Wednesday, July 18, 2007

ED Pill Store: The hoodia certificate (Part 2 - eBullz)

Make sure you have read Part 1 of this post, as it gives some background information on how I found a connection between ED Pill Store, HoodiaPlus and the site ehoodialife.com because both sites use the same hoodia certificate.

Ehoodialife.com has many similarities with the HoodiaPlus site:

  • Overall design is very similar
  • Large parts of the FAQ look like one site is a copy of the other
  • The contact form looks like one site is a copy of the other with minor changes
  • Products offered + prices (discount) are exactly the same (except for name)
  • The ordering pages have many similarities both in design and in the JavaScript code used for validation. The JavaScript code especially has to be a copy of each other

But besides a single registration (and it can be a mistake), ehoodialife.com is not mentioned anywhere in connection with spam, which made me think that the ED Pill Store spammer had maybe just stolen a lot of the design + certificate from ehoodialife.com and then end of story, but luckily I kept digging.

When looking at the domain registration for ehoodialife.com it was registered to Herbal Group in Quebec, Canada:



I looked up the address + phone number and it's a real address, but it belongs to a B Ratelle. But nothing wrong with that; Richard Duguay is only listed as technical contact. Richard's email address is from the domain stjeannet.ca, and I also looked that up just to check, and then things started to be interesting.



I was sure I remembered that Xavier name from somewhere and I was right: he is listed by the Spamhaus project, Spamhaus registration. According to them, Xavier has worked together with Alex Polyakov, whom the SpamWiki has listed as the person behind ED Pill Store spamming. This is the first time that I have found evidence of this link myself. To add to this picture, remember the B Ratelle whom I found by searching on phone number/address for the ehoodialife.com registration. A registration that, btw, has an address very close to the one listed for Xavier Ratelle (8552 and 8556 St-Denis).

When placing an order at ehoodialife.com I noticed that during the ordering process the site suddenly changes to www.ehealthylife.com, which is a site selling different products like HighLife, HoodiaLife, XynaVolume etc., all products that actually have the same or very similar names as products sold by different sites related to the ED Pill Store spammer.

So I did a new lookup for this domain and found



Richard Duguay again, but with another address + phone number in Quebec, Canada. I did a search on Google with the phone number from the registration and again interesting things showed up:

  • FirstAccessPro. A company dealing with different electronic products, jewellery etc. Same address (both real world - 8552 St-Denis and IP - 74.52.59.34) as St-Jean Internet Inc. (Xavier Ratelle)
  • Car for sale. A personal ad for sale of a car, signed by Xavier
  • Billiard table for sale. A personal ad for sale of a billiard table added by M. Xavier Ratelle

So apparently Xavier Ratelle is sometimes using the phone number that is listed for the registration on the ehealthylife.com domain... is Richard Duguay really Xavier Ratelle?

But none of the links found when searching for the phone number of the registration mentioned the address, so I did a separate search for the address and found the site Bullz Distribution. The domain registration didn't mention any of the names, addresses etc. from the other domains, and the website seems to be for a normal distribution company, so I was almost dropping this thread when I noticed that ehoodialife.com, ehealthylife.com and bullzdistribution.com are all hosted on the same IP address: 216.17.96.48

So I took a look at the domain registration information once again



Nothing to be found on address + phone number, so I tried the ebullz.com domain used in the email address for the registrant. The registrant information is the same as for bullzdistribution.com, so I went to look at the site instead, and then some of the loose ends started to connect. Ehealthylife is mentioned as one of their sites, so there is a connection after all.



And there is more bullz... because on ehoodialife.com there is a link called affiliates, and when you press that link you are redirected to bullzbuck.com, which is an affiliate site for selling the products listed at ehealthylife.com. The domain, bullzbuck.com, has the same registration information as hoodialife.com, and the site is hosted on the same IP address as hoodialife.com, ehealthylife.com, bullzdistribution.com and ebullz.com.
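The pivots used so far (same hosting IP, matching registration records) amount to clustering domains on shared attributes. The sketch below is an added example, not part of the original post: the registrant values REG-A and REG-B are placeholders, since the post only says which records match, and `unrelated.example` with 192.0.2.10 is a constructed control.

```python
from collections import defaultdict

# Observations taken from the post. Registrant values are opaque placeholders
# (REG-A, REG-B): the post says which records match, not what they contain.
# "unrelated.example" and 192.0.2.10 are constructed as a control.
OBSERVATIONS = [
    ("ehoodialife.com", "ip", "216.17.96.48"),
    ("hoodialife.com", "ip", "216.17.96.48"),  # spelled as in the post
    ("hoodialife.com", "registrant", "REG-A"),
    ("bullzbuck.com", "ip", "216.17.96.48"),
    ("bullzbuck.com", "registrant", "REG-A"),
    ("ehealthylife.com", "ip", "216.17.96.48"),
    ("bullzdistribution.com", "ip", "216.17.96.48"),
    ("bullzdistribution.com", "registrant", "REG-B"),
    ("ebullz.com", "ip", "216.17.96.48"),
    ("ebullz.com", "registrant", "REG-B"),
    ("unrelated.example", "ip", "192.0.2.10"),
    ("unrelated.example", "registrant", "REG-Z"),
]


def cluster(observations, kinds=("ip", "registrant")):
    """Group domains that share at least one attribute of an allowed kind."""
    parent = {}
    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    first_seen = {}  # (kind, value) -> first domain seen carrying it
    for domain, kind, value in observations:
        find(domain)  # register every domain, even if it links to nothing
        if kind in kinds:
            anchor = first_seen.setdefault((kind, value), domain)
            parent[find(domain)] = find(anchor)
    groups = defaultdict(set)
    for domain in parent:
        groups[find(domain)].add(domain)
    return sorted(groups.values(), key=lambda g: (-len(g), sorted(g)))


def shared_evidence(observations, a, b):
    """Return the (kind, value) pairs two domains have in common."""
    attrs = defaultdict(set)
    for domain, kind, value in observations:
        attrs[domain].add((kind, value))
    return attrs[a] & attrs[b]
```

Calling `cluster(OBSERVATIONS, kinds=("registrant",))` shows which links survive without the IP pivot, which matters because a single hosting IP can serve many unrelated customers.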

The last thing I noticed is that ehealthylife.com mentions an international processing office:



When searching, this company turns up in connection with other domains, onlinesupplier.com, investinginsuccess.com, buydiscount.com, that are not mentioned in connection with spam.

One little matching hoodia certificate and so much information that it's difficult to keep track of it all, so to summarize: In general, none of the domains mentioned, except for the ED Pill Store HoodiaPlus, seems to be known for being involved in spamming, there are reasons to believe that the domain registration information is genuine, there is more contact information than is normally seen on spamvertised sites, some related sites seem to be normal distribution companies, and the sites are hosted in the United States, not hidden in China. All in all those things indicate no involvement with spam at all, but... Why does Xavier Ratelle's name turn up in the domain registrations? Why do HoodiaPlus and HoodiaLife have so many similarities that it can't be a coincidence? Why do many of the spamvertised sites related to ED Pill Store sell products that are very similar to the products sold wholesale at ehealthylife.com and which bullzbuck.com has an affiliate program for selling?

1 comment:

Anonymous said...

found your site on del.icio.us today and really liked it.. i bookmarked it and will be back to check it out some more later