Friday, May 15, 2009

HerbalMaxx - selling pills that make your digital camera automatically zoom in

It has been a long time since I last posted any new research, but just to let you know that I haven't given up and am still trying to get rid of all the spam in my inbox, here is a little research about HerbalMaxx.

HerbalMaxx is one of those wonderful sites with before and after pictures of male penises where you can easily see that either the after pictures are zoomed in or the pills have actually made the entire person grow, not only "the little guy". So either HerbalMaxx is selling pills that make your digital camera automatically zoom in or they sell pills that make your entire body grow.

The HerbalMaxx site I was looking at recently was The domain is registered at Xiamen eName Network Technology Co.,Ltd, who is chosen quite often by different spammers. That doesn't surprise much when we see the kind of totally crappy registration information they accept:

The site is/was hosted on the server with ip-address, which is located in China and belongs to China Unicom

The server also hosts/hosted 120+ other sites which are definitely in the same category: US HealthCare Inc, some replica watch sites etc. SpamWiki does have a lot of information about US HealthCare spamming, but I must say it confuses me a little that SpamWiki primarily talks about links to United States and Romania, because as I will show in a moment I quite clearly see a link to China. However it would definitely not be the first time that we see spammers from very different parts of the world working together, but there is also the possibility that HerbalMaxx has just rented space on the server in China along with other non-related spammers.

Well, enough about the information that can just be looked up using a good WHOIS service. Spammers have generally become better at validating input in their order forms, but HerbalMaxx is luckily an exception. So I played my old "show me who read the orders" game by injecting a callback to a server controlled by me in a fake order, and a few hours later I could see the following in my log files:

I have removed some of the non-interesting data. Basically what can be seen is that some non-existing images are requested from my server, and the image name is exactly the same as the one I placed in the fake order. The images are requested from the ip-address and the referer is and The order id matches the order id I was shown on the order confirmation page when placing the fake order.

So without a doubt what we are seeing here is that someone is looking at my fake order placed on a HerbalMaxx site and then updating status afterwards, probably canceling the order because it was quite obviously fake.

The ip-address is located in China and belongs to China Telecom (CHINANET Guangdong province network). There is of course a possibility that this ip-address is just a proxy and not the real address assigned to the spammer, but based on my past experience (Robert Soloway, The Atkinson Brothers and that company in India that I may not mention by name) then most spammers probably feel there is no reason to protect themselves by using proxies in this particular situation of reading orders. I'm also not able to find any information pointing in the direction that this ip-address should be a proxy server.

The other very interesting part of the information that was logged was the referer. So apparently the spammer has a PHP application running on the address that is used for administration of the orders. The registrant information for is protected using the name of CSMJBS Enterprises.

And the site is hosted at the IP-address which is located in United States and belongs to Beyond The Network America.

I of course ran the same test again later to make sure that my result was not just some kind of extreme coincidence. I placed a new fake order and the following showed up in my log files on the server

So basically this is 24 hours after the other registrations in my log file, as can be seen then the same ip-address is used, so it might even be a static address assigned to the spammer. is also used again for the order administration and this time the spammers also run some kind of search, probably to see if they can find similar weird orders in their database. Apparently they search all the way back to 1/1-2007 which could indicate that they are not all new in this business.
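The log correlation described in this post, as an added example that is not the author's code: it scans a web server access log for requests to the unique image names placed in test orders and reports which address fetched them, from which referring host, and whether the order id shown at confirmation appears in the referer. The combined log format, marker names, order ids, addresses and hostnames are all constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit, parse_qs

# Apache/nginx "combined" access-log format (assumed for this example).
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed values: the unique image name placed in each test order, mapped
# to the order id that was shown on that order's confirmation page.
MARKERS = {
    "/i/7f3a91c2.gif": "100231",
    "/i/c20e55ab.gif": "100987",
}

# Constructed sample log (documentation IP ranges, reserved .test hostname).
SAMPLE_LOG = """\
198.51.100.7 - - [14/May/2009:01:02:03 +0200] "GET /robots.txt HTTP/1.1" 200 68 "-" "ExampleBot/1.0"
203.0.113.45 - - [14/May/2009:09:15:40 +0200] "GET /i/7f3a91c2.gif HTTP/1.1" 404 209 "http://orders.backend.test/admin/view.php?id=100231" "Mozilla/4.0"
203.0.113.45 - - [14/May/2009:09:16:02 +0200] "GET /i/7f3a91c2.gif HTTP/1.1" 404 209 "http://orders.backend.test/admin/status.php?id=100231&action=cancel" "Mozilla/4.0"
this line is truncated garbage
198.51.100.7 - - [14/May/2009:11:00:00 +0200] "GET /i/logo.gif HTTP/1.1" 200 512 "-" "ExampleBot/1.0"
203.0.113.45 - - [15/May/2009:09:20:11 +0200] "GET /i/c20e55ab.gif HTTP/1.1" 404 209 "http://orders.backend.test/admin/search.php?from=2007-01-01&q=test" "Mozilla/4.0"
203.0.113.45 - - [15/May/2009:09:21:30 +0200] "GET /i/c20e55ab.gif HTTP/1.1" 404 209 "http://orders.backend.test/admin/view.php?id=100987" "Mozilla/4.0"
"""


def find_marker_hits(log_text, markers):
    """Return one record per request for a marker image, in log order."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed or truncated line: skip, do not guess
        path = urlsplit(m["path"]).path  # ignore any query string on the image
        if path not in markers:
            continue
        ref = urlsplit(m["referer"]) if m["referer"] not in ("", "-") else None
        # Compare against every query value so no parameter name is assumed.
        values = {v for vs in parse_qs(ref.query).values() for v in vs} if ref else set()
        hits.append({
            "ip": m["ip"],
            "time": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
            "marker": path,
            "referer_host": ref.hostname if ref else None,
            "referer_path": ref.path if ref else None,
            "order_id_in_referer": markers[path] in values,
        })
    return hits


def summarize(hits):
    """Group hits by client address: markers seen, referer hosts, time span."""
    by_ip = defaultdict(lambda: {"markers": set(), "referer_hosts": set(),
                                 "first": None, "last": None, "confirmed": 0})
    for h in hits:
        s = by_ip[h["ip"]]
        s["markers"].add(h["marker"])
        if h["referer_host"]:
            s["referer_hosts"].add(h["referer_host"])
        s["first"] = h["time"] if s["first"] is None else min(s["first"], h["time"])
        s["last"] = h["time"] if s["last"] is None else max(s["last"], h["time"])
        s["confirmed"] += h["order_id_in_referer"]  # referer carried the order id
    return dict(by_ip)


if __name__ == "__main__":
    for ip, s in summarize(find_marker_hits(SAMPLE_LOG, MARKERS)).items():
        print(ip, sorted(s["referer_hosts"]), len(s["markers"]), "markers,",
              s["confirmed"], "hits with matching order id,",
              "seen over", s["last"] - s["first"])
```

A hit whose referer does not carry the order id, such as the search page in the sample, still ties the address to the order back end; it just cannot be pinned to one order from the referer alone.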

Monday, December 22, 2008

A Christmas and New Year update about Herbal King / Elite Herbal.

As can be seen I have been quite lazy blogging lately as non-spam related work (the part of my business that pays the bills) has taken up too much of my time. But I just wanted to send a little update before the end of 2008. This also marks that we have now passed 1 year since the BBC Radio programme and the raid by Department of Internal Affairs in Christchurch, New Zealand a few days after, really placed some focus on the Herbal King / Elite Herbal (Sancash/Affking) spamming.

The latest development in New Zealand is that Lance Atkinson has now admitted his part in the spamming and has settled with a fine of $100.000 (NZD):!OpenDocument

But of course Lance is still facing the legal actions against him by the Federal Trade Commission (FTC) in United States.

Regarding the case against me in Delhi High Court, India, then currently all of my research is being evaluated by NASSCOM (because of the technical depth of parts of it) who will report back to Delhi High Court, and the next hearing will be in the end of February 2009, which can be read in the following court document:

But more interesting regarding the last hearing in October was that I have been told by my lawyer that ________ (*) was actually interested in withdrawing all actions against me, and according to my lawyer then in India it is normally possible for plaintiff to withdraw a case without any specific reason. However I have no interest in getting the case withdrawn because then it will be much more difficult for me to countersue afterwards, and Delhi High Court was also quite interested in looking further at my research supporting that ________ (*) was involved in spamming activities. So luckily the case was not allowed to be withdrawn.

So this means that busy with non-spam related work or not then there will definitely be some interesting things happening in the coming year too.

So with this little update I will just wish all of the non-spamming readers of this blog a merry Christmas and a happy New Year.

(*) Reference to entity has been temporarily removed due to temporary injunction placed on the blog and the author of this blog in the case CS (OS) 218/2008 under process in Delhi High Court. Further information about the injunction (order) can be found here:

Tuesday, October 14, 2008

Herbal King/Elite Herbal: Legal actions in New Zealand and United States

So I have been blogging a lot in the past about the investigation by Department of Internal Affairs in New Zealand, an investigation that came to our knowledge shortly after a BBC radio programme that I participated in pointed at Genbucks, Shane Atkinson and that Indian company that I may not mention by name: ________ (*) as being involved in spamming.

Today a media release regarding the result of this investigation was published by Department of Internal Affairs (DIA) in connection with a related press release from Federal Trade Commission (FTC) in the United States.

Media release from DIA:!OpenDocument

As it can be read then Shane Atkinson, his brother Lance Atkinson and a third individual from New Zealand are now facing a case against them in High Court for spamming (among others then the Herbal King / Elite Herbal sites), and if found guilty will face a penalty of up to $200.000 (New Zealand Dollars).

The media release also mentions that Shane Atkinson was a co-manager at the Genbucks Affiliate programme, that the products being spamvertised were manufactured and shipped by ________ (*) and that the Sancash affiliate programme was used to recruit and pay the spammers (the people actually sending the spam emails) to market the Genbucks/_________ (*) products.

This fits well with the research I have conducted myself and shared with you on this blog and which has also been supplied to DIA and is part of the evidence in the case.

What I have now learned is that what happened when DIA raided properties in Christchurch, New Zealand and Shane Atkinson was put under investigation back in December 2007, was that the brother of Shane, Lance who was the primary person responsible for recruiting the spammers to the Sancash affiliate programme, closed down Sancash (I have blogged about that earlier), stopped the work with Shane and instead teamed with US-based Jody Michael Smith and together they made the Affking (Affiliate King) programme, where I guess a lot of the old spammers from Sancash moved to. The domain was registered on December 17th 2007, a few days after the BBC Radio Programme that I participated in was aired, and on the same day that DIA raided the properties in New Zealand.

It is this part of the spamming operation (affking) that FTC has now put a halt to through a temporary injunction. Press release can be found here: and besides that a memo from the court is publicly available and can be found here

(*) Reference to entity has been temporarily removed due to temporary injunction placed on the blog and the author of this blog in the case CS (OS) 218/2008 under process in Delhi High Court. Further information about the injunction (order) can be found here:

Wednesday, July 23, 2008

Case closed: Robert Alan Soloway

With a sentence set at 47 months, a fine of around $700.000 and 3 years of supervision when he gets out of jail, then the final words have probably been said for now about the case of Robert Alan Soloway... the guy who is indirectly responsible for the existence of this blog.

Monday, May 26, 2008

Temporary injunction on this blog and my opinion about it

As you will maybe notice I have taken some blog entries completely offline and edited references to a particular entity out of other blog entries. This has happened because I have learned that the temporary injunction placed on the blog and me in the case CS (OS) 218/2008 under process in Delhi High Court, also orders me to remove any indications in past blog entries which indicate any nexus between this particular entity and spamming.

Further information about the injunction (order) can be found here:

I definitely don't agree with the temporary injunction (an opinion I'm entitled to have due to the Freedom of Speech given to me by §77 of the Danish constitution), but of course I accept it in respect of the Delhi High Court.

What I as a common man don't understand, is that the temporary injunction was made ex-parte (not because I chose not to be represented but because I was not notified about the hearing). I fully understand why temporary injunctions made ex-parte and without notice can be necessary in certain cases, e.g. if we are talking about a case of child abuse, then of course it's important to be able to remove the child from the abuser as quickly as possible and also without prior notice, in case the court evaluates that harm can be done to the child if the abuser knows that the temporary injunction is up for hearing.

But in this particular case the reason for a temporary injunction must be in order to prevent further damages and financial loss to Plaintiff, and the order mentions that it is a problem that potential customers can search in Google with Plaintiff's name and then end up on this blog, and that this can put off a large number of customers. I have looked at my Google Analytics reports and can see that from July 2, 2007 and until this date I have received only 215 visits referenced from search engines where the name of the Plaintiff has been used in the search words, that is not even 1 visit per day, which really doesn't fit well with the "large number of customers" statement. Based on that a common man like me finds it illogical that such a speedy hearing, without time to at least just hear my point of view regarding the allegations, was necessary, but again it's just my opinion and I respect the choice made by Delhi High Court.

The temporary injunction also seems to be based on the fact that I should have continued blogging after being told about the suit. It's correct that an earlier suit No. 148/2007 was filed back in July 2007 by Plaintiff but I was not served the summon and shown the allegations in the suit before the end of January 2008. So the reason I continued blogging was simply because I'm not clairvoyant. But of course with an ex-parte hearing I was never given the possibility to prove that it was missing clairvoyant capabilities and not disrespect for the lawsuit that made me continue blogging.

Then there is the actual order given:
"In view of these circumstances, the plaintiff is entitled to ex parte ad interim orders. The defendants and in particular the defendant No.1 shall desist from posting any blogs or writing any e-mails to the plaintiff or any other person, which contain any defamatory matter or which indicate any nexus between the plaintiff and spamming."

What I have now learned more than 3 months after the temporary injunction was served and after Plaintiff has filed a petition because of my contempt for the court (disobeying the temporary injunction), is that "desist from posting any blogs" actually does also mean "remove postings / references to plaintiff in existing postings". I think it's understandable that a common man like me who doesn't know the language used in lawsuits can misunderstand the order, and I, especially when the temporary injunction is then given ex-parte, don't understand why it was not chosen to clearly state what was expected of me in the temporary injunction.

But again all of the above is just my personal opinion and is of course a result of my poor knowledge of legal processes and the language used in such, and I therefore also as mentioned before fully accept the temporary orders given to me by Delhi High Court.

“Truth is like the sun. You can shut it out for a time, but it ain't goin' away.”
- Elvis Presley

Tuesday, April 29, 2008

Short update: Herbal King/Elite Herbal etc.

I have a lot of people asking me about what happened with the Herbal King/Elite Herbal case, why I'm not posting anymore etc.

So here is just a short update. No the case is definitely not closed and Yes I definitely have a lot of new information about the case, but I'm not posting about it for the following reasons

  • One of the entities mentioned in the past postings about Herbal King/Elite Herbal etc. has filed a civil lawsuit against me in Delhi High Court, India and I have been temporarily constrained from posting about this entity while the lawsuit is being processed.

  • Department of Internal Affairs in New Zealand is still undergoing investigation and I help them the best with not posting any new information but only sharing with them.

So you simply just have to be patient and trust me when I say that I will definitely post a lot of new interesting information about this case sometime in the future but at the moment I can't say if that will be in 2, 4 or 6 months timeframe.

Regarding me not posting at all... well, unfortunately it's not because I don't receive spam emails anymore, I have just been busy with other things, among others the mentioned lawsuit and then the business activities that actually pay my bills. But rest assured that it's still a bad idea to deliver spam to my inbox. :-)

Thursday, January 10, 2008

"Colleagues" about Herbal King/Elite Herbal, Genbucks, _________ (*) etc.

Here is a little update regarding Herbal King/Elite Herbal etc. (too many names to list them all here). Most of this is actually just information supplied to me by friendly "colleagues" so some of it you might have already read in the comments to my last posts. But anyway I will summarize here:

* The company Etech Media from Christchurch, New Zealand which I found a connection to earlier from Genbucks is owned by Shane Atkinson (A "colleague" with the access to search in New Zealand company registrations did supply me that information)

* Another "colleague" at just further strengthened the feeling I already had that it's probably Shane Atkinson who uses the name 'pilldude' in different places, among others also on the Genbucks forum. What is a little interesting is that since 'Pilldudes' entrance into the forum back in 2005 he has 1000+ posts, so in other words he is quite active. However the latest post can be dated back to December 10, a few days before the BBC radio programme that really started to bring some attention to this case.

* Another "colleague" again pointed me to, a well-known forum for spammers where a debate started about an affiliate programme called Sancash, that suddenly had disappeared (site gone, and skype id no longer in use). There was quickly some confirmation that Sancash was an affiliate programme for Elite Herbal and doing a little calculation I could also see that Sancash did disappear if not on same date then close to the date of the raid in Christchurch, New Zealand. By looking at historic whois information for I could also see that until its disappearance it was hosted at IzoWeb inc. which is also the preferred hosting provider for Genbucks related sites. My guess is that maybe Sancash was just a facade put up in front of the Genbucks affiliate programme and used by them for the special group of affiliates sending spam in order to keep the Genbucks name "free of dirt". According to Sancash is not dead but has changed site and skype id, so this is probably the reason why many of you are still receiving spams, but now mostly under the name of VPXL and not Herbal King/Elite Herbal. Can it be Shane that is still so stupid that he just keeps on under another name, I don't know, I would think not, but he has probably not been alone in the first place so there are probably some trusted "business partners" that take over, that is unfortunately often how it is.

* Another "colleague" again (and yes we are talking 4 different now since the start of this post) also made me aware of what I have also noticed myself, things are disappearing... spooky!!! Some of the latest disappearing items are the post on this Genbucks Affiliate blog, where we found that nice picture of Shane and ________ (*), the two owners of Genbucks. Also the videos on YouTube that helped BBC in their investigation have vanished into thin air...

So have I really dug up nothing myself?

Well a little, but the most interesting thing I'm actually not going to blog about for a while and the reason is the spooky thing about things disappearing. I want to make sure the Department of Internal Affairs in New Zealand have collected everything, and this information has a nature that could make it very interesting as evidence in the hopefully coming trial.

But I can blog a little about one of the small coincidences that we have seen so many of in this case. Apparently Genbucks have chosen just days ago to create a new company to handle their payment of affiliates. There could be some kind of business related reason for doing so, but based on the answers to the confused affiliates on the Genbucks forum then "they just wanted to make a new company to handle payments". Apparently moderator also tries to hide the address for this server by editing user posts, but missed a post about the name of the company, so here we go. The new company is located on and the company name according to domain registration is Etranz Ltd. and is located on Mauritius (not same address as Genbucks), however in the affiliate programme agreement something is mentioned about Indian law. Just a coincidence? Maybe, but then why now and why all the secrecy....

(*) Reference to entity has been temporarily removed due to temporary injunction placed on the blog and the author of this blog in the case CS (OS) 218/2008 under process in Delhi High Court. Further information about the injunction (order) can be found here:

Thursday, December 20, 2007

Tangled web of Herbal King/Elite Herbal, Genbucks, _________ (*) etc.

I have been looking even more into the connection between Herbal King/Elite Herbal, Genbucks, __________ (*) and Shane Atkinson and what a tangled web, I don't think I have discovered everything and still I don't know where to start and stop.

Maybe it's a good idea to start with listing what is already known and reported in my past posts about the Herbal King/Elite Herbal spammings

  • 8-9 months ago I found out that the validation in order forms of Herbal King/Elite Herbal sites was poor and I was able to inject a little piece of code that sent a request back to one of my servers when orders were read. I then discovered that the orders were read by a few different IP-addresses, one belonging to ____________ (*) in India and one being a DSL connection from the provider IHug in New Zealand. I sent complaints/questions to both companies but didn't get any further, actually from _______ (*) I never received a response despite numerous emails + faxes.

  • 3 weeks ago I was contacted by BBC who was doing a radio programme about spam and they had chosen Herbal King/Elite Herbal spam as their subject as they were also very tired themselves of the numerous spam mails from these spammers. They wanted to dig further into the connection to ___________ (*) and New Zealand that I found. BBC ordered some products from the Herbal King/Elite Herbal sites and received email verification that the products would be shipped from Ukraine or India (Two locations where __________ (*) is represented). BBC found out that the payment was done through, and looking at the WHOIS information for this site led them to Genbucks. BBC called Genbucks and the responding employee more or less admitted to being a department of ___________ (*) and also that the Herbal King/Elite Herbal sites were theirs. BBC also used the New Zealand link and IHug (owned by Vodafone) to get the name of Shane Atkinson, known for spamming years back but supposed to have left this "business". Shane denied allegations when contacted by BBC.

  • After the BBC radio programme was broadcasted the New Zealand authorities chose to raid properties in Christchurch, New Zealand. The New Zealand authorities were already investigating these people and were afraid they would be alerted by the attention drawn to them by the radio programme.

So far so good. Next question is how tight is the connection really between the Herbal King/Elite Herbal spammings, Genbucks, ___________ (*) and Shane Atkinson.

What led me from Herbal King/Elite Herbal and to _________ (*) was the little piece of code showing that __________ (*) was reading orders exactly as I typed them in at the order page of Herbal King/Elite Herbal sites. This just shows some kind of connection, but not really how tight. It could be a single ____________ (*) employee helping a spammer without the knowledge of the corporation, it could be that _________ (*) was supplying an interface for customers to automatically submit orders and therefore didn't know anything about the products being sold etc. So __________ (*) could have given me a well made up explanation like that and I would probably have believed them. Ignoring my complaints just made me more curious.

What led BBC from Herbal King/Elite Herbal and to Genbucks was the service on their bank statement. When looking at WHOIS information for this domain you could see the email address I say "could" because the day after the BBC radio programme was broadcasted the WHOIS information on was changed so it now looks like this

So it seems like they have chosen a WHOIS protection service but I never heard of this one before and then I discovered that the address shown for this WHOIS protection service is the same address as shown for Genbucks themselves

And when looking at the WHOIS information for this actually pointed me directly back to Genbucks too... so not a very successful attempt to hide that is owned by Genbucks.

So Genbucks is also pretending to be a WHOIS protection service besides being a payment gateway. Actually I have found out that Genbucks is behind a lot of different sites not only related to their herbal products, many different payment processing sites (,,,, E-trading bureau approving their own sites, PageRanking services ranking their own sites highly, Pillranking sites ranking only their own products and all with good reviews etc. Unethical marketing if you ask me but again I'm only after the spamming...

Last week when trying to track down further evidence of the connection between _________ (*) and Genbucks I came across a web design portfolio of a Canadian web designer at which showed that he had actually created design for both and __________ (*). Luckily I have a screenshot of how it looked a week ago

_____IMAGE______ (*)

Notice the second + fourth reference in the fourth row, that is Genbucks + ________ (*). If you go to the site today then the Genbucks reference has been removed. Is that just a coincidence? I have sent an email to the owner of the site but have received no answer yet. But actually some of the other references are for Genbucks related sites too.

To see if I could find further indications of the relationship between __________ (*) and Genbucks I got access to the incorporation documents and other public documents for ____________ (*) (Fee of 50 Indian Rupees ~ 1.2 US Dollars in fee to Indian Government... what a bargain). I could see that after one of the directors resigned earlier this year there are now two owners/directors of __________ (*) left, __________ (*) and ___________ (*). Also one of the readers of this blog sent me a comment about GenPharma International also being related to __________ (*) so I checked their incorporation documents too and correct, two of the owners of GenPharma International are ____________ (*) and _____________ (*).

This is interesting because I searched a little in the historic WHOIS information (thanks to of some of the Genbucks domains and discovered that back in 2005 the domain had a ___________ (*) registered as the owner of the domain with the same address in India that _____________ (*) used in the incorporation documents for GenPharma International. Nowadays they have the Genbucks "WHOIS Protection Service" listed instead on the domain.

It should also be mentioned that even though Genbucks shows an address in the Republic of Mauritius on their homepage then it's publicly known (they have confirmed so in the Genbucks forums) that they are based in India.

But back to the name _____________ (*), because it actually turns up once again (nicely spotted by Susan from Spamhaus) and this time we are really talking something extremely interesting, a Genbucks affiliate blogging about Genbucks. See his Genbucks blog and notice the third section

The blogging affiliate has been so lucky to meet the owners of Genbucks and have even been taking a nice picture. And the name of the Genbucks owners are Shane and _______ (*)! Based on the image on this site I think there is no doubt that Genbucks owner Shane is actually Shane Atkinson and my guess is that the other Genbucks owner ________ (*) is actually __________ (*) which as mentioned is also one of the owners/directors of ___________ (*) and GenPharma International. It seems like the connection between Herbal King/Elite Herbal, Genbucks, __________ (*) and Shane Atkinson is even tighter than first expected.

But the tangled web is even bigger. I mentioned the E-Trade Bureau ( site that Genbucks owns and which approves Genbucks own sites. There was one of the sites listed that at first didn't seem directly related to Genbucks but it still caught my attention because it was a dating site in New Zealand, When I went into the dating site I found a banner at the bottom advertising 'SpermoMax' which is a Genbucks product but noticed that instead of the normal site this banner linked to (a domain also owned by Genbucks) and I noticed that it used a payment processing site called which was also different from the other site. I searched WHOIS information for with the expectation to find Genbucks once again listed as owners but I got a surprise

It's not Genbucks listed as owner, but a company called Etech Media in Christchurch, New Zealand, the city where spammers were raided by New Zealand authorities few days ago. The company can be found on When looking at the contact page on the site I saw the contact email and instantly I had that feeling that I had seen the name 'jas' before

And correct. If you go back to the image of Shane and __________ (*) you also see a person named Jas and referred to as Affiliate Manager at Genbucks... again one of those "coincidences" and the next one was only a click away when I looked at the portfolio for Etech Media

All 6 websites listed there are sites belonging to Genbucks and another funny little thing is that at least two of the sites ( + is also listed in the portfolio of the Canadian web designer I mentioned earlier. Maybe he did graphical design and Etech Media did backend programming... is actually a site belonging to Genbucks that sells MP3 Players. As can be seen from the news bulletin from ___________ (*), then ___________ (*) is actually involved in business with the same range of MP3 Players

___IMAGE_____ (*)

My guess is that when New Zealand news sources say that "Two Christchurch businessmen was interviewed during the raid" it could very likely be businessmen with a business name of Etech Media, but it's only a guess.

There is probably more relations to be found If I look in all the corners but I think by now there should be no doubt that there is a tight connection between Herbal King/Elite Herbal sites, Genbucks, __________ (*) and Shane Atkinson.

What we can only wait for now is for the New Zealand authorities to find out exactly how many people was involved in or knew about the heavy spamming done to advertise the Herbal King/Elite Herbal sites, and that is my main interest, because in all this untangling of different companies, sites etc. it's important to remember that being owner of different companies is not illegal or necessarily a sign of cover-up, it's actually very common. It's also worth remembering that probably most of the Genbucks affiliates are using legal methods to advertise the products, I think some of Genbucks "marketing practices" with E-Trading bureau that approves their own sites, Pillranking sites that make review of their own pills etc. are unethical but probably not illegal, and personally I doubt (without any evidence) that their pills actually have much effect, except maybe psychological, but the fact is that all in all then if it wasn't for the spamming it would probably be a legit corporation and affiliate programme.

(*) Reference to entity has been temporarily removed due to temporary injunction placed on the blog and the author of this blog in the case CS (OS) 218/2008 under process in Delhi High Court. Further information about the injunction (order) can be found here:

Wednesday, December 19, 2007

Herbal King/Elite Herbal: Spammers raided in Christchurch, New Zealand

I thought I had made my last post before Christmas but things are moving fast now regarding the Herbal King/Elite Herbal spammer.

First BBC was also running a news article regarding their investigation

And now different New Zealand news sources report about a raid on 4 properties in Christchurch, New Zealand where 22 computers and boxes with documents were seized and I believe the raid to be against Shane Atkinson and friends, the alleged Herbal King/Elite Herbal spammer. According to the news sources the New Zealand authorities were already investigating these spammers but had to move quickly now because the BBC investigation alerted the spammers.

Scoop: Anti-spam raid in Christchurch
New Zealand Herald: Spammers targeted in Internal Affairs raids
Stuff: Suspected spammers raided in Chch

Let us hope the spammers were too stupid to be alerted, so the New Zealand authorities find a lot of interesting information in the seized computers and documents. It will be especially interesting to see if they find any evidence showing that Genbucks / ________ (*) was surely aware of how their products were being advertised.

(*) Reference to entity has been temporarily removed due to temporary injunction placed on the blog and the author of this blog in the case CS (OS) 218/2008 under process in Delhi High Court. Further information about the injunction (order) can be found here:

Monday, December 17, 2007

Lawsuit against me by _________ (*)

In my last two posts I have been writing about the BBC investigation that among other things has verified the connection between the Herbal King/Elite Herbal spammer and ____________ (*).

What wasn't mentioned in the radio programme is that BBC also sent questions to an authorised representative from __________ (*) in which BBC mentioned me, however not by name but just as a "Danish IT Professional". The authorised representative from __________(*) however responded by telling BBC that they believed that the "Danish IT Professional" mentioned was me (identified by name) and that they have filed a lawsuit against me at Delhi High Court for harassment and would therefore not make any comments about the case. BBC of course, as part of their research, asked me for a comment about this lawsuit, which was how I heard of it for the first time.

Well, if __________ (*) can't, then at least I can make some comments about this "lawsuit":

1) I have never heard of this lawsuit before now. I have never been contacted by any lawyers or by the Danish/Indian police regarding this matter.

2) They claim that I have been harassing them. Yes, I have sent numerous emails/faxes to ___________(*) with complaints and questions, but I'm sure this can not be defined as harassment. Not once have they responded to my complaints/questions or asked me to stop sending them emails/faxes. It is a weird way to react, filing a lawsuit before even once trying to stop the "harassment" by responding to one of my emails/faxes.

3) They claim I have been threatening them. Well, if telling them that I would hand over information to Indian newspapers, regarding their connection with a well known spammer, in case they don't answer my questions is threatening, then I'm guilty, but I'm not exactly losing my sleep over that.

4) They claim I have made false statements about their company. From my point of view I have just told exactly what I have discovered. I have never said that __________ (*) is directly behind the spamming but have been open to different other explanations. I have given _________ (*) numerous possibilities to answer the "allegations" I have made against them, and not once have they chosen to do this or asked me to stop blogging about their connection to the Herbal King/Elite Herbal spammer.

I have now been writing to __________(*) again to hear more about this lawsuit, but it will not surprise me if they just keep ignoring me. Well if there really is a pending lawsuit then sooner or later they (or their lawyer) will have to start communicating, not just ignoring me....

(*) Reference to entity has been temporarily removed due to temporary injunction placed on the blog and the author of this blog in the case CS (OS) 218/2008 under process in Delhi High Court. Further information about the injunction (order) can be found here:

Friday, December 14, 2007

The Investigation: Herbal King/Elite Herbal, _________ (*), Genbucks, Shane Atkinson (Follow up)

In my last post I mentioned a BBC radio programme broadcast less than 12 hours ago, and those of you who have already listened know why. Otherwise you can listen to the programme on BBC Radio 4: The Investigation

As you can hear in the programme, BBC did an interview with me and used my research regarding a connection between Herbal King/Elite Herbal, ___________ (*) and Ihug (DSL provider in New Zealand) in their investigation, and ended up with some interesting conclusions.

When BBC ordered some products from a spamvertised Elite Herbal site and afterwards tracked the money through the bank they ended up with the name of the payment provider As mentioned in the radio programme then is a domain registered by Genbucks in India (Genbucks is an affiliate programme that claims not to accept spamming affiliates). Simon Cox from BBC then called Genbucks and used my research about the connection to __________ (*) to ask what I will define as a trick question, because he asked the Genbucks employee who answered the phone "if it was ___________ (*) he had called". As you can hear in the radio programme, the employee did admit that Genbucks is a "department" of __________ (*) and that Elite Herbal is one of many sites marketing the products that Genbucks/___________ (*) sells.

So what can we make of this research?

1) BBC used another approach than mine to track down who is actually receiving the orders on Herbal King/Elite Herbal sites, but we both ended up with the same result, which is ________________ (*). The BBC research showed that this is done through the affiliate programme Genbucks, which is either controlled by ____________ (*) or very closely related to them.

2) A Genbucks (_________(*)) employee did admit that the Elite Herbal site is one of their many sites, even though it's difficult to conclude whether that employee really understood that what he was admitting to was knowing about a site heavily involved with spamming and advertising Genbucks (____________(*)) products.

As you might remember, the connection between Herbal King/Elite Herbal and __________ (*) was not the only connection I found when doing my research. I also found a connection to New Zealand, more precisely a DSL provider called IHug. In the radio programme you hear Simon Cox from BBC mentioning Vodafone, which is probably because Vodafone is well known in the UK, but the fact is that Vodafone has bought IHug, New Zealand, so what he is actually talking about is the IHug, New Zealand connection I found. It's not mentioned directly how they got the information (if IHug provided the information), but BBC has somehow used my information and tracked down the spam to be sent by Shane Atkinson in New Zealand.

Shane Atkinson (and his brother Lance, who lives in Australia) has been involved in spamming before and been under investigation by the FTC (Federal Trade Commission). As can be read in the Wikipedia description of Shane Atkinson, he should have left the spamming industry some years ago, but this research from BBC shows differently: apparently he is still active and is the "Herbal King/Elite Herbal spammer". Shane denies these allegations, but the matter is now dealt with by the New Zealand authorities.

So to summarize a long story: this has been a great day for my little blog thanks to BBC, and I hope this is the first step in order to stop the Herbal King/Elite Herbal spam from ending up in not only mine, but also your inboxes.

(*) Reference to entity has been temporarily removed due to temporary injunction placed on the blog and the author of this blog in the case CS (OS) 218/2008 under process in Delhi High Court. Further information about the injunction (order) can be found here:

Thursday, December 13, 2007

The investigation of Herbal King/Elite Herbal, _________ (*) etc.

This evening at 20.00 (UTC) BBC Radio 4 broadcasts a radio programme called "The Investigation" in which BBC investigates different current affairs and this evening the programme is about spam - BBC Radio 4: The Investigation: 13 December 2007

But not just any spam: it is about my old time "friends" Herbal King/Elite Herbal (nowadays also known as Express Herbals) and ____________ (*), who I have been blogging about for some time. I don't know exactly what information will be revealed in the radio show, so I'm looking forward to listening myself, but I have been sharing information with BBC and I know they have been able to dig deeper and follow up on the connection I also found between Herbal King/Elite Herbal and __________ (*), I know they have managed to get some comments from __________ (*), I know they found connections to other organizations.... and then I have discovered that _________ (*) are not big fans of my blog here, I wonder why :-)

I will be following up with more information after having listened to the radio programme myself.

(*) Reference to entity has been temporarily removed due to temporary injunction placed on the blog and the author of this blog in the case CS (OS) 218/2008 under process in Delhi High Court. Further information about the injunction (order) can be found here:

Thursday, December 6, 2007

Busy busy busy but still kicking... and was I fooled by eBullz?

I'm extremely busy at the moment and sorry to say not with fighting the spam in my inbox. My funny little spare time activity here is suffering from the fact that I don't have much spare time but need to focus on the part of my business that will hopefully earn me some money.

But anyway I'm sure Christmas will not be celebrated without at least one very interesting update regarding one of the spammers I have been "playing" a lot with... so stay tuned for that one.

Besides that, another case that I haven't done more about has popped up again, leaving me with the big question of whether I was fooled by eBullz or not...

Back in July I found a connection between ED Pill Store and a company called eBullz which run different sites,,, etc. I found some small things that seemed a little weird, like for example a Xavier Ratelle (on the Spamhaus ROKSO list) working for the company that helped develop these sites, but after talking with the owner (Abby) of eBullz I was convinced that HoodiaPlus (that ED Pill Store is involved in advertising through spamming) was just a knock off of HoodiaLife sold by, that Xavier Ratelle was not involved and actually not even known by the owner, and I found no proof that eBullz was involved in spamming.

For the entire story read these posts:

ED Pill Store: The hoodia certificate (Part 1)
ED Pill Store: The hoodia certificate (Part 2)
ED Pill Store: Follow up on eBullz (victim)

But now I have discovered that the FTC has started a case that involves and, a case that also mentions HoodiaPlus (the name used by ED Pill Store) and where Xavier Ratelle is one of the defendants. The lawsuit is regarding both misleading advertising (false product claims) and spamming. Besides Xavier Ratelle the defendants are two persons from Spears Systems inc, a company that I have never heard about before.

Documents regarding the lawsuit can be found on

The sites, have been taken offline based on a restraining order and and seem to have been taken offline too; I don't know if this is related to the lawsuit or not.

I actually sent an email to Abby from eBullz, who was so kind to answer my questions last time, and to my surprise she was just as fast and kind to answer me again this time, when I asked for a comment regarding the lawsuit. But I must admit that the answer just left me confused on a higher level.

In short she told me that yes, there is a temporary restraining order on the herbal products they have been selling based on misleading advertising, but that they are about to settle this matter with the FTC. For the spamming part she says that the FTC has to go after Xavier Ratelle, because she still knows nothing about him, even though it is stated in the FTC documents that he is doing business on, and she says that the spamvertised HoodiaPlus products must be something that Xavier Ratelle knows about.

I have many wild guesses, from that I'm being fooled by Abby's (eBullz) kindness and willingness to answer my questions to that Xavier Ratelle maybe stole the business idea, webpage code etc. from eBullz when being contracted to help them with development and afterwards used this, maybe with help from Russian spammers, to make a business for himself. The only thing I'm sure of is that it will be interesting to follow the progress of the case, to see if any of my theories are correct.

Saturday, September 8, 2007

Open letter to _________

This blog entry has been temporarily taken offline due to temporary injunction placed on the blog and the author of this blog in the case CS (OS) 218/2008 under process in Delhi High Court. Further information about the injunction (order) can be found here:

Monday, August 27, 2007

High season for drug spamming

It must definitely be high season for drug spamming, because during the last week the amount of spam received from My Canadian Pharmacy, Canadian Pharmacy and Herbal King has gone up by 500-1000% compared to the level I have normally received.

I wonder what is the idea behind sending the same spam to the same email address sometimes up to 10 times each day and My Canadian Pharmacy even did that for 3-4 days advertising a site ( not doesn't strike me as very clever marketing.

But besides the standard complaining to domain registrars and hosting providers there is nothing to report.... yet, because I am of course doing some extra digging and playing a few small games as soon as I have time.

Tuesday, August 14, 2007

Dating scammers: Irina - end of story

It seems like my "communication" with Irina is truly dead now. In my last post regarding those dating scammers I wrote about the letter I had received where "she" asked for money to help her out with her flight ticket. I chose to see if the scammers were willing to work a little for the money or not, because that probably gives a good indication of how many other people they are close to scamming.

So I made up a little story about past problems with Western Union and how I would rather prefer another company I have used before, more expensive, but with delivery of the money directly to the door. I didn't say that I would not use Western Union at all but just showed a little concern and asked Irina what her opinion was.

I had hoped to see the scammers doing a lot to convince me that Western Union was ok to use and that it was the preferred way etc., because that would have given me hope that I was only among a few people that they were close to scamming. But instead I just received a general email not mentioning my concerns but just explaining how glad she was that I would help and how much she was looking forward to seeing me etc. So I gave it another shot, answering back asking if I should understand her answer as if she didn't care that we used another company than Western Union. Again just a general answer, but trying even harder to convince me just by saying how much she loves me etc. (Hmm, she still doesn't know my full name or age and hasn't seen a picture of me), but again the scammers didn't waste any time trying to deal with my Western Union concerns. I sent one more email back but never got an answer.

I find this kind of behaviour very concerning because, as mentioned, the only reason I can think of why the scammers try so little to convince me about using Western Union despite my concerns is that they have plenty of people that they are close to scamming, or because in their mind it's much easier to pump out a few million new spam mails than to use 10 minutes of their time to try to convince me to send the $550 through Western Union. Of course there is also the chance that they knew I was not to be scammed no matter what, but I guess if that was the case then they would not have answered my emails at all.

So end of the Irina story..... well, except that I submitted all my communication including images etc. to the Danish Police. As I have not lost money it will not result in an investigation, but at least they have registered and saved my information and it can be used in case they start an investigation later based on someone actually losing money.

Wednesday, August 8, 2007

RXNIC: backend server and more

In a post yesterday I wrote about the RXNIC affiliate program and the connection found to Health Nation and S-RX affiliate program.

My guess was that RXNIC and S-RX were actually the same, but I have now changed my view on this and believe they are just working together. After yesterday's post I tried to create an account at RXNIC and was met with a confirmation page saying that my account was created but not active yet and that I could contact ICQ 410098780 if I could not wait for the normal 48 hours activation time.

I searched on Google with this ICQ number and found A user on a Russian spam forum with the nickname RXNIC and the use of this ICQ number. I then tried with the same ICQ number and also here I found a user with the nickname RXNIC so unless the same person has two different nicknames/ICQ numbers on then it's two different persons.

On RXNIC advertise the affiliate program

In the different posts RXNIC offers daily changing domains, short domains good for picture spamming (because the user can not just click on a link but must type), free mailing software and free bots (hijacked computers), and from the homepage we can see that bulletproof hosting can also be supplied as a service to their affiliates. No doubt a very spam-friendly affiliate program is also itself "hosted" on bots which usually makes it very difficult to close down the site, because the bots are just proxies and therefore easily replaceable, and then the actual website is placed on a, for us, unknown server, but...

First of all I mentioned that I created an account on RXNIC and they were also so polite to send me a welcome email message. A message sent from the address which is a server hosted at It can be a hijacked server but I don't think so because it's not the only server at pilosoft with connection to RXNIC.

I'm quite sure that this test page was not supposed to be publicly accessible, because it shows some interesting information that is not changing no matter which ip-address (bot) that resolves to:

What we can actually see from this page is that the site is served through one or more proxies (, addresses involved) and then finally from a server called with address, which is once again a server hosted at Pilosoft

If you look directly at you just get a standard Debian/Apache information page. But from the above page we can see that the server is called, so I placed a manual DNS entry into my hosts file (windows/system32/drivers/etc/hosts) with ip-address / and then I went to and now the RXNIC homepage turned up without going through bots and proxies. So is definitely the backend server for RXNIC that the people behind have tried to hide behind bots and proxies.... just not very well
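The reason the hosts-file entry changes what the server returns is name-based virtual hosting: the same address serves a placeholder page or the real site depending on the HTTP Host header. The following added example (not part of the original post) reproduces that comparison against a small local stand-in server, so an investigator can confirm a suspected backend before filing an abuse report with its hosting provider; the hostname, page titles and function names are constructed for illustration.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed stand-in hostname; the post's real hostname and address are not used.
BACKEND_HOSTNAME = "backend.example.test"


class VhostHandler(BaseHTTPRequestHandler):
    """Local simulation of a name-based virtual host on a single address."""

    def do_GET(self):
        host = (self.headers.get("Host") or "").split(":")[0].lower()
        if host == BACKEND_HOSTNAME:
            body = b"<title>Affiliate program home page</title>"
        else:
            # What a browser sees when it is pointed at the bare address.
            body = b"<title>Default web server placeholder page</title>"
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the demo quiet


def start_demo_server():
    """Start the stand-in server on a free loopback port."""
    server = HTTPServer(("127.0.0.1", 0), VhostHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def fetch_title(ip, port, host_header):
    """Connect to ip:port but present host_header, as a hosts-file entry would."""
    conn = http.client.HTTPConnection(ip, port, timeout=5)
    try:
        conn.putrequest("GET", "/", skip_host=True)
        conn.putheader("Host", host_header)
        conn.endheaders()
        body = conn.getresponse().read().decode("utf-8", "replace")
    finally:
        conn.close()
    start = body.find("<title>") + len("<title>")
    return body[start:body.find("</title>")]


def compare_by_ip_and_by_name(ip, port, hostname):
    """Request the same address twice: once by bare IP, once by server name."""
    by_ip = fetch_title(ip, port, ip)
    by_name = fetch_title(ip, port, hostname)
    return {"by_ip": by_ip, "by_name": by_name,
            "name_based_vhost": by_ip != by_name}


def run_demo():
    server = start_demo_server()
    try:
        ip, port = server.server_address
        return compare_by_ip_and_by_name(ip, port, BACKEND_HOSTNAME)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(run_demo())
```

Sending the Host header explicitly gives the same result as the hosts-file entry without changing name resolution for the whole machine.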

Tuesday, August 7, 2007

Health Nation -> RXNIC -> S-RX

In a post about a week ago I mentioned how a spam from the same spammer lead me to both a My Canadian Pharmacy and a Health Nation site. The Health Nation site was however closed down before I managed to do my research but I got another one today.

Spam contains a link to that redirects to which is a My Canadian Pharmacy site. But if you try only you are redirected to instead which is a Health Nation site

About the site. They have a fake drug reselling license which is standard for sites like this, this "license" is however also expired. Lazy spammer. They have a lot of false claims regarding the need of prescriptions, safety when ordering by credit card (even though they don't use SSL) and then they have this entry in their faq

If this is true then they use RX Payments and Surefire as credit card processors. RX Payments is based in Israel and the owners are the same who are behind which is to my knowledge a fully legit reseller of drugs. That probably also means that they are so much more interested in reacting if it turns out they are really processing credit cards for Health Nation. Surefire was as far as I know bought by Terra Payments that merged with Optimal Payments. I will contact both credit card processors and ask about their connection to Health Nation.

When placing an order you get a confirmation page with a link on to

Which again shows a logo for runs a pharmacy affiliate program and they don't exactly hide that they are a spam-friendly affiliate program. The home page mentions "BP Domain Registration and BP Hosting Solutions" for their members (BP = Bullet Proof = Doesn't close down just because of some spam abuse reports) and that they have new domains every day which can only be because they know they will get some domains closed along the way.

The home page mentions the following company and address. This company can not be found in the Louisiana Secretary of State Corporation Database, and the closest I came to finding the address was domain registrar DomainContender LLC, which has exactly the same address except for LA 70130 instead of LA 70131. DomainContender LLC has never heard of NT Express inc.

NT Express Inc
650 Poydras Street
Suite 1120
New Orleans, LA 70131

The domain is registered at YesNic co. ltd. with the following registrant information

The phone number is actually a fax number of a legit real estate agent. The address exists but I would be surprised if it's not the address of some innocent unknowing individual.

The site is hosted at address which belongs to Cernel. What is interesting is that two other sites are hosted on the same server, and . is a support/customer service site. 24x7x364 support (what happened to the 365th day?) , same site that can also be found on except for some changes in phone numbers and footer. I am however not impressed by their support; I asked a week ago what their connection to Health Suite is and they have not answered me yet. When searching for it's mentioned together with Health Suite which was a pharmacy site being spamvertised a lot back in 2005. and are both registered at EstDomains but with different registration information:

The two sites mention some different support numbers 1-888-241-8489 / 1-888-242-0845 ( 1-888-237-0341 / 1-888-240-5526 ( Different stories can be found on the net related to those phone numbers and people who have tried to call and have been redirected to, some say England and others say Moscow. They all talked with persons who just denied spamming and afterwards hung up the phone.

The other site also being hosted on the same server as is a site selling cigarettes, Smoke Man, also known for spamming. If you look at the FAQ you find answers to questions like "What does OEM stand for?", "Am I purchasing some academic or trial software?" etc., so a spammer that also does OEM software spamming and has been too lazy to make a new FAQ for his cigarette spamming site.

When searching a little for Health Suite and Smoke Man I ended up at this page that mentions both and SRX is an affiliate program for pharmacy, cigarettes and OEM software. Based on the dates of the news the affiliate program seems to be dead.... but the people behind it are not.... because the site also mentions an ICQ of 414999 for support and on (Forum for mailers - where many are actually spammers not legit mailers) a user with the nickname of 'S-RX' and who uses the ICQ of 414999 has actually advertised for new mailers for an affiliate program just 8 days ago.

According to Spamhaus, Anton Gorodov / Gorodetsk from Russia should be behind S-RX.

So there is a connection between a lot of different sites. My guess is that it's the same person who was behind S-RX that is now running a new affiliate program, RXNIC, still just as spam-friendly as the old one. One of the affiliates is running spam campaigns for both Health Nation and My Canadian Pharmacy.

Needless to say I will throw around some complaints to the different providers of hosting services and domains.

Wednesday, August 1, 2007

Dating scammers: Irina is back

So Irina is not a reader of my blog I guess, because after a day's pause she is back again.... I think she has been busy moving her server from McColo, United States to LLC GlobalWholesaleTrade, Russia, but she says she has been busy going to the doctor and visiting the travel agency. :-)

But shit happens and she found out that she is $550 short of the ticket for the flight, so now she asks me if I can lend her some money... transferring it via Western Union.

She has sent me her full address in St. Petersburg

My address here (the flat i am renting)
Country : Russia, City : St. Petersburg,
Address : Beloysova 4-18, zip 198097
Full Name IRINA LOKOTOVA (right writting in English)

And a picture of her passport:

I can see in the headers of the email that they have not only changed hosting location but they have also started to move from to which is also registered at OnlineNic, A new complaint has been sent to them.

And then they are using server instead of so maybe SenPai IT Solutions have scared them away with their internal investigation. The new server is located at Elion, Estonia, This server has some ports being used for OpenVPN just as the also have. A complaint is sent to Estonian Telephone Company Ltd. which is listed as abuse contact.

I did a search in Google on this and got 3 hits. One didn't give much information but the two others are for some HYIP (High Yield Investment Program)

They mention a site and that site says that it has been visited by hackers

I will try to send them a mail and ask what their connection to the server is and why this server is also used in a dating scam.

And regarding Irina, I'm still playing with a few ideas for what my answer to "her" latest email will be.

My Canadian Pharmacy on hijacked servers as usual

Received spam from "The United States National Medical Association",, explaining how many online pharmacy shops are unreliable and simply frauds... well who else than the spammers themselves has first hand knowledge of this.

When clicking on the link in the message you are instead redirected twice. First to and then from there to which is a My Canadian Pharmacy site, not to be confused with Canadian Pharmacy sites. is registered at Xin Net Technology Corporation,, not surprisingly with forged registration information. A complaint is sent to them. The domain is used in a botnet so it resolves to different addresses at intervals of a few minutes. Too much work to report them all as there can be a large number of zombie computers.
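A domain whose answers rotate every few minutes across unrelated networks can be recognised from repeated lookups, and the addresses can be grouped per network so that one abuse report covers each provider's hosts. The sketch below is an added example, not part of the original post: the observations are constructed (hypothetical domains, documentation address ranges), the thresholds are assumptions, and grouping by /24 is a simple stand-in for looking up the responsible network owner.

```python
import ipaddress
from collections import defaultdict
from statistics import median

# Constructed sample data: (seconds since first lookup, domain, TTL, A records).
OBSERVATIONS = [
    (0,   "flux.example.test",   120,  ["192.0.2.10", "198.51.100.7"]),
    (180, "flux.example.test",   120,  ["203.0.113.44", "192.0.2.91"]),
    (360, "flux.example.test",   120,  ["198.51.100.23", "203.0.113.5"]),
    (540, "flux.example.test",   120,  ["192.0.2.10", "203.0.113.77"]),
    (0,   "stable.example.test", 3600, ["192.0.2.200"]),
    (180, "stable.example.test", 3600, ["192.0.2.200"]),
    (360, "stable.example.test", 3600, ["192.0.2.200"]),
    (540, "stable.example.test", 3600, ["192.0.2.200"]),
]

# Assumed thresholds for this illustration; tune them against real resolver data.
MIN_DISTINCT_IPS = 5
MIN_NETWORKS = 3
MAX_MEDIAN_TTL = 300
MIN_CHANGE_RATE = 0.5


def group_by_network(addresses, prefix_len=24):
    """Group addresses by enclosing network, one group per abuse report."""
    groups = defaultdict(list)
    for addr in sorted(addresses, key=ipaddress.ip_address):
        net = ipaddress.ip_network(f"{addr}/{prefix_len}", strict=False)
        groups[str(net)].append(addr)
    return dict(groups)


def analyse(observations):
    """Summarise each domain's lookups and flag fast-changing, spread-out ones."""
    samples = defaultdict(list)
    for ts, domain, ttl, addrs in observations:
        samples[domain].append((ts, ttl, frozenset(addrs)))

    report = {}
    for domain, rows in samples.items():
        rows.sort(key=lambda r: r[0])
        answers = [r[2] for r in rows]
        # Fraction of consecutive lookups whose answer set changed.
        changes = sum(1 for a, b in zip(answers, answers[1:]) if a != b)
        change_rate = changes / (len(rows) - 1) if len(rows) > 1 else 0.0
        all_ips = set().union(*answers)
        networks = group_by_network(all_ips)
        med_ttl = median(r[1] for r in rows)
        report[domain] = {
            "distinct_ips": len(all_ips),
            "networks": networks,
            "median_ttl": med_ttl,
            "change_rate": change_rate,
            "flagged": (len(all_ips) >= MIN_DISTINCT_IPS
                        and len(networks) >= MIN_NETWORKS
                        and med_ttl <= MAX_MEDIAN_TTL
                        and change_rate >= MIN_CHANGE_RATE),
        }
    return report


if __name__ == "__main__":
    for name, info in analyse(OBSERVATIONS).items():
        print(name, "FLAGGED" if info["flagged"] else "ok", info["networks"])
```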

Regarding the My Canadian Pharmacy site, the SpamWiki has dissected this, so read more here:

The domain is registered at LLC, The domain information used is very likely to be forged because it's the address of one of the directors of the Kentucky Secretary of State and I doubt she is involved in spamming. A complaint was sent that they chose to delete without reading; I have reminded them that I will report that fact here to see if they change their mind.

As usual My Canadian Pharmacy are using several servers to host their site and probably all of the frontend servers we see are hijacked. Site itself is located which is assigned to Koc Net, Turkey, Images are placed on a range of addresses all at port 8080:,,,, Abuse reports have been sent to hosting/network providers assigned to all of the 6 addresses.

I mentioned that the redirection to was done from the address and this of course made me curious to see what showed up if you just went to another redirection this time to which is a Health Nation site.

So it appears we have a spammer here who is probably running mailing campaigns for both these sites. There is quite a lot to report about this Health Nation site as it's the first time I have seen that one, so I will leave that for a separate post.