology


• Xin Net Technology Corporation (aka: Xin Net, New Net, paycentre.com)

And only within the past couple of days:

• Xiamen Chinasource Internet Service Co., Ltd.

That's largely because Xin Net finally heeded the literally millions of complaints we were sending to them, backed up with evidence of fake contact information and links to wikipedia entries which outline the illegal operations these sponsor organizations are a part of.

It's a pretty good sign that complaining to the right people, in the right way, can have a devastating effect on the spammer economy. XIN NET was home to literally millions of spammed domains representing illegal operations. It took months of consistent communication, often using translators and other elements to get the message across to them that they were essentially supporting illegal activity.

It should be mentioned that Beijing Innovative Link Technology (aka: "BILT" to our community) have in fact been responsive regarding illegally-registered domains. It's just that they never shut them all down. There are always a handful of them which are still actively in use in widespread, aggressive spam campaigns.

I and several colleagues of mine have been diligently reporting every domain and name server we get spammed with in the hopes of getting the domains shut down. This was initially a very daunting process, since many of not most registrars weren't entirely clear on how to perform a proper domain shut down. Fortunately most of them have been very receptive and now even the most stubborn registrars have undergone a change of heart, probably because their continued ignoring of complaints could have led to their ICANN accreditation being revoked.

This is the kind of work which spammers and their sponsors assume (rightly, until recently) that members of the general public didn't want to take on. On the surface it sounds extremely overwhelming. Sponsors routinely register literally hundreds of thousands of domains, including DNS domains. I won't go into the boring details of how domain names work, and how registration takes place, but suffice to say that in the case of spammer-friendly sponsors like SanCash and Spamit, the registration of millions of domain names is not uncommon, and it all happens automatically.

There are two key failing points regarding these domain registrations:

1) They always use fake contact information for all of the contacts. (Administrative, Technical, Billing, etc.)
2) In many cases, a stolen credit card is used to register the domain, or a hacked PayPal account. Several regular domain reporters have received feedback to this effect over the past several years of reporting the domains.

Registration of a domain using fake information is in violation of ICANN accreditation. Forget what the domain is even used for (for now at least): if the contact information is along the lines of the following:

Administrative Contact:
Joe Lastname
123 Fake St.
Fake, NY
10000
tel: 123 4567890
fax: 123 4567890
joelastname@fakefakefake.com

Then that puts the domain registrar in the position of having allowed an illicit domain registration to take place.

If I report that information as being verifiably fake, and the registrar continues to allow several thousand more new domains to be registered using the same information, that puts them in violation of ICANN regulations, which stipulate that valid contact information must be present in order for a registered domain to be considered "valid."

Notably, XIN NET was continually allowing that to happen, for many years. They appeared to be ignoring our multiple complaints, making note of identifiably fake contact information.

All of that changed approximately eight days ago, and XIN NET should be commended for finally taking swift and widespread action against several tens of thousands of active domains used for heavily spammed products such as VPXL, Canadian Pharmacy and Prestige Replicas (to name only a few.)

But add to that the fact that all of these sites are doing the following:

• Lying, everywhere, on every page, about every detail of their products, their location, their staff and their alleged online security.


• Sale of fake "herbal remedies" with no valid active ingredient (several reports confirm this, notably the BBC report from December 2007 regarding "Elite Herbal", now known as "VPXL")


• Sale of potentially harmful or extremely addictive pharmaceutical products without the advice or consent of any licensed pharmacist.


• Aggravated repeat spamming to a majority of recipients who do not wish to receive any emails regarding these products and for whom there is no mechanism to opt out.

And you have a lot more ammunition to supply to the domain registrar.

If I started a website called "coccacolla.com" and claimed it was an official website of the Coca Cola corporation, Coca Cola would definitely hear about it, and the site would be shut down. I would also be sued. That's because there are laws regarding what a company (and therefore: the company's website) can and cannot claim. I can't claim, for example, that Coca Cola will cure cancer. I also can't claim that my corporate address is somewhere in the middle of the Atlantic Ocean. Again: it's not just morally incorrect behavior, it's illegal in most countries to do so.

Yet we have sites representing this barrage of spamvertised products, all registered with fake contact information, promoting fake or (at best) counterfeit products, with claims that they are located in a variety of locations where they in fact do not occupy any offices or warehouses.

One example: Canadian Pharmacy.

A recently spammed domain:

http://scoreway.cn

Whois information:

%whois scoreway.cn
Domain Name: scoreway.cn
ROID: 20071204s10001s42304059-cn
Domain Status: ok
Registrant Organization: theNoun
Registrant Name: HimNil
Administrative Email: goto@åç¸ç½ç»æéån
¬å¸nsoring Registrar: å¦é¨å
Name Server:ns0.nameedns1.com
Name Server:ns0.renewwdns1.com
Registration Date: 2007-12-04 21:03
Expiration Date: 2008-12-04 21:03

Look at that. No identifiable contact information of any sort. The brevity of the record is not unnatural, but the lack of any genuine contact info is.

But scoreway.cn actually presents you an iframe which is loading a separate domain:

http://newrxwalk.com

WHOIS for newrxwalk.com:

Domain Name: NEWRXWALK.COM
Registrar: XIN NET TECHNOLOGY CORPORATION
Whois Server: whois.paycenter.com.cn
Referral URL: http://www.xinnet.com
Name Server: NS0.BILLBOARDTOPTENS.COM
Name Server: NS0.GREATTENS.COM
Name Server: NS0.ONTHETENS.COM
Name Server: NS0.ORSTENSGUIDE.COM
Status: ok
Updated Date: 06-jun-2008
Creation Date: 23-may-2008
Expiration Date: 23-may-2009

Registrant:
Wen Feng
NO.397,zhuquedadao street,xian City,shanxi Province
710061



Administrative Contact:
WenFeng
Wen Feng
NO.397,zhuquedadao street,xian City,shanxi Province
xi an Shanxi 710061
CN
tel: 298 5228188
fax: 298 5393585
cncliup@21xn.com

Technical Contact:
WenFeng
Wen Feng
NO.397,zhuquedadao street,xian City,shanxi Province
xi an Shanxi 710061
CN
tel: 5228188
fax: 5393585
cncliup@21xn.com

Billing Contact:
WenFeng
Wen Feng
NO.397,zhuquedadao street,xian City,shanxi Province
xi an Shanxi 710061
CN
tel: 5228188
fax: 5393585
cncliup@21xn.com

Registration Date: 2008-05-23
Update Date: 2008-06-06
Expiration Date: 2009-05-23

Primary DNS: ns0.orstensguide.com
Secondary DNS: ns0.onthetens.com

That old standby, XIN NET.

A complaint has already been sent of course. :)

As I mentioned in previous posts, it's pretty straightforward to pick apart the falseness of this contact information, even if you know nothing about Chinese postal addresses or phone numbers. There is no "5228188" phone number. Dialing it will get you nothing. Likewise the fax number. The regsitrant behind this scam of a domain knows this.

"Wen Feng" is similar to numerous other bogus registrant names we've seen in the past. The address is bogus. etc. etc. All verifiable if you do some legwork.

An aside here: note that registrant's email address: cncliup@21xn.com. For the past year or more, hundreds of thousands of domains have been registered using a similar address: cncliup@21cn.com. Do a google search on that and you'll find numerous complaints and reports regarding spammed domains for these sites. We focused on the use of that domain as an indicator that it was registered illegally. XIN NET and Todaynic took that information and used it in conjunction with our detailed reports to shut down thousands of domains at once, and may be using that information to block registration of any new domains. This would explain the shift to the 21xn.com domain. Note: 21cn.com and 21xn.com are both providers of free email addresses. Sort of like a Chinese Hotmail.

Anyway...

If we visit the site, and look at what they claim:

You may contact us at +1(210) 888-9089, please, keep your order I.D. every time you make a call.

That phone number is a VOIP phone number (or otherwise digital phone line) registered by Level 3 communications in San Antonio, Texas. The owner of the number could in theory be located anywhere in the world. Just like everything else regarding this operation, it's quite possible that the number was also registered using fake contact info, and / or using a stolen credit card number.

Calling the number initially results in a voicemail prompt:

Hello. You have reached united pharmacy support service. Unfortunately, our operators are currently unavailable, so please leave a message after the beep.

They also mention that you can email them at support@uphs.info, or visit the website: uphs.info

Subsequent phone calls however result in a woman answering the phone, and denying any connection whatsoever to the spammed website "scoreway.cn", or its subsequent redirected domain "newrxwalk.com". Unless you have a concern regarding an order you actually placed, they won't discuss anything with you.

If we visit the "contact us" link, we're presented with a form, and the email address: support@canadianmedicationsupport.com

That email address has of course changed several times over the past several years. No contact with that address or via the form has ever gotten any kind of response, and I've been trying for the past two years under a variety of identities.

No corporate address is listed anywhere, no physical location is given.

My (long winded) point: no legitimate company would run in so many circles to hide its location, nor would it need so many thousands of illegally-registered domains to operate. The reason Coca Cola doesn't hide it's corporate office addresses (in Atlanta, GA) is because it operates legally, and communicates with its customers and the public in appropriate and legal ways.

Of course, they also don't illegally abuse numerous systems while attempting to promote their products. Spamit sites, and Canadian Pharmacy in particular, are routinely hosted on botnets (assumedly Storm), use hacked public domains to perform redirections, abuse whitelisted email templates from well known corporate email campaigns, and abuse all manner of systems just to ensure that you recieve a message from them, promoting their products. No legitimate company would engage in these tactics.

This is only one example, obviously.

If you want to join the cause and begin making more of a dent in these illicitly-run spam operations, go over to complainterator.com and download the complainterator. Read the supplied instructions and enter any of the numerous domains you got spammed with. Send off the complaint. Join the cause. (Apologies in advance: at the moment this is a Windows-only application. And no, I didn't create it.)

You would be surprised at just how effective this can be. If a company like XIN NET can be turned around, so can any other registrar being hit with these fake domain registrations. XIN NET is more vigilant about this process. Now it's time to educate Xiamen Chinasource Internet Service Co., Ltd..

SiL / IKS / concerned citizen

The Real Profit Centers of Spam: Sponsors

I recently wrote a new entry describing and dissecting the quagmire that is the "spammer economy" on the now-infamous spam-wiki. It's located here. I had spent many months (in fact the better part of a year and a half) researching and documenting everything that I found which described the separate entities and their distinct relationships. The writing and publishing of that wiki entry is the result of not only a lot of research, but a considerable change of viewpoint regarding who profits from spam, how we all refer to them, and what their distinct role is.

Unwanted email spam has been with us for so long now that I think we all, as recipients, tend to associate the incoming messages with one individual, or possibly one group or organization. For years now, even well-respected groups such as spamhaus have referred to these entities - individually or as a group - as "spam gangs" or "spam kings." They've often used teminology or nomenclature such as "Yambo Financial" or "Badcow" to refer to ghostly, unseen groups of criminals. My feeling is (and maybe it's just my feeling): This is no longer an accurate way to refer to the groups of individuals who spend their livelihoods crafting randomized emails promoting illegal fly-by-night urls.

A key turning point came when I was exposed to several discussion groups used by spammers, many of which I will not refer to directly due to the clandestine nature of how I came across them. In these discussions, many of the mailers or sponsors were essentially mocking any references to "spam gangs." In a nutshell: there is no "gang." There likely is no "Yambo financials". While "Alex Polyakov" or "Leo Kuvayev" may indeed be real people, with possible verifiable connections to one or more of the criminal entities who support and thrive upon illegal spam email, my feeling is: that's likely a red herring, put there to divert attention away from the real responsible parties.

Another turning point came during the investigation and raids upon properties directly related to Sancash or Genbucks. (By the BBC and New Zealand law enforcement, respectively.) This really raised the point of who stands to profit the most in these million-message spam runs: sponsors.

Sponsors is not a sexy term when discussing spamming, generally. Usually the press and individual recipients tend to focus on two things: mailers (spammers) and botnets. They make the press most often because it's probably too complicated to go into the depth of detail required to expose precisely who is behind that "p3n1s-p|ll" message you just received. People don't have the time. Referring to a "sponsor" will only confuse them.

The truth is: sponsors, or sponsor organizations (as I commonly refer to them) are the big fish in the spammer economy. They take the most risk, provide the most resources to mailers, and profit the most from spamming. They control everything from the design and functionality of their sites, to their affiliate front-ends, statistics, domain registration, fast-flux hosting and in some cases even the design or copy of the messages being sent.

Who are these sponsors? There are a handful of them in the upper ranks of the spam messages we receive every day. The top three (based on my own research) are as follows:

• SanCash


• Spamit


• Bulker.biz

Pretty much everybody in the world is receiving spam on behalf of these three organizations. They are well-established, have ties to numerous individuals (remember: no gangs. Everyone is an island) who provide them everything from "bulletproof hosting" to botnet infections. They are the ones most responsible for the 90+ percent of crap we all receive every single day.

So let's examine each of them briefly.

SanCash

SanCash is responsible for that old standby: VPXL (also known throughout the past three years as a variety of names including "Manster", "ManXL" and "Elite Herbal." It's all the exact same useless crap. Despite their claims of it elongating your "member", it does nothing. There is tons of evidence out there to support this.)

SanCash was investigated first by an individual blogger [spaminmyinbox], and subsequently by the BBC [see their article here or download the podcast of the investigation here.], only the BBC weren't aware that that's who they were actually investigating. That's because they focused on the entity they could find out in the wild: GenBucks. Genbucks is a publicly available marketing affiliate group. You won't find any mention anywhere on their sites related to "VPXL" (et al.) You will find mention of a variety of other products for which practically nobody has ever received email spam. Their forums discuss banner advertising or "SEO" (search engine optimization) marketing. This is so that it appears that they have absolutely no connection to the rather obviously rampant amounts of spam being sent worldwide.

The first connection comes from how and where certain domains are registered, and how certain sites operate. During much of last year, domains used for the processing of orders on behalf of ManXL and Elite Herbal sites (domains like "mysecurepaysite.net", now long since out of use) featured a registrant's email address of "pilldude@gmail.com". Do a search for "pilldude" and you'll inevitably find the Genbucks forum (http://genbucks.com/forum/search.php?searchid=720) and his own genbucks blog (http://pilldude.genblogger.com/).

It is no coincidence that all posting on behalf of "pilldude" stopped abruptly at precisely the same moment that members of New Zealand law enforcement executed a raid on 20 properties in Christchurch, New Zealand as a direct result of the information uncovered by the BBC and spaminmyinbox. (See story here.)

But look around and you'll see people openly discussing SanCash, making no mention of Genbucks. Clearly the connection is there. They just want people to (wrongly) focus on GenBucks, when in reality it's SanCash that's profiting from VPXL spam.

Following the New Zealand raids, several people posted on Bulkerforum.biz regarding the raids and the investigation, making it extremely clear that the investigation was definitely on the right track:

ubuntu

Joined: 06 Feb 2007
Posts: 12

Posted: Thu Dec 20, 2007 10:26 am
Post subject:

not sure if this is sancash

this is related to this audition.. and hmm.. looks like GB...

http://www.bbc.co.uk/radio4/theinvestigation/pip/uvboh/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

jhood

Joined: 23 Oct 2006
Posts: 151

Posted: Thu Dec 20, 2007 11:51 am
Post subject:

thanks for link ubuntu..

eliteherbal/manster IS SanCash

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

icanspam

Joined: 10 Aug 2007
Posts: 52

Posted: Thu Dec 20, 2007 2:22 pm
Post subject:

SA?

Shane Atkinson, bro.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

mail4spart

Joined: 15 Sep 2006
Posts: 33

Posted: Thu Dec 20, 2007 5:18 pm
Post subject:

I know Shane is a straight up guy and doesnt deserve all this heat. I hope he can survive this like he did last time he came under a lot of heat before him and his brother. He has been running a smart business for a long time and looks after his people and if he has to shut down the biz there will be many affiliates effected and unpaid.

"jhood" puts a very fine point on it: "eliteherbal/manster IS SanCash". So it's clear: they knew this operation was in trouble due to the investigation.

It didn't stop the spam at all, of course. And in the meantime "spaminmyinbox" has been sued and placed under a restraining order by Genbucks' offices in India, meaning he can't post more detail about his indepth investigation.

Following the raids, sancash.com as a domain completely shut down and I and other individuals noticed that new names began floating around, among them "etranzmu." As we speak, the new location of SanCash is unknown and their representatives (on bulkerforum.biz: azzy and sanjay) have taken all discussion regarding SanCash "off-forum". This is a clear sign of two things:

1) They must be feeling some heat.
2) They know they're operating in violation of the law.

You can read much, much more about this operation by reading the SanCash entry on the spam wiki.

Products they are known to spam (based on domain registrations and the use of the "Infinity Secure" order processing page):

• VPXL (Also known as Express Herbal)


• King Replica


• Diamond Replicas


• Prestige Replicas


• ED Pill Store / ED Pill Shop

And previously-spammed products going back at least two years or so:

• Manster


• ManXL


• Elite Herbal


• Extra-Time


• More-Size


• Wondercum


• Spur-M


• Personal Pussy


• Penis Enlargement Pills


• Penis Enlargement PatchRX


• Vigramax


• FatBlaster


• Hoodia

Spamit

As we've seen with SanCash, Spamit also has a shell, publicly available front-end company which is easy to find but which (again) doesn't discuss email spamming in any form whatsoever. That "company"'s name is Glavmed.

Spamit, unlike SanCash, still has a publicly available affiliate portal, but not much else is known regarding their operations. Their representatives on bulkerforum.biz were named kref and spamit. I say "were" because with absolutely no fanfare at all, their bulkerforum accounts and all postings were completely deleted on or about Feb. 11th, 2008.

Spamit is behind several very malicious forms of spam. They're probably best known as the sponsors of "Canadian Pharmacy" or "US Pharmacy", both very prolifically spammed, and notable for their focus on the sale of controlled pharmaceuticals such as Hydrocodone and Ambien. Mailers who send on behalf of this group have abused so many systems and so many trademarks and email templates that at some point I should think that a variety of large corporations should be able to serve a class-action corporate lawsuit against them. Here's only a few examples of the abuse that they are known to perpetrate in the name of landing even a single message into an individuals email inbox:

• Hijacking or hacking of publicly owned web servers to be used as redirectors or image hosts.


• Use of whitelisted corporate email templates to bypass spam filters, predominantly used only in Hotmail mailings.


• Use of the same domain to redirect to a Canadian Pharmacy website, present a dynamic / randomized stock spam gif image, or download an infection exe for Storm worm.


• Hijacking / hacking of a publicly owned web server to perform either a redirect to a Canadian Pharmacy website, or to download a new infection exe for Storm worm.


• Automated creation of several hundreds of thousands of redirection pages on free web services such as Geocities, Google Pages, Lycos Tripod and Blogspot.


• Persistent spamming to newly-created gmail accounts, even ones which have never been used at all, within days of creation.


• Persistent spamming to any and all "catchall" addresses, to any domain in the world, several dozen times per day. (Often several times per hour.)


• Completely false claims throughout all spamvertised properties. Everything: their claims of security and safety of offered products, who is on their staff, where they are located, who supports them -- all claims are 100% false.

What a bunch of charmers.

They are known to register several hundreds of thousands of throwaway domains using completely fictitious or nonsensical contact information, and they have been known to register domains using either stolen credit cards or stolen paypal accounts.

Spam sent on behalf of SanCash and Spamit represent some 97% of all the spam messages I receive to any account I control. I know this to also be true of many friends and colleagues.


Products they are known to spam (based on domain registrations and the use of the "Infinity Secure" order processing page):

• Canadian Pharmacy


• US Pharmacy


• Downloadable Software

Note also that "Canadian Pharmacy" will revert to "European Pharmacy" upon auto-sensing of your IP address's geographic location. It's the same site, though.

There are probably many more, but these are the top three for this sponsor.

An additional note regarding Spamit and the Storm worm.

Spamit have been directly tied to infection attempts for the Storm botnet as listed above. We can still see evidence of this even now. Here's two urls I was spammed today [omitting their use of Google ads click linking].

http://westphoto.org/video.exe [do not visit this link on an unprotected computer]
http://scramignon.com/redir.html

As mentioned above, both of these domains are publicly owned, legitimate websites whose servers have been hacked and had these files (video.exe, redir.html) placed on them.

video.exe claims to be the "storm codec", and spam for it usually contains some kind of social engineering copy to fool you into thinking you're downloading a naughty or voyeuristic video. It is of course an infection file for Storm worm.

The redirect in this case points to "sugaronly.com", a Canadian Pharmacy domain.

But let's switch the two around:

http://scramignon.com/video.exe [Again: do not visit this link on an unprotected computer]
http://westphoto.org/redir.html

They both still work. This means that these domains (and several thousand other such hijacked domains) can be re-used in parallel spam runs.

This indicated that Spamit as a company, and Canadian Pharmacy as a brand, rely heavily on high numbers of infections of the Storm worm.

Spamit also has a spam wiki entry, but it is currently missing a lot of this detail.

Bulker.biz

Bulker.biz is possibly one of the older sponsors of illegal spam in existence today. Thanks to the above-mentioned illegal activity of Spamit in relation to Canadian Pharmacy, Bulker.biz is no longer the most malicious spam sponsor organization around.

It's only recently that I noticed that representatives of bulker.biz publicly stated that bulkerforum.biz is mainly in existence because of their sponsorship. It makes sense (and was so obvious that I'm surprised nobody picked up on it earlier.)

Bulker.biz is perhaps best known for that old standby, "My Canadian Pharmacy," which I'll refer to as "MCP". At one point, MCP was the most prolifically-spammed property in existence, accounting for several million spam messages per day, and even peaking at an estimated 20 billion messages sent in a 24 hour period. (Based on research by the i-Law group in May, 2006. [Summary available here.] At that time it was unknown that bulker.biz was responsible for the MCP "brand".

MCP was the first criminal spam operation I researched, which culminated in a report which I provided to law enforcement in seven countries, and a revised summary entry in the spam wiki. You can see from this entry that just like spamit, bulker.biz is responsible for quite a bit of abuse to this day. A sampling of their illegal activity:

• Hijacking of publicly owned Unix servers for everything from DNS hosting, to website hosting, redirections, and image hosting. [This continues to this day.]


• Completely false claims throughout all spamvertised properties.


• Automated creation of several hundreds of thousands of redirection pages on free web services such as Geocities, Google Pages, Lycos Tripod and Blogspot.

Again: charming.

The unique targetting of Unix servers is of particular note, since it's the same method of hosting used by bulkerforum.biz, further tightening the link between the two. You can obviously read much more about them in the spam wiki entry.

Bulker.biz is responsible for a very large amount of spam for the following properties:

• My Canadian Pharmacy


• International Legal RX


• US Drugs


• VIP Pharmacy ("Viagra + Cialis")


• Canadian Health&Care Mall


• Men Health (Men+ Health)

And other sites they were directly responsible for, but for which less spam was seen:

• Exclusive Caviar Online


• Double Your Dating

Bulker.biz is represented on bulkerforum.biz by member "ebulker".

You'll notice that I make specific mention of their mailing practices. That may or may not be directly attributable to the sponsors directly, but especially in the case of Spamit, they clearly have people in their ranks who insist upon spamming every email address in existence in the off chance that two of them might actually receive it and link all the way through to a purchase. It can't be a coincidence that virtually everybody in the world is receiving spam for their websites. If it were an individual mailer, we would see the same volume of spam for a variety of other sponsors. It's for this reason that I specifically include any mention of mailing practices or frequency.

An additional point specifically regarding Spamit's Canadian Pharmacy and all pharmacy properties promoted on behalf of Bulker.biz: I mentioned above that they lie. It's important to note precisely to what extent they lie. In the case of MCP, they lie with literally every single word on that site. They have a completely laughable "about us" page which features mini-bios of completely fictitious "doctors", whose faces are actually gleaned from stock images of surgeons and medical personnel. There is no "Jack Poppins" or "Carl Rose". The same is true of Canadian Pharmacy, which also features stock images (probably used without permission as well) and makes completely false claims regarding their "pharmacists" and licensing thereof. You can see a great deal more detail of these falsehoods in the MCP spam wiki entry.

As I mentioned above: sponsors are the big fish. They are the ones who register and provide hosting for the thousands of spamvertised URLs we see every day. They often also provide pre-made blogspot or geocities redirects (which they hire an individual to create.) They pay out the commissions to the mailers who spam on their behalf. They take care of the credit card processing (using high risk merchants who they pay to provide stable credit card processing on their behalf.) They take care iof any botnet-supported web hosting or DNS rotation. They're the source of all of this. They know they operate illegally, and they get away with it on a daily basis.

It is my hope that someone in law enforcement, or better yet someone from the legal teams of Pfizer, Microsoft or any other companies whose reputations these sponsors are tarnishing will step up and take action to get them completely shut down. The only reason an individual mailer is able to profit from illegally spamming in the first place is directly because these sponsors, and others like them, fully support their illegal activities, and engage in several more of their own. Shut these three down, and you will have removed three of the biggest criminal operations in existence today.

SiL / IKS / concerned citizen

P.S. Recently the PBS featured a documentary entitled "Illicit: The Dark Trade." (Broadcast on PBS, produced by National Geographic.) I strongly recommend viewing this documentary for its indepth exposition of the wider fake drug / fake watch / fake fashion item trade. It opened my eyes to the deeper profit structure of these networks of individuals, spam-related or otherwise.

Do Not Buy Pharmaceuticals Online!

Among the myriad spam messages I receive from the Russian criminals behind "Canadian Pharmacy", came this idiotic missive:

There's a lot of information online but people continue to ask us whether they can trust online drugstores.

We present you the official results of the research made by Independent Research Organization.

All medications are supplied from the leading manufacturers known in pharmaceutical field. The selection of drugs is impressive.



"Canadian Phamacy" site

http://makeseveral.cn

Our major goal is to make your life easier and happier!



Lora Goulette

Also this one for Elite Herbals, from the same individual spammer if not the same exact criminal organization:

http://cyece.com/
Greeting INFO
Whoever said that Doctors are the only ones that can treat all health =
related matters obviously never did their homework..

debbie Wayt

As everyone has mentioned before: spammers lie. They lie constantly. They lie with every single word that they send us, and every website that they build. These messages are no different.

Doctors, as we all know, are "the only ones that can treat all health related matters." The statement from these spammers is a flat-out lie. They know this. They don't care.

There is a lot of information online. But that information very stringently recommends against purchasing pharmaceuticals online, especially the more dangerous ones. Viagra most definitely falls into this category due to its vascular and hormonal side effects.

They obviously are presenting us no "results of the research" (who, precisely is the "Independent Research Organization"? Could they be any more obvious in their lies?)

As we all know: their "major goal" is not to make our lives easier and happier. Their major goal is to drain our wallets and bank accounts, and possibly to kill us all in the process. The number of reported deaths this year due to fake or counterfeit pharmaceuticals has risen to a point where news media outlets are reporting them more often, and with a broader spotlight. It's not merely a band of clandestine reporters focused on illegal spammers and their dangerous and provably lethal "products", it's Reuters, the New York Times, the Canadian Press, and of course Law Enforcement entities around the world.

Today, the Canadian Press released a news story that was on the front page of a very popular daily newspaper in my city. The story is available here and is definitely worth a read. That daily paper is read by some 300,000 people in my city. That's only one of several major newspapers which carried the story.

Canadian Pharmacy's days have got to be numbered. It's been ages since I saw anything from the My Canadian Pharmacy, or International Legal RX sites. The Russian morons behind this patently illegal operation have chosen to focus almost exclusively on the Canadian Pharmacy front end. I'm watching them, and so are many members of law enforcement. They are becoming increasingly desperate in their attempts to get a message past spam filters. (Neither of the messages above did, by the way.) They have co-opted templates from major email campaigns from legitimate companies in the hopes of both poisoning those companies' whitelist status, and planting even more spam in your inbox instead of your spam folder.

Consumers have overwhelmingly made it clear that they don't want to keep seeing this crap, but these Russian scumbags don't care. They think it's their right to continue sending dozens of messages repeatedly every day to millions of people who have already stated very firmly: we don't want this.

What kind of brilliant minds are behind this obviously misguided marketing technique? This is absolutely the stupidest methodology I've ever heard of. And it probably isn't even working, judging by how quickly the sites go down and how varied the message style seems to be.

Don't ever purchase anything from these criminals. You'll be funding what amounts to terrorists in my opinion, and very likely endangering your health. You also are very likely to have your personal data stolen. These assholes run phishing websites on the side and have ties to child porn operations. If you think they're careful with your personal data you are in for a very rude awakening.

Until I stop seeing spam from Canadian Pharmacy and their family of illegal websites, I will not stop warning people never to spend their money there.

Don't support Russian criminal gangs and their dangerous illegal pharmacy operations.

SiL / IKS / concerned citizen