Weekly analysis – 27th February 2010 to 6th March 2010

MillerSmiles provides its weekly phishing analysis for the week of 27th February 2010 to 6th March 2010

Who Put The “Canadian” in Canadian Health&Care Mall”?

others..

Right out of the gate: lies.

The domain, which they carefully placed at the end, is:

http://gipg.vbjeozwe.cn

That’s “.cn” as in “China.” Not Canada. Hosted on IP address: 89.134.141.124. That’s in Budapest, Hungary.

That in turn redirects to:

http://canadapharmacymall.com/

A domain which has been especially difficult to shut down, thanks to the deaf ears of ename.com, registrar of choice to many illegal spam operations.

Hosted on IP address: 200.206.237.78

That’s in Brazil. And guess what? It’s a hijacked Unix server. The actual owner of that server has either abandoned it or is otherwise not using it for web hosting purposes.

So: “Canadian”? Lies!

“Family values”? So far we’re up to:

- Lies about where they claim to be located.
- Hosting on hijacked unix servers
- Fake and / or dangerous drugs.
- Lies about how long the order takes to ship
- No security whatsoever.

I don’t see any “family values” in any of that. Didn’t their mothers ever teach them that lying is wrong?

From Canada)… This article suggested checking with the following organizations when buying meds from Canada (Canadian Pharmacies):

1. CIPA: Canadian International Pharmacy Association
2. IMPAC: Internet and Mailorder Pharmacy Accreditation Commission
3. Pharmacy Checker

In reviewing all the above, I could only find two Pharmacies that were recommended by all three… and one was Pharmacy Online.

I highly recommend Pharmacy 0nline for all meds purchased from Canada… Most important, I ordered on the 20th of January and received them on the 27th of January… Thank you again for being there…”

Wow. They just don’t know when to quit.

AARP: That’s the American Association of Retired People. There is a report, as mentioned, and it lists each of the three organizations listed above (article available here). No representatives from the AARP responded to a request for comments on this claim, but try and find a single report that mentions “Canadian Health&Care Mall”, or bulker.biz in a positive light. Go ahead I’ll wait… :)

CIPA, if you contact them, are very much aware of this illegal online pharmacy and do not endorse or support this group, or any of the sites that they promote via illegal spam or otherwise. They’re also well aware of the abuse of their logos and organization name within these illegally sent spam messages, and on the websites they drive to.

IMPAC (Internet and Mail-Order Pharmacy Accreditation Commission) also is aware and (hey guess what!) also deny any endorsement for this site, or this affiliate program. Their site also features a list of actual IMPAC accredited pharmacies (located here) and (hey guess what!!) “Canadian Health&Care Mall” is nowhere to be found. There are only three online pharmacies on that list, so it doesn’t take much time to figure out that this group is telling outright lies.

Pharmacy Checker, as you might expect, also says that they do not at all endorse this group, and further that their logos and organization name are being used illegally by this group.

By the way: who is this quotation from? Who is this “I” they refer to? And why do they suddenly refer to this site as “Pharmacy Online”?

Lies.

If you do a simple, non-strategic search for “Better Business Bureau Canadian Health&Care Mall” the first link you get has a headline of “Online Pharmacy Questionable: Canadian Health&Care Mall” (here.) Separately, correspondence I and many others have had with the Better Business Bureau in numerous states has resulted in statements from their representatives stating outright that they do not recommend these sites, that they lie, that they pose a genuine risk to the public, and that they are notoriously difficult to shut down. They also state that their logos and organization name are being used by this group without any authorization or consent.

But hey: so is their hosting. So is their domain registration, which uses stolen identities and credit cards. So why stop there?

If I were to write a testimonial with some truth in it, it might sound more like this:

All of the research I could find on this shady “pharmacy” indicated that they were lying to me, but I purchased from them anyway. I know it sounds silly, since the only way I ever heard about this company was via hundreds of unwanted spam messages which I never asked to receive. I guess I figured “why not”? They certainly weren’t going to remove me from their lists. After weeks of waiting I did finally get some pills but they weren’t packaged very safely, and when I brought them to my doctor he said that these were essentially fake pills.

But people generally don’t do this type of research before they hand over their credit card information. They should.

Please visit our Big Discount Canada Pharmacy Mall via below links
http://gipg.vbjeozwe.cn
http://gzts.vbjeozwe.cn

How about: please don’t.

The days of this criminal group must be numbered. If this were a legitimate company with a head office and a CEO, they would be hauled into court for publishing lies like this. Because they are illegal spammers, and have operatives located in numerous offshore locations: they get away with it.

It is time for international law enforcement to recognize this group and others like it as more than a mere “nuisance” for spamming. They are committing numerous serious crimes without spamming even entering into the picture, and most of all, they are filthy liars.

Please tell anyone you know who has a requirement for pharmaceuticals that they should never, ever, buy from organized criminals, which is essentially what this group is.

SiL / IKS / concerned citizen

What Is Going On At Bulker.biz?

As many of you who follow my blog know, Bulker.biz (more recently known as “bulkerbiz.com” due to coincidental shutdown of their previous domain in November 2008) is a spam-friendly affiliate I’ve talked about quite a bit.

The list of illegal acts they routinely take part in is available in the spamtrackers wiki entry devoted to their most popular spammable illegal online pharmacy My Canadian Pharmacy.

I noticed that rather suddenly, they have decided to secure their current affiliate portal, replacing it with an authorization setup, and a default message indicating they are changing their name yet again.

Site is closed. Please contact ICQ 333192431 for new address.

To see what it used to look like, even a mere four days ago, check out the Spamtrackers wiki entry here.

Isn’t that interesting?

That ICQ address belongs to an individual who used to post on a variety of forums, notably Russian ones, using the username “ebulker”. He specifically mentions in most of these postings that bulker.biz “doesn’t care where your traffic comes from”, indicating that they’re very much aware that they spam illegally. But really, spamming is just the tip of the iceberg. These guys break so many laws on a daily basis that it’s hard to believe nobody’s gone after them. It would literally be like shooting fish in a barrel.

More as it happens, I suppose…

SiL / IKS / concerned citizen

Public apology – Please Download our software free of charge.

After a long debate with Owners of Antispyware.com they have decided that YES it was a complete mistake to ABUSE the trust of the people by fallaciously SELLING Software That DOES NOT BELONG TO THEM!

Are now making a public apology:
“Chris: I’m very sorry to my customers, and to all who are unsatisfied with the software. I have chosen not to demand a PAYMENT for FULL Use of this software. It is now FREEWARE, Please feel free to share and re-distribute it to friends and family. IF and only IF you are fully satisfied with the results you may make a donation.”

To avoid errors, Please Copy and Paste the Order and Serial Number into the registration box.

Order No.  : copemedia@hotmail.com
Serial No. : CFE8-106F-91F1-A311

AntiSpyware 2009  |Download| http://setup.antispyware.com/setupxv.exe

RegistrySmart     |Download | http://setup.registrysmart.com/setupxv.exe

Privacy Control   |Download| http://download.privacycontrol.com/setup.exe

MACRO VIRUS  |Download| http://www.avast.com/eng/download-avast-home.html

ZONEWALL|Download| http://download.zonelabs.com/bin/free/1025_update/zaSetup_en.exe 

Glavmed responds – re: my Open Letter.

Welcome Glavmed affiliates who are linking here directly from the Glavmed site. :)

For a very brief period of time yesterday (Feb. 4th, 2009) the following claims were posted on many pages of the glavmed portal site, and it makes it clear that they are seeing some negative attention as a result of my open letter:

4.Our rivals allege that our drug stores’ products have low quality. This is totally lie and defamation. We can show hundreds of feedbacks, proving high quality of our products. We also have independent test results. They prove that our products are being produced by indinan laboratories and up to claimed quality.

Unfortunately we can foresee the further organized pressure against our partnership programme, because normal business competition can’t be provided by them. We really take care of our partners and our customers.

This message was removed sometime between yesterday and today. It is unclear why, although I would guess that they didn’t want their own affiliates reading my posting. I and other researchers have also noticed that they are now blocking very specific IP addresses from viewing the Glavmed website.

A couple of obvious corrections need to be made right off the bat:

a) The letter was not written to you, Glavmed representatives. It was written to law and drug enforcement agencies, as well as the media who has been researching this.

b) I am absolutely not a “business rival”.

c) I am not the only one who has been researching your organization. My letter is an account of the known, researched, verifiable facts regarding the scourge of unwanted Canadian Pharmacy websites. If I were trying to defame you, I wouldn’t have nearly as much factual evidence in my letter.

So in response, I’ll counter their bogus response point by point.

1. Glavmed claims on their front page (and I’m of course not altering their horrendous spelling and grammatical mistakes):

GlavMed is a BEST way to convert your pharmacy traffic into real money. Forget about miserable sums you’re getting sending your visitors to PPC pharmacy results.

You’re loosing at least half of YOUR money converting traffic like this. GlavMed offers you a possibility to eliminate any agents and sell most popular pharmacy products directly. It means 30-40% revenue share. features & benefits

Note: sell most popular pharmacy products directly. Which is it? Are they selling them or not?

Whether they sell the drugs themselves or not is ultimately irrelevant. They are part of a long chain that gets illegally-produced FAKE and harmful versions of these products into the hands of unwitting members of the public. There is copious amounts of evidence to support this, and they know it.

Glavmed is an affiliate program. They get their affiliates (aka: spammers) to promote (aka: spam) the websites (hosted via rampant viral PC infections) to sell fake drugs to unwitting victim customers. Who do they send that order data to? They don’t say. But they know who that is, and they know that they are taking these orders without any consultation with any pharmacist. They also do all of this with absolutely ZERO security or encryption, so you can imagine how they’re treating the rest of your personal data.

2. Sure, they state on their website that they don’t allow spamming, but as I mentioned: they removed any of the postings which made it clear that very active spammers are indeed a part of their program. Nowhere do we find ANY postings within their forum about any actual action taken against spammers. Literally everyone with an email address will know that Canadian Pharmacy is THE most spammed property on the Internet today, and has been for three years and counting. If they don’t allow spammers, why is it still the most commonly found spam in the world today? You can have rules all you like. If you’re not enforcing them: what does it matter?

As an aside, I and many other individuals have been complaining to Glavmed under numerous identities starting in May of 2008. I have personally sent, using numerous of my accounts, at least 25 very detailed complaints regarding spam messages I have received between May 2008 and January 2009. Guess how many responses I’ve gotten? Guess how much “action” I’ve seen on behalf of Glavmed, or anyone else claiming to represent this operation? ZERO! Guess where their abuse-reporting pages are on their site? THEY DON’T HAVE ANY!

This claim is utterly false. They take zero action regarding their KNOWN spamming affiliates, and they never will.

3. If Glavmed has been aware all this time that so-called third parties were ripping off their site designs, functionality and everything else: why haven’t they drastically changed their entire design, branding, etc., or made ANY public statement regarding any of this? Why did they wait until someone like me exposes the whole setup for the obviously fraudulent operation that it is? This is an outright lie.

4. Again I will link to actual evidence (source), on behalf of a reputable company — Ironport — who placed orders from one of these sites, and gave the pills they received to a lab for analysis:

False Drugs Purchased

IronPort researchers followed the trail they uncovered and ordered sample pills from a pharmacy source in India. They then had an independent lab analyze the contents. The pills IronPort ordered contained sugar and some inert filler, Bhandari said.

A second test sampling from another online pharmacy purchase contained high metal content. The substances could be very harmful to unsuspecting consumers, he said.

IronPort-sponsored pharmacological testing revealed that two-thirds of the shipments contained the active ingredient but were not the correct dosage, while the others were placebos. As a result, consumers take a significant risk of ingesting an uncontrolled substance from overseas distributors, according to IronPort.

So in light of this report: I don’t believe a single word Glavmed says, and I don’t think anyone else should either.

Keep in mind: this is only one such report. There are others.

I notice that they completely ignore any mention of concern over the rampant illegal spamming which continues on behalf of Canadian Pharmacy, nor do they even broach the subject that as recently as October 2008 their site templates still contained bogus “sponsorship logos” on behalf of the Better Business Bureau, Verified By Visa, and Pharma Checker, nor do they mention that they were making very public statements that they knew full well that all of these logos were not being used appropriately.

The Spamtrackers wiki entry for Glavmed contains a screenshot of the Glavmed sites page dating from July 2008 which shows the Canadian Pharmacy layout still featuring the bogus sponsor logos. (source.)

In addition: this howler of a claim:

“We can show hundreds of feedbacks, proving high quality of our products. We also have independent test results. They prove that our products are being produced by indinan laboratories and up to claimed quality.”

Their claim that they have all kinds of feedback saying how great they are is meaningless.

Which “indinan laboratories”? Which “independent test results”? On behalf of whom? Published where, exactly?

Of course they will never say.

What about third-party, verified claims and lab tests that your products are genuine? What about third-party reports that your servers actually are secure? If I’m selling you a car and you ask me for verification that the car is in road-ready shape and is safe to drive, I can’t just start typing you a recommendation myself. I would need a third party inspector to verify that my claims that this vehicle was safe were in fact true. Glavmed doesn’t do this, nor have they ever.

“We really take care of our partners and our customers.”

Really? I know for a fact that numerous of your customers would very much beg to differ.

Clearly my letter has hit a nerve. As usual, their response, as with many obvious spam operations, is more concerned with damage to their profits than anything to do with public safety, or the security of your personal data.

Glavmed’s claims are theirs alone, verifiable by nobody, and easily countered point by point as being verifiably false.

I stand behind every word of my posting. This is not defamation. Again: I am only one individual, but my posting links to research performed by literally dozens of others, from a very wide variety of technical, medical, security and other backgrounds.

Use your own judgement: Glavmed, and the entire operation they support, are liars and part of a criminal operation. The proof isn’t just in my open letter. It’s all over the place.

SiL / IKS / concerned citizen

Welcome, Inboxrevenge.com

As some of you may know, I was a regular contributor for the past three years to a forum previously known as “KillSpammers” (thus the naming of this blog.)

In 2007 that forum suffered a massive, unrelenting DDOS, likely due to the sheer volume of accurate researching the members of that forum undertook. CastleCops at the time also fell victim to a very large-scale attack at that time. I and the other administrators of that forum pulled it offline and congregated elsewhere.

In the past week, we finally got the forum back in shape and it was unveiled under a new name, InBoxRevenge. If, like me, you are interested in the continued legal and other actions against illegal spammers trying to sell you fake products or otherwise trying to rip you off or steal your identity, you can join the forum at ksforum.inboxrevenge.com.

And if you’re one of the illegal spammers, be aware that this forum is being very closely monitored and maintained.

More as I get it. Thanks for continuing to read this blog.

SiL / IKS / concerned citizen

SanCash and AffKing are Back To Spamming Everyone On The Planet

Well look who’s back. It’s SanCash / AffKing again!

With this incredible scientific breakthrough formula, massive gains can be achieved is just a few short weeks.

As advertised on TV and FHM. Rediscover your male verve and virility, with the same product as seen on TV and FHm. Results indicate 97% of men report rapid growth within weeks.

http://xnmatuj.com/

Link is promoting “PowerGain+”, the latest iteration of VPXL / Express Herbal / PowerEnlarge / Elite Herbal / MaxGain+ / Manster / ManXL / etc. etc. etc.

And also look at this:

Impress your business colleagues and stun the ladies at the club today with that incredibly expensive timepiece today!

The ultimate in making a fashion and wealth statement: a branded timepiece on your wrist. Nothing says success more than a $50,000 bling watch strapped around your wrist, to go along with your party clothes or your power business suit.

http://mntocef.com/

Prestige Replicas, back from the grave. Yet another SanCash property. I’ve also seen spam for King Replica, another of their multiple replica watch sites.

To whoever is sending this spam: Are you utterly without a single brain cell? Do you really think this is a wise idea?

There are numerous standing court orders and injunctions from several countries specifically demanding that this activity stop. You haven’t stopped. You’re operating in violation of the law. If you really want to go to jail that much quicker, or at least have all of your ill-gotten profits removed more rapidly, then perhaps I understand why you’d suddenly begin sending this crap again.

Especially in light of this past year’s events regarding the shutdown of illegal spammers: whoever you are, you’re exhibiting an astonishing lack of intelligence (and greed) by continuing to send unwanted, illegal spam promoting these “products.”

Every single one of these messages are being backed up and sent to numerous law enforcement agencies (and the FTC), who I assure you will have no difficulty in finding you, shutting you down, and seizing all of your income from this activity.

SanCash spammers are among the stupidest people on this planet, and they have just proven it again.

SiL / IKS / concerned citizen

CONGRATULATION! / Winning Notification!!! / Payment Notification / Re: STATUTORY ANOMALIES ON YOUR FUND TRANSFER

To anyone who’s been investigating spam, or even vaguely following the transformation of illegal spam over the years, the concept of the Nigerian scam seems ludicrous and pathetic. It seems impossible that anybody would NOT know about this scam in this day and age. (They’ve been received by millions starting in around 2002. How people could not be aware of this scam is beyond me.)

I’m not going to describe what this scam is because there are already thousands of places which do so very effectively. Google the term “Nigerian scam” or “419 scam” and read any of the results you get back.

Numerous websites engage in the “baiting” of the criminals behind these scam messages, often keeping them on the hook for months at a time, wasting considerable time and energy. I highly recommend reading any of the baits going on as we speak on TheScamBaiter.com. If you don’t know what a Nigerian scam is, read the “recommended reading” in the postscript. (And tell your friends. More people need to be made aware of how this scam works.)

Since the freezing of SanCash a month ago (which appears to have not slowed them down any, more on that in a subsequent post) my spam intake initially slowed to a crawl across numerous accounts I monitor. Then suddenly all I was seeing was one or another variety of lottery, inheritance or other money exchange scams. They’ve been abusing every free mail system on the Internet, and I and several colleagues have had numerous successes in getting their email addresses shut down quite rapidly.

However it isn’t stopping the influx of spam, and it’s now to the point where I am seeing several dozen such emails every single day, often with four to six of them received within the same hour.

Ignoring for the moment the utter stupidity of whoever is mailing this (how could you possibly think anyone would be fooled when they’re told they’ve simultaneously “won” 12 “lotteries” within the same day?), or the effectiveness of these scams, this type of influx of illegal cheque fraud attempts raises numerous questions about how to report this spam, and the answers are not at all straightforward.

Of course, there is no “lottery”. I have not “won”. There is no “inheritance”. It’s a scam to get me to send money for any number of “fees” which must be paid first to ensure the money makes its way to my account. It’s illegal, and it’s most commonly known as check fraud.

Prior to October 2008, reporting abuse of any freemail system was a straightforward affair. Each company has their own contact addresses or abuse processing forms. But you would be surprised at just how ineffective each of these can be when trying to report these abuses, something that takes a bit of extra effort to do in the first place.

I’ll itemize the current state of abuse reporting and my experiences with each. I would also like to put out an open call to the abuse teams of Yahoo, Hotmail and Gmail with regards to how to make this abuse reporting process more seamless and effortless for the average user, most of whom have absolutely no idea how to report this abuse to your teams. Further: Hotmail – seriously – wtf? Your abuse team is now among the absolute worst I have ever dealt with. We’ll see why in a second.

Gmail

Gmail has arguably the very best method of reporting, and given that they’re very much aware of what this scam entails, they are really, really fast at investigating and shutting down offending accounts.

Where to report it: Their abuse reporting form is located here. Make a point of outlining what kind of scam this is. If it’s one of those “you have won” messages, that’s cheque fraud (aka: Nigerian fraud, “419″ fraud.) If it’s a “work from home” message, that’s money laundering. Make a point of outlining that this is illegal, and abuses their terms of service.

Expected response: Automated single email with a ticket ID. States they are looking into it. Often this is the only response you’ll get from Gmail, but guaranteed you’ll never see another spam using that Gmail account as the response address.

Yahoo

Yahoo also has an abuse form, but their responses lately lead me to believe that, honestly, that entire abuse team is asleep at the wheel.

After months of successful reports throughout 2008, I suddenly noticed that whoever it is that responds to these abuse reports doesn’t really read the reports at all.

Anyone reporting any kind of spam knows that the headers are usually 99% forged. Yahoo apparently focuses solely on the headers, and if they determine that the message wasn’t sent using Yahoo mail, they’ll conclude that there’s nothing wrong with the account, even if the message body says “I want to steal your money and kill your family, so email me at myillegalaccount@yahoo.com”. They will, almost to a person, completely ignore the message body and the complaint. This HAS to change. This is not 1999 anymore. This scam should be extremely well-known to every free-mail provider on the planet. I spend more time explaining this scam to abuse handlers than should ever be necessary.

Where to report it: The Yahoo abuse form is located here. As mentioned above, you really have to spell out not only that this is illegal, you have to try to get their attention that the headers are not necessarily how to tell that Yahoo’s mail service is being abused.

Expected response: Automated single email with a ticket ID, followed anywhere from 2 to 6 days later with a followup as to what their conclusion was. If that conclusion is “we saw that Yahoo was not used to send this message”, you have to reply to that message and clarify that 1) they need to learn how to handle a Nigerian fraud message and 2) they need to look beyond the headers.

Why this is the case now is baffling. Yahoo: clean up your act!

AOL

AOL is quite long-in-the-tooth at handling abuse requests – which isn’t surprising, since they originated a lot of the filtering and other abuse processes we now all take for granted. They appear to have a decent, if slightly slow, abuse team. In light of recent successes in shutting down Gmail and Yahoo addresses, AOL is fast becoming the free-mail provider of choice for Nigerian scammers.

Where to report it: Send the entire message, including full headers, to: TOSEmail1@aol.com.

Expected response: Automated single email. I often don’t hear anything else after that, but I also don’t appear to receive any further messages sporting the offending address.

Sify.com Email

I know what you’re thinking: Sify.com??

Sify is the Indian equivalent of Hotmail or Yahoo mail. It’s an independent portal located in Mumbai. Over the past year I have seen a shift from Gmail and Yahoo to Sify, which indicates there have been enough successful shutdowns that now they’re really looking for any free-mail port in a storm. Sify has an abuse reporting address, but, as far as I can tell, no defined abuse process.

Where to report it: Send the entire message, including full headers, to: customercare@sify.com.

Expected response: [crickets...] I’ve never received any response from Sify mail. It’s really sporadic when I do see an inbound scam message featuring a sify.com address.

Hotmail

Here’s where I begin to lose my mind, and I’d have to say at this point that Hotmail effectively has no abuse reporting process for this type of scam, or indeed for any abuse of Hotmail involved with spam.

For years I was reporting these scams to abuse@hotmail.com, but then last year they introduced report_spam@hotmail.com. Reports sent to that address went unanswered, but then in June they began sending an automated message claiming that I should instead report the abuse to abuse@hotmail.com. (Huh?)

I later discovered that MSN also has the same two addresses, so I began reporting every such abused address to all four:

abuse@hotmail.com
report_spam@hotmail.com
abuse@msn.com
report_spam@msn.com

That resulted in four of the same automated messages, but it did finally also result in a followup message stating that the account had been terminated.

Starting in October 2008, however, every abuse report sent to those four addresses bounced. The reason?

They contained content which appeared to be spam.

Honestly: Hotmail abuse team – HOW do we report this abuse to you? If anyone at Hotmail abuse is reading this, I would very much appreciate you responding by posting a comment here (I won’t publish it if you want to just reach me directly.) This has GOT to change.

Hotmail and MSN Live Spaces are, as we speak, essentially owned by criminals. The only sites I am ever referred to on MSN live spaces featured content which has been automatically generated for use in spam campaigns, by “users” who have clearly also been created via some automated means.

If anyone at Hotmail / MSN abuse is reading this: we as angry recipients of illegal spam would like an explanation. You’re clearly falling way, way behind in handling this type of abuse, and it’s leading to many people being scammed out of their life savings. What gives?
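A small triage helper that applies the reporting guidance above, written here as an added example rather than anything from the original post: it pulls the reply addresses out of a 419 message (Reply-To and in-body first, since the From header is usually forged), labels the scam the way the post says to state it in the report, and maps each abused freemail domain to the channel the post names. The sample message, its sender names and its addresses are constructed; Gmail’s and Yahoo’s web forms are referred to but their URLs are not reproduced.

```python
import re
from email import message_from_string, policy

# Reporting channels as the post describes them. Gmail and Yahoo take reports
# through web forms (URLs not reproduced here); the four Hotmail/MSN addresses
# are the ones the post lists and says bounced reports from October 2008 on.
HOTMAIL_MSN = ("abuse@hotmail.com, report_spam@hotmail.com, "
               "abuse@msn.com, report_spam@msn.com")
REPORT_CHANNELS = {
    "gmail.com": ("Gmail", "abuse web form; state that it is illegal and violates the ToS"),
    "yahoo.com": ("Yahoo", "abuse web form; spell out that the headers are forged"),
    "aol.com": ("AOL", "TOSEmail1@aol.com (full message with headers)"),
    "sify.com": ("Sify", "customercare@sify.com"),
    "hotmail.com": ("Hotmail/MSN", HOTMAIL_MSN),
    "msn.com": ("Hotmail/MSN", HOTMAIL_MSN),
}

ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Constructed sample: forged From, live Reply-To at Yahoo, second drop at Sify.
SAMPLE_419 = """\
From: "UN FUND RECOVERY COMMITTEE" <notify@example.org>
Reply-To: claims.office2008@yahoo.com
Subject: Winning Notification!!!
Content-Type: text/plain; charset="utf-8"

CONGRATULATION! You have won US$3,600,000.00 from the UN Fund Recovery Committee.
Contact our paying officer at payout.desk@sify.com to receive your winning.
A processing fee must be paid before the transfer can be released.
"""


def classify_scam(text: str) -> str:
    """Return the label the post recommends putting in the abuse report."""
    low = text.lower()
    if re.search(r"\bwork(ing)?\s+from\s+home\b", low):
        return "money laundering (work-from-home / payment agent offer)"
    if re.search(r"\b(won|winner|winning|lottery|inheritance|prize|fund transfer)\b", low):
        return "cheque fraud (Nigerian / 419 advance-fee fraud)"
    return "unclassified"


def header_addresses(msg, name):
    """Lower-cased addr-specs from one address header, or [] if it is absent."""
    header = msg[name]
    if header is None:
        return []
    return [a.addr_spec.lower() for a in header.addresses if a.addr_spec]


def triage_message(raw: str) -> dict:
    """Find the addresses the scammer reads replies at and where to report each."""
    msg = message_from_string(raw, policy=policy.default)
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""
    subject = str(msg.get("Subject", ""))

    # Reply-To and in-body addresses are the live account; the From header is,
    # as the post notes, almost always forged, so it is labelled as such.
    candidates = [(a, "Reply-To") for a in header_addresses(msg, "Reply-To")]
    candidates += [(a, "body") for a in sorted(set(x.lower() for x in ADDR_RE.findall(body)))]
    candidates += [(a, "From (likely forged)") for a in header_addresses(msg, "From")]

    seen, reports = set(), []
    for addr, where in candidates:
        if addr in seen:
            continue
        seen.add(addr)
        domain = addr.rsplit("@", 1)[-1]
        if domain not in REPORT_CHANNELS:
            continue  # not one of the freemail providers the post covers
        provider, channel = REPORT_CHANNELS[domain]
        reports.append({"address": addr, "seen_in": where,
                        "provider": provider, "channel": channel})
    return {"subject": subject,
            "scam": classify_scam(subject + "\n" + body),
            "reports": reports}


if __name__ == "__main__":
    result = triage_message(SAMPLE_419)
    print(f"Subject: {result['subject']}\nReport as: {result['scam']}")
    for r in result["reports"]:
        print(f"  {r['address']} ({r['seen_in']}) -> {r['provider']}: {r['channel']}")
```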

In closing, here’s the recent tally of my “lottery winnings” from just this past Friday (Nov. 15, 2008) and today (Nov. 17, 2008)

  • $1.500,000.00 in cash [Apparently waiting for me in a package being held at the FEDEX DELIVERY COURIER COMPANY.]
  • Six million US Dollars [Waiting to be invested "into profitable areas of business in your country"]
  • US$2,500, 000.00 [My prize from the SOUTH AFRICA WORLD CUP LOTTERY 2010 Sweepstake Award Promo]
  • 5,000,000.00 GBP [MICROSOFT MEGA JACKPOT LOTTERY]
  • a cash prize of One Million British Pounds [£1, 000,000.00] [from the South Africa FIFA 2010 World Cup Organizing Lottery Promotion - I won twice?!?! In one day?!?!]
  • $4.2Million USD [from the nondescript CONTRACT AWARD COMMITTEE]
  • USD18M {EIGHTEEN MILLION UNITED STATES DOLLARS} [an inheritance from the death of one "MR.TONY.RAYMOND"]
  • £3,000,000.00 (THREE MILLION POUNDS STERLING) [won from the COCA-COLA LOTTERY PROMOTION.]
  • £850,000,00 POUNDS (Eight Hundred And Fifty Thousand Pounds Sterling) [THE CASINO-WEB LOTTERY PROMO]
  • US$ 2Million (TWO MILLION UNITED STATES DOLLARS) [International Human Rights Organization (IHRO) in Nigeria, West Africa]
  • US$3,600,000.00 [UN Fund recovery Committee]
  • £1.500,000 GBP (One million five hundred thousand) Pound Sterling [Online Sweepstakes® I.P Award Department.]
  • US$3,600,000.00 [CCH & Securities (Advancing Payment Solution WorldWide)]
  • $5,000,000.00 USD [DIPLOMAT HIETER HAENSGEN / RESERVE BANK OF AUSTRALIA, European Terminal]

Grand total as of this writing (in USD): $55,925,912.79

If I wait two more hours I guarantee I will win at the bare minimum another million dollars USD. The best part is: it looks like everyone’s a winner (they are always sent to “multiple recipients”, never just to me.) Let’s buy each other a drink shall we?

I’ll see about including a tally widget on the sideline of this blog. Any wagers that I “win” a billion dollars by Xmas?

Don’t believe these stupid, pathetic and desperate messages.

SiL / IKS / concerned citizen

P.S. Recommended reading:

Nigeria cracks down on e-mail scams
The ‘yahoo-yahoo boys’ who are behind the country’s infamous export have few job prospects.

Wikipedia: Advance-Fee Fraud

FOXNews.com: Oregon Woman Loses $400,000 to Nigerian E-Mail Scam

See more here:
CONGRATULATION! / Winning Notification!!! / Payment Notification / Re: STATUTORY ANOMALIES ON YOUR FUND TRANSFER


eNom Phishing, Child Porn and Avalonpay.com


Lots of spam suddenly showing up claiming to be on behalf of eNom.com, a well-known domain registrar.

Investigating these phishing attempts leads down a very dark hole indeed.

The eNom phishing sites are attempting to gather up domain account information. For what purpose exactly is unclear, but you can imagine the possibilities: theft of a large number of domains, or redirection of previously “good” domains to harmful content.

The contact information on these sites is all identical, and should be familiar to anyone who investigates this crap. Let’s take one example domain, sys82.net:

Whois sys82.net

Domain Name: SYS82.NET
Registrar: ONLINENIC, INC.
Whois Server: whois.onlinenic.com
Referral URL: http://www.OnlineNIC.com
Name Server: NS1.KOLBERACN.COM
Name Server: NS2.KOLBERACN.COM
Name Server: NS3.KOLBERACN.COM
Name Server: NS4.KOLBERACN.COM
Name Server: NS5.KOLBERACN.COM
Status: ok
Updated Date: 25-oct-2008
Creation Date: 25-oct-2008
Expiration Date: 25-oct-2009

Domain servers in listed order:
ns1.kolberacn.com ns2.kolberacn.com

Administrator:
Name– Shestakov Yuriy
EMail-: (alexeyvas@safe-mail.net)
tel –: +7.9218839910
org: Shestakov Yuriy
Lenina 21 16
Mirniy,MSK,RU 102422

Technical Contactor:
Name– Shestakov Yuriy
EMail-: (alexeyvas@safe-mail.net)
tel –: +7.9218839910
org: Shestakov Yuriy
Lenina 21 16
Mirniy,MSK,RU 102422

Billing Contactor:
Name– Shestakov Yuriy
EMail-: (alexeyvas@safe-mail.net)
tel –: +7.9218839910
org: Shestakov Yuriy
Lenina 21 16
Mirniy,MSK,RU 102422

Registration Service Provider:
name: Shestakov Yuriy
tel: +7.9218839910
fax: +7.9218839910
web:

Let’s examine what else those dns servers are supporting:

ns1.kolberacn.com

lolita-bbs.name NS ns1.kolberacn.com
ns1.kolberacn.com A 68.48.197.101
ns1.kolberacn.com A 68.80.158.76
ns1.kolberacn.com A 72.2.13.24
ns1.kolberacn.com A 75.60.192.242
ns1.kolberacn.com A 75.187.202.144
ns1.kolberacn.com A 97.82.229.170
ns1.kolberacn.com A 98.229.69.62
ns1.kolberacn.com A 99.245.182.179
xlpreview.com NS ns1.kolberacn.com
sys82.net NS ns1.kolberacn.com
com94.net NS ns1.kolberacn.com
weblola.net NS ns1.kolberacn.com
littlelolita.net NS ns1.kolberacn.com
nude-kids.net NS ns1.kolberacn.com
xlsites.net NS ns1.kolberacn.com

The server state is: 201 Okay

ns2.kolberacn.com

lolita-bbs.name NS ns2.kolberacn.com
ns2.kolberacn.com A 65.182.248.145
ns2.kolberacn.com A 66.30.49.194
ns2.kolberacn.com A 68.48.197.101
ns2.kolberacn.com A 68.80.158.76
ns2.kolberacn.com A 69.208.85.23
ns2.kolberacn.com A 72.2.13.24
ns2.kolberacn.com A 75.60.192.242
ns2.kolberacn.com A 76.112.161.176
ns2.kolberacn.com A 99.245.182.179
ns2.kolberacn.com A 209.60.226.164
ns2.kolberacn.com A 209.252.169.130
xlpreview.com NS ns2.kolberacn.com
sys82.net NS ns2.kolberacn.com
com94.net NS ns2.kolberacn.com
weblola.net NS ns2.kolberacn.com
littlelolita.net NS ns2.kolberacn.com
nude-kids.net NS ns2.kolberacn.com
xlsites.net NS ns2.kolberacn.com

The server state is: 201 Okay

And the rest are supporting several other domains featuring the enom phishing setup.

Note the diversity of the IP addresses associated with those name servers: every single one of these is being hosted via a botnet, presumably home computers infected with the Asprox malware. I had been reading up on several investigations into that botnet, and now it appears it’s directly a part of my own spam investigations.
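As an added example (not from the original post), here is one way to turn that observation into a repeatable check: parse a passive-DNS dump in the same “name TYPE value” layout quoted above and flag name servers whose A records are scattered across many unrelated /16 blocks, which is what a fast-flux botnet looks like and what a normal hosting provider does not. The hostnames and addresses are constructed from documentation ranges, not the ones in the post.

```python
import ipaddress
from collections import defaultdict

# Constructed sample in the same "name TYPE value" layout as the dump above.
# Hostnames and addresses are made up (RFC 5737 documentation ranges).
SAMPLE_DUMP = """\
example-a.test NS ns1.example-ns.test
ns1.example-ns.test A 198.51.100.7
ns1.example-ns.test A 203.0.113.44
ns1.example-ns.test A 192.0.2.130
ns1.example-ns.test A 198.51.100.9
example-b.test NS ns1.example-ns.test
ns2.example-ns.test A 203.0.113.9
ns2.example-ns.test A 203.0.113.10
ns2.example-ns.test A 203.0.113.11
"""


def parse_dump(text):
    """Return ({ns: set of A-record addresses}, {ns: set of zones it serves})."""
    a_records = defaultdict(set)
    zones = defaultdict(set)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip blank lines and anything that is not "name TYPE value"
        name, rtype, value = parts
        if rtype == "A":
            a_records[name].add(ipaddress.IPv4Address(value))
        elif rtype == "NS":
            zones[value].add(name)  # value is the name server, name is the zone
    return a_records, zones


def flux_score(addrs, prefix_len=16):
    """Number of distinct /prefix_len blocks covered by a name server's A records."""
    return len({ipaddress.ip_network(f"{a}/{prefix_len}", strict=False) for a in addrs})


def suspicious_nameservers(text, min_ips=4, min_prefixes=3):
    """Flag name servers with many A records spread over many unrelated /16s.

    Anycast and large CDN name servers can also look like this, so treat a hit
    as an indicator to confirm (e.g. against residential ASNs), not as proof.
    """
    a_records, zones = parse_dump(text)
    flagged = {}
    for ns, addrs in a_records.items():
        if len(addrs) >= min_ips and flux_score(addrs) >= min_prefixes:
            flagged[ns] = sorted(zones.get(ns, set()))  # zones riding on that server
    return flagged
```

Running `suspicious_nameservers(SAMPLE_DUMP)` flags only `ns1.example-ns.test` (four addresses in three different /16s) together with the two zones delegated to it; `ns2` stays inside one block and is not flagged.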

Many of the domains supported by those name servers are, of course, sites which promote, sell, and distribute child pornography. Fortunately, as I write this, none of these sites is responding. (Good work on getting those shut down, whoever you are.)

A quick investigation of one of those sites leads to a payment processing site known as Avalonpay.com. A quick search on that domain turns up an interesting blog entry on matchent.com concerning a similar investigation. The registrant contact data for that domain includes the company name “Absolutee Corp. Ltd.”, allegedly based in Hong Kong:

Note the company name used, ABSOLUTEE CORP. LTD.
Compare with an article in Wired News, http://www.wired.com/politics/security/news/2007/10/russian_network , about the Russian Business Network from October 2007, quote:

“Jaret [note: speaking on behalf of RBN] also says there’s no mystery about the company’s ownership. According to Jaret, an offshore company called First Connect Telecom Limited Inc. owns RBN, though the company’s principals remain anonymous. The registration information for the company’s website lists a company called Absolutee Corp. LTD as the owner of the domain name.”

The article also mentioned that the whois info for RBN was changed later. And it has now expired.

So:

- eNom Phishing sites (all featuring alexeyvas@safe-mail.net contact email in whois.)
- Rogue DNS servers (All featuring fake Chinese registrant information in whois.)
- Child porn sites (All featuring absolutee.com registrant information in whois.)
- Avalonpay.com (Payment processor for child porn sites, also featuring absolutee.com registrant information in whois.)

ALL hosted using botnet-supported fast-flux servers.

You would think that this guy’s days in this industry were numbered, but sadly you’d be wrong, at least judging from how long he’s maintained these operations.

I would love it if anyone from Russian law enforcement would investigate this scumbag. I guess I would first have to figure out how much they charge to do that. (Pardon my cynicism.)

Stay far, far away from any email related to these eNom “security bulletin” emails.

SiL / IKS / concerned citizen


Is UADreams the new VPXL?


UADreams (formerly UALadys) is back to spamming everybody, whether they want it or not, with 100% bogus “Russian dating” messages. Here’s a sampling from mere moments ago:

Subject: RE: Message 00

Im a charming blue-eyed blonde, who looks for a male pen friend, or just a man to talk with on Skype or in real life!

Don’t loose time and come get registered FREE at: http://el1te-russ1an-g1rls.com/?idAff=5

Subject: RE: Message 61

I’m a beautiful girl, who looks for a male pen friend, or just a man to talk with on Skype or in real life!

I have registered my profile at: http://el1te-russ1an-g1rls.com/?idAff=5

Subject: RE: Message 11

I’m a beautiful girl, who looks for a male pen friend, or just a man to talk with on Skype or in real life!

My home page: http://el1te-russ1an-g1rls.com/?idAff=5

Subject: RE: Message 54

I’m a hot brunette girl, who looks for a male pen friend, or just a man to talk with on Skype or in real life!

My home page: http://el1te-russ1an-g1rls.com/?idAff=5

Subject: RE: Message 30

I am an atractive blonde, and I’m searching for a man to chat with by email or by Skype, or even meet in reality!

My home page: http://el1te-russ1an-g1rls.com/?idAff=5

Of course I never initiated any communication with anyone in Russia (so why would there be a “Re:” in the subject in the first place?) This same affiliate (idAff=5) is sending me, on average, five to ten of these per hour, and the wording makes it clear he has absolutely no idea what he’s doing. Nobody should be dumb enough to click on any of these messages, especially since they all arrived virtually simultaneously.

Ignoring all of that: who describes themselves this way? There’s just no basis in reality for any of these messages. Also: nobody is dumb enough to assume they are the sole object of this “woman’s” affection. Literally everyone I discuss spam with has received these messages, and continues to do so.

This affiliate was previously sending me non-stop VPXL spam (prior to the shutdown of SanCash / AffKing, of course.) I can tell simply because he’s applying the same template and frequency to this “UADreams” spam run. He also mails on behalf of GlavMed / Spamit and is among the mailers sending four times as much “Canadian Pharmacy” spam to everyone on the planet.

I’ve blogged about UALadys in the past. They clearly have no problem paying mailers to send millions of messages illegally to anybody. This idiot has no idea who’s in his lists, and he doesn’t care. I could be a 98 year old woman or a five year old boy. He will still assume I am interested in meeting a Russian woman to date and / or marry. This is the typical intellect of the average mailer. Not only do they not segment their lists or clean them, they just flat-out have no idea whatsoever of who is in their lists. Yet they believe it’s up to us to take care of that by “just deleting” the millions — or billions, as we’ve seen recently — of messages they clog the Internet with on a daily basis.

Needless to say: you should never join ANY dating site which uses unsolicited email to promote itself.

SiL / IKS / concerned citizen

