Friday, May 15, 2009

HerbalMaxx - selling pills that make your digital camera automatically zoom in

It has been a long time since I last posted any new research, but just to let you know that I haven't given up and am still trying to get rid of all the spam in my inbox, here is a little piece of research about HerbalMaxx.



HerbalMaxx is one of those wonderful sites with before and after pictures of male penises where you can easily see that either the after pictures are zoomed in or the pill has actually made the entire person grow, not only "the little guy". So either HerbalMaxx is selling pills that make your digital camera automatically zoom in, or it sells pills that make your entire body grow.

The HerbalMaxx site I was looking at recently was www.mascroes.com. The domain is registered at Xiamen eName Network Technology Co.,Ltd, which is chosen quite often by different spammers. That isn't much of a surprise when we see the kind of totally crappy registration information they accept:



The site is/was hosted on the server with IP address 110.52.8.253, which is located in China and belongs to China Unicom.



The same server hosts/hosted 120+ other sites that are definitely in the same category: US HealthCare Inc, some replica watch sites, etc. SpamWiki has a lot of information about US HealthCare spamming, but I must say it confuses me a little that SpamWiki primarily talks about links to the United States and Romania, because as I will show in a moment I quite clearly see a link to China. However, it would definitely not be the first time we see spammers from very different parts of the world working together, and there is also the possibility that HerbalMaxx has just rented space on the server in China alongside other, unrelated spammers.

Well, enough about the information that can just be looked up using a good WHOIS service. Spammers have generally become better at validating input in their order forms, but HerbalMaxx is luckily an exception. So I played my old "show me who reads the orders" game by placing a fake order containing a callback to a server controlled by me, and a few hours later I could see the following in my log files:



I have removed some of the uninteresting data. Basically, what can be seen is that some non-existent images are requested from my server, and the image name is exactly the one I placed in the fake order. The images are requested from the IP address 116.22.27.74, and the referers are http://www.admin-zed.com/main.php?action=readOrder&order_id=95701 and http://www.admin-zed.com/main.php?action=updateStatus&currentStatus=0&order_id=95701. The order id matches the order id I was shown on the order confirmation page when placing the fake order.

So without a doubt, what we are seeing here is someone looking at my fake order placed on a HerbalMaxx site and then updating its status afterwards, probably cancelling the order because it was quite obviously fake.

The IP address 116.22.27.74 is located in China and belongs to China Telecom (CHINANET Guangdong province network). There is of course a possibility that this IP address is just a proxy and not the real address assigned to the spammer, but based on my past experience (Robert Soloway, The Atkinson Brothers and that company in India that I may not mention by name), most spammers probably feel there is no reason to protect themselves by using proxies in this particular situation of reading orders. I'm also not able to find any information pointing in the direction that this IP address should be a proxy server.

The other very interesting part of the logged information is the referer. Apparently the spammer has a PHP application running at www.admin-zed.com that is used for administering the orders. The registrant information for admin-zed.com is protected using the name CSMJBS Enterprises.
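As an added illustration (not code from the original post), the following Python script does the correlation described in the two log passages above over constructed sample lines in Apache combined log format: it picks out requests for the planted image names and breaks each referer down into host, action and order id, so an analyst can see at a glance which client address read which order through which administration application. The client IP, referer URLs and order id are the ones quoted in this post; the image name, timestamps, sizes and the unrelated third request are made up.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache "combined" log format. The client IP,
# referer URLs and order id are the ones quoted in the post; the image name,
# timestamps, sizes and the unrelated third request are made up.
SAMPLE_LOG = """\
116.22.27.74 - - [15/May/2009:03:12:41 +0200] "GET /img/fakeorder-a7c3.gif HTTP/1.1" 404 213 "http://www.admin-zed.com/main.php?action=readOrder&order_id=95701" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
116.22.27.74 - - [15/May/2009:03:13:05 +0200] "GET /img/fakeorder-a7c3.gif HTTP/1.1" 404 213 "http://www.admin-zed.com/main.php?action=updateStatus&currentStatus=0&order_id=95701" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
203.0.113.9 - - [15/May/2009:03:14:00 +0200] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# Image names planted in the fake order(s); only requests for these matter.
CANARIES = {"fakeorder-a7c3.gif"}

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def canary_hits(log_text, canaries=CANARIES):
    """One record per request for a planted image, with the referer decomposed."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        rec = m.groupdict()
        name = rec["path"].rsplit("/", 1)[-1]
        if name not in canaries:
            continue
        ref = urlsplit(rec["referer"]) if rec["referer"] != "-" else None
        q = parse_qs(ref.query) if ref else {}
        hits.append({
            "ip": rec["ip"], "ts": rec["ts"], "canary": name,
            "referer_host": ref.hostname if ref else None,
            "action": q.get("action", [None])[0],
            "order_id": q.get("order_id", [None])[0],
        })
    return hits

def summarize(hits):
    """Group hits by (client ip, referer host): one entry per order reader."""
    out = {}
    for h in hits:
        key = (h["ip"], h["referer_host"])
        out.setdefault(key, []).append((h["action"], h["order_id"]))
    return out
```

Running `summarize(canary_hits(SAMPLE_LOG))` on the sample yields a single reader, 116.22.27.74 via www.admin-zed.com, with a readOrder followed by an updateStatus on order 95701.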



The site is hosted at the IP address 207.226.173.179, which is located in the United States and belongs to Beyond The Network America.



Of course I ran the same test again later to make sure that my result was not just some kind of extreme coincidence. I placed a new fake order, and the following showed up in my log files on the server:



So basically this is 24 hours after the other entries in my log file. As can be seen, the same IP address is used, so it might even be a static address assigned to the spammer. Admin-zed.com is used again for the order administration, and this time the spammers also run some kind of search, probably to see if they can find similar weird orders in their database. Apparently they search all the way back to 1/1-2007, which could indicate that they are not entirely new to this business.