Monday, August 27, 2007

High season for drug spamming

It must definitely be high season for drug spamming, because during the last week the amount of spam received from My Canadian Pharmacy, Canadian Pharmacy and Herbal King has gone up by 500-1000% compared to the level I normally receive.

I wonder what the idea is behind sending the same spam to the same email address sometimes up to 10 times each day; My Canadian Pharmacy even did that for 3-4 days advertising a site (miztrust.cn) that was not working.... It doesn't strike me as very clever marketing.

But besides the standard complaints to domain registrars and hosting providers there is nothing to report.... yet, because I am of course doing some extra digging and playing a few small games as soon as I have time.

Tuesday, August 14, 2007

Dating scammers: Irina - end of story

It seems like my "communication" with Irina is truly dead now. In my last post regarding those dating scammers I wrote about the letter I had received where "she" asked for money to help her out with her flight ticket. I chose to see if the scammers were willing to work a little for the money or not, because that probably gives a good indication of how many other people they are close to scamming.

So I made up a little story about past problems with Western Union and how I would prefer another company I had used before, more expensive, but with delivery of the money directly to the door. I didn't say that I would not use Western Union at all but just showed a little concern and asked Irina what her opinion was.

I had hoped to see the scammers doing a lot to convince me that Western Union was ok to use and that it was the preferred way etc., because that would have given me hope that I was only among a few people that they were close to scamming. But instead I just received a general email not mentioning my concerns but just explaining how glad she was that I would help and how much she was looking forward to seeing me etc. So I gave it another shot, asking whether I should take her answer to mean that she didn't care if we used another company than Western Union. Again just a general answer, but trying even harder to convince me just by saying how much she loves me etc. (Hmm, she still doesn't know my full name or age and has never seen a picture of me), but again the scammers didn't spend any time trying to deal with my Western Union concerns. I sent one more email back but never got an answer.

I find this kind of behaviour very concerning because, as mentioned, the only reason I can think of why the scammers try so little to convince me about using Western Union despite my concerns is that they have plenty of people they are close to scamming, or that in their mind it's much easier to pump out a few million new spam mails than to use 10 minutes of their time trying to convince me to send the $550 through Western Union. Of course there is also the chance that they knew I was not to be scammed no matter what, but I guess if that was the case then they would not have answered my emails at all.

So end of the Irina story..... well, except that I submitted all my communication including images etc. to the Danish Police. As I have not lost money it will not result in an investigation, but at least they have registered and saved my information, and it can be used in case they start an investigation later based on someone actually losing money.

Wednesday, August 8, 2007

RXNIC: backend server and more

In a post yesterday I wrote about the RXNIC affiliate program and the connection found to Health Nation and S-RX affiliate program.

My guess was that RXNIC and S-RX were actually the same, but I have now changed my view on this and believe they are just working together. After yesterday's post I tried to create an account at RXNIC and was met with a confirmation page saying that my account was created but not active yet and that I could contact ICQ 410098780 if I could not wait for the normal 48 hours activation time.

I searched on Google for this ICQ number and found www.spamsoft.bz/forum/member.php?u=44, a user on a Russian spam forum with the nickname RXNIC and the use of this ICQ number. I then tried bulkerforum.biz with the same ICQ number, and there too I found a user with the nickname RXNIC, so unless the same person has two different nicknames/ICQ numbers on bulkerforum.biz, these are two different persons.

On bulkerforum.biz RXNIC advertises the affiliate program:



In the different posts RXNIC offers daily changing domains, short domains good for picture spamming (because the user cannot just click on a link but must type it), free mailing software and free bots (hijacked computers), and from the rxnic.com homepage we can see that bulletproof hosting can also be supplied as a service to their affiliates. No doubt a very spam-friendly affiliate program.

rxnic.com is also itself "hosted" on bots, which usually makes it very difficult to close down the site because the bots are just proxies and therefore easily replaceable, while the actual website is placed on a server unknown to us, but...

First of all, I mentioned that I created an account on RXNIC, and they were also polite enough to send me a welcome email message, sent from the address 69.31.81.146, which is a server hosted at www.pilosoft.com. It could be a hijacked server, but I don't think so because it's not the only server at Pilosoft with a connection to RXNIC.

I'm quite sure that this test page www.rxnic.com/cgi-bin/user/test.cgi was not supposed to be publicly accessible, because it shows some interesting information that does not change no matter which IP address (bot) rxnic.com resolves to:



What we can actually see from this page is that the site is served through one or more proxies (the addresses 72.232.135.82 and 208.166.49.169 are involved) and then finally from a server called b1a69.cf.host with address 69.31.46.194, which is once again a server hosted at Pilosoft.

If you look directly at http://69.31.46.194 you just get a standard Debian/Apache information page. But from the above page we can see that the server is called b1a69.cf.host, so I placed a manual DNS entry in my hosts file (windows/system32/drivers/etc/hosts) mapping b1a69.cf.host to 69.31.46.194, and then I went to http://b1a69.cf.host, and now the RXNIC homepage turned up without going through the bots and proxies. So 69.31.46.194 is definitely the backend server for RXNIC, which the people behind it have tried to hide behind bots and proxies.... just not very well.

Tuesday, August 7, 2007

Health Nation -> RXNIC -> S-RX

In a post about a week ago I mentioned how a spam from the same spammer led me to both a My Canadian Pharmacy and a Health Nation site. The Health Nation site was however closed down before I managed to do my research, but I got another one today.

The spam contains a link to sethnw.cn/?EILJSMWFxVW3VSXUFRQlhGHVdaXA== that redirects to dolmisdes.cn, which is a My Canadian Pharmacy site. But if you try only sethwn.cn you are redirected to aztxobzipyijon.com instead, which is a Health Nation site:



About the site: they have a fake drug reselling license, which is standard for sites like this; this "license" is however also expired. Lazy spammer. They have a lot of false claims regarding the need for prescriptions and the safety of ordering by credit card (even though they don't use SSL), and then they have this entry in their FAQ:



If this is true, they use RX Payments and Surefire as credit card processors. RX Payments is based in Israel, and the owners are the same who are behind magendavidmeds.com, which is to my knowledge a fully legit reseller of drugs. That probably also means that they are so much more interested in reacting if it turns out they are really processing credit cards for Health Nation. Surefire was, as far as I know, bought by Terra Payments, which merged with Optimal Payments. I will contact both credit card processors and ask about their connection to Health Nation.

When placing an order you get a confirmation page with a link to www.rxhelpcenter.com:



which again shows a logo for rxnic.com:



rxnic.com runs a pharmacy affiliate program, and they don't exactly hide that they are a spam-friendly affiliate program. The home page mentions "BP Domain Registration and BP Hosting Solutions" for their members (BP = Bullet Proof = doesn't close down just because of some spam abuse reports) and that they have new domains every day, which can only be because they know they will get some domains closed along the way.

The home page mentions the following company and address. This company cannot be found in the Louisiana Secretary of State Corporation Database, and the closest I came to finding the address was the domain registrar DomainContender LLC, which has exactly the same address except for LA 70130 instead of LA 70131. DomainContender LLC has never heard of NT Express Inc.

NT Express Inc
650 Poydras Street
Suite 1120
New Orleans, LA 70131
US


The domain rxhelpcenter.com is registered at YesNic co. ltd. with the following registrant information:



The phone number is actually a fax number of a legit real estate agent. The address exists, but I would be surprised if it's not the address of some innocent, unknowing individual.

The site is hosted at address 64.28.179.146, which belongs to Cernel. What is interesting is that two other sites are hosted on the same server, www.hsuite.com and www.popular-cigarettes.com.

hsuite.com is a support/customer service site with 24x7x364 support (what happened to the 365th day?), the same site that can also be found at www.24x7x364.com except for some changes in phone numbers and the footer. I am however not impressed by their support; I asked a week ago what their connection to Health Suite is, and they have not answered me yet. When searching for hsuite.com, it is mentioned together with Health Suite, which was a pharmacy site spamvertised a lot back in 2005.

hsuite.com and 24x7x364.com are both registered at EstDomains but with different registration information:



The two sites mention different support numbers: 1-888-241-8489 / 1-888-242-0845 (hsuite.com) and 1-888-237-0341 / 1-888-240-5526 (24x7x364.com). Different stories can be found on the net related to those phone numbers, from people who have tried to call and have been redirected to, some say, England and others say Moscow. They all talked with persons who just denied spamming and afterwards hung up the phone.

The other site also hosted on the same server as rxhelpcenter.com, popular-cigarettes.com, is a site selling cigarettes, Smoke Man, also known for spamming. If you look at the FAQ you find answers to questions like "What does OEM stand for?", "Am I purchasing some academic or trial software?" etc., so this is a spammer who also does OEM software spamming and has been too lazy to make a new FAQ for his cigarette spamming site.

When searching a little for Health Suite and Smoke Man I ended up at this page www.s-rx.biz/terms.html that mentions both health-suite.com and popular-cigarettes.com. S-RX is an affiliate program for pharmacy, cigarettes and OEM software. Based on the dates of the news the affiliate program seems to be dead.... but the people behind it are not.... because the site also mentions an ICQ of 414999 for support, and on www.bulkerforum.biz (a forum for mailers, where many are actually spammers, not legit mailers) a user with the nickname 'S-RX' who uses the ICQ of 414999 has actually advertised for new mailers for an affiliate program just 8 days ago.

According to Spamhaus, Anton Gorodov / Gorodetsk from Russia should be the person behind S-RX.

So there are connections between a lot of different sites. My guess is that it's the same person who was behind S-RX who is now running a new affiliate program, RXNIC, still just as spam-friendly as the old one. One of the affiliates is running spam campaigns for both Health Nation and My Canadian Pharmacy.

Needless to say I will throw around some complaints to the different providers of hosting services and domains.

Wednesday, August 1, 2007

Dating scammers: Irina is back

So Irina is not a reader of my blog, I guess, because after a day's pause she is back again.... I think she has been busy moving her server from McColo, United States, to LLC GlobalWholesaleTrade, Russia, but she says she has been busy going to the doctor and visiting the travel agency. :-)

But shit happens, and she found out that she is $550 short of the ticket for the flight, so now she asks me if I can lend her some money... transferring it via Western Union.

She has sent me her full address in St. Petersburg:

My address here (the flat i am renting)
Country : Russia, City : St. Petersburg,
Address : Beloysova 4-18, zip 198097
Full Name IRINA LOKOTOVA (right writting in English)


And a picture of her passport:



I can see in the headers of the email that they have not only changed hosting location but have also started to move from www.freemailserv.net to www.mailzervis.net, which is also registered at OnlineNic, www.onlinenic.com. A new complaint has been sent to them.

And then they are using server 88.196.209.246 instead of 85.10.235.211, so maybe SenPai IT Solutions have scared them away with their internal investigation. The new server is located at Elion, Estonia, http://www.elion.ee. This server has some ports being used for OpenVPN, just as 85.10.235.11 also has. A complaint has been sent to Estonian Telephone Company Ltd., which is listed as the abuse contact.

I did a search on Google for 88.196.209.246 and got 3 hits. One didn't give much information, but the two others are for some HYIP (High Yield Investment Program):



They mention a site www.hyipinvest.biz, and that site says that it has been visited by hackers:



I will try to send them a mail and ask what their connection to the 88.196.209.246 server is and why this server is also used in a dating scam.

And regarding Irina, I'm still playing with a few ideas for what my answer to "her" latest email will be.

My Canadian Pharmacy on hijacked servers as usual

Received spam from "The United States National Medical Association", us-nma.com, explaining how many online pharmacy shops are unreliable and simply frauds... well, who else than the spammers themselves has first-hand knowledge of this?

When clicking on the us-nma.com link in the message, you are instead redirected twice: first to www.fadesuntuides.com/?EILJSMWFxVW3VSXUFRQlhGHVdaXA== and then from there to ahoplicaner.com, which is a My Canadian Pharmacy site, not to be confused with the Canadian Pharmacy sites.

Fadesuntuides.com is registered at Xin Net Technology Corporation, www.xinnet.com, not surprisingly with forged registration information. A complaint has been sent to them. The domain is used in a botnet, so it resolves to different addresses at intervals of a few minutes. Too much work to report them all, as there can be a large number of zombie computers.

Regarding the My Canadian Pharmacy site, the SpamWiki has dissected it, so read more here: spamtrackers.eu/wiki/index.php?title=My_Canadian_Pharmacy

The domain ahoplicaner.com is registered at 1-887NameBid.com LLC, 1-877NameBid.com. The domain information used is very likely forged, because it's the address of one of the directors of the Kentucky Secretary of State, and I doubt she is involved in spamming. A complaint was sent, which they chose to delete without reading; I have reminded them that I will report that fact here to see if they change their mind.

As usual, My Canadian Pharmacy is using several servers to host its site, and probably all of the frontend servers we see are hijacked. The site itself is located at 195.87.6.3, which is assigned to Koc Net, Turkey, www.koc.net. Images are placed on a range of addresses, all at port 8080: 212.174.224.6, 66.134.243.54, 85.92.131.183, 202.82.16.25, 193.95.254.71. Abuse reports have been sent to the hosting/network providers assigned to all 6 addresses.

I mentioned that the redirection to www.ahoplicaner.com was done from the address fadesuntuides.com/?EILJSMWFxVW3VSXUFRQlhGHVdaXA==, and this of course made me curious to see what showed up if you just went to fadesuntuides.com... another redirection, this time to aztxobzipyijon.com, which is a Health Nation site.
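The hop-by-hop walk used here and in the Health Nation post above, as an added example that is not part of the original blog: a small Python walker that records every Location header instead of letting a browser jump straight to the landing page, so each intermediate domain in a chain can be reported to its own registrar or host. The sample responses, their status codes and the loop.example entries are constructed for the example; `connect_to` is an assumed option of mine that mirrors the hosts-file trick from the RXNIC post (connect to a chosen IP while the Host header still names the site).

```python
import http.client
from urllib.parse import urlsplit, urljoin

def http_fetch(url, timeout=10, connect_to=None):
    """One GET, returning (status, Location) without following the redirect.
    connect_to pins the TCP connection to a chosen IP while the Host header still
    names the URL's host, the same trick as the hosts-file entry in the RXNIC post."""
    parts = urlsplit(url)
    cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = cls(connect_to or parts.hostname, parts.port, timeout=timeout)
    path = (parts.path or "/") + ("?" + parts.query if parts.query else "")
    conn.request("GET", path, headers={"Host": parts.netloc, "User-Agent": "redirect-walker"})
    resp = conn.getresponse()
    status, location = resp.status, resp.getheader("Location")
    conn.close()                      # the body is never read or rendered
    return status, location

def walk_redirects(url, fetch=http_fetch, max_hops=10):
    """URLs visited starting from url. Stops at the first non-3xx answer, a
    missing Location header, a redirect loop, or after max_hops hops."""
    chain, seen = [url], {url}
    for _ in range(max_hops):
        status, location = fetch(url)
        if not 300 <= status < 400 or not location:
            break
        url = urljoin(url, location)  # Location may be relative
        chain.append(url)
        if url in seen:
            break                     # loop: chain ends on the repeated URL
        seen.add(url)
    return chain

def landing_host(chain):
    """Hostname of the chain's last URL, i.e. the actual spamvertised site."""
    return urlsplit(chain[-1]).hostname

# Constructed responses mirroring the hops described in the post; the status
# codes and the loop.example entries are made up, the post states neither.
SAMPLE_RESPONSES = {
    "http://us-nma.com/": (302, "http://www.fadesuntuides.com/?EILJSMWFxVW3VSXUFRQlhGHVdaXA=="),
    "http://www.fadesuntuides.com/?EILJSMWFxVW3VSXUFRQlhGHVdaXA==": (302, "http://ahoplicaner.com/"),
    "http://fadesuntuides.com/": (302, "http://aztxobzipyijon.com/"),
    "http://loop.example/a": (302, "/b"),
    "http://loop.example/b": (302, "/a"),
}

def table_fetch(url):
    """Offline stand-in for http_fetch: URLs not in the table answer 200."""
    return SAMPLE_RESPONSES.get(url, (200, None))
```

`walk_redirects("http://us-nma.com/", fetch=table_fetch)` returns the three-step chain ending at ahoplicaner.com; drop `fetch=` to walk a live chain, and use `functools.partial(http_fetch, connect_to="1.2.3.4")` to pin the first hop to a specific server.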

So it appears we have a spammer here who is probably running mailing campaigns for both these sites. There is quite a lot to report about this Health Nation site, as it's the first time I see that one, so I will leave that for a separate post.