Wednesday, August 8, 2007

RXNIC: backend server and more

In a post yesterday I wrote about the RXNIC affiliate program and the connection found to Health Nation and S-RX affiliate program.

My guess was that RXNIC and S-RX was actually the same but I have now changed my view on this and believe they are just working together. After yesterdays post I tried to create an account at RXNIC and was met with a confirmation page saying that my account was created but not active yet and that I could contact ICQ 410098780 if I could not wait for the normal 48 hours activation time.

I searched on google with this ICQ number and found A user on a russian spam forum with the nickname RXNIC and the use of this ICQ number. I then tried with the same ICQ number and also here I found a user with the nickname RXNIC so unless the same person has two different nicknames/ICQ numbers on then it's two different persons.

On RXNIC advertise the affiliate program

In the different posts RIXNIC offers daily changing domains, short domains good for picture spamming (because the user can not just click on link but must type), free mailing software and free bots (hijacked computers) and from the homepage we can see that bulletproof hosting can also be supplied as a service to their affiliates. No doubt a very spam-friendly affiliate program is also itself "hosted" on bots which usually makes it very difficult to close down the site because the bots are just proxies and therefore easy replaceable and then the actual website is placed on an, for us, unkown server, but...

First of all I mentioned that I created an account on RXNIC and they were also so polite to send me a welcome email message. A message send from the address which is a server hosted at It can be a hijacked server but I don't think so because it's not the only server at pilosoft with connection to RXNIC.

I'm quite sure that this test page was not suppose to be public accessable, because it shows some interesting information that is not changing no matter which ip-address (bot) that resolves to:

What we can actually see from this page is that the site is served through one or more proxies (, addresses involved) and then finally from a server called with address, which is ones again a server hosted at Pilosoft

If you look directly at you just get a standard Debian/Apache information page. But from the above page we can see that the server is called, so I placed a manuel DNS entry into my host file (windows/system32/drivers/etc/hosts) with ip-address / and then I went to and now the RXNIC homepage turned up without going trough bot and proxies. So is defently the backend server for RXNIC that the people behind have tried to hide behind bots and proxies.... just not very well

1 comment:

IKillSpammerz said...

In your complaint to pilosoft regarding the server hosted at, you should explicitly mention that rxnic is violating the following sections of their User agreement []:

Use: Customer agrees to the terms and conditions in this agreement at the time they first order or use the Pilosoft Inc. Service. Use of this account is strictly for the customer and is not for resale. Use of this account to violate the security of any computer network, crack passwords or security codes, transfer or store illegal material, or engage in any illegal activity is prohibited. The customer assumes all responsibilities for ensuring legal use of the computer systems.

The bulkerforum member rxnic makes very public mention of the fact that bots are in use. And it is very clear from the rxnic sites that they are engaging in illegal sale of what are likely to be 100% fake drugs. People have died from this practice. So this not only violates the user agreement, it violates a lot of federal and civil laws.

Customer shall not do any of the following or permit any user of their account to do any of the following:


restrict or inhibit any other user from using Pilosoft Inc. Service and/or the Internet. This includes bulk email or postings referred to as spam.

Since this is how you heard about rxnic in the first place (as we all did), this definitely violates their user agreement.

How did you trip across that test.cgi file?!

Nice work as always.