  Author    Pharmacy express  (currently 73,168 views)
invic
Posted on: Monday, May 22nd, 2006, 11:05am
New Member


Posts: 2
I recently received 32 emails in one day from Pharmacy Express, and have come to some of the same conclusions as you. I've contacted both Visa Canada and Visa USA to alert them of the probable misuse of their "Visa Verified" certificate on the Pharmacy Express website. I've been trying to get some information on Palm Grove House in Tortola. It seems there are several apparently normal businesses that have exactly the same PO Box. I had no idea what to make of that. Is there any way I can assist you in waging war on these people?
invic
Posted on: Tuesday, May 23rd, 2006, 1:39pm
New Member


Posts: 2
This is Visa's position on supporting Consumer Fraud...at least so far

Thank you for your inquiry. Visa sets high standards for all its products and services; however, the fact that a merchant displays the Visa logo or uses it on a Visa sales draft, does not indicate that Visa endorses the merchant, nor does it guarantee the quality of goods or services purchased from the merchant.
To verify the legitimacy of a business, you may wish to contact local and regional organizations, such as the trade licensing bureaus, to inquire. In addition to the above, you may wish to contact your internet service provider regarding any emails you receive that you believe to be spam.
We hope this information is useful.
Thanks for writing.
Visa.ca Webmaster
tman
Posted on: Monday, May 29th, 2006, 2:50pm
Frequent Contributor


Gender: Male
Posts: 36
I've been lately receiving spam from "My Canadian Pharmacy" which looks much slicker than Pharmacy Express.  They have a weird "we do not spam and pursue those who spam in our name so please report them here."   (surrrre they do!)

They boast on being "certified by the Better Business Bureau."  Here's a link to the report on them:
http://www.bbbmwo.ca/commonreport.html?bid=1134034

One of the alias names they give for "My Canadian Pharmacy" is.....surprise!  "Pharmacy Express."
The BBB also states that they are "unreachable by mail or phone," so any addresses appear to be a front.

A bunch of nice, respectful businessmen  
tman
Posted on: Monday, May 29th, 2006, 2:54pm
Frequent Contributor


Gender: Male
Posts: 36

Quoted from invic
This is Visa's position on supporting Consumer Fraud...at least so far

Thank you for your inquiry. Visa sets high standards for all its products and services; however, the fact that a merchant displays the Visa logo or uses it on a Visa sales draft, does not indicate that Visa endorses the merchant, nor does it guarantee the quality of goods or services purchased from the merchant.
To verify the legitimacy of a business, you may wish to contact local and regional organizations, such as the trade licensing bureaus, to inquire. In addition to the above, you may wish to contact your internet service provider regarding any emails you receive that you believe to be spam.
We hope this information is useful.
Thanks for writing.
Visa.ca Webmaster


I hate those kinds of generic responses.  In other words, it looks like they don't care about doing anything--probably because there's just so much of it, and it's hard to track these crooks down.  It's disappointing to get that kind of response--maybe if victims of this company would launch lawsuits against VISA for not trying to stop them when they knew about it, that would encourage the credit companies to do their part to put an end to these scams.
admin
Posted on: Monday, May 29th, 2006, 8:22pm
Administrator Group



Posts: 15

Quoted from invic
I recently received 32 emails in one day from Pharmacy Express, and have come to some of the same conclusions as you. I've contacted both Visa Canada and Visa USA to alert them of the probable misuse of their "Visa Verified" certificate on the Pharmacy Express website. I've been trying to get some information on Palm Grove House in Tortola. It seems there are several apparently normal businesses that have exactly the same PO Box. I had no idea what to make of that. Is there any way I can assist you in waging war on these people?

Thanks for stopping by the site and offering to post info.  There seems to be a lot of debate on the legitimacy of this Tortola address.  It looks like they are actually part of a company in Canada ("Pharmacy") that according to the Better Business Bureau, they cannot locate.  These guys have to be total crooks.  I've wondered what happens when someone actually orders from them--do they really deliver product?

Probably the most aggressive stance you can take against these spammers is to report them directly to their home state Attorney General (Links are on the links page of this site).  The Attorney General and/or Federal Trade Commission are the only ones that can actually go after and prosecute these people, and the more complaints are filed against them by different people, the sooner they may take notice.  A lot of spammers will try to get around the idea that spam in most cases itself isn't technically "illegal," and is only now starting to be prosecuted as a crime in itself, but deception, misrepresentation, failure to deliver goods or services definitely IS illegal.

mr_d
Posted on: Tuesday, May 30th, 2006, 2:02am
New Member


Posts: 3
Pharmacy Express has been spamming since 2004 back when it used servers based at Kornet in Korea.

In 2005 they added servers in Hong Kong and China.  Now they use servers (or zombie PC's) all over the globe.   They changed names many times since 2004 but you can tell it's the same place based on repeated Email patterns that progress over time such as their HTML and formatting tricks.   Sometimes their sites don't even display a real name.  They just highlight a word and stick a temporary embedded web link on it such as:

Online Meds Store
PharmacyByMAlL SSH0P
MEDlCATIONS By MAIL SHOOP
PHARMACY-BY-MAIL SHOP
MedzMail Shop
PiIlsOnline Store
PharmOnline Shop
Visit our Site
Try Viagra
Hi
V A L / u M
V / a G R A
M e R / D / A
S O m &
A m B / E N


I have a record of their sites going back to 2004.  
It appears they started calling themselves Pharmacy Express around Oct 2005.  

Pharmacy Express is the same place as Premier Pharmacy.  
They each have hundreds of sites and the sites are often identical except for the name.  I don't visit most links they send but I do record data about each link and promptly report them to their registrar, host network, etc.  

Canadian Pharmacy (an equally abusive spammer) shares DNS servers with Pharmacy Express on occasion but for the most part they use different web servers and DNS servers.  Perhaps they use the same "spammer network" (it's called China) so their paths cross on occasion.  Canadian Pharmacy also tends to use geocities.com redirects to hide their sites while Pharmacy Express typically does not.  

For a while Pharmacy Express had ties with LongZ enlargement Pills and MegaPower Pills sites and they were really bad for a while.  Fortunately those sites appear to have closed or moved.

Pharmacy Express maintains about 40 DNS servers at all times (that I know of) with a few getting shut down daily and others coming online just as quickly.  Some of the IP's they use host hundreds or even thousands of sites.  I can only provide info on the ones that were sent to me personally, which averages 25 to 40 new, unique sites per month from this spammer.

Try the reverse IP lookup tool at http://www.domaintools.com  (that's the new name for whois.sc).  Some spammer IP's host 60,000 sites, if that's possible.

Pharmacy Express changes their IP address 2-3 times a week in groups of 10-15 sites, typically concentrating on keeping the newest sites moving until they get shut down.  Some sites run undisturbed for months while most appear to run a few weeks and they move on.

They typically use each registrant name one time.  They may harvest these off the Internet since they tend to be unique.   Sometimes the data matches the info of real people and businesses.   95% of the registrants use a fake Yahoo Email address with their fake phone number, etc.

They tend to use Yesnic.com as the registrar for their DNS servers.  Yesnic doesn't reply or act timely enough to have any effect but they do eventually terminate the registration of some sites after months of abuse.  
Contrary to this, their web site registration is spread across a dozen foreign registrars such as
ENOM, INC.
Yesnic.com
BULKREGISTER, LLC.
LTD D/B/A PUBLICDOMAINREGISTRY.COM
ONLINE SAS BookmyName
HICHINA WEB SOLUTIONS (HONG KONG) LIMITED
XIN NET TECHNOLOGY CORPORATION
and many others.  They choose registrars who do not have an abuse policy or who have support pages written in Chinese to make reporting difficult.    Even the US based registrars such as GO DADDY SOFTWARE, INC. are irresponsible in this regard as they reply to repeated abuse from their customers with a letter saying they are "only" the registrar and they will continue to register sites to this spammer.  

I hope someone can use this info and help the situation. If I posted all the info I have it would fill many pages so I will close for now.  If anyone wants a detailed listing of their DNS servers, IP addresses, registrant names, SMTP Headers and server names with dates going back to 2004 or 2005 I can post more info.  

Looking at DNS info you can tell that similar sites such as  "My Canadian Pharmacy" (also called "International Legal RX") is a separate spammer with their own sites and servers.

As a primer, here is a sample of Pharmacy Express info.
Some of their sites changed IP's 8-10 times and are still running.  Most of these are active.  Older sites that are on registrar-hold have been omitted to save space.


Pharmacy Express recent site list:


DNS servers:
tman
Posted on: Wednesday, May 31st, 2006, 12:31pm
Frequent Contributor


Gender: Male
Posts: 36
Yet another alias for "Pharmacy."

Pharmacy Corp.
1916 North Church Street
Layton, UT 84040

This time they call themselves "International Legal RX medications"  with all the same "Verified by the BBB" and contact form info as "MyCanadianPharmacy."   Who knows if this address even means anything.

This one was spammed as http://lfjkpd.lamcentral.info/legalrx/

ADMIN NOTE: Address listed for Pharmacy Corp.  appears to be a Sod Farm.  Address most likely a fake. The Sod Farm is probably a victim as well.
TomS
Posted on: Monday, June 5th, 2006, 2:48pm
Guest User



SiteAdvisor is a web site rating service (see http://SiteAdvisor.com for details) that alerts users to problem sites when they visit one. The alert comes from a browser plug-in that reads the URL and does a remote database lookup in real time.

Most ratings are derived from automatic metrics produced by web crawlers and spam monitors. However -- they also allow any individual to post human reviews that get dialed into the overall score.

A number of SA reviewers have been tracking International Legal RX, Comfort RX, Pharmacy Express, US Drugs, etc. If you want to check a URL to see if it's already tagged, the SiteAdvisor page lets you look up a site. If you get a Spam, please add your comment to the SA reviews.

Here is an example of one recent post:
http://www.siteadvisor.com/sites/zoneskin.info
rob w
Posted on: Thursday, June 22nd, 2006, 6:26am
Guest User



MyCanadianPharmacy, as far as I can tell-

IP 195.141.149.161


According to webhosting.info, there are 7 domains at this IP. All of them hosted by an Andy Lambe (Lambe Solutions). His websites are-


1 ANDYLAMBE.COM.
2 ATLANTICLIFEQUOTE.COM.
3 CCIPNG.COM.
4 LAMBEFINANCIAL.COM.
5 LAMBESOLUTIONS.COM.
6 PEICREDITBULLETIN.COM.
7 PEILIFEQUOTE.COM.

email is-

support@lambesolutions.com


Robert Wright
rob@comdetroit.com
http://www.comdetroit.com
http://www.comdetroit.net

ADMIN NOTE:  After receiving communication from the above mentioned company, I am convinced that they were a victim of a hacked server.  They stated they have switched hosting companies, and that their web site security is tightened.  It is believed that they were in fact victimized by the spammer, and have nothing to do with Pharmacy Express, etc.  Therefore, their contact info is being distorted on this site.
tman
Posted on: Friday, June 23rd, 2006, 12:00am
Frequent Contributor


Gender: Male
Posts: 36
That's very interesting.....At first I thought you were on the wrong track with that IP and Lambe, since the Lambe site seems innocent enough.  Then I found this:  http://www.spamhaus.org/sbl/sbl.lasso?query=SBL42590

That IP is listed on their Register Of Known Spam Operations, and according to them, the IP is used to host image files that are referenced from the spamvertised URL's for various pharmaceutical spam.

One of the things that spammers do is try to hack into other web servers and make their own directory to host their spam, and of course victimizing the server owner with the mess they create.  While that's certainly possible here, it doesn't explain why images are STILL present at this IP address, and how they are hosted on Port 8080 (as far as I know, unless your server is WIDE WIDE WIDE open), the average hacking attempt isn't going to be able to open up a different port on that server for hosting (they wouldn't need to anyway).

Looks like, at the very least the folks at Lambe have some explaining to do as to why they're listed as a spam operation.
That being the case, it would be quite stupid to have any site so easily link them to the spams with their full contact info on the same IP as the IP used for spamming.

Again, very interesting.

ADMIN NOTE:  After receiving communication from the above mentioned company, I am convinced that they were a victim of a hacked server.  They stated they have switched hosting companies, and that their web site security is tightened.  It is believed that they were in fact victimized by the spammer, and have nothing to do with Pharmacy Express, etc.  Therefore, their contact info is being distorted on this site.
rob w
Posted on: Friday, June 23rd, 2006, 6:50am
Guest User



If you viewed the source on the MyCanadianPharmacy page, the Lambe Solutions IP address is in every image source. I emailed Lambe Solutions twice about this. The first time was to let Lambe Solutions know that they need to put a stop to it. The second time was a courtesy copy from the email I sent to-

webcomplaints@ora.fda.gov

I received no reply; however, today I tried to access these websites that were sent to me and none of them work! I went to my email trash and tried some of the others and none of them work. Somebody must have done something.

Rob Wright
rob@comdetroit.com
http://www.comdetroit.com
http://www.comdetroit.net

ADMIN NOTE:  After receiving communication from Lambe Solutions, I am convinced that they were a victim of a hacked server.  They stated they have switched hosting companies, and that their web site security is tightened.  It is believed that they were in fact victimized by the spammer, and have nothing to do with Pharmacy Express, etc.  Therefore, their contact info is being distorted on this site.
comdetroit
Posted on: Friday, June 23rd, 2006, 8:40am
Spam Fighter


Gender: Male
Posts: 52
Well, I got spammed again. It seems they are back (mycanadianpharmacy) and the images are still hosted at Lambe Solutions. I will email them every time I get garbage from these people.

Everything Internet
http://www.comdetroit.com
Detroit Area  
http://www.comdetroit.net
comdetroit
Posted on: Friday, June 23rd, 2006, 9:05am
Spam Fighter


Gender: Male
Posts: 52
I have phone numbers for Andy Lambe and Assoc.

1-877-433-8***

I called them. They stated that the webhosting portion is owned and operated by Andy Lambe's son. I informed the person I talked to that a major spammer has their images hosted at their IP address. They stated they did not know this was going on. This person seemed genuinely concerned.

ADMIN NOTE:  After receiving communication from the above mentioned company, I am convinced that they were a victim of a hacked server.  They stated they have switched hosting companies, and that their web site security is tightened.  It is believed that they were in fact victimized by the spammer, and have nothing to do with Pharmacy Express, etc.  Therefore, their contact info is being distorted on this site.

Everything Internet
http://www.comdetroit.com
Detroit Area  
http://www.comdetroit.net
Hamish
Posted on: Friday, June 23rd, 2006, 1:04pm
New Member


Posts: 2
Thank Heaven I have discovered this site to share the same feelings with you folks about Canadian Pharmacy or whatever they're called this week. I, too, have received loads of spam from this outfit - usually in a bluey-gray box with http://BoomBather or http://CLoseDLow or http://BlastCanvas inside this box plus the Cialis, Viagra bullshit and offers. They come in other forms too - anyone get a http with "hitcher" or "createline" in the name???
Now, TBH, I'm probably the last bloke on this planet who's computer illiterate - think "monkey at the controls of a Boeing 747" but I have used spamcop and the tools menu and have reduced my daily emails from about 100 down to circa 8 to 13 a day.
After using spamcop, I get replies from everywhere - Lithuania to Australia to France to Belgium  and so on plus replies from Comcast/Earthlink etc - all, what I believe are called, Site Administrators.
I notice, too, that they have FDA (Federal Drug Authority?) at the bottom of their home page - yeah, I tried the "report scam" forms - silly me. Like VISA, does the FDA know about this and, if so, are they doing anything about it? I have reported these spammers to them. Surely, a body like the FDA would be miffed when they are cited as "approving" this scam. There are others at the base of the homepage too but hard to make them out.
Any of the above make sense or ring a bell?
Hamish aka Noel Gannon, East  Galway, IRL - "the last of the internet virgins" LOL
TJ
Posted on: Saturday, June 24th, 2006, 5:58pm
New Member


Posts: 1
My Canadian Pharmacy is currently using:

195.141.149.161 - 161-sn-4-be.pchighway.com

in Switzerland to source images for their target web site

http://www.dottcare.info  

I have asked site support to remove the files and close any security hole that may have been created.
comdetroit
Posted on: Saturday, June 24th, 2006, 11:30pm
Spam Fighter


Gender: Male
Posts: 52
Well, I'm still getting a few of these. They have a snail mail address on the mycanadian pharmacy site. I wonder if it is any good.

Everything Internet
http://www.comdetroit.com
Detroit Area  
http://www.comdetroit.net
dj
Posted on: Sunday, June 25th, 2006, 4:52am
Guest User



Before finding this site and the disclaimer hidden away on the Better Business Bureau website I had written to the BBB and PharmacyChecker about the use of their logos.
BBB never responded but I have had a reply from PharmacyChecker saying that it hurts their business and "If you learn anything more about the company behind the spam and fraud please share it with us.". So I have passed on the details from the posts here about the image hosting to PharmacyChecker. I have also copied in BBB and "verified by Visa" in case they want to protect their reputation as well.

If anyone has tried filling out the order form (using duff information of course!) you will find that the screen does not have the padlock symbol that your credit card details will be encrypted. (Don't forget to remove the numbers at the end of the url which should help protect them knowing the email address they sent the mail to is active.) This is almost certainly a credit card number harvesting scam so I am surprised that Visa aren't more interested.

comdetroit
Posted on: Sunday, June 25th, 2006, 9:06am
Spam Fighter


Gender: Male
Posts: 52
According to webhosting.info all of the sites, except for the coconut site belong to Ande Lambe of Lambe Solutions. When I called them, the person I talked to said the hosting business is handled by Ande's son. Lambe Solutions, I think, is a hosting and software company. Being that everyone's been contacted and nothing has been done (I am STILL getting spammed by these people), something smells bad.

Everything Internet
http://www.comdetroit.com
Detroit Area  
http://www.comdetroit.net
dj
Posted on: Monday, June 26th, 2006, 3:04am
Guest User



I got a fairly bog standard off the shelf reply from verified by visa. -

"Thank you for contacting Visa and questioning the communication you received.  Visa will never ask you to provide personal information such as your bank account number, an account password, credit card number, PIN number, mother's maiden name, or Social Security number by email.

To learn more about 'How to spot a phishing email', please visit: http://usa.visa.com/personal/security/protect_yourself/common_frauds/phishing.html?it=c|/personal/security/protect_yourself/index%2Ehtml|Phishing

Our security department investigates these matters and works with the proper authorities to terminate the activity.  

Visa has many safeguards and detection systems in place, but prompt action by alert cardholders remains a very important method of stopping deceitful activities. Should you receive further communication that you deem questionable, please feel free to contact us immediately.

Please be reminded that U.S. cardholders are fully protected by Visa's Zero Liability policy. This means that cardholders pay nothing in the event of unauthorized card use.

We appreciate your bringing this matter to our attention.

Verified by Visa Webmaster"

You might have thought that they would have been a little more proactive and interested than this stock reply makes out. I think the credit card companies should take more responsibility for spam sites using their services as they give the spammers the ability to collect money from suckers who respond to the spams.
dj
Posted on: Wednesday, June 28th, 2006, 4:04am
Guest User



Anybody had any mails from MyCanadianPharmacy recently?

I was getting 6-12 a day before Monday.

I had six on Monday, all of which pointed to websites that could not be displayed.

Yesterday nothing!  
absolutchele
Posted on: Wednesday, June 28th, 2006, 11:22pm
New Member


Posts: 1
I've been getting at least 3 e-mails from MyCanadianPharmacy a day, including today.
Hamish
Posted on: Thursday, June 29th, 2006, 7:59am
New Member


Posts: 2
Hi again!
Anyone get spam from a company using various https?? The company is called VIP Pharmacy. I checked out Google and came up with VIP Pharmacy and sent them all the spam I received relating to VIP Pharmacy. I got this reply from a Mike Norwood. Apparently, VIP Pharmacy is registered all right but he claims they're legit even though he states they're really a software company but not the same VIP. Here's his email to me. Maybe it'll ring a bell with someone. Hamish

Sir,

I am sorry you are getting these emails, but unfortunately can not do
anything to stop them, as they do not come from us.  We do not sell or
market any drugs over the internet, we are a software company, and our
website is specifically used to market our pharmacy software.  Our
company name is VIP Computer Systems, INC.  We did register the web
address vip-pharmacy.com, but other than the spam showing the name VIP
Pharmacy at the bottom of their webpage, there is no connection at all
to our company.  We have gotten occasional emails about this over the
past couple of months and it appears that the spam links to various
different web addresses registered to people in Eastern Europe or
sometimes Asia.  The webpages have sometimes listed a partial address in
Port Richey, Florida, or a town in Utah on the contact us page, but it
appears the one you got does not even show that.  Again I wish I could
help you with this, but again our only connection at all is that we
registered a similar web address to the name used on the spammers
websites.

Mike Norwood
VIP Computer Systems
919-644-1690
Dave
Posted on: Saturday, July 1st, 2006, 8:33am
Guest User



Hi - I'm in the UK and get many spam messages from  "My Canadian Pharmacy"
usually from or via china telecom who I believe have just recently started
to accept abuse reports. Whether they do anything with them is another matter.

The latest effort  is from  http://plumageruby.info
The pictures for the following appear to be hosted in Germany
http://62.75.178.134:8080/p/images/veris.gif
         Top rated by pharmacychecker           listed at Better business bureau           verified by visa           verisign secure site           CIPA certification      
Return-Path: <celcoat@tiscali.co.uk>
Received: from He (218.14.199.152) by mk-cpfrontend.uk.tiscali.com (7.2.034.7)
       id 440D1D720656CDC4 for   David@tiscali.co.uk; Sat, 1 Jul 2006 11:18:55 +0100
Received: from [138.36.227.117] (port=2630 helo=138.36.227.117)
    by tiscali.co.uk with esmtp
    id krS9ig-eP5604-87
     for David@tiscali.co.uk; Sat, 01 Jul 2006 04:37:56 -1000
Content-class: urn:content-classes:message
Subject: save yOur wallet use cheap qual1ty meds and pi1ls
MIME-Version: 1.0
Content-Type: multipart/related;
    boundary="----_=_NextPart_001_01C69139.97634528";
Date: Sat, 01 Jul 2006 04:37:56 -1000
X-MimeOLE: Produced By Microsoft Exchange V6.5
Message-ID: <6325703.20060701043756@tiscali.co.uk>
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
Thread-Topic: save yOur wallet use cheap qual1ty meds and pi1ls
Thread-Index: GSBn4BdBvQIRSuESzbt2R8GuzFWdez==
From: "Billie" <celcoat@tiscali.co.uk>
To: David@tiscali.co.uk
X-Return-Path: celcoat@tiscali.co.uk
X-MDaemon-Deliver-To: David@tiscali.co.uk
X-MDAV-Processed: tiscali.co.uk, Sat, 01 Jul 2006 04:37:56 -1000
X-Spam: Not detected
   

I will report to China telecom and abuse@server4you.desk if they can stop hosting the pictures.
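The header check a reporter would run on the message quoted in the post above, as an added Python example that is not part of the original thread: it separates the one Received line stamped by the recipient's own server from the line below it, which the sender could have written, and picks the IP worth reporting. It assumes mk-cpfrontend.uk.tiscali.com is the recipient's inbound server; the function names and flag labels are made up for this example.

```python
import re
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Headers copied from the post above, trimmed to the fields the analysis uses.
RAW_HEADERS = """\
Return-Path: <celcoat@tiscali.co.uk>
Received: from He (218.14.199.152) by mk-cpfrontend.uk.tiscali.com (7.2.034.7)
       id 440D1D720656CDC4 for   David@tiscali.co.uk; Sat, 1 Jul 2006 11:18:55 +0100
Received: from [138.36.227.117] (port=2630 helo=138.36.227.117)
    by tiscali.co.uk with esmtp
    id krS9ig-eP5604-87
     for David@tiscali.co.uk; Sat, 01 Jul 2006 04:37:56 -1000
Subject: save yOur wallet use cheap qual1ty meds and pi1ls
Date: Sat, 01 Jul 2006 04:37:56 -1000
From: "Billie" <celcoat@tiscali.co.uk>
To: David@tiscali.co.uk

"""

# Assumption: the recipient's own inbound mail server is the host named in the
# topmost Received line. Only lines stamped by hosts in this set are trusted.
TRUSTED_RECEIVERS = {"mk-cpfrontend.uk.tiscali.com"}

IPV4 = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")
HOP = re.compile(r"from\s+(\S+)\s*(.*?)\s+by\s+(\S+)", re.I)


def parse_received(value):
    """Split one Received header into HELO name, source IP, receiver, time."""
    flat = " ".join(value.split())            # undo header folding
    clause, _, stamp = flat.rpartition(";")   # timestamp follows the last ';'
    m = HOP.match(clause)
    if not m:
        return None
    helo, extra, receiver = m.groups()
    ip = IPV4.search(helo + " " + extra)      # look only in the "from" part
    return {
        "helo": helo.strip("[]"),
        "ip": ip.group(0) if ip else None,
        "by": receiver.lower(),
        "time": parsedate_to_datetime(stamp.strip()),
    }


def analyse(raw, trusted=TRUSTED_RECEIVERS):
    """Return the IP that handed the mail to a trusted server, plus red flags."""
    msg = message_from_string(raw)
    hops = [h for h in map(parse_received, msg.get_all("Received", [])) if h]

    # Received lines are newest first. Walk down while our own servers did the
    # stamping; the last such hop records who connected to us. Everything
    # below that point was supplied by the sender and cannot be verified.
    handoff, untrusted = None, []
    for i, hop in enumerate(hops):
        if hop["by"] not in trusted:
            untrusted = hops[i:]
            break
        handoff = hop

    rcpt_domain = parseaddr(msg.get("To", ""))[1].rpartition("@")[2].lower()
    flags = []
    if handoff and "." not in handoff["helo"]:
        flags.append("handoff-helo-not-fqdn")
    for hop in untrusted:
        if IPV4.fullmatch(hop["helo"]):
            flags.append("unverified-helo-is-ip-literal")
        if rcpt_domain and hop["by"].endswith(rcpt_domain):
            # Claims to be the recipient's domain but is not a known receiver.
            flags.append("unverified-hop-names-recipient-domain")

    skew = None
    if handoff and untrusted:
        # An older hop should never carry a later timestamp than a newer one.
        skew = int((untrusted[0]["time"] - handoff["time"]).total_seconds())
        if skew > 0:
            flags.append("older-hop-stamped-later")

    return {
        "report_ip": handoff["ip"] if handoff else None,
        "skew_seconds": skew,
        "flags": flags,
    }


if __name__ == "__main__":
    print(analyse(RAW_HEADERS))
```

The address to look up in whois and send to the network's abuse contact is `report_ip`; addresses that appear only in the unverified lines are not reliable evidence of where the message came from.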
dj
Posted on: Sunday, July 2nd, 2006, 2:55am
Guest User



I just checked your link http://plumageruby.info/p/ and the top image is  http://66.93.90.164:8080/p/images/weship.gif. Perhaps they are moving the hosting of the pictures about?

http://www.arin.net/whois/ says that 66.93.90.164 is -
CustName:   FutureLink Communications
Address:    25 Broadway
City:       New York
StateProv:  NY
PostalCode: 10004
Country:    US
RegDate:    2006-05-23
Updated:    2006-05-23

NetRange:   66.93.90.160 - 66.93.90.191
CIDR:       66.93.90.160/27
NetName:    SPEK-444634-0
NetHandle:  NET-66-93-90-160-1
Parent:     NET-66-92-0-0-1
NetType:    Reassigned
Comment:    
RegDate:    2006-05-23
Updated:    2006-05-23

RTechHandle: AS3414-ARIN
RTechName:   Stollar, Andreas
RTechPhone:  +1-206-728-9770
RTechEmail:  abuse@speakeasy.net

OrgTechHandle: AS3414-ARIN
OrgTechName:   Stollar, Andreas
OrgTechPhone:  +1-206-728-9770
OrgTechEmail:  abuse@speakeasy.net

Surely as this is a US address and this is obviously a credit card number harvesting site, someone can report this to the law enforcement agencies in the US?



I'd also suggest copying any complaint to the BBB, PharmacyChecker and Verified by Visa so that they can take action to get their logos removed by this hosting company. I send them copies of the mail and include analysis of where the images are hosted and by whom with contact details.
Addresses I have used for these three are -
verifiedbyvisa@visa.com; bbbmp@bbbmp.ca; gabriel.levitt@pharmacychecker.com
I could not find a suitable address for Verisign who you would think would be interested in this sort of thing.

I haven't received a single one of these MyCanadianPharmacy mails in my main mailboxes for the last 5 days, since writing to all these companies about the use of their logos, and reporting all mails received from them to Spamcop for a couple of weeks.

62.75.178.134 as you say is in Germany -
inetnum:         62.75.178.0 - 62.75.178.255
netname:         SERVER4YOU-1
descr:           SERVER4YOU Dedicated Server Hosting
descr:           http://www.server4you.de
country:         DE
org:             ORG-BSBS1-RIPE
admin-c:         OD376-RIPE
tech-c:          IT1309-RIPE
rev-srv:         ns1.plusserver.de
rev-srv:         ns2.plusserver.de
status:          ASSIGNED PA
remarks:         Abuse-Contact: abuse@server4you.de
mnt-by:          INTERGENIA-MNT
source:          RIPE # Filtered
organisation:    ORG-BSBS1-RIPE
org-name:        B S B - Service GmbH
org-type:        NON-REGISTRY
descr:           Internet-Hoster
remarks:         BSB Service GmbH is part of intergenia AG
address:         Daimlerstr.9-11
address:         50354 Huerth
address:         Germany
phone:           +49 2233 612-0
fax-no:          +49 2233 612-144
admin-c:         OD376-RIPE
tech-c:          IT1309-RIPE
mnt-ref:         INTERGENIA-MNT
mnt-by:          INTERGENIA-MNT
source:          RIPE # Filtered
role:            Intergenia Technik
address:         intergenia AG
address:         Daimlerstr. 9-11
address:         50354 Huerth
phone:           +49 2233 612 0
fax-no:          +49 2233 612 144
remarks:         trouble:      Information Contact info@plusserver.de
remarks:         trouble:      Abuse Contact abuse@plusserver.de
remarks:         trouble:      for more information http://www.plusserver.de

There is another abuse address listed - abuse@plusserver.de
They are part of the larger RIPE organisation - abuse@ripe.net

Good Luck!!!
Logged
e-mail Reply: 23 - 181
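The lookup described in the post above (image URL, then host IP, then whois, then abuse contact) can be scripted. This is an added example, not part of the original post; the two sample records are abbreviated from the whois output quoted in that post, and the function names are hypothetical.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Abbreviated from the ARIN record quoted in the post above.
ARIN_SAMPLE = """\
CustName:   FutureLink Communications
Country:    US
NetRange:   66.93.90.160 - 66.93.90.191
CIDR:       66.93.90.160/27
NetName:    SPEK-444634-0
RTechEmail:  abuse@speakeasy.net
OrgTechEmail:  abuse@speakeasy.net
"""

# Abbreviated from the RIPE record quoted in the post above.
RIPE_SAMPLE = """\
inetnum:         62.75.178.0 - 62.75.178.255
netname:         SERVER4YOU-1
country:         DE
remarks:         Abuse-Contact: abuse@server4you.de
source:          RIPE # Filtered
remarks:         trouble:      Information Contact info@plusserver.de
remarks:         trouble:      Abuse Contact abuse@plusserver.de
"""

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def host_of(url):
    """Return the host part of an image URL, without the port."""
    return urlsplit(url).hostname


def parse_whois(text):
    """Pull the network range, name, country and contact addresses from
    ARIN-style or RIPE-style 'key: value' whois text (IPv4 ranges only)."""
    info = {"range": None, "netname": None, "country": None,
            "abuse": [], "other": []}
    for raw in text.splitlines():
        if raw.lstrip().startswith(("#", "%")) or ":" not in raw:
            continue  # registry comment lines and blank lines
        key, value = raw.split(":", 1)
        key, value = key.strip().lower(), value.strip()
        if key in ("netrange", "inetnum") and info["range"] is None:
            first, last = (ipaddress.ip_address(p.strip())
                           for p in value.split("-"))
            info["range"] = (first, last)
        elif key in ("netname", "country") and info[key] is None:
            info[key] = value
        for email in EMAIL_RE.findall(value):
            # An address counts as an abuse contact when the field name or
            # the text around it says so (OrgAbuseEmail, "Abuse Contact ...")
            # or when the mailbox itself is abuse@.
            is_abuse = "abuse" in key or "abuse" in value.lower()
            bucket = info["abuse"] if is_abuse else info["other"]
            if email not in bucket:
                bucket.append(email)
    return info


def abuse_contacts_for(ip, whois_text):
    """Return the abuse addresses for ip, refusing a record that does not
    actually cover it (e.g. whois output pasted for a different address)."""
    info = parse_whois(whois_text)
    if info["range"] is None:
        raise ValueError("no network range in whois record")
    first, last = info["range"]
    if not first <= ipaddress.ip_address(ip) <= last:
        raise ValueError(f"{ip} is outside {first} - {last}")
    return info["abuse"]
```

The range check matters when several image hosts are being tracked at once: it stops a complaint about one address being sent to the contacts from another network's record.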
tman
Posted on: Sunday, July 2nd, 2006, 3:49pm Report to Moderator
Frequent Contributor


Gender: Male
Posts: 36

Quoted from dj (Guest)
I just checked your link http://plumageruby.info/p/ and the top image is  http://66.93.90.164:8080/p/images/weship.gif. Perhaps they are moving the hosting of the pictures about?


Surely as this is a US address and this is obviously a credit card number harvesting site, someone can report this to the law enforcement agencies in the US?


I'd also suggest copying any complaint to the BBB, PharmacyChecker and Verified by Visa so that they can take action to get their logos removed by this hosting company. I send them copies of the mail and include analysis of where the images are hosted and by whom with contact details.
Addresses I have used for these three are -
verifiedbyvisa@visa.com; bbbmp@bbbmp.ca; gabriel.levitt@pharmacychecker.com
I could not find a suitable address for Verisign who you would think would be interested in this sort of thing.


Earlier in this thread, there's a link to the BBB's report on these guys.  According to them, they know they're using the logo illegally, but can't find them.  Probably same for VISA, Pharm Checker, etc.

As for the image hosting, I've seen lately that some spam, mainly the account phishing sites, are located on hacked servers.  Often a compromised web server can be a great tool for spreading spam, as the results become "someone else's problem."  Looking at the root IP address, that looks like a pretty legit operation to be purposely supporting spam.  It's hard to tell if this is the case, but it's certainly probable (and happens).  When you uncover one of these image hosts, try going to just the root URL.  If it looks like a legit company, try sending a polite e-mail informing them of it, with a copy of the URL.  If the page still remains after a few days, then maybe they are part of the spammers.  Spammers don't just screw up e-mail, they also victimize legit businesses and web sites.  Anything to avoid finding their real identity.
Logged Offline
Private Message Reply: 24 - 181
comdetroit
Posted on: Monday, July 3rd, 2006, 8:22am Report to Moderator
Spam Fighter


Gender: Male
Posts: 52
Earlier I posted-

According to webhosting.info, there are 7 domains at this IP. All of them hosted by an Andy Lambe (Lambe Solutions). His websites are-


1 ANDYLAMBE.COM.
2 ATLANTICLIFEQUOTE.COM.
3 CCIPNG.COM.
4 LAMBEFINANCIAL.COM.
5 LAMBESOLUTIONS.COM.
6 PEICREDITBULLETIN.COM.
7 PEILIFEQUOTE.COM.



I received an email from Ande Lambe at Lambesolutions.com about MyCanadianPharmacy possibly hosting their images on their servers. This was in response to a phone call I had made to them.

He stated that he was going to check into it. I haven't received any spam from them lately.

Everything Internet
http://www.comdetroit.com
Detroit Area  
http://www.comdetroit.net
Logged Offline
Site Private Message Reply: 25 - 181
dj
Posted on: Tuesday, July 4th, 2006, 5:24am Report to Moderator
Guest User



I hadn't received any MyCanadianPharmacy mails since 26 June and even then the urls were already dead.

Then today I received 4 of them again!  

Sorry make that 7, another three just came in.

Images all hosted at -
http://62.75.178.134:8080/p/images/weship.gif



Logged
e-mail Reply: 26 - 181
dj
Posted on: Tuesday, July 4th, 2006, 5:52am Report to Moderator
Guest User




Quoted from tman


Earlier in this thread, there's a link to the BBB's report on these guys.  According to them, they know they're using the logo illegally, but can't find them.  Probably same for VISA, Pharm Checker, etc.



I did find the BBB report (eventually). It is not exactly obvious when you go to their site. I'd like someone to tell me how to find it from their homepage!
My comment at these organisations is that they don't seem to do a lot to track down spammers misusing their logos and reputations.
Credit card companies (Visa etc) whine about credit card fraud.
Verisign provide secure credit card transmission which is compromised if their logo is misused.
BBB supposedly are a seal of approval for companies.
Only PharmacyChecker seemed at all concerned and gave me a personal reply, BBB did not respond at all and VerifiedbyVisa gave a template reply telling me how to spot phishing.

I suspect that if one or more of these organisations complained to the hosting companies officially then the image hosting would be removed a lot faster than if you or I complain.

I have mailed abuse@server4you.de and abuse@plusserver.de today reporting the image hosting on their server. - 62.75.178.134 It will be interesting to see how long the images remain there.

(End of whinge - I feel better now)

Logged
e-mail Reply: 27 - 181
dj
Posted on: Wednesday, July 5th, 2006, 4:37am Report to Moderator
Guest User



Eventually got 13 mails from MyCanadianPharmacy yesterday and have already had another 7 this morning already.
However trying to follow the links (after removing the string of numbers on the end) gives - The page cannot be displayed.
Hopefully this will mean that they will be off air for a couple of days.

Now on to the Luxury spams (fake replicas) and the spams without titles that offer me cheap credit if I "Naw email hier" (sic)
Logged
e-mail Reply: 28 - 181
comdetroit
Posted on: Thursday, July 6th, 2006, 9:20am Report to Moderator
Spam Fighter


Gender: Male
Posts: 52
The reason the emails from MyCanadianPharmacy may have stopped momentarily and the reason for the websites not working for a day or so is because they had to move. I called and talked to an associate of Lambe Solutions/Lambe Financial. I actually received a response from Ande Lambe of Lambe solutions. Lambe solutions is where the images for MyCanadianPharmacy were hosted-

Here is Ande Lambe's response-

I am told they think we have narrowed this down to one of my sites which appears to have permitted “hackers” to access in spite of our best intentions to prevent this. I have contacted the company who designed this site and written the code. They are very surprised this could have occurred but they promise to work on it today to make sure we prevent any future occurrences.

Thanks for bringing this to my attention.

Andy

Andy Lambe, CLU, CFP, CHFC, RHU
Andy Lambe & Associates Inc.
Partners In Planning
20 Great George St.
Charlottetown, PE
C1A 4J6
Ph. 902 368 8320
Fax 902 894 3159


Ande Lambe had booted them from his servers. His response was actually very quick and I made sure to thank him! The images are now hosted at another IP. I am back to getting 5-10 spams a day from them again.

Here is the new IP address-

62.75.178.134 port 8080

According to

http://remote.12dt.com/rns/lookup.php

This IP belongs to-

Intergenia.de

Name:         Hostmaster intergenia AG
Address:      Daimlerstrasse 9-11
Pcode:        50354
City:         Huerth
Country:      DE
Phone:        +49-2233-612-0
Fax:          +49-2233-612-146
Email:        domains@domains.intergenia.de
Changed:      2005-01-21T14:37:40+01:00

I have emailed them today.



Everything Internet
http://www.comdetroit.com
Detroit Area  
http://www.comdetroit.net
Logged Offline
Site Private Message Reply: 29 - 181
dj
Posted on: Thursday, July 6th, 2006, 10:26am Report to Moderator
Guest User




I have been getting the "new" emails since Tuesday. Sometimes the urls don't work when I first receive them but do later in the day.
I have also written to 'abuse@server4you.de' and 'abuse@plusserver.de', who are the new "hosts" for the images, on Tuesday and forwarded a number of the mails I have received from MyCanadianPharmacy. So far no response from them and the images are still on their server, eg - http://62.75.178.134:8080/p/images/weship.gif as of today.
Logged
e-mail Reply: 30 - 181
comdetroit
Posted on: Friday, July 7th, 2006, 10:02am Report to Moderator
Spam Fighter


Gender: Male
Posts: 52
They have found a new server to hack (intergenia.de). The last server they were on booted them because they had been hacked. I contacted, via email, the people at intergenia.de and haven't received a response yet. I will be emailing them again soon.

Everything Internet
http://www.comdetroit.com
Detroit Area  
http://www.comdetroit.net
Logged Offline
Site Private Message Reply: 31 - 181
comdetroit
Posted on: Friday, July 7th, 2006, 10:16am Report to Moderator
Spam Fighter


Gender: Male
Posts: 52
The images are no longer hosted by Intergenia.de and they have moved.

Everything Internet
http://www.comdetroit.com
Detroit Area  
http://www.comdetroit.net
Logged Offline
Site Private Message Reply: 32 - 181
dj
Posted on: Friday, July 7th, 2006, 12:39pm Report to Moderator
Guest User



You must be getting a new version of MyCanadianPharmacy emails, I have only had 3 mails in the last 24 hours, but the images were all still at the following location - http://62.75.178.134:8080/p/images/weship.gif - which is the intergenia server.

I am still complaining to them.
Logged
e-mail Reply: 33 - 181
dj
Posted on: Friday, July 7th, 2006, 1:35pm Report to Moderator
Guest User



I just checked a Spamhaus report dated 28 May - http://www.spamhaus.org/sbl/sbl.lasso?query=SBL42590

This lists the AndyLambe address 195.141.149.161/32 as listed on the Register Of Known Spam Operations (ROKSO) database as being assigned to, under the control of, or providing service to a known professional spam operation run by Yambo Financials.

Interestingly, it goes on to say -
"As usual, the spammer does not have his images here. They are located at:

MyCanadian IMAGES: http://62.75.178.134:8080/p/[varies]
at the SPAMHAUS listed IP address 62.75.178.134 on plusserver.de,intergenia.de/server4you.de"
so these images have been on the intergenia server at least since 28 May 2006!

Obviously they are not too worried.
Logged
e-mail Reply: 34 - 181
mr_d
Posted on: Saturday, July 8th, 2006, 12:16pm Report to Moderator
New Member


Posts: 3
Here is a compiled list of recent Pharmacy Express sites, all from SPAM.
The IPs change almost daily.

Pharmacy Express is the same as Premier Pharmacy, which many of you knew.  
Today I observed they are using the same exact spam format used by International Legal RX, and Canadian Pharmacy.   Sometimes they even share DNS servers.  We are dealing with ONE large spam network that goes by many names.  

It's interesting that they attempt to keep these web sites separate.  For example 30 Pharmacy Express sites all change IPs on the same day, as does Canadian Pharmacy.  But they don't share site IPs.  They share SPAM formats, and even DNS servers sometimes but they keep most of it separate.

Did you guys notice the Pharmacy Express address is shared by at least 4 other companies?

Pharmacy Express
Palm Grove House
P.O.Box 438 Road Town
Tortola, British Virgin Islands

The same address is also used by:
http://www.northcote.co.uk
http://www.fxuc.com
http://www.equitytrust.com    
http://www.nomuraholdings.com

They all seem to be investment firms of various types.  And there are a dozen more investment firms all located on that same street.  Probably hiding there on purpose.  


There is not much point reporting IPs since they move almost every day.
07/08/2006 all sites on 211.144.68.67
07/07/2006 sites on 60.191.254.119
07/06/2006 sites on 218.104.136.237
07/05/2006 sites on 218.104.136.243
07/04/2006 sites on 222.170.2.246


Pharmacy Express site list from SPAM:

DNS Servers:
Logged Offline
Private Message Reply: 35 - 181
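The post above infers one network behind several brands because sites that keep their IPs separate still share DNS servers now and then. That inference is a connected-components problem, shown here as an added example that is not part of the original post; every domain, IP and name server in it is a constructed placeholder (reserved `.example` names and documentation address ranges), and the function names are hypothetical.

```python
from collections import defaultdict

# Constructed observations: (spamvertised domain, site IP, name server).
OBSERVATIONS = [
    ("pharm-a.example",    "192.0.2.10",   "ns0.dns-one.example"),
    ("pharm-b.example",    "192.0.2.10",   "ns0.dns-two.example"),
    ("canpharm-a.example", "198.51.100.7", "NS0.DNS-TWO.EXAMPLE."),
    ("canpharm-b.example", "198.51.100.7", "ns0.dns-three.example"),
    ("watches.example",    "203.0.113.5",  "ns0.dns-four.example"),
]


class DisjointSet:
    """Union-find over arbitrary hashable nodes."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        root = x
        while self.parent[root] != root:
            root = self.parent[root]
        while self.parent[x] != root:  # path compression
            self.parent[x], x = root, self.parent[x]
        return root

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def _normalise(observations):
    """Lower-case names and drop the trailing dot so equal hosts compare equal."""
    for domain, ip, ns in observations:
        yield domain.lower().rstrip("."), ip, ns.lower().rstrip(".")


def cluster_domains(observations):
    """Group domains that are linked, directly or through other domains,
    by a shared site IP or a shared name server. Largest group first."""
    ds = DisjointSet()
    for domain, ip, ns in _normalise(observations):
        node = ("domain", domain)
        ds.union(node, ("ip", ip))
        ds.union(node, ("ns", ns))
    groups = defaultdict(set)
    for node in list(ds.parent):
        if node[0] == "domain":
            groups[ds.find(node)].add(node[1])
    return sorted((sorted(g) for g in groups.values()),
                  key=lambda g: (-len(g), g))


def shared_pivots(observations):
    """Return the IPs and name servers used by more than one domain:
    the specific pieces of infrastructure that tie a cluster together."""
    users = defaultdict(set)
    for domain, ip, ns in _normalise(observations):
        users[("ip", ip)].add(domain)
        users[("ns", ns)].add(domain)
    return {k: sorted(v) for k, v in users.items() if len(v) > 1}
```

In the constructed data the two "brands" never share a site IP, yet they fall into one cluster through the single name server they have in common.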
dj
Posted on: Saturday, July 8th, 2006, 2:55pm Report to Moderator
Guest User



I got another email today which I thought was going to be a MyCanadianPharmacy email.
The title was - "Your money, mint julep" which is the format I have been getting from MyCanadianPharmacy , and the text reads - "Even if you have no erectin problems SOFT CIAzLIS would help you to make BETTER SE  X MORE OFTEN!
and to bring  unimagnable plesure to her.

Just disolve half a pil under your tongue and get ready for action in 15 minutes.

The tests showed that the majority of men after taking this medic ation were able to have PERFECT ER ECTI ON during 36 hours!

VISIT US, AND GET OUR SPECIAL 70% DISC OUNT OFER!"

Then a url and the piece of text that looks as if it has been extracted from a book.

But when I looked at the site it is now headed "HealthSuite Certified Online Pharmacy" but is presumably still our old friends at MyCanadianPharmacy.

Interestingly, the images (not so many now) are hosted at the same location as the website!
Logged
e-mail Reply: 36 - 181
g4zilla
Posted on: Wednesday, July 12th, 2006, 10:54am Report to Moderator
New Member


Posts: 1
Pharmacy Express...from outta nowhere, I get 48 spam in 30 minutes. As of today they're at ortuncaze.com.

Lock me in a room with 'em, and they'll *need* a pharmacy! Somebody must live near these guys...
Logged Offline
Private Message Reply: 37 - 181
lava
Posted on: Friday, July 14th, 2006, 1:29pm Report to Moderator
Guest User



For months I've been sending copies of this spam with its Internet headers to the originating Internet providers.  It doesn't seem to do any good.  So many of these have gone out that my own IP will block my own abuse emails from being sent.  I guess a person just can't win!

These same fraud artists are not limited to trying to scam people with fake drug outlets, but they also have email scams linking to websites that deal with software, watches, and other things.

I think that perhaps we should flood these idiots with fake orders, fake names, and fake VISA card numbers.

This problem will likely continue as these scammers can safely operate unscathed from the recesses of their own backwoods country.  It seems as if we are impotent in this matter, and that our government officials need a little Viagra before they are able to do anything.


Logged
e-mail Reply: 38 - 181
Unfortunate Bystander
Posted on: Monday, July 17th, 2006, 12:44pm Report to Moderator
Guest User



I've got the opposite problem.  I have my own domain and run my own (small) mailserver.  The folks spamming for Pharmacy Express are using my domain name with random user names as the return address for a good portion of the spam that they send.  My poor little server has to cope with thousands of bounce messages, out-of-the-office messages, MAILER-DAEMON replies, anti-spam reports, etc, etc, to the tune of many thousands a day.  Is there any hope in stopping these guys?
Logged
e-mail Reply: 39 - 181
compinst
Posted on: Tuesday, July 18th, 2006, 5:18pm Report to Moderator
New Member


Posts: 1
This same company has been using some sort of email blasting majordomo program and using MY email name as the sender. I am not only getting junk emails from them under different names but also "returns" from IP's that these names no longer exist. So my research came up with all the names listed here plus a new one. http://www.xolertandefaceda.com with all the same junk being emailed. I notice when I use properties on the email I see the xolertandefaceda.com embedded into this majordomo crap. It burns me up that my site name is being used as a return address. As I'm writing this here is another spam same crap from agripi@joelsteed.com. This is amazing 10 a day plus the illegal name returns come to me. Rick@allkindstravel.com
Logged Offline
Private Message Reply: 40 - 181
dj
Posted on: Thursday, July 20th, 2006, 4:37am Report to Moderator
Guest User



If anyone on this board is in Canada, keep an eye on the "Globe and Mail". One of their reporters, Scott Roberts, is researching a story on rogue internet pharmacies. I have pointed him to this board and various other sources. Will be interesting to see what he comes up with.

He was looking for "victims", so perhaps some of you who have had your mail addresses used for sending out this junk might want to contact them about the effect this has. It is the "invisible" side of spamming that must really affect small businesses, but is not seen by the majority.
Logged
e-mail Reply: 41 - 181
guest
Posted on: Friday, July 21st, 2006, 11:50pm Report to Moderator
Guest User



My girlfriend has been getting text messages on her cell phone tonight advertising "cashmeds net", which leads you to MyCanadianPharmacy.  Three text messages in ten minutes!
Logged
e-mail Reply: 42 - 181
admin
Posted on: Saturday, July 22nd, 2006, 12:08am Report to Moderator
Administrator Group



Posts: 15
Here's one thing that might be worth a try.  This is from the Federal Drug Administration's Website:  http://www.fda.gov

Reporting Unlawful Sales of Medical Products on the Internet
Last Revised: Jan. 12, 2005

If you find a Website you think is illegally selling human drugs, animal drugs, medical devices, biological products, foods, dietary supplements or cosmetics over the Web, please select one of the three options below to report to FDA.

If your report:

* involves a life-threatening situation due to an FDA-regulated product you purchased from a Website, call 301-443-1240 immediately. (Also contact your health professional for medical advice.)
* involves a serious reaction or problem with an FDA-regulated product, fill out FDA's MedWatch reporting form. (Also contact your health professional for medical advice.)
* for problem Websites that DO NOT involve a life-threatening or otherwise serious reaction, fill out the form below. To report e-mails promoting medical products that you think might be illegal, forward the email to webcomplaints@ora.fda.gov.


I think I'll forward each one of the spams from Pharmacy Express/MyCanadianPhar/LegalRX/Discount Pharmacy etc. etc. etc. to webcomplaints@ora.fda.gov

Maybe if they see a huge influx of complaints, they might want to take some steps to put them out of business.   Remember, these guys aren't just "annoying" people through continuous spam, hijacking servers, etc; they are breaking federal laws by illegally dispensing prescription drugs.  
Logged Offline
Private Message Reply: 43 - 181
Dave
Posted on: Sunday, July 23rd, 2006, 6:21am Report to Moderator
Guest User




Quoted from dj (Guest)
I hadn't received any MyCanadianPharmacy mails since 26 June and even then the urls were already dead.

Then today I received 4 of them again!  

Sorry make that 7, another three just came in.

Images all hosted at -
http://62.75.178.134:8080/p/images/weship.gif




Hi
I originally advised the above  site for image posting (1 July) but have now
revisited the  http://plumageruby.info    /link and the accreditation
pics are now at  http://194.146.226.209:8080/p/images/cipa.gif

I have emailed them to see if they can block them
Logged
e-mail Reply: 44 - 181
had_enough
Posted on: Sunday, July 23rd, 2006, 3:35pm Report to Moderator
New Member


Posts: 4
Has anyone got a valid email address for Pharmacy Express?  If so, please post it here and we can all start forwarding their spam emails to them.
Logged Offline
Private Message Reply: 45 - 181
Tony Hoyle
Posted on: Sunday, July 23rd, 2006, 7:04pm Report to Moderator
Guest User



I've been plagued by these idiots - they've been sending from hundreds (thousands?) of ISPs with their vlzagra vzlagra, etc. spams.  SpamAssassin scores them very low (highest has been 2.5, and that's only because razor matched it).

I received over 50 in my inbox today, plus another 30 odd on my mailing list, which has been open to everyone for 5 years and is now members only simply because of this burst of spam (considering closing it entirely.. I won't become a spammer by proxy by forwarding this crap).

Up until last week I thought I had the problem licked.. maybe got a couple of spams a week past the filters.. nothing I couldn't handle.. now it's like they've found the magic formula for avoiding them and TBH I'm half way to installing something obnoxious like TMDA on my main account to shut the bastards up.
Logged
e-mail Reply: 46 - 181
spike
Posted on: Tuesday, July 25th, 2006, 2:09am Report to Moderator
New Member


Posts: 2
Hi, just found this site, what a relief not to be fighting these people alone. A few thoughts of my own. Seeing Canadian Pharmacy uses a Canadian address, it is up to the Canadian Government to deal with it. I contacted them, there is an anti-spam law but they didn't seem to be bothered. I am in the UK and have asked my Member of Parliament to raise the matter. Luckily I know her personally so fingers crossed.
I complain about every spam e-mail I receive (400+ one day); if enough complaints are made the industry will need to deal with it, they have the resources available to them.
Never thought about contacting Visa; if the pharmacy corp registered office does not exist then it is surely fraud. If Visa is told of this and does not act, they are condoning it.
From my experience in local politics, if you become a bigger nuisance than the problem, people in authority will deal with the problem.
     
Logged Offline
Private Message Reply: 47 - 181
chascas
Posted on: Tuesday, July 25th, 2006, 6:08am Report to Moderator
Guest User



Look at this! At the bottom of Pharmacy Express webs say
"© 2006 PharmacyExpress.com All Rights Reserved."

It could be a fake but if you investigate this web you can find some connections
http://www.pharmacyexpress.com/Default.aspx

It's a pharmacy or chemistry company from New Zealand and they have got an email in an image, probably to avoid "their own" spam.

Maybe we have got a valid email!
sales@PharmacyExpress.com

Sorry for my poor English.
Logged
e-mail Reply: 48 - 181
tman
Posted on: Tuesday, July 25th, 2006, 6:19pm Report to Moderator
Frequent Contributor


Gender: Male
Posts: 36

Quoted from chascas (Guest)
Look at this! At the bottom of Pharmacy Express webs say
"© 2006 PharmacyExpress.com All Rights Reserved."

It could be a fake but if you investigate this web you can find some connections
http://www.pharmacyexpress.com/Default.aspx

It's a pharmacy or chemistry company from New Zealand and they have got an email in an image, probably to avoid "their own" spam.

Maybe we have got a valid email!
sales@PharmacyExpress.com


I've seen that site before too, but I have a strong feeling it is not the same Pharmacy we are dealing with.  They don't seem to sell the same products, and have a full customer log-in area, not just typing your credit card in.
One of the things these "companies" like to do is to name themselves fairly generic names that would likely be something others would have, which makes it hard to find them  (Pharmacy Express, Discount Pharmacy, International Pharmacy, etc).

I doubt that this Pharmacy Express is the one we're dealing with----their site  and products are TOO different.   Also, I would think that they at least would be slapping the Verified by VISA, Better Business Bureau, Pharm Checker logos all over the place, and they do not.

At this point, it is theorized that Pharmacy Express, Discount Pharmacy, My Canadian Pharmacy, are the SAME people.  They seem to be from Canada, but even that isn't for certain at this point.
Logged Offline
Private Message Reply: 49 - 181
MarkGiles
Posted on: Wednesday, July 26th, 2006, 4:34pm Report to Moderator
All-Star


Posts: 363
http://www.pharmacyexpress.com is not one of the highly spammed Pharmacy Express sites.

The spammed ones fall under the umbrella of the same group, people like Alex Polyakov and Leo Kurayev - who are listed in ROKSO's top 10.  Their sites follow a set pattern, and have names like
* Pharmacy Express
* Discount Pharmacy
* My Canadian Pharmacy
* American Pharmacy (US Drugs)
* International Legal RX
* Special RX
* ED Choice

My Canadian Pharmacy runs on hacked machines that are connected 24 hours and have easy to guess administrator level passwords leaving them unprotected from intrusion. My Canadian Pharmacy sites even split their workload, with the html and java portion running on one hacked machine, and all of the images residing on a different hacked machine. The Name Servers for the thousands of domain names associated with these "pharmacies" are spread. This whole pharmacy scam business runs on stolen property all over the world.

The actual content on the sites is full of lies. Fake BBB certification and site awards, with links to their own site? You won't find the BBB certification or awards claimed at the relevant  BBB site.

A perusal of the Terms and Conditions shows them in flagrant breach of US and Canadian Drug Administration regulations, and that their drugs are sourced from India. When you see the lack of quality control in their spamming campaigns, and their stolen resources for the web sites, can you imagine their attention to quality control in the drug manufacturing process?

The site claims to be secure, so you should feel confident entering your credit card details on the ordering screen. But note that the ordering screen is neither https nor SSL. You can see all these lies for yourself.

Millions of spams per week are sent promoting the pharmacy suite of websites. The spamming runs themselves are also typically generated from spam-bots, again on illegally hacked and hijacked machines.

Anyone who is incredibly stupid enough to actually order product from such an obviously illegal operation, and thinks that they will get real pharmaceuticals, must be from a different planet.

Let the buyer beware.
Logged Offline
Private Message Reply: 50 - 181
mr_d
Posted on: Wednesday, July 26th, 2006, 11:30pm Report to Moderator
New Member


Posts: 3
Hi Guys.
I found out their contact info by filling out an order form with fake info.
Here is the contact info they supply to their customers:

support@pillsuitesupport.com
1-888-241-8489
1-888-242-0845

I also found out what appears to be the main site that handles their orders and user accounts right now located at:

http://www.hsuite.com.

Maybe we should be reporting that site instead of all the temp ones.

If you fill out the order form on a Pharmacy Express site with a properly formatted (but invalid) credit card number you can sometimes get to the order confirmation screen that takes you to hsuite.com  

Credit card numbers have to pass basic formatting tests calculated from a LUHN formula.  There is info about that on the net.   The invalid but properly formatted CC number gets passed on to VISA who will deny it but at least they see invalid orders from this spammer.   If enough people bug them VISA may decide it's not worth working with these spammers.  

There may be considerable value in annoying them with fake orders.
You can fill in real looking data so they waste time trying to figure it out.
You can also fill out fake info or detailed info about the spammer that may get to VISA when they process the Credit Card.

Orders placed on Pharmacy Express sites redirect to this site:

http://www.hsuite.com
Site title:  User Center
Company logo:  RX-SERV.COM
IP address  211.144.68.69
Name Server: NS0.HTTPHARM.COM
Name Server: NS1.HTTPHARM.COM

That site has remained constant for 2 weeks so it's not the same as their other sites that disappear after a couple days.

Here is the dialog from a completed order:

"We appreciate your choice and are glad to see you among our customers!
All the data regarding your order was sent to the e-mail address mentioned in the registration form, but we would recommend you to save the order ID of your transaction for further queries. Your order ID is RX00002-042354. Please print and save the information from this page.

All your questions about the delivery period, bank statement and similar queries connected with the billing services you may address our support team using the e-mail address support@pillsuitesupport.com or by call (toll free numbers: 1-888-241-8489 or 1-888-242-0845). We guarantee the response to your emails within 24 hours.

There is an opportunity to see your purchase status with all the needed information concerning your order at user center. By using user center you can speak with our support representative online. Your user center account available at http://www.pillsuitesupport.com/cgi-bin/userCenter/login.cgi ? userLogin = cULeNtar & userPassword = wOptingE.

You are granted a 20% discount for all other purchases you will make with us. To take part in the programm and use your discount, please, use this link: http://www.pillsuite.com/index.asp ? userLogin = cULeNtar & userPassword = wOptingE
Please note that the delivery may be carried out up to 40 days.




.......................................
PS.... and here is a recent site list. these are all the same site.
All on  211.144.68.87
Last week all were on 211.144.68.67


It's strange that most of their DNS servers are on Registrar-Hold but they keep using them anyway, and their drug sites seem to still be working.....

Pharmacy Express DNS Server list from July 2006:

Logged Offline
Private Message Reply: 51 - 181
MarkGiles
Posted on: Thursday, July 27th, 2006, 3:52am Report to Moderator
All-Star


Posts: 363
Join the campaign. Copy and paste these entries in an email to the administrators of the IP addresses being used.

Current sites running Pharmacy express:
Addresses: 211.144.68.67 211.144.68.87
The owner of the IP range is in China, complaints go to -
http://www.dnsstuff.com/tools/whois.ch?ip=211.144.68.67&server=whois.apnic.net&email=on
person:       Guifei Pang
e-mail:       mavis_1010@163.com

person:       Yuening Yin
e-mail:       legendlemon@163.com

Logged Offline
Private Message Reply: 52 - 181
MarkGiles
Posted on: Thursday, July 27th, 2006, 4:02am Report to Moderator
All-Star


Posts: 363
The name servers for the above Pharmacy Express servers are all on 5 IP addresses

ns0.angamlace.com [211.144.68.59]
ns0.hoteareket.com [211.144.68.59]
ns0.withomm.com [211.144.68.59]
ns0.orinaluch.com  [211.144.68.59]
ns0.stroticcutu.com [211.144.69.243]
Again, the IP address owner for the above two is found here
http://www.dnsstuff.com/tools/whois.ch?ip=211.144.68.67&server=whois.apnic.net&email=on


ns0.linesorete.com [218.93.201.57]
ns0.vesarhotto.com [218.104.136.232]
ns0.moranappy.com [221.231.139.31]

See
http://www.dnsstuff.com/tools/whois.ch?ip=218.93.201.57&server=whois.apnic.net&email=on
http://www.dnsstuff.com/tools/whois.ch?ip=218.104.136.232&server=whois.apnic.net&email=on
http://www.dnsstuff.com/tools/whois.ch?ip=221.231.139.31&server=whois.apnic.net&email=on

Complaints to these IP address administrators are likely to be the most effective approach. The Internet Society of China has a mission to stamp out spam and illegal Internet merchandising.


spam@jsinfo.net abuse@jsinfo.net anti-spam@ns.chinanet.cn.net

tech-group@china-netcom.com


Logged Offline
Private Message Reply: 53 - 181
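The count in the post above can be reproduced by grouping the listed name servers by address. This is an added example, not part of the original posts: it parses the listing as posted and groups the hosts by IP and by enclosing network. The /16 grouping width and all function names are assumptions, and the real allocation owner still comes from the whois lookups linked in the post.

```python
import ipaddress
import re
from collections import defaultdict

# Name-server lines as listed in the post above (hostname, then [IP]).
NS_LISTING = """\
ns0.angamlace.com [211.144.68.59]
ns0.hoteareket.com [211.144.68.59]
ns0.withomm.com [211.144.68.59]
ns0.orinaluch.com  [211.144.68.59]
ns0.stroticcutu.com [211.144.69.243]
ns0.linesorete.com [218.93.201.57]
ns0.vesarhotto.com [218.104.136.232]
ns0.moranappy.com [221.231.139.31]
"""

LINE_RE = re.compile(r"^\s*(?P<host>[A-Za-z0-9.-]+)\s+\[(?P<ip>[0-9.]+)\]\s*$")


def parse_listing(text):
    """Return (hostname, IPv4Address) pairs; blank or malformed lines are skipped."""
    pairs = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        try:
            ip = ipaddress.IPv4Address(m.group("ip"))
        except ipaddress.AddressValueError:
            continue  # e.g. an octet above 255
        pairs.append((m.group("host").lower().rstrip("."), ip))
    return pairs


def group_by_ip(pairs):
    """Map each address to the sorted list of name servers that sit on it."""
    groups = defaultdict(set)
    for host, ip in pairs:
        groups[ip].add(host)
    return {ip: sorted(hosts) for ip, hosts in groups.items()}


def group_by_block(pairs, prefix_len=16):
    """Map each enclosing network to its name servers.

    prefix_len is an assumption used only to cluster nearby addresses;
    it is not the registry's allocation size.
    """
    groups = defaultdict(set)
    for host, ip in pairs:
        net = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
        groups[net].add(host)
    return {net: sorted(hosts) for net, hosts in groups.items()}


def report_order(pairs, prefix_len=16):
    """Networks sorted so the one carrying the most name servers comes first."""
    blocks = group_by_block(pairs, prefix_len)
    return sorted(blocks.items(), key=lambda kv: (-len(kv[1]), kv[0]))


if __name__ == "__main__":
    pairs = parse_listing(NS_LISTING)
    print(len(group_by_ip(pairs)), "distinct addresses")
    for net, hosts in report_order(pairs):
        print(net, len(hosts), ", ".join(hosts))
```

Sorting by the number of name servers per network shows which complaint covers the most infrastructure at once.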
MarkGiles
Posted on: Thursday, July 27th, 2006, 5:38am Report to Moderator
All-Star


Posts: 363
In the previous listing from mr_d the sites are still all valid except

doforeval.com  404
miladimaruz.com Finest RX
nitergandecin.com Mortgage Suite
omiambell.com 404
plentosto.com = plentosto.com
poureole.com 404
qatapoleraveda.com 404
ranasstais.com 404
selinisa.com Mortgage
styliseen.com Mortgage
tolinootec.com 404
vertadexase.com 404
Logged Offline
Private Message Reply: 54 - 181
Bitterend
Posted on: Thursday, July 27th, 2006, 6:04pm Report to Moderator
New Member


Posts: 1
I have just started getting Spam from this crowd. Mailing Visa, Verisign, Pharmacy Checker, et al. has had no effect, these bodies just appear to ignore the problem.
I was trying to see if the address in the BVI's was real when I found you. Hooray!!!
Perhaps if stuff was ordered from this bunch of morons and then a signature was refused on delivery and the stuff sent back, or taken and not signed for or otherwise obtained by deception, and Visa was made to refund the cost under their guarantee scheme then, given sufficient complaints about the company they would revoke their merchant status. If they can't take the cash - they ain't got a business.
Short of going out there, finding them and beating the C**P out of them with a baseball bat (which would make me feel better) there seems to be no recourse.
I do understand that there are some people who organise automatic mass mailings to these firms which shuts their servers down for a period of time, but I know little of the mechanism for doing this.
Logged Offline
Private Message Reply: 55 - 181
MarkGiles
Posted on: Thursday, July 27th, 2006, 6:37pm Report to Moderator
All-Star


Posts: 363
See the Spam Fighting tips and techniques topic.

Logged Offline
Private Message Reply: 56 - 181
MarkGiles
Posted on: Sunday, July 30th, 2006, 3:17pm Report to Moderator
All-Star


Posts: 363
Take the time to copy and send the mail below.

My Canadian Pharmacy Sites:
Pinging abatebig.info [221.134.127.25]
Pinging yadak.info [218.64.95.171]

Images:
http://87.106.8.105:8080/p/images/

Those are the 3 addresses to follow up on.

Sample message to Rustom_Irani@sifycorp.com and smantha@sifycorp.net

This message is to alert you to a security breach on one of your systems.

Illicit drug site "My Canadian Pharmacy" has been installed on a hacked
machine located at IP address
221-134-127-25.sify.net [221.134.127.25]

On the machine at that address you will find a directory  off the server,
called simply /p
Please remove it, and ensure that machine is made more secure from intrusion.
=================================================
Also, for the other hosting address, to hostmaster@public1.nc.jx.cn and anti-spam@ns.chinanet.cn.net

This message is to alert you to a security breach on one of your systems.

Illicit drug site "My Canadian Pharmacy" has been installed on a hacked
machine located on CHINANET, Jiangxi province at IP address

218.64.95.171

In a trace to this machine, the last three sites in the path are
..  220.177.236.238
..  220.177.236.78
..  218.64.95.171

On the machine at that last address you will find a directory  off the web
server, called simply /p
In it is the My Canadian Pharmacy web site.

Please remove it, and ensure that machine is made more secure from intrusion.
Logged Offline
Private Message Reply: 57 - 181
MarkGiles
Posted on: Tuesday, August 1st, 2006, 9:15am Report to Moderator
All-Star


Posts: 363
To close down the three major pharmacy web sites that are constantly being spammed, you need to look up the 9 whois links below, and copy this message to the technical contact email addresses you find there. The sites will be relocated, but it is worthwhile closing the existing sites out.

==============================================================

Subject:  URGENT - One of your machines has been compromised
Body Text:

Please read the following information carefully about three illegal pharmacy operations.

1. My Canadian Pharmacy (MCP)
2. International RX (IRX)
3. American Pharmacy (AP)


The perpetrator runs these operations on machines that he has hacked into, and you are responsible for one of those machines.

The IP addresses of the two hacked machines running MCP and the hacked image server are:

MCP Sites: 221.134.127.25 222.243.203.143
MCP images: 87.106.8.105


The IP addresses of the two hacked machines running IRX and the hacked image server are:

IRX Sites: 194.25.153.130 220.130.39.67
IRX images: 82.242.12.102


The IP addresses of the two hacked machines running AP and the hacked image server are:

AP Sites: 200.117.131.92 69.46.230.40
AP images: 80.86.83.166




What to look for on your hacked machine

MCP website is in directory /p/
MCP images are in this directory
http://87.106.8.105:8080/p/images/

IRX websites are in directory /legalrx/
IRX images are in this directory
http://82.242.12.102:8080/legalrx/images/

AP websites are in directory /usd/
AP images are in this directory
http://80.86.83.166:8080/usd/images/

What you need to do is to locate the machine that this criminal has hacked into, locate the directory containing his pharmacy web server infection, and remove it. You also need to make that machine more secure to avoid further hacking.


Why have you been sent this message?

These are the links to the people who own the hacked machines, including yourself.

MCP sites
http://www.dnsstuff.com/tools/whois.ch?ip=221.134.127.25&email=on
http://www.dnsstuff.com/tools/whois.ch?ip=222.243.203.143&email=on
http://www.dnsstuff.com/tools/whois.ch?ip=87.106.8.105&email=on

IRX sites
http://www.dnsstuff.com/tools/whois.ch?ip=194.25.153.130&email=on
http://www.dnsstuff.com/tools/whois.ch?ip=220.130.39.67&email=on
http://www.dnsstuff.com/tools/whois.ch?ip=82.242.12.102&email=on

AP sites
http://www.dnsstuff.com/tools/whois.ch?ip=200.117.131.92&email=on
http://www.dnsstuff.com/tools/whois.ch?ip=69.46.230.40&email=on
http://www.dnsstuff.com/tools/whois.ch?ip=80.86.83.166&email=on

Thank you for your urgent attention to this matter.
Logged Offline
Private Message Reply: 58 - 181
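For an administrator who receives the report above, one way to check whether a web server is actually handing out content from the named directories. This is an added example, not part of the original post: the directory names /p/, /legalrx/ and /usd/ and the file name weship.gif come from the thread, while the Common Log Format, the sample log lines and the function names are assumptions constructed here.

```python
import posixpath
import re
from collections import Counter
from urllib.parse import unquote

# Directory names from the report; the labels are the report's abbreviations.
SUSPECT_DIRS = {"/p/": "MCP", "/legalrx/": "IRX", "/usd/": "AP"}

# Constructed sample lines in Common Log Format (an assumed log format).
# Client addresses are documentation ranges; logo.gif is a made-up file name.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Aug/2006:09:15:02 +0000] "GET /p/images/weship.gif HTTP/1.1" 200 5120
192.0.2.11 - - [01/Aug/2006:09:15:09 +0000] "GET /p/ HTTP/1.1" 200 18230
198.51.100.7 - - [01/Aug/2006:09:16:41 +0000] "GET /products/index.html HTTP/1.1" 200 2048
198.51.100.7 - - [01/Aug/2006:09:17:03 +0000] "GET /legalrx/images/logo.gif HTTP/1.1" 404 209
192.0.2.10 - - [01/Aug/2006:09:18:30 +0000] "GET /%70/images/weship.gif?x=1 HTTP/1.1" 200 5120
203.0.113.5 - - [01/Aug/2006:09:19:00 +0000] "GET /index.html HTTP/1.1" 200 1024
this line is not a log entry
"""

CLF_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+'
)


def normalize(target):
    """Drop the query string, decode %xx escapes and collapse ./ and ../ segments."""
    path = unquote(target.split("?", 1)[0])
    norm = "/" + posixpath.normpath(path).lstrip("/")
    if path.endswith("/") and norm != "/":
        norm += "/"  # normpath strips the trailing slash; keep it for prefix matching
    return norm


def classify(path):
    """Return the label of the suspect directory the path falls under, or None."""
    for prefix, label in SUSPECT_DIRS.items():
        if path.startswith(prefix) or path == prefix.rstrip("/"):
            return label
    return None


def scan(log_text):
    """Summarise requests under the suspect directories.

    'served' counts 2xx/3xx responses (the content exists and was delivered);
    'not_served' counts everything else, such as a 404 for a missing file.
    """
    findings = {}
    for line in log_text.splitlines():
        m = CLF_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        path = normalize(m.group("target"))
        label = classify(path)
        if label is None:
            continue
        entry = findings.setdefault(
            label,
            {"served": 0, "not_served": 0, "clients": set(), "files": Counter()},
        )
        if 200 <= int(m.group("status")) < 400:
            entry["served"] += 1
            entry["clients"].add(m.group("client"))
            entry["files"][path] += 1
        else:
            entry["not_served"] += 1
    for entry in findings.values():
        entry["clients"] = sorted(entry["clients"])
    return findings


if __name__ == "__main__":
    for label, entry in scan(SAMPLE_LOG).items():
        print(label, entry["served"], entry["not_served"], entry["files"].most_common(3))
```

A directory called /p/ can also be legitimate, so a hit is a prompt to inspect the directory and its file dates, not proof of compromise.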
JoeOhlandt
Posted on: Tuesday, August 1st, 2006, 4:07pm Report to Moderator
New Member


Posts: 2
Hello,

These jerks were using my business email address to send spam so I decided to have a little fun to get even with them.

I filled out the contact form on the web site telling them they would get the same message every day 1,000 times if they did not stop using my email address for their spam. Then I paid a local kid to sit there and send it to them 1,000 times by just clicking on the submit and back buttons.

I guess it worked as the bounced emails stopped the next day. It was worth the price and made the kid a few bucks.

Joe Ohlandt
Logged Offline
Private Message Reply: 59 - 181
Hawk
Posted on: Wednesday, August 2nd, 2006, 11:19am Report to Moderator
Guest User



I'm writing a program designed to flood their server.  Anyone want a copy?
Logged
e-mail Reply: 60 - 181
dj
Posted on: Sunday, August 6th, 2006, 7:58am Report to Moderator
Guest User




Quoted from mr_d
Hi Guys.
I found out their contact info by filling out an order form with fake info.
Here is the contact info they supply to their customers:

support@pillsuitesupport.com
1-888-241-8489
1-888-242-0845

I also found out what appears to be the main site that handles their orders and user accounts right now located at:

http://www.hsuite.com.

Maybe we should be reporting that site instead of all the temp ones.

If you fill out the order form on a Pharmacy Express site with a properly formatted (but invalid) credit card number you can sometimes get to the order confirmation screen that takes you to hsuite.com  

Credit card numbers have to pass basic formatting tests calculated from a LUHN formula.  There is info about that on the net.   The invalid but properly formatted CC number gets passed on to VISA who will deny it but at least they see invalid orders from this spammer.   If enough people bug them VISA may decide it's not worth working with these spammers.  

There may be considerable value in annoying them with fake orders.
You can fill in real looking data so they waste time trying to figure it out.
You can also fill out fake info or detailed info about the spammer that may get to VISA when they process the Credit Card.

Orders placed on Pharmacy Express sites redirect to this site:

http://www.hsuite.com
Site title:  User Center
Company logo:  RX-SERV.COM
IP address  211.144.68.69
Name Server: NS0.HTTPHARM.COM
Name Server: NS1.HTTPHARM.COM

That site has remained constant for 2 weeks so it's not the same as their other sites that disappear after a couple days.

Here is the dialog from a completed order:

"We appreciate your choice and are glad to see you among our customers!
All the data regarding your order was sent to the e-mail address mentioned in the registration form, but we would recommend you to save the order ID of your transaction for further queries. Your order ID is RX00002-042354. Please print and save the information from this page.

All your questions about the delivery period, bank statement and similar queries connected with the billing services you may address our support team using the e-mail address support@pillsuitesupport.com or by call (toll free numbers: 1-888-241-8489 or 1-888-242-0845). We guarantee the response to your emails within 24 hours.

There is an opportunity to see your purchase status with all the needed information concerning your order at user center. By using user center you can speak with our support representative online. Your user center account available at http://www.pillsuitesupport.com/cgi-bin/userCenter/login.cgi ? userLogin = cULeNtar & userPassword = wOptingE.

You are granted a 20% discount for all other purchases you will make with us. To take part in the programm and use your discount, please, use this link: http://www.pillsuite.com/index.asp ? userLogin = cULeNtar & userPassword = wOptingE
Please note that the delivery may be carried out up to 40 days.




.......................................
PS.... and here is a recent site list. these are all the same site.
All on  211.144.68.87
Last week all were on 211.144.68.67


It's strange that most of their DNS servers are on Registrar-Hold but they keep using them anyway, and their drug sites seem to still be working.....

Pharmacy Express DNS Server list from July 2006:



I find it interesting that you got as far as getting an order accepted. Every time I put an order in (with fake details of course!!!) I only get a message to check that my order is accepted (which it isn't) and would I like to use another credit card number. I never expected there was a pharmacy behind these mails, I just thought they were harvesting credit card numbers.
Logged
e-mail Reply: 61 - 181
dj
Posted on: Sunday, August 6th, 2006, 8:07am Report to Moderator
Guest User



This is the only way to really get rid of these sort of spammers. Unless everyone makes their systems more secure, they will move from server to server quicker than we can close them down.

Always fill out 'contact me' details, always order the products, using fake ids & credit card numbers. If everyone did this (preferably using load testing software like Loadrunner) they would not be able to sort the dross from the valid information.
Logged
e-mail Reply: 62 - 181
dj
Posted on: Sunday, August 6th, 2006, 4:06pm Report to Moderator
Guest User



I have just checked the latest emails received from our friend at MyCanadianPharmacy and the images are hosted at http://137.207.234.52:8080/p/images/weship.gif.

http://ws.arin.net/cgi-bin/whois.pl says that 137.207.234.52 is the University of Windsor, ON, Canada so I have emailed noah@uwindsor.ca  who is the Tech support asking if they know that they are hosting these images and asking them to remove them. I have also copied it to 'pbristo@uwindsor.ca' who is the manager of IT services.
We will see how long the images stay there!
Logged
e-mail Reply: 63 - 181
tman
Posted on: Sunday, August 6th, 2006, 11:30pm Report to Moderator
Frequent Contributor


Gender: Male
Posts: 36
Found another possible "real" e-mail address.  This is from Rip-Off Report: http://www.ripoffreport.com/reports/ripoff204074.htm.  Here's someone who actually ordered from them:

From the Rip-Off Report:
MyCanadianPharmacy Ripoff and a Fraud Sells Generic Medication From India Advertises Name Brand Toronto Ontario

Company
MyCanadianPharmacy
Address:
1592 Wilson Avenue
Toronto Ontario M3L 1A6
Canada

This company is a fraud. They may use an address in Canada, but their medication comes from India. On their website they advertise "name brand" Viagra and Cialis, however, what they send is loose packaged (not even factory sealed) by hand, generic pills.
I called the 1-800 number many times...and left emails for them at support@mypharmacyportal.com and they never responded.
Don't waste your time with these frauds.



I went to http://www.mypharmacyportal.com and sure enough--it's My Canadian Pharmacy.  Unfortunately, the WHOIS info all seems to lead to nowhere but overseas, but this at least appears to be another "semi-permanent" address.

Unfortunately, the above Rip-Off report also proves that people are willing to actually order from these people as a result of the spams---I'm sorry, I just can't fathom how naive some people are---who would order from an "ad" that contains misspellings & gibberish? How the hell do you look at these spams and think "they seem trustworthy?" I'm really surprised that people are savvy enough to navigate around the internet, but clueless to recognize even the most obvious fraud. This is part of the reason why spammers keep spamming.
Logged Offline
Private Message Reply: 64 - 181
dj
Posted on: Monday, August 7th, 2006, 12:10pm Report to Moderator
Guest User




Quoted from tman
Found another possible "real" e-mail address.  This is from Rip-Off Report: http://www.ripoffreport.com/reports/ripoff204074.htm.  Here's someone who actually ordered from them:

From the Rip-Off Report:
MyCanadianPharmacy Ripoff and a Fraud Sells Generic Medication From India Advertises Name Brand Toronto Ontario

Company
MyCanadianPharmacy
Address:
1592 Wilson Avenue
Toronto Ontario M3L 1A6
Canada

This company is a fraud. They may use an address in Canada, but their medication comes from India. On their website they advertise "name brand" Viagra and Cialis, however, what they send is loose packaged (not even factory sealed) by hand, generic pills.
I called the 1-800 number many times...and left emails for them at support@mypharmacyportal.com and they never responded.
Don't waste your time with these frauds.



I went to http://www.mypharmacyportal.com and sure enough--it's My Canadian Pharmacy.  Unfortunately, the WHOIS info all seems to lead to nowhere but overseas, but this at least appears to be another "semi-permanent" address.

Unfortunately, the above Rip-Off report also proves that people are willing to actually order from these people as a result of the spams---I'm sorry, I just can't fathom how naive some people are---who would order from an "ad" that contains misspellings & gibberish?  How the hell do you look at these spams and think "they seem trustworthy?" I'm really surprised that people are savvy enough to navigate around the internet, but clueless to recognize even the most obvious fraud.  This is part of the reason why spammers keep spamming.


I would have thought that this guy's next port of call should be to VISA. I assume he has paid using a credit card (they only seem to accept VISA) and even verified by VISA admits the use of their logo is unauthorised, but they do nothing to stop its use.
I don't know about USA/Canada, but in the UK you can claim for faulty goods against the credit card company. At the very least you can claim that the goods were not what was ordered and get the charge recredited?

Perhaps if everyone who was ripped off by this organisation did that the credit card companies would be more careful who they associated with.
Logged
e-mail Reply: 65 - 181
dj
Posted on: Tuesday, August 8th, 2006, 3:37am Report to Moderator
Guest User



I forwarded a number of mails over the last day or so to the University of Windsor, Ontario, telling them that they were hosting the images for MyCanadianPharmacy.

I copied a couple of them not only to tech support but also to a couple of more senior names in the IT support and Computer Science Dept and whoopie, today the picture at http://137.207.234.52:8080/p/images/weship.gif has disappeared.

Thank you University of Windsor for a quick response. Hopefully we will get a day's rest from MCP before they find another host.
Logged
e-mail Reply: 66 - 181
TheShootist
Posted on: Tuesday, August 15th, 2006, 2:44am Report to Moderator
New Member


Posts: 7

Quoted from MarkGiles
Join the campaign. Copy and paste these entries in an email to the administrators of the IP addresses being used.

Current sites running Pharmacy express:
Addresses: 211.144.68.67 211.144.68.87
The owner of the IP range is in China, complaints go to -
http://www.dnsstuff.com/tools/whois.ch?ip=211.144.68.67&server=whois.apnic.net&email=on
person:       Guifei Pang
e-mail:       mavis_1010@163.com

person:       Yuening Yin
e-mail:       legendlemon@163.com



I hate to break it to you but 163.com is a MAJOR source of SPAM. They were ruthless on my poor mailbox, I have not gotten anything in a while but they still have reputation here.
Logged Offline
Private Message Reply: 67 - 181
duke_10020421
Posted on: Wednesday, August 16th, 2006, 1:13am Report to Moderator
New Member


Posts: 1
Hi all,
I have located pharmacy express and all other aliases they use. To confirm, I located full contact details etc. Unfortunately his "gate keepers" are not as savvy as he is.

Now I would like people who are in the process of court proceedings etc to contact me so I can pass on these details. I think the first step should be to bring these people to justice. If this fails, I will happily post all his details, as well as the details of his accomplices and business partners etc etc.

Email me at - spammerbgone@informal.com.au (please don't abuse this address!!)

Best regards,
Josh Guest (Australia)
Logged Offline
Private Message Reply: 68 - 181
Straughan
Posted on: Wednesday, August 16th, 2006, 1:57am Report to Moderator
New Member


Posts: 1
These spammers are spoofing my family domain - I wish to effectively deal with them - anyone got any concrete suggestions?
Logged Offline
Private Message Reply: 69 - 181
MarkGiles
Posted on: Wednesday, August 16th, 2006, 6:21am Report to Moderator
All-Star


Posts: 363

Quoted from duke_10020421
Hi all,
I have located pharmacy express and all other aliases they use. To confirm, I located full contact details etc. Unfortunately his "gate keepers" are not as savvy as he is.

Now I would like people who are in the process of court proceedings etc to contact me so I can pass on these details. I think the first step should be to bring these people to justice. If this fails, I will happily post all his details, as well as the details of his accomplices and business partners etc etc.

Email me at - spammerbgone@informal.com.au (please don't abuse this address!!)

Best regards,
Josh Guest (Australia)



The people to arrest are already well known, and identified. Pharmacy Express would have to be the work of Leo Kuvayev. He is trying to match the level of the Yambo Financials gang, who work with Alex Polyakov / Alex Blood. They are responsible for a chain of similar sites, including My Canadian Pharmacy, International RX, US Drugs. They also have sites selling fake watches, Caviar, and even a book on successful dating! [duh!]

Pharmacy Express and the other fake, illegal pharmacies (Ed Choice, Health Suite, Finest RX) from Leo run on "bulletproof" hosts in China, but are vulnerable to Name Server complaints to the registrars. Leo is nowhere near as clever as his competition.

Incidentally, there are no known situations of actual product being delivered by these scammers. But they sure have a lot of credit card numbers to play with from the suckers who order.

If you have any more information than what is already well known, there is no reason to be shy. Post it.


Logged Offline
Private Message Reply: 70 - 181
MarkGiles
Posted on: Wednesday, August 16th, 2006, 6:35am Report to Moderator
All-Star


Posts: 363

Quoted from TheShootist


I hate to break it to you but 163.com is a MAJOR source of SPAM. They were ruthless on my poor mailbox, I have not gotten anything in a while but they still have reputation here.


:lol: Hahahaha - break it to me?  :roll:

I have had 163.com in my spam filters for over 3 years. I had to take it out last month so I could receive replies from my complaints.

The Chinese ISC has an amazingly good knowledge of the major spam operations, and have them better documented than most other countries. Example. Take this link (don't click "English") and run your eye down the English parts. You should recognise some familiar names and IP addresses (211.144.68.xxx - 211.144.69.xxx)

http://www.anti-spam.cn/ShowArticle.php?id=3169

It is a great pity that they do nothing with that knowledge. But that does not mean anyone can't lodge complaints, with a link to such Chinese anti-spam pages for evidence to spur some action. It is time for them to walk the walk.
Logged Offline
Private Message Reply: 71 - 181
klippy
Posted on: Wednesday, August 16th, 2006, 6:16pm Report to Moderator
Guest User



Firepay | Neteller | Intercasino | Online Casino | Lucky Nugget | Riverbelle | Golden Palace | Intertops
Logged
e-mail Reply: 72 - 181
Guest
Posted on: Monday, August 21st, 2006, 10:40am Report to Moderator
Guest User



Hi,
I regularly get spammed by "pharmacy express" and wonder where they got my mail address from, as just a very few people got it and it's not one of those info, contact or mail@ addresses....


Logged
e-mail Reply: 73 - 181
3r1c
Posted on: Monday, August 21st, 2006, 1:18pm Report to Moderator
New Member


Posts: 2
I am a web programmer and these fuckers keep spamming my domain and no filters will help because every email is different.

I'm sick of it so I have made a nice surprise for them.
Currently I have knocked all their websites offline for about 16 hours now
I guess they're busy filtering IPs because I haven't got any spam yet today.

See http://www.3r1c.eu/nospam.html

If you have a webpage put this code to help keep them down
<iframe src="http://www.3r1c.eu/nospam.html" height="1" width="1"></iframe>
Logged Offline
Private Message Reply: 74 - 181
Guest
Posted on: Monday, August 21st, 2006, 8:43pm Report to Moderator
Guest User




Quoted from TomS (Guest)
SiteAdvisor is a web site rating service (see http://SiteAdvisor.com for details) that alerts users to problem sites when they visit one. The alert comes from a browser plug-in that reads the URL and does a remote database lookup in real time.

Most ratings are derived from automatic metrics produced by web crawlers and spam monitors. However -- they also allow any individual to post human reviews that get dialed into the overall score.

A number of SA reviewers have been tracking International Legal RX, Comfort RX, Pharmacy Express, US Drugs, etc. If you want to check a URL to see if it's already tagged, the SiteAdvisor page lets you look up a site. If you get a Spam, please add your comment to the SA reviews.

Here is an example of one recent post:
http://www.siteadvisor.com/sites/zoneskin.info


Logged
e-mail Reply: 75 - 181
Guest
Posted on: Tuesday, August 22nd, 2006, 11:33am Report to Moderator
Guest User




Quoted from rob w (Guest)
If you viewed the source on the MyCanadianPharmacy page, the Lambe Solutions IP address is in every image source. I emailed Lambe Solutions twice about this. The first time was to let Lambe Solutions know that they need to put a stop to it. The second time was a courtesy copy from the email I sent to-

webcomplaints@ora.fda.gov

I received no reply however, today I tried to access these websites that were sent to me and none of them work! I went to my email trash and tried some of the others and none of them work. Somebody must have done something.

Rob Wright
rob@comdetroit.com
http://www.comdetroit.com
http://www.comdetroit.net


Logged
e-mail Reply: 76 - 181
MarkGiles
Posted on: Tuesday, August 22nd, 2006, 6:23pm Report to Moderator
All-Star


Posts: 363
Good to hear it, Rob. However, two points.

1. The discussion is about My Canadian Pharmacy - not to be confused with Pharmacy Express - the work of a different criminal gang.

2. My Canadian Pharmacy have lots of machines they have hijacked for image servers. At any one time they will have up to 4 hijacked image servers in use. Shut one down by letting the admin know, and the gang quickly redirects to another. So you have seen the tip of the iceberg.

Here is a list of image servers they  have hacked into and hijacked recently. For each you will find the Whois link for the address owner, and five links to demonstrate whether the hijacked machine is still in use as a proxy, serving up the images for the gang's illicit web sites at the victim's expense and on their bandwidth.

Logged Offline
Private Message Reply: 77 - 181
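
The step described in the posts above (view the page source, find the raw IP address in every image source, notify that machine's owner) can be done without requesting anything from the hijacked host. The following is an added example, not part of the original thread: the function names and the sample page are constructed, and the sample addresses are documentation ranges rather than hosts from the thread.

```python
import ipaddress
from collections import defaultdict
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed page source. The addresses are RFC 5737 documentation ranges,
# not hosts named in this thread; only the path style follows the thread.
SAMPLE_HTML = """\
<html><body>
<img src="http://192.0.2.10:8080/p/images/weship.gif" alt="">
<img src="http://192.0.2.10:8080/p/images/logo.gif">
<IMG SRC="http://198.51.100.7:8080/p/images/weship.gif">
<img src="/local/spacer.gif">
<img src="http://images.example.com/banner.gif">
<img src="http://203.0.113.5/promo.gif">
</body></html>
"""


class ImgSrcCollector(HTMLParser):
    """Collect the src attribute of every <img> tag (names are lower-cased)."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.sources.extend(v for k, v in attrs if k == "src" and v)


def ip_literal_image_hosts(html):
    """Return {(ip, port): sorted image paths} for images served from a raw IP.

    Only the saved source is parsed; no request is sent to any listed host.
    """
    collector = ImgSrcCollector()
    collector.feed(html)
    collector.close()
    hosts = defaultdict(set)
    for src in collector.sources:
        try:
            parts = urlsplit(src.strip())
            port = parts.port          # raises ValueError on a bad port
        except ValueError:
            continue
        if parts.scheme not in ("http", "https") or not parts.hostname:
            continue                   # relative or non-web reference
        try:
            ip = ipaddress.ip_address(parts.hostname)
        except ValueError:
            continue                   # an ordinary host name, not an IP literal
        if port is None:
            port = 443 if parts.scheme == "https" else 80
        hosts[(str(ip), port)].add(parts.path or "/")
    return {key: sorted(paths) for key, paths in hosts.items()}


def notification_summary(hosts):
    """One line per host, ready to paste into a notice to the address owner."""
    return [
        f"{ip} port {port}: {len(paths)} image path(s), e.g. {paths[0]}"
        for (ip, port), paths in sorted(hosts.items())
    ]


if __name__ == "__main__":
    for line in notification_summary(ip_literal_image_hosts(SAMPLE_HTML)):
        print(line)
```

The owner of each address is then found through a Whois lookup, as in the post above.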
Guest
Posted on: Tuesday, August 22nd, 2006, 7:31pm Report to Moderator
Guest User




Quoted from rob w (Guest)
MyCanadianPharmacy, as far as I can tell-

IP 195.141.149.161


According to webhosting.info, there are 7 domains at this IP. All of them hosted by an Andy Lambe (Lambe Solutions). His websites are-


1 ANDYLAMBE.COM.
2 ATLANTICLIFEQUOTE.COM.
3 CCIPNG.COM.
4 LAMBEFINANCIAL.COM.
5 LAMBESOLUTIONS.COM.
6 PEICREDITBULLETIN.COM.
7 PEILIFEQUOTE.COM.

email is-

support@lambesolutions.com


Robert Wright
rob@comdetroit.com
http://www.comdetroit.com
http://www.comdetroit.net


Logged
e-mail Reply: 78 - 181
MarkGiles
Posted on: Wednesday, August 23rd, 2006, 5:58am Report to Moderator
All-Star


Posts: 363
Recent site addresses for My Canadian Pharmacy are


They change daily as the victims whose machines are hijacked happen to reboot, or change the trivial root / administrator password / locate and delete the trojan proxy site server or proxy server.

Using an image leech is counter-productive, serving only to punish the criminal gang's victim.

Sending an alert message to the site owner is a better approach.

Sending a complaint to the registrar who assigns the name server that resolves the sites is even more effective.







Logged Offline
Private Message Reply: 79 - 181
tbbury
Posted on: Wednesday, August 23rd, 2006, 9:38am Report to Moderator
Guest User



Andy Lambe and Assoc has nothing to do with the spam email being sent out about pharmacy express, etc. His system was broken into and hackers used his system to send out a bunch of bogus emails.
Logged
e-mail Reply: 80 - 181
biggles
Posted on: Wednesday, August 23rd, 2006, 12:09pm Report to Moderator
New Member


Posts: 2
how do you know this?
Logged Offline
Private Message Reply: 81 - 181
biggles
Posted on: Wednesday, August 23rd, 2006, 12:15pm Report to Moderator
New Member


Posts: 2
how do we know that you aren't one of the sad sick bastards yourself?
Logged Offline
Private Message Reply: 82 - 181
Guest
Posted on: Wednesday, August 23rd, 2006, 1:13pm Report to Moderator
Guest User




Quoted from mr_d
Pharmacy Express has been spamming since 2004 back when it used servers based at Kornet in Korea.

In 2005 they added servers in Hong Kong and China.  Now they use servers (or zombie PC's) all over the globe.   They changed names many times since 2004 but you can tell it's the same place based on repeated Email patterns that progress over time such as their HTML and formatting tricks.   Sometimes their sites don't even display a real name.  They just highlight a word and stick a temporary embedded web link on it such as:

Online Meds Store
PharmacyByMAlL SSH0P
MEDlCATIONS By MAIL SHOOP
PHARMACY-BY-MAIL SHOP
MedzMail Shop
PiIlsOnline Store
PharmOnline Shop
Visit our Site
Try Viagra
Hi
V A L / u M
V / a G R A
M e R / D / A
S O m &
A m B / E N


I have a record of their sites going back to 2004.  
It appears they started calling themselves Pharmacy Express around Oct 2005.  

Pharmacy Express is the same place as Premier Pharmacy.  
They each have hundreds of sites and the sites are often identical except for the name.  I don't visit most links they send but I do record data about each link and promptly report them to their registrar, host network, etc.  

Canadian Pharmacy (an equally abusive spammer) shares DNS servers with Pharmacy Express on occasion but for the most part they use different web servers and DNS servers.  Perhaps they use the same "spammer network" (it's called China) so their paths cross on occasion.  Canadian Pharmacy also tends to use geocities.com redirects to hide their sites while Pharmacy Express typically does not.  

For a while Pharmacy Express had ties with LongZ enlargement Pills and MegaPower Pills sites and they were really bad for a while.  Fortunately those sites appear to have closed or moved.

Pharmacy Express maintains about 40 DNS servers at all times (that I know of) with a few getting shutdown daily and others coming online just as quickly.  Some of the IP's they use host hundreds or even thousands of sites.  I can only provide info on the ones that were sent to me personally, which averages 25 to 40 new, unique sites per month from this spammer.  

Try the reverse IP lookup tool at http://www.domaintools.com  (that's the new name for whois.sc).  Some spammer IP's host 60,000 sites, if that's possible.

Pharmacy Express changes their IP address 2-3 times a week in groups of 10-15 sites, typically concentrating on keeping the newest sites moving until they get shutdown.  Some sites run undisturbed for months while most appear to run a few weeks and they move on.  

They typically use each registrant name one time.  They may harvest these off the Internet since they tend to be unique.   Sometimes the data matches the info of real people and businesses.   95% of the registrants use a fake Yahoo Email address with their fake phone number, etc.

They tend to use Yesnic.com as the registrar for their DNS servers.  Yesnic doesn't reply or act timely enough to have any effect but they do eventually terminate the registration of some sites after months of abuse.  
Contrary to this, their web site registration is spread across a dozen foreign registrars such as
ENOM, INC.
Yesnic.com
BULKREGISTER, LLC.
LTD D/B/A PUBLICDOMAINREGISTRY.COM
ONLINE SAS BookmyName
HICHINA WEB SOLUTIONS (HONG KONG) LIMITED
XIN NET TECHNOLOGY CORPORATION
and many others.  They choose registrars who do not have an abuse policy or who have support pages written in Chinese to make reporting difficult.    Even the US based registrars such as GO DADDY SOFTWARE, INC. are irresponsible in this regard as they reply to repeated abuse from their customers with a letter saying they are "only" the registrar and they will continue to register sites to this spammer.  

I hope someone can use this info and help the situation. If I posted all the info I have it would fill many pages so I will close for now.  If anyone wants a detailed listing of their DNS servers, IP addresses, registrant names, SMTP Headers and server names with dates going back to 2004 or 2005 I can post more info.  

Looking at DNS info you can tell that similar sites such as  "My Canadian Pharmacy" (also called "International Legal RX") is a separate spammer with their own sites and servers.

As a primer, here is a sample of Pharmacy Express info.
Some of their sites changed IP's 8-10 times and are still running.  Most of these are active.  Older sites that are on registrar-hold have been omitted to save space.


Pharmacy Express recent site list:


DNS servers:


Logged
e-mail Reply: 83 - 181
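
The link texts quoted in the post above ("MEDlCATIONS", "PiIlsOnline", "V / a G R A") hide a product name behind look-alike characters and spaced-out letters. The following is an added example, not part of the original post, of a filter step that folds those tricks away and reports a watched word only when it appears after folding but not in the plain text. The watchlist, the fold table and the function names are assumptions chosen from the samples in the post.

```python
import re

# Words taken from the link texts quoted in the post; the list is an assumption.
WATCHLIST = ("pharmacy", "medications", "pills", "viagra",
             "valium", "meridia", "ambien")

# Look-alike substitutions seen in the quoted samples: lower-case L for I
# ("MAlL"), capital I for l ("PiIls"), "/" for I ("V / a G R A"), zero for O.
# After lower-casing, i and l are folded into one class.
FOLD = str.maketrans({"l": "i", "/": "i", "0": "o"})


def skeleton(text):
    """Lower-case, fold look-alikes, and drop everything that is not a-z."""
    return re.sub(r"[^a-z]", "", text.lower().translate(FOLD))


def candidate_strings(text):
    """Whitespace tokens, with each run of one-character tokens joined.

    Joining only runs of single characters catches "V A L / u M" without
    gluing ordinary neighbouring words together ("via graph" stays two words).
    """
    out, run = [], []
    for tok in text.split():
        if len(tok) == 1:
            run.append(tok)
            continue
        if run:
            out.append("".join(run))
            run = []
        out.append(tok)
    if run:
        out.append("".join(run))
    return out


def scan(text):
    """Return watched words found in plain form and in hidden (folded) form."""
    lowered = text.lower()
    skeletons = [skeleton(c) for c in candidate_strings(text)]
    plain, hidden = [], []
    for word in WATCHLIST:
        if word in lowered:
            plain.append(word)
        elif any(skeleton(word) in s for s in skeletons):
            hidden.append(word)
    return {"plain": plain, "hidden": hidden}


# The first seven lines are link texts quoted in the post; the last two are
# constructed ordinary sentences.
SAMPLES = [
    "PharmacyByMAlL SSH0P",
    "MEDlCATIONS By MAIL SHOOP",
    "PiIlsOnline Store",
    "V A L / u M",
    "V / a G R A",
    "M e R / D / A",
    "A m B / E N",
    "Your prescription is ready at the pharmacy.",
    "See it via graph paper.",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(f"{line!r:50} {scan(line)}")
```

A word that appears only in hidden form is a stronger signal than the word itself, because ordinary mail has no reason to disguise it.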
MarkGiles
Posted on: Friday, August 25th, 2006, 1:03am Report to Moderator
All-Star


Posts: 363

Quoted from biggles
how do you know this?


I back him up. See the list of other victim sites that have been hacked in my previous posting.

It is more effective to complain to the registrars who provide the domain name server support. As the result of actions taken by eNom and Tucows in response to user complaints, over 1100 My Canadian Pharmacy, International RX and US Drugs web sites have been blocked over the past 3 weeks.

If you want to understand how these sites are set up on target victim machines, read the whole exposure at http://spamhater.zoomshare.com

The covers are lifted on this whole criminal organization there for all to see.

Summary - don't leech the sites of the criminal gang's victims. Wrong target!
Logged Offline
Private Message Reply: 84 - 181
Guest
Posted on: Friday, August 25th, 2006, 5:10pm Report to Moderator
Guest User



What's going on? something seems to happen, as I didn't get any Pharmacy Express spams for days now....

Logged
e-mail Reply: 85 - 181
admin
Posted on: Saturday, September 16th, 2006, 10:06pm Report to Moderator
Administrator Group



Posts: 15
ADMIN NOTE:  Due to a slight "mishap" with this board, some of the messages on this thread have been lost (From 8/26 to 9/15/06).  In order to try to keep continuity, I am re-posting those that I found on a Google cache of this thread.  I think nearly all of them have been recovered, and I learned a few lessons about board maintenance, the importance of frequent back-ups as this board gets busier, and the wonders of Google's caching of sites  
Logged Offline
Private Message Reply: 86 - 181
admin
Posted on: Saturday, September 16th, 2006, 10:19pm Report to Moderator
Administrator Group



Posts: 15
Originally Posted on: Saturday, August 26th, 2006, 11:54pm
MarkGiles


Over 95% of the 1400 sites in My Canadian, International RX, US Drugs have been closed down by the registrars.

A similar percentage of the 700 Pharmacy Express, Health Suite and Finest RX sites have also been taken down by their registrars.

The close downs occurred a few hundred sites at a time over the period from August 1. The spammers did not know from one day to the next which sites would be taken out in the next few days, so could not do a spam run with any confidence that the site spammed would be there by the time the mail run finished.

The two criminal groups that spam those sites will be in a rebuilding phase. In the meantime they are falling back on the pump-and-dump stock spams and finance lead generators. People are seeing an explosion of those to "fill in the gap" left by the demise of so many pharmacy spam and scam sites.
Logged Offline
Private Message Reply: 87 - 181
admin
Posted on: Saturday, September 16th, 2006, 10:22pm Report to Moderator
Administrator Group



Posts: 15
Originally Posted on: Sunday, August 27th, 2006, 9:01am
MDARULZ (Guest User)


Quoted from MarkGiles

Over 95% of the 1400 sites in My Canadian, International RX, US Drugs have been closed down by the registrars.

A similar percentage of the 700 Pharmacy Express, Health Suite and Finest RX sites have also been taken down by their registrars.

The close downs occurred a few hundred sites at a time over the period from August 1. The spammers did not know from one day to the next which sites would be taken out in the next few days, so could not do a spam run with any confidence that the site spammed would be there by the time the mail run finished.

The two criminal groups that spam those sites will be in a rebuilding phase. In the meantime they are falling back on the pump-and-dump stock spams and finance lead generators. People are seeing an explosion of those to "fill in the gap" left by the demise of so many pharmacy spam and scam sites.


Definitely good news.  Now, if enom.com would do the same for a number of porn sites that continually spam, we'd be getting somewhere !

As I noted elsewhere, for those who would like effective filtering of spam (with almost no matches for legit mail), use these keywords (without the quotes, of course !):


"image/gif" for nailing those stock (and medical) picture mails

".PK" and ". P K" for the stock e-mails

"PO Box." for the finance spam garbage


The above nets most everything, with near zero false positives (tho always check your spam folder to make sure, if you have important mail coming in !!).

Let's hope that the main registrars are committing to finally stopping a lot of this bullshit.  Now, how do we stop the stock and finance stuff from going out ?  That may prove to be a lot tougher...  -  MDA
Logged Offline
Private Message Reply: 88 - 181
admin
Posted on: Saturday, September 16th, 2006, 10:24pm Report to Moderator
Administrator Group



Posts: 15
Originally Posted on: Wednesday, August 30th, 2006, 8:59am
JWR (Guest User)

Hello,

Having received lots of SPAM from Pharmacy Express Corp., located at the Virgin Islands, I found a Drug Reselling License at their recent homepage
(http://desunkerwionterde.com)

The license sheet has been issued from the State of Ontario
(I don't know if it is a fake sheet, but it looks "impressive")

Pharmacy Express Corp. is listed at a full address in:
1460 Don Mills Rd. at York Mills, 2nd floor,
Don Mills, ON M3B 2X9.

The license carries a signature and name of the Issuer

The license is numbered No D2849912
Issue date 07/10/2002
Expiration Date: 07/10/2012

Maybe a lawyer is able to stop the company from spreading SPAM.

Regards,

JWR., Backnang (Germany)

ADMIN NOTE:   It is widely believed at this point that the above address (and license for that matter) are indeed fake, as are all of the site's other claims of being "Certified by Pharmacy Checker" "Member of Better Business Bureau" and "Verified By VISA"
Logged Offline
Private Message Reply: 89 - 181
admin
Posted on: Saturday, September 16th, 2006, 10:33pm Report to Moderator
Administrator Group



Posts: 15
Originally Posted on: Thursday, August 31st, 2006, 12:43am
rij8bk


Hello,

SPAM-spreading methods may be reported to http://www.mail-abuse.com
Now the instructions for reporting prescribe:
"When a loose spam advertises a URL, check to see if the webpage is still active".

However checking the generated URLs in SPAM-Mails (from Pharmacy Express Corp.) must be considered harmful!

The URLs will be generated for a dedicated e-mail address and by clicking the URL the SPAM-server will be signalled the corresponding e-mail address is alive.
Or even worse: Any time you click the http-address the SPAM-server will update a counter for the corresponding mail address.
Resulting in: Persons having a high counter-level in the SPAM-database will receive more mails.

My idea: If you repeat clicking generated URLs in your mails,
your e-mail address in the end will be flooded with SPAM.

Is that correct?
If you are being flooded by mails (eg. from Pharmacy Express Corp.),
did you often open generated URLs in SPAMs?

JWR
Logged Offline
Private Message Reply: 90 - 181
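
The concern raised in the post above, that a spammed URL may be generated for one recipient's address, can be checked offline before a link is opened or pasted into a report. The following is an added example, not part of the original post: it looks for common encodings of your own address inside a URL and reduces a tagged URL to its host. The function names, the set of encodings, the 16-character threshold and all sample URLs are assumptions.

```python
import base64
import hashlib
import re
from urllib.parse import unquote, urlsplit, urlunsplit

# Heuristic: a long run of URL-safe characters may be a per-recipient ID
# that cannot be decoded locally. The threshold of 16 is an assumption.
OPAQUE = re.compile(r"[A-Za-z0-9_-]{16,}")


def recipient_encodings(address):
    """Common ways a mailer could embed an address in a link."""
    raw = address.strip().lower().encode("utf-8")
    return {
        "plain": raw.decode(),
        "hex": raw.hex(),
        "base64": base64.b64encode(raw).decode().rstrip("="),
        "base64url": base64.urlsafe_b64encode(raw).decode().rstrip("="),
        "md5": hashlib.md5(raw).hexdigest(),
        "sha1": hashlib.sha1(raw).hexdigest(),
    }


def find_recipient_tags(url, address):
    """Names of the encodings of `address` that occur anywhere in `url`."""
    decoded = unquote(url)             # turns %40 back into @
    lowered = decoded.lower()
    hits = []
    for name, token in recipient_encodings(address).items():
        # Base64 is case-sensitive; the other encodings are compared lower-cased.
        haystack = decoded if name.startswith("base64") else lowered
        if token in haystack:
            hits.append(name)
    return hits


def opaque_tokens(url):
    """Long opaque runs in the path or query (possible database IDs)."""
    parts = urlsplit(url)
    return OPAQUE.findall(parts.path + "?" + parts.query)


def sanitize_for_report(url, address):
    """Return a form of `url` that does not identify the reporter.

    Untagged URLs are returned unchanged. Tagged URLs are cut back to
    scheme and host. If the host itself carries the tag, return None.
    """
    if not find_recipient_tags(url, address) and not opaque_tokens(url):
        return url
    parts = urlsplit(url)
    stripped = urlunsplit((parts.scheme, parts.netloc, "/", "", ""))
    return None if find_recipient_tags(stripped, address) else stripped


# Constructed samples; example.org / example.net are reserved test domains.
RECIPIENT = "alice@example.org"
_ENC = recipient_encodings(RECIPIENT)
SAMPLES = {
    "plain": "http://spam-shop.example.net/u?e=alice%40example.org",
    "md5": "http://spam-shop.example.net/c/" + _ENC["md5"] + "/index.html",
    "base64": "http://spam-shop.example.net/?id=" + _ENC["base64"],
    "opaque": "http://spam-shop.example.net/?uid=7f3k2m9q8x1z5c4v6b0n",
    "host": "http://" + _ENC["md5"] + ".example.net/offer",
    "clean": "http://spam-shop.example.net/index.html",
}

if __name__ == "__main__":
    for label, url in SAMPLES.items():
        print(label, find_recipient_tags(url, RECIPIENT),
              sanitize_for_report(url, RECIPIENT))
```

A URL with no recognizable tag can still carry a server-side ID, so an empty result does not prove the link is anonymous.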
admin
Posted on: Saturday, September 16th, 2006, 10:42pm Report to Moderator
Administrator Group



Posts: 15
Originally Posted: Thursday, August 31st, 2006, 8:46am
MarkGiles


Quoted from JWR (Guest)
Hello,

Having received lots of SPAM from Pharmacy Express Corp., located at the Virgin Islands, I found a Drug Reselling License at their recent homepage
(http://desunkerwionterde.com)

The license sheet has been issued from the State of Ontario
(I don't know if it is a fake sheet, but it looks "impressive")

Pharmacy Express Corp. is listed at a full address in:
1460 Don Mills Rd. at York Mills, 2nd floor,
Don Mills, ON M3B 2X9.

The license carries a signature and name of the Issuer

The license is numbered No D2849912
Issue date 07/10/2002
Expiration Date: 07/10/2012

Maybe a lawyer is able to stop the company from spreading SPAM.

Regards,

JWR., Backnang (Germany)


Everything is fake. Hundreds of PE sites have been shut down but they just create more. See for example http://www.bbb.org/alerts/article.asp?ID=597

That Canadian address has been checked out, and it is ...
Logged Offline
Private Message Reply: 91 - 181
admin
Posted on: Saturday, September 16th, 2006, 10:47pm Report to Moderator
Administrator Group



Posts: 15
Originally Posted: Friday, September 1st, 2006, 2:19pm
Spammed-out

I too am being abused by these incessant emails from the marketeers from Pharmacy Express. They are relentless. I know they are not trying to sell products; they're just looking to bog us down.

Is there any way to stop this? I believe they think it's a joke and will forever poke at us just for laughs.
Logged Offline
Private Message Reply: 92 - 181
admin
Posted on: Saturday, September 16th, 2006, 10:48pm Report to Moderator
Administrator Group



Posts: 15
Originally Posted: Sunday, September 3rd, 2006, 6:00pm
(Guest)

My name is Monty Peterson. I made an order rx002-057079 and I did not get an e-mail back on my order
Logged Offline
Private Message Reply: 93 - 181
admin
Posted on: Saturday, September 16th, 2006, 11:00pm Report to Moderator
Administrator Group



Posts: 15
Originally Posted: Monday, September 4th, 2006, 7:30am
admin


Quoted from Guest
My name is Monty Peterson. I made an order rx002-057079 and I did not get an e-mail back on my order


I'm not sure what you are asking---are you thinking this is Pharmacy Express?  It is not, and unfortunately, you have been scammed.  I would contact your credit card that you used and CANCEL THE CARD.  And if you actually do get your order, DO NOT TAKE THE MEDICATIONS--they most likely are not the correct drugs, and could be dangerous.

On-line pharmacy spammers are criminals--they do not care to send you quality, or even the right drugs, if they send them to you at all.

Please don't take this the wrong way, but it is somewhat baffling as to why people are ordering from a company that doesn't have a legitimate website, doesn't have any real contact info like a phone number or physical address, and "advertises" through e-mail with unprofessional, misspelled messages.  You are not the only one obviously that orders from them, but what made you decide to trust them?

I hope you are successful at canceling your Credit Card before they take money from it---if they already did, then put it in dispute with your credit company, and file a fraud report.
Logged Offline
Private Message Reply: 94 - 181
admin
Posted on: Saturday, September 16th, 2006, 11:04pm Report to Moderator
Administrator Group



Posts: 15
Originally Posted: Tuesday, September 5th, 2006, 10:48am
Sarek


I just had what I thought was quite a good idea:

I went to the website and found the "contact us" page. I then filled in fictitious details, using one of the spammer's apparent email addresses, and then filled the message space with a huge text file (in this case one of the online Norwegian sagas).

I did this several times.

In future I think I may combine several sagas into one file and send that.

If all of us who are fed up with this spamming could be bothered to do this several times a day, surely we could clog their inboxes - and at least make them employ more people to sort out what was coming to them?

If anyone can spot a fault in the logic please let me know, otherwise anyone fancy giving it a go?
Logged Offline
Private Message Reply: 95 - 181
admin
Posted on: Saturday, September 16th, 2006, 11:15pm Report to Moderator
Administrator Group



Posts: 15
ADMIN NOTE:  The "lost posts" should be restored as best as they can be at this point.   Again, sorry for the mishap. Time to set the board backup on "daily"  
Logged Offline
Private Message Reply: 96 - 181
MarkGiles
Posted on: Monday, September 18th, 2006, 7:36am Report to Moderator
All-Star


Posts: 363
Recently spammed Pharmacy Express sites (last 2 days)

The name servers they all use
ns2.yadesaxinmer.com     ns3.ovdesaxinme.com
ns0.hadegandestui.com     ns0.hadesunjadukinma.com


The registrars
ns2.yadesaxinmer.com XIN Net
ns0.hadesunjadukinma.com XIN Net

Contact: Zhao Le
Tel: 010-58022118-505
Email: registrar@xinnet.com

ns3.ovdesaxinme.com DNS.COM.CN
ns0.hadegandestui.com DNS.COM.CN
Contact: Wei Li
Tel: 86-10-82601212
Email: liwei@dns.com.cn, litao@dns.com.cn

ACTION REQUIRED  -  JOIN THE CAMPAIGN
Send an email request to XIN Net asking that the two domains  
yadesaxinmer.com and hadesunjadukinma.com
be locked out and the address records set to 0.0.0.0

Send an email request to DNS.COM.CN asking that the two domains  
ovdesaxinme.com and hadegandestui.com
be locked out and the address records set to 0.0.0.0
(You can also request that they do the same for sadewunmkedefuna.com and avuihdesunhawio.com for good measure)

Reason - they are being used to resolve address to the illegal and spamvertized web sites for Pharmacy Express, owned by known criminal Leo Kuvayev (Bad Cow) who is listed in ROKSO, and at China's anti-spam site http://www.anti-spam.cn/ShowArticle.php?id=3169



Logged Offline
Private Message Reply: 97 - 181
dj
Posted on: Monday, September 18th, 2006, 10:48am Report to Moderator
Super Spam Fighter



Posts: 108
I'm down to about one MyCanadianPharmacy mail a day at the moment.

The images are being hosted at http://62.240.183.183:8080/p/images/weship.gif which is a Czech company sloane.cz hosted via the Ripe Network.

I have forwarded the mails to various addresses at sloan.cz including abuse, hostmaster and technik, who all sound as if they should be interested, as well as abuse at ripe.net, who normally send an automatic response to say it's nothing to do with them.

Dave

"Now its personal"  "Don't get mad, get even!"
Logged Offline
Private Message Reply: 98 - 181
MarkGiles
Posted on: Monday, September 18th, 2006, 6:45pm Report to Moderator
All-Star


Posts: 363
It is useful to report the image servers, as well as the site servers. Both are hacked. Recently noted hacked machines used by Polyakov are at http://pharmalert.zoomshare.com.

When a compromised machine is recovered, it takes the crims less than one minute to switch to another. An hour ago the picture for site servers for My Canadian, International RX, Canadian Health&Care, Fake Rolex, and Caviar Store sites hijacked by Alex Polyakov:


Image servers

62.240.183.183
62.213.70.68
201.28.121.171

Yesterday's image servers
"heretostay.info" removed by Yahoo
"fredswoot.info" removed by Yahoo

Name servers on Tucows - Email removal requests to compliance (AT) opensrs.org

ns1.coperode.info Removed Sept 19
ns1.hnewsonline.info Gone Sept 26
ns2.kolftoy.info Removed Sept 22
ns2.pentrock.info Gone Sept 29
ns2.tacttal.info Gone Sept 29
ns2.walkclose.info Gone Sept 29
ns1.elegantlatin.info (not Tucows - Intercosmos Media Group)
ns2.elegantlatin.info (not Tucows - Intercosmos Media Group)
ns1.getrn.info Removed Sept 20
ns2.bonnul.info Removed Sept 22
ns2.rneasts.info Gone Sept 26
ns2.forcestar.info Removed Sept 19
ns2.vopor.info Removed Sept 22
this-is-search-traffic-domain.theoncall.info Removed Sept 26
ns1.kosnag.info Timeouts Sept 22

The quickest and most efficient method of shutting these illegal sites down is to focus on the name servers.
Logged Offline
Private Message Reply: 99 - 181
ausmpw
Posted on: Tuesday, September 19th, 2006, 4:51pm Report to Moderator
New Member


Posts: 1
Frankly I'm sick of them. I get, at least, 20 a day from this crowd.

I left a very personal note in their "contact me" area hoping for as much misery as I could possibly inflict upon the recipient. Their parents and children were not spared.

It won't do anything I know but, write it like a curse, and a) makes you feel better getting rid of some of the anger and b) maybe it just might "ping" a heart string
Logged Offline
Private Message Reply: 100 - 181
MarkGiles
Posted on: Wednesday, September 20th, 2006, 6:49pm Report to Moderator
All-Star


Posts: 363
If you really want to make a difference, email compliance at opensrs.org.

Politely request the removal of the nameservers that they are sponsoring. The nameservers run on compromised machines illegally. They allow access to illegal pharmacy sites that are known to scam credit cards and identities. Other registrars have already removed their nameservers because they know that they are illegal.

See the posting earlier for the list of remaining nameservers that Tucows needs to remove.

Thanks for helping to shut down these cybercriminals.
Logged Offline
Private Message Reply: 101 - 181
Dave
Posted on: Friday, September 29th, 2006, 2:21pm Report to Moderator
New Member


Posts: 19
This site seems to have gone a bit dead - is spam getting less, is it being ignored, are we getting better at blocking it?

Anyway I've got another couple tonight - won't bore you with the details but have sent the following to picture host AIHS.Net GmbH as I think it may do more good than emailing where I think it came from or via.

I believe you may be hosting spam images for ratihop.net

i.e. http://80.94.82.31:8080/p/images/weship.gif

Thousands of people worldwide will appreciate it if you can stop this.

Thank you
Logged Offline
Private Message Reply: 102 - 181
MarkGiles
Posted on: Friday, September 29th, 2006, 4:19pm Report to Moderator
All-Star


Posts: 363
Updates - Tucows has removed all the nameservers that they were asked to take out

Name servers on Tucows - Email removal requests to compliance (AT) opensrs.org

ns1.coperode.info Removed Sept 19 Restored Sept 30
ns1.hnewsonline.info Gone Sept 26
ns2.kolftoy.info Removed Sept 22
ns2.pentrock.info Gone Sept 29
ns2.tacttal.info Gone Sept 29
ns2.walkclose.info Gone Sept 29
ns1.elegantlatin.info (not Tucows - Intercosmos Media Group)
ns2.elegantlatin.info (not Tucows - Intercosmos Media Group)
ns1.getrn.info Removed Sept 20
ns2.bonnul.info Removed Sept 22
ns2.rneasts.info Gone Sept 26
ns2.forcestar.info Removed Sept 19 Restored Sept 30
ns2.vopor.info Removed Sept 22
this-is-search-traffic-domain.theoncall.info Removed Sept 26
ns1.kosnag.info Timeouts Sept 22

The quickest and most efficient method of shutting these illegal sites down is to focus on the name servers. Over 3,000 illegal pharmacy sites have been removed in the past 2 months.
Logged Offline
Private Message Reply: 103 - 181
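Added example (not part of any post in this thread): a small triage script for the "focus on the name servers" approach described in the posts above. It shows why a site stays reachable until every name-server domain it is delegated to has been removed, and in which order to send registrar reports. All domain and registrar names are constructed placeholders, and the function names are this example's own.

```python
from collections import defaultdict

# Constructed sample data (reserved .example names, not domains from the thread).
# Spamvertised site -> name-server hosts it is delegated to.
DELEGATIONS = {
    "pills-a.example": {"ns1.dnsone.example", "ns2.dnstwo.example"},
    "pills-b.example": {"ns1.dnsone.example", "ns2.dnstwo.example"},
    "pills-c.example": {"ns0.dnsone.example"},
    "watch-d.example": {"ns1.dnsthree.example", "ns2.dnstwo.example"},
    "caviar-e.example": {"ns1.dnsthree.example"},
}
# Name-server domain -> sponsoring registrar (constructed).
REGISTRAR = {
    "dnsone.example": "Registrar A",
    "dnstwo.example": "Registrar B",
    "dnsthree.example": "Registrar A",
}


def ns_domain(host):
    """Registered domain of a name-server host (simplification: last two labels)."""
    return ".".join(host.rstrip(".").lower().split(".")[-2:])


def dependents(delegations):
    """Invert the delegations: name-server domain -> sites that rely on it."""
    index = defaultdict(set)
    for site, hosts in delegations.items():
        for host in hosts:
            index[ns_domain(host)].add(site)
    return dict(index)


def dark_sites(delegations, removed):
    """Sites left with no working delegation once `removed` domains are locked."""
    removed = set(removed)
    return {site for site, hosts in delegations.items()
            if {ns_domain(h) for h in hosts} <= removed}


def report_plan(delegations, registrar):
    """Greedy report order: [(ns_domain, registrar, sites dark so far), ...]."""
    index = dependents(delegations)
    removed, plan = [], []
    dark = set()
    while len(dark) < len(delegations):
        candidates = sorted(set(index) - set(removed))
        # Prefer the removal that darkens the most sites now; break ties by
        # how many still-live sites lean on that name-server domain.
        best = max(candidates, key=lambda d: (
            len(dark_sites(delegations, removed + [d])) - len(dark),
            len(index[d] - dark)))
        removed.append(best)
        dark = dark_sites(delegations, removed)
        plan.append((best, registrar.get(best, "unknown"), len(dark)))
    return plan


if __name__ == "__main__":
    for domain, sponsor, total in report_plan(DELEGATIONS, REGISTRAR):
        print(f"{domain:18} {sponsor:12} sites dark after removal: {total}")
```

In the sample, removing the name-server domain at one registrar alone darkens at most one site, which is why reports to both sponsoring registrars are needed.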
dj
Posted on: Saturday, September 30th, 2006, 2:04pm Report to Moderator
Super Spam Fighter



Posts: 108
I also mailed public at aihs.net about hosting the images for MyCanadianPharmacy on Friday and today the image has gone.  

I think as many people as possible need to hit these sites from as many angles as possible  -

  • take out the name servers,
  • remove the images,
  • stop the mail senders
  • (and make a few dummy orders)

I am only getting about one of these a day now instead of 8-10.

Dave

"Now its personal"  "Don't get mad, get even!"
Logged Offline
Private Message Reply: 104 - 181
Dave
Posted on: Monday, October 2nd, 2006, 1:22pm Report to Moderator
New Member


Posts: 19
Not Pharmacy Express, but anyone any idea what this page is:

http://br.groups.yahoo.com/group/newasian/messages/2401?viscount=100

Looks like all the spam I have ever got.
Is it the spammers' library?
Do you know anyone who might know what it is & if it is "bad" what we can do to get rid of it? Fact that it is Brazil doesn't bode well.
Logged Offline
Private Message Reply: 105 - 181
MarkGiles
Posted on: Tuesday, October 3rd, 2006, 5:00pm Report to Moderator
All-Star


Posts: 363
Hard to tell. Looks like it could be a site which simply logs spam.
Logged Offline
Private Message Reply: 106 - 181
uZi
Posted on: Friday, October 6th, 2006, 8:08am Report to Moderator
New Member


Posts: 2
I created a new address @gmail. I didn't give it to anyone, but within 1 day I had yet received spams. How the hell did they get my email address ??

In conclusion: f*** pharmacy express
Logged Offline
Private Message Reply: 107 - 181
tman
Posted on: Friday, October 6th, 2006, 10:24pm Report to Moderator
Frequent Contributor


Gender: Male
Posts: 36

Quoted from uZi
I created a new address @gmail. I didn't give it to anyone, but within 1 day I had yet received spams. How the hell did they get my email address ??

In conclusion: f*** pharmacy express


I have 2 e-mail accounts with my ISP that I've NEVER used in any public sense, and both of them receive spam on a regular basis.  I think a lot of spam bots will just rattle off guesses at e-mail addresses at the popular services.  Services like Yahoo, GMail, AOL, will have literally tens of millions of e-mail addresses.  In other words, I'm sure they automatically send a spam to "johndoe", "johndoe1", "johndoe2", etc.  A bot could just send to almost anything at these services & have a good chance of hitting an active address.  And if they do (by not getting an "undeliverable" response), then they have it for good.

I could be wrong about this, but I think that is one of the tactics spammers will use to harvest addresses.
Logged Offline
Private Message Reply: 108 - 181
MarkGiles
Posted on: Sunday, October 8th, 2006, 3:53am Report to Moderator
All-Star


Posts: 363
Spammers have a probe utility. It does not actually send mail to determine if an address exists. Given a few million names (e.g. mikey7, joetsmith, etc.) they can run the probe using the names, appended to the larger domains (like @gmail.com, @hotmail.com, @yahoo.com). At the end of the run they will have a file of every name@domain that exists.

So if you create a new account at gmail.com using a name that is already in their probe list, they can discover it next time they do a probe run.
Logged Offline
Private Message Reply: 109 - 181
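Added example (not part of any post in this thread): how a mail administrator can spot the name-list probing described above from the receiving side. It assumes the probe shows up as a burst of "user unknown" rejections from one client, which the posts do not state; the log lines are constructed in the style of Postfix smtpd reject entries, and the function names and thresholds are this example's own.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Reject line for a nonexistent recipient, modelled on Postfix smtpd logging.
REJECT = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: NOQUEUE: reject: "
    r"RCPT from [^\[\s]*\[([^\]]+)\]: 550 5\.1\.1 <([^>]+)>")

_LINE = ("Oct  8 03:50:{sec:02d} mx1 postfix/smtpd[2101]: NOQUEUE: reject: "
         "RCPT from unknown[{ip}]: 550 5.1.1 <{rcpt}>: Recipient address "
         "rejected: User unknown in local recipient table; "
         "from=<x@sender.example> to=<{rcpt}> proto=ESMTP helo=<sender.example>")


def _sample_log():
    """Constructed log: one name-list probe, one typo, one repeated stale address."""
    guesses = ["mikey7", "joetsmith", "johndoe", "johndoe1", "johndoe2", "jsmith"]
    lines = [_LINE.format(sec=i + 1, ip="203.0.113.7", rcpt=f"{g}@example.org")
             for i, g in enumerate(guesses)]
    lines.append(_LINE.format(sec=30, ip="198.51.100.20", rcpt="jon.doe@example.org"))
    lines += [_LINE.format(sec=s, ip="192.0.2.33", rcpt="old-list@example.org")
              for s in (10, 20, 40)]
    lines.append("Oct  8 03:50:45 mx1 postfix/smtpd[2101]: "
                 "connect from mail.example.net[192.0.2.80]")
    return "\n".join(lines)


SAMPLE_LOG = _sample_log()


def parse_rejects(log_text, year=2006):
    """Yield (timestamp, client_ip, recipient) for each unknown-user reject.

    Syslog timestamps carry no year, so the caller supplies one.
    """
    for line in log_text.splitlines():
        m = REJECT.match(line)
        if m:
            when = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield when, m.group(2), m.group(3).lower()


def harvest_suspects(log_text, window=timedelta(seconds=60), threshold=5):
    """Clients that tried >= threshold distinct unknown recipients in one window.

    Counting distinct recipients (not raw rejects) keeps a sender that retries
    one stale address from being flagged. Returns {client_ip: peak distinct}.
    """
    per_ip = defaultdict(list)
    for when, ip, rcpt in parse_rejects(log_text):
        per_ip[ip].append((when, rcpt))
    suspects = {}
    for ip, events in per_ip.items():
        events.sort()
        best, start = 0, 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            best = max(best, len({r for _, r in events[start:end + 1]}))
        if best >= threshold:
            suspects[ip] = best
    return suspects


if __name__ == "__main__":
    for ip, peak in harvest_suspects(SAMPLE_LOG).items():
        print(f"{ip}: {peak} distinct unknown recipients within 60s")
```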
uZi
Posted on: Tuesday, October 10th, 2006, 5:26am Report to Moderator
New Member


Posts: 2
Could be right cos I used to have quite a weird email name, and I have almost never received spams. That's why I get another one, people could never remember it, but now with the gmail one which is more common, I receive tons of spams.

Actually not that much if I can compare to some other people here, just between 1 and 3 a day. Why don't I receive all their spams ?
Logged Offline
Private Message Reply: 110 - 181
dj
Posted on: Friday, October 13th, 2006, 1:26pm Report to Moderator
Super Spam Fighter



Posts: 108
I'd gladly swap all mine for your 2 or 3 !!!

Form an orderly queue !!!


Dave

"Now its personal"  "Don't get mad, get even!"
Logged Offline
Private Message Reply: 111 - 181
DarkShado
Posted on: Friday, October 13th, 2006, 3:03pm Report to Moderator
New Member


Posts: 5
A bit of information about My Canadian Pharmacy Corp.
the address is fake... I am in Toronto, Ontario, Canada
and I know the area. I did a drive by and got out of
my car and spoke to people  in the area as well and
there is no 1592 Wilson Avenue

I spoke to people that live in the area
and I know the area as well. I live in Toronto,
Ontario, Canada myself.

They list an address of

My Canadian Pharmacy Corp.
1592 Wilson Avenue
Toronto, Ontario
Canada, M3L 1A6

That address is fake. And it doesn't reside in the
Sheridan Mall like some one else said addresses for
the Sheridan Mall starts at 1700 Wilson Ave
It has to be closer towards that Corner if it existed.

I also post on the usenet newsgroups and I started
a thread there as well on the newsgroup
news.admin.net-abuse.email and I invite everyone
to read and reply to that message
if you wish.

http://groups.google.com/group.....6c4#1fcf92ba9ab8e6c4

I am getting spammed by this scumbag too
the last URL I got spammed with was
http://www.makstart.com


Anyone else find any more information
on these guys if we do find out they reside in
Toronto or have a Toronto address I can do
a drive by.

Jamie
Logged Offline
Private Message Reply: 112 - 181
MarkGiles
Posted on: Friday, October 13th, 2006, 4:28pm Report to Moderator
All-Star


Posts: 363
The photograph of their impressive headquarters building in Toronto is posted at http://www.spamhater.com

What would you like on your sandwich, sir? Viagra sauce, Cialis mayonnaise, Propecia salad dressing maybe?
Logged Offline
Private Message Reply: 113 - 181
DarkShado
Posted on: Friday, October 13th, 2006, 10:33pm Report to Moderator
New Member


Posts: 5
A bit more information about Pharmacy Express

http://groups.google.com/group.....=en#1fcf92ba9ab8e6c4


> MCP are run by the Yambo gang. Both MCP and Yambo are listed on ROKSO;
>
> http://www.spamhaus.org/rokso/evidence.lasso?rokso_id=ROK6271
>
> http://www.spamhaus.org/rokso/evidence.lasso?rokso_id=ROK3095

> Nasty little organisation, tied in with child porn and various scams
> and rip-offs. Looks like Polyakov is involved.
Logged Offline
Private Message Reply: 114 - 181
DarkShado
Posted on: Friday, October 13th, 2006, 10:38pm Report to Moderator
New Member


Posts: 5
http://www.spamhaus.org/rokso/evidence.lasso?rokso_id=ROK6271


"Natural" DNS points to here:

$ host candrugs.biz
candrugs.biz has address 193.165.178.164

But an HTTP GET at shows the very same files here:

--- reading URL http://candrugs.biz/p/images/license.jpg
--- contacting host candrugs.biz [207.226.167.66] on port 80

HTTP/1.1 200 OK
Date: Sat, 18 Feb 2006 x:x:x GMT
Server: Apache/2.0.53 (Fedora)
Last-Modified: Wed, 22 Jun 2005 10:59:59 GMT
ETag: "8541-32d09-784749c0"
Accept-Ranges: bytes
Content-Length: 208137
Connection: close
Content-Type: image/jpeg

[snip]

http://groups.google.com/groups?q=%221592+Wilson+Avenue%22&start=0&hl=en&filter=0

MyCanadianPharmacy Corp.
592 Wilson Avenue
Toronto, ON M3L 1A6

State of Ontario
Department of Health Services
Food and Drug Branch
Drug Reselling License #02838940

Issue Date: 02/18/2001
Expiration Date: 02/18/2011






http://www.technology-corner.com/20051023.shtml

Canada must be larger than I thought

I received (at the Technology Corner address) this week an offer for various medicines at "My Canadian Pharmacy". But, as it turned out, My Canadian Pharmacy is in Sofia, Bulgaria. Maybe. That's where the domain registrar says the domain holder is located, but that may not be the case.


That's the problem with spam. If you click a link that claims to be from Canada, it might really go to a website in Bulgaria or China. And the owner of the website might actually be in Viet Nam, Australia, the United States, or Libya.

You're foolish if you click on any link in any spam because the spam is, by definition, a lie from the outset. I followed the link (which may make me, by definition, foolish) but I wasn't planning to buy anything. I wanted to find out something about the outfit.

What do you receive if you place an order with "My Canadian Pharmacy"? It's anybody's guess. You might receive a generic equivalent drug, but, because most of the drugs these folks advertise have no generic equivalents, you'll probably receive a placebo that's designed to look like the medication you ordered.

If you're lucky, you'll receive a placebo that's in a counterfeit package. But you might also receive a forged medication that's stronger or weaker than the real product. Or you might receive something that's truly dangerous. If you're taking the medication for something serious, any deviation from the real thing would be dangerous.

What else might happen? Identity theft is a possibility when you're dealing with spammers. Additionally, the website could be booby trapped with spyware that exploits a browser bug. There's no way to know. As far as I'm concerned, spam gets deleted without question.
For your amusement.
MyCanadianPharmacy claims accreditation, but ...
... if you click any of the logos, you're not taken to VeriSign or to the Better Business Bureau. You may think that's where you are, but open the larger version of the image at the left and notice the URL in the title bar.
The "About Us" section tells about the "pharmacy" and about the doctors. In both cases, the text is badly written.


The site says "Dr. Jack Poppins studied reanimatology at Ontario Medical State University in 1969." Perform a Google search for "Ontario Medical State University" and you'll find exactly 2 references: Both are on the MyCanadianPharmacy website. What the writer seemed not to know is that Canada has provinces, not states.

The site also says "Dr. Paul Newman graduated from the faculty of psychiatry of the University of Ottawa." Better guess this time. The University of Ottawa exists and even has a medical school.


This document is represented to be the organization's "Drug Reselling Licence" but it lists the state of Ontario as the issuing authority. A Google search for +"ontario health and safety code" +"division 104" found nothing. "The license is required by law to immediately notify the Department of Health Services," but the Oxford Canadian Dictionary reveals that Canadian English makes a distinction between "license" and "licensee", so "license" is a spelling error. A search for "Department of Health Services" turns up no references in Ontario, but a search for the "Ministry of Health Services" does. And finally, the form uses both "licence" and "license". Both spellings are accepted in Canada, but not within a single document.


Where exactly is 1592 Wilson Ave, Toronto, Ontario? The website operator selected a believable location. It seems to be an address in the Sheridan Shopping Mall, just off highway 401 (a major road) and not far from the airport.

Do you think "MyCanadianPharmacy", licensed by the "state" of Ontario, and operated by a "doctor" who attended a medical school that doesn't exist, is located here?

It may be, but the operators have already stretched the truth just a little too far for my comfort.

I asked a friend who lives in Toronto about the address. "What a ratty part of town! Just north of there is Jane and Finch, the really scary part of the city. The address they give seems to be in a strip mall right beside the Sheridan Mall. Stores with adjacent addresses include a video store, a tattoo place, and a Jamaican savings and loan. I'm guessing the address they give is a cheap office above one of those stores."
But wait, there's more!

Later in the day, I heard from other Toronto residents. Here's what I learned:

* You're correct that Ontario Medical State University does not exist, and never has.
* The only medical schools in Ontario are at McMaster U. (in Hamilton), Queen's U. (in Kingston), the University of Western Ontario (in London), the University of Toronto, the U. of Ottawa, and the Northern Ontario School of Medicine, which is a brand-new joint venture between universities in Sudbury and Thunder Bay.
* Ontario does have a Ministry of Health, not a Department of Health. Ontario's ministries used to be referred to as departments, but that's outmoded usage.
* Here's something that those characters overlook: in Ontario, you can't operate a pharmacy unless you're a pharmacist.
* Dr. Poppins (wonder if he thinks a spoonful of sugar helps the medicine go down in the most delightful way?) claims to be the founder of the Canadian International Pharmacy Association. Turns out that there is such a body. The outfit claims to certify online pharmacies. MyCanadianPharmacy isn't listed.
* The Better Business Bureau in Kitchener, Ontario, has checked into complaints related to this outfit. The investigations were both "closed as unpursuable. Company cannot be located. Mail returned and phone disconnected." See here.
* They don't even get their postal code right: the code for 1592 is M3L 1A3. The code they give, ending in 1A6, seems to link up to the beer store at 1718 Wilson Avenue.
* As a practicing Ontario physician, I can assure you there's no Ontario Medical State University.
* The "certificate" has a watermark logo from Ontario County. Interestingly, there used to be an Ontario county in the province of Ontario until it was absorbed into the Regional Municipality of Durham in 1972.
Logged Offline
Private Message Reply: 115 - 181
DarkShado
Posted on: Friday, October 13th, 2006, 10:41pm Report to Moderator
New Member


Posts: 5
http://www.spamhaus.org/rokso/evidence.lasso?rokso_id=ROK3095

September 2006: NOTICE! For their pharma spam websites and nameservers, Yambo is using cracked servers as reverse proxies. They appear to be exploiting weak user/password combinations, for example "admin/admin". Most of the hijacked servers are embedded Linux devices such as firewalls and wi-fi routers. In addition to completely disinfecting the device and adding strong passwords, Spamhaus would also like to hear from system admins who have monitored the hijacked IP and tracked packets to the "back end" servers.
____________________________________________________________

Huge spamhaus tied into billing for child/animal/incest-porn spamming, pirated software spamming, credit-card "collection" sites.

Frequent visitors and advertisers in "secret" spammer chat forums.

Uses "affiliate" model extensively to distribute its spamming among various kiddiez, particularly for their "pharma" programs (pharmaceutical drugs). EVAPharmacy (EVA Pharmacy, EVABilling, EVA Billing), USDrugs (US Drugs), MyCanadian Pharmacy (My Canadian Pharmacy), and other recognizable spam brands are theirs.

Frequently tied to involvement in hijacking ownership of various ARIN netblocks from the rightful owners.

They try and look somewhat "legit" by using postal addresses at US and British "remailer" services and US/British forwarding-phone services.

The players are mostly Ukrainian and/or Russian, living in and around Seattle, WA and Gainesville, FL in the USA and in Russia/Ukraine. Also have ties in Paris, France.

Have ties to "Alex Blood", who ties to the RegPay child-porn spammers.

If all the info is correct, they are also one of the older spamhausen around.

Related to, or same as, Oxbill (and many other "___bill" domains) and possibly the same gang as Pavka / Artofit
See ROK2432 for links to smartdns.com, which is a P-A domain.

http://groups.google.com/groups?selm=bp8lu4%241llavj%241%40ID-115151.news.uni-berlin.de

http://groups.google.com/group.....net.cable.rogers.com

Subject: Yambo Financials - yambobank.com, yambo.biz, name15.com, ssl4all.com etc, etc....

--
Registrant:
Yambo Financials Ltd.
14 Hook Road
Epsom, Not Applicable 19KT 8TH
GB
+44.8719008667
Fax:+44.8719008668


Domain Name: YAMBO-GROUP.COM

Administrative Contact:
Support, Customer support@yambo.biz
14 Hook Road
Epsom, Not Applicable 19KT 8TH
GB
+44.8719008667
Fax:+44.8719008668


Technical Contact:
Support, Customer support@yambo.biz
14 Hook Road
Epsom, Not Applicable 19KT 8TH
GB
+44.8719008667
Fax:+44.8719008668


Record last updated 08-02-2004 04:06:31 PM
Record expires on 06-13-2005
Record created on 06-13-2003

Domain servers in listed order:
NS0.HQHOST.NET 64.237.37.72
NS1.HQHOST.NET 64.237.41.94




--
[whois.networksolutions.com]
Results:

Registrant:
Yambo Financials Ltd (FJWNQVESWD)
14 Hook Road, Epsom, Surrey
KT19 8TH, United Kingdom
Surrey, UK KT19 8TH
UK

Domain Name: YAMBOCARDS.COM

Administrative Contact:
Yambo Financials Ltd (YKGPBXLJNO) yambocards@hotmail.com
14 Hook Road, Epsom, Surrey
KT19 8TH, United Kingdom
Surrey, UK KT19 8TH
UK
+1-866-YAMBOCS

Technical Contact:
Network Solutions, Inc. (HOST-ORG) customerservice@networksolutions.com
13200 Woodland Park Drive
Herndon, VA 20171-3025
US
1-888-642-9675 fax: 571-434-4620

Record expires on 04-Apr-2004.
Record created on 04-Apr-2003.
Database last updated on 3-Jan-2004 21:22:39 EST.

Domain servers in listed order:

NS1.SMARTDNS.ORG 64.49.244.204
NS2.SMARTDNS.ORG 209.51.142.198
NS1.SMARTNIC.ORG 207.44.143.227
NS2.SMARTNIC.ORG 66.111.52.49

__________


Registrant:
Yambo Financials Ltd.
14 Hook Road
Epsom, Not Applicable 19KT 8TH
GB
+44.8719008667
Fax:+44.8719008668

Domain Name: YAMBOBANK.COM

Administrative Contact:
Support, Customer support@yambo.biz
14 Hook Road
Epsom, Not Applicable 19KT 8TH
GB
+44.8719008667
Fax:+44.8719008668

Technical Contact: Support, Customer support@yambo.biz
14 Hook Road
Epsom, Not Applicable 19KT 8TH
GB
+44.8719008667
Fax:+44.8719008668

Record last updated 07-31-2003 05:14:57 AM
Record expires on 07-07-2005
Record created on 07-07-2003

Domain servers in listed order:
NS1.YAMBO.BIZ 66.111.36.80
NS2.YAMBO.BIZ 69.93.6.13


____________


Domain Name: YAMBO.BIZ
Domain ID: D2914606-BIZ
Sponsoring Registrar: INTERCOSMOS MEDIA GROUP, INC. D.B.A. DIRECTNIC.COM
Domain Status: ok
Registrant ID: IMG-495311
Registrant Name: Customer Support
Registrant Organization: Yambo Financials Ltd.
Registrant Address1: 14 Hook Road
Registrant City: Epsom
Registrant State/Province: Not Applicable
Registrant Postal Code: 19KT 8TH
Registrant Country: Great Britain (UK)
Registrant Country Code: GB
Registrant Phone Number: +44.8719008667
Registrant Facsimile Number: +44.8719008668
Registrant Email: support@yambo.biz
...
Name Server: UDNS1.ULTRADNS.NET
Name Server: UDNS2.ULTRADNS.NET
Name Server: NS0.XNAME.ORG
Name Server: NS2.YAMBO.BIZ
Name Server: NS1.YAMBO.BIZ
Name Server: NS1.XNAME.ORG
Created by Registrar: INTERCOSMOS MEDIA GROUP, INC. D.B.A. DIRECTNIC.COM
Last Updated by Registrar: INTERCOSMOS MEDIA GROUP, INC. D.B.A. DIRECTNIC.COM
Domain Registration Date: Thu Apr 11 12:35:11 GMT 2002
Domain Expiration Date: Sat Apr 10 23:59:59 GMT 2004
Domain Last Updated Date: Sun Nov 16 09:40:14 GMT 2003


___________


[whois.directi.com]
Results:

Domain Name: NAME15.COM

Registrant:
Yambo Financials Inc. (DE)
Anton Denysenko (ad@host2010.com)
1001 SW 16th Avenue, #103,
Gainesville
null,32601
US
Tel. +135.23789943
Creation Date: 16-May-2003
Expiration Date: 16-May-2004
Domain servers in listed order:
ns.host2010.com
ns2.host2010.com
Administrative Contact:
Yambo Financials Inc. (DE)
Anton Denysenko (ad@host2010.com)
1001 SW 16th Avenue, #103,
Gainesville
null,32601
US
Tel. +135.23789943
Status: ACTIVE


___________


Registrant:
Eva Payments Limited
20 Maidstone road
Kent
Borough green TN15 8BD
United Kingdom
Registered through: GoDaddy.com
Domain Name: EVAPHARMACY.COM
Created on: 03-Sep-03
Expires on: 03-Sep-06
Last Updated on: 16-Dec-03
Administrative Contact:
Bortnikov, Sergey evapayments@hotmail.com
Eva Payments Limited
20 Maidstone road
Kent
Borough green TN15 8BD
United Kingdom
8704581886 Fax -- 8704581887
Domain servers in listed order:
NS1.SMARTDNS.ORG
NS2.SMARTDNS.ORG
NS1.SMARTNIC.ORG

NS2.SMARTNIC.ORG

___________


> Yambo Financials Ltd.
> 14 Hook Road, Epsom, Surrey,
> KT19 8TH, United Kingdom
> 1.866.YAMBOCS
> (US and Canada)
> +1.212.301.7424

New York City area code.

Vegas World Casino - online gambling center!
Vegas World Casino is owned and operated by Eva Payments Ltd.
http://www.vegasworld.net/billingpolicy.shtml
- contains the same information as above



Companies House Britain

Name & Registered Office: EVA PAYMENTS LIMITED
20 MAIDSTONE ROAD <--- linkbill.com old address
BOROUGH GREEN
SEVENOAKS, KENT TN15 8BD
Status: Active
Company Type: Private Limited Company
Nature Of Business: None registered
Company No.: 04594965
Date of Incorporation: 19/11/2002
Country of Origin: United Kingdom



domain: vegasworld.net
status: production
organization: Eva Payments Limited
email: evapayments@hotmail.com <-- spam for EVAPHARMACY.COM
address: 20 Maidstone road
address: Borough green, Sevenoaks
city: Borough green
postal-code: Kent TN15 8BD
country: GB
admin-c: evapayments@hotmail.com#0
tech-c: evapayments@hotmail.com#0
billing-c: evapayments@hotmail.com#2
nserver: ns1.named1.net
nserver: ns2.named1.net
registrar: JORE-1
created: 2001-11-30 16:50:41 UTC cosmos
modified: 2003-08-15 09:12:57 UTC JORE-1
expires: 2006-11-30 16:50:41 UTC
source: joker.com

db-updated: 2004-01-04 02:21:43 UTC


_________


[whois.dotster.com]

Registrant:
Kernel Network LLC
5 Starboard Center Suite 20
Bethany Beach, De 19930
US

Registrar: DOTSTER
Domain Name: NAMED1.NET
Created on: 29-NOV-01
Expires on: 29-NOV-04
Last Updated on: 30-OCT-03

Administrative, Technical Contact:
Vic, Andy owner@named1.com
Kernel Network LLC
5 Starboard Center Suite 20
Bethany Beach, De 19930
US
270-637-4721
270-637-4721

Domain servers in listed order:
NS1.XTRAFF.COM
NS2.XTRAFF.COM


__________


[whois.dotster.com]

Registrant:
Globetime Ltd.
788-790 Finchley Road
London, UK NW11 7TJ
GB

Registrar: DOTSTER
Domain Name: LINKBILL.COM
Created on: 16-JAN-01
Expires on: 16-JAN-05
Last Updated on: 15-NOV-02

Administrative Contact:
Melrow, Joel admin@linkbill.com
Globetime Ltd.
788-790 Finchley Road
London, UK NW11 7TJ
GB
+44 845 458 9654
+44 845 458 9653

Technical Contact:
Melrow, Joel admin@linkbill.com
Globetime Ltd.
788-790 Finchley Road
London, UK NW11 7TJ
GB
+44 845 458 9654
+44 845 458 9653

Domain servers in listed order:
NS1.LINKBILL.COM
NS2.LINKBILL.COM


_____________

There is indeed a Yambo Financials registered in the UK

Companies House Britain

Name & Registered Office: YAMBO FINANCIALS LIMITED
OCTAGON HOUSE, FIR ROAD
BRAMHALL, STOCKPORT
CHESHIRE SK7 2NP
Status: Active
Company No.: 04441960
Date of Incorporation: 20/05/2002
Country of Origin: United Kingdom
Company Type: Private Limited Company
Nature Of Business: 7484 - other business activities
Last Members List: 20/05/2003


There are a number of companies registered using that address. It appears to be the office of Davenport Company Services.


____________


[whois.net.ua]
Results:
% Ukrainian Whois server.
% Please visit http://whois.com.ua for more information.
% Rights restricted by copyright.

domain: million.dp.ua
nserver: ns.million.dp.ua 195.248.163.58
nserver: ns2.trifle.net 195.24.128.164
mnt-by: MILLION-MNT
source: APEX

__________


yambo.biz MX 30 gecko.yambo.biz
yambo.biz MX 10 million.dp.ua
yambo.biz MX 20 rara.yambo.biz
yambo.biz NS NS0.XNAME.ORG
yambo.biz NS NS1.XNAME.ORG
yambo.biz NS ns1.yambo.biz
yambo.biz NS NS2.yambo.biz
yambo.biz NS UDNS1.ULTRADNS.NET
yambo.biz NS UDNS2.ULTRADNS.NET
gecko.yambo.biz A 69.93.6.10
rara.yambo.biz A 66.111.36.80 [S333 - sago/unitedcolo]
NS0.XNAME.ORG A 195.20.105.149
NS1.XNAME.ORG A 213.133.115.5
ns1.yambo.biz A 66.111.36.80
NS2.yambo.biz A 69.93.6.13
UDNS1.ULTRADNS.NET A 204.69.234.1
UDNS2.ULTRADNS.NET A 204.74.101.1

million.dp.ua A 195.248.185.130
million.dp.ua A 195.248.163.58
million.dp.ua NS ns.million.dp.ua
million.dp.ua NS ns2.trifle.net
ns.million.dp.ua A 195.248.163.58
ns2.trifle.net A 195.24.128.164





named1.net NS ns2.xtraff.com
named1.net NS ns1.xtraff.com
ns2.xtraff.com A 69.31.87.2 [S2513]
ns1.xtraff.com A 69.31.86.14

________

Hosted at Russian lang hosts -

nLayer Communications, Inc. NLYR-ARIN-BLK2 (NET-69-31-0-0-1)
69.31.0.0 - 69.31.143.255
Pilosoft, Inc. NLYR-69-31-80-0-1 (NET-69-31-80-0-1)
69.31.80.0 - 69.31.87.255
KERNELNETWORKLLC KERNELNETWORKLLC-001 (NET-69-31-86-0-1)
69.31.86.0 - 69.31.86.255

OrgName: Pilosoft, Inc.
OrgID: PILOS
Address: 55 Broad St, 3rd Fl
City: New York
StateProv: NY
PostalCode: 10004
Country: US

NetRange: 69.31.80.0 - 69.31.87.255
CIDR: 69.31.80.0/21
NetName: NLYR-69-31-80-0-1
NetHandle: NET-69-31-80-0-1
Parent: NET-69-31-0-0-1
NetType: Reallocated
NameServer: NS5.PILOSOFT.COM
NameServer: NS6.PILOSOFT.COM
Comment:
RegDate: 2003-08-16
Updated: 2003-08-16

OrgTechHandle: ALEXP1-ARIN
OrgTechName: Pilosov, Alex
OrgTechPhone: +1-212-632-6123
OrgTechEmail: alex@pilosoft.com

OrgName: KERNELNETWORKLLC
OrgID: KERNE
Address: 5 Starboard Center Suite 20
City: Bethany Beach
StateProv: DE
PostalCode: 19930
Country: US

NetRange: 69.31.86.0 - 69.31.86.255
CIDR: 69.31.86.0/24
NetName: KERNELNETWORKLLC-001
NetHandle: NET-69-31-86-0-1
Parent: NET-69-31-80-0-1
NetType: Reallocated
NameServer: NS1.XTRAFF.COM
NameServer: NS2.XTRAFF.COM
Comment:
RegDate: 2003-08-26
Updated: 2003-08-26

OrgTechHandle: NOC1345-ARIN
OrgTechName: NOC
OrgTechPhone: +1-866-356-2437
OrgTechEmail: noc@host-system.com




[whois.dotster.com]
Kernel Network LLC
5 Starboard Center Suite 20
Bethany Beach, DE 19930
US

Registrar: DOTSTER
Domain Name: HOST-SYSTEM.COM
Created on: 30-JUN-01
Expires on: 30-JUN-04
Last Updated on: 16-OCT-03

Administrative, Technical Contact:
Vic, Andy owner@named1.com
Kernel Network LLC
5 Starboard Center Suite 20
Bethany Beach, DE 19930
US
270-637-4721
270-637-4721

Domain servers in listed order:
NS1.XTRAFF.COM
NS2.XTRAFF.COM
NS3.XTRAFF.COM

End of Whois Information

_______________

[whois.dotster.com]
Registrant:
Extreme Networks
88-331 Palm road
Sukhdrischinsk, Papua d3345
PG

Registrar: DOTSTER
Domain Name: BANNEDHOST.NET
Created on: 06-SEP-02
Expires on: 06-SEP-04
Last Updated on: 10-SEP-03

Administrative Contact:
Vic, Andy root@host-system.com
Host-System Backbone Ltd.
29 Brighton 8 street
Brooklyn, NY 11235
US
+1-702-554-64-66
+1-702-554-64-66

Technical Contact:
Vic, Andy root@host-system.com
Host-System Backbone Ltd.
29 Brighton 8 street
Brooklyn, NY 11235
US
+1-702-554-64-66
+1-702-554-64-66

Domain servers in listed order:
NS1.NAMED1.NET
NS2.NAMED1.NET

End of Whois Information


____________________________

More child porn...
http://www.spamhaus.org/sbl/sbl.lasso?query=SBL13623


Brit info -

Yambo Financials Ltd.
14 Hook Road, Epsom, Surrey,
KT19 8TH, United Kingdom
tel: +44 (0) 871-9008-668
fax: +44 (0) 871-9008-668
tel.: +1-866-YAMBOCS
(toll-free for USA and Canada)
support@yambo.biz

Seen/checked out that address due to spam connections over a year ago, and it does exist - but it's listed as a residential area:

14 Hook Road, EPSOM, Surrey KT19 8TH,(KT19-8TH-1D9)
Registered Occupants: JUEL AHMED, MOJAHID ALI, ANWAR ISLAM, SALEHA KHATUN
No hits on British White Pages (Phone Book) for those names/that location

+44 871 is a UK rerouting code, with a premium price tag (15c/minute)
Rerouting meaning it probably ends up in Russia...

USA, WA state?
support@yambo.biz,
by mail: 16541 Redmond Way Ste 261-C,
Redmond WA 98052,

USA, NY state?
or by phone: 212-301-7424.

USA, Florida?!
Yambo Financials Inc.
1001 SW 16th Avenue, #103
Gainesville, FL 32601
US
1.212.301.7424

This address is an apartment complex.

Then the domains... note how they secondary on a free DNS service (XNAME)...

Registrant:
Yambo Financials Ltd.
14 Hook Road
Epsom, Not Applicable 19KT 8TH
GB
+44.8719008667
Fax:+44.8719008668


Domain Name: YAMBOCS.COM

Administrative Contact:
Support, Customer support@yambo.biz
14 Hook Road
Epsom, Not Applicable 19KT 8TH
GB
+44.8719008667
Fax:+44.8719008668


Technical Contact:
Support, Customer support@yambo.biz
14 Hook Road
Epsom, Not Applicable 19KT 8TH
GB
+44.8719008667
Fax:+44.8719008668


Record last updated 06-25-2003 03:49:22 AM
Record expires on 10-03-2008
Record created on 10-03-2002

Domain servers in listed order:
NS1.YAMBO.BIZ 66.111.36.80
NS2.YAMBO.BIZ 69.93.6.13
NS0.XNAME.ORG 195.20.105.149
NS1.XNAME.ORG 213.133.115.5
UDNS1.ULTRADNS.NET 204.69.234.1
UDNS2.ULTRADNS.NET 204.74.101.1

_________

Registrant:
Yambo Financials Ltd.
14 Hook Road
Epsom, Not Applicable 19KT 8TH
GB
+44.8719008667
Fax:+44.8719008668


Domain Name: YAMBOBANK.COM

Administrative Contact:
Support, Customer support@yambo.biz
14 Hook Road
Epsom, Not Applicable 19KT 8TH
GB
+44.8719008667
Fax:+44.8719008668


Technical Contact:
Support, Customer support@yambo.biz
14 Hook Road
Epsom, Not Applicable 19KT 8TH
GB
+44.8719008667
Fax:+44.8719008668


Record last updated 07-31-2003 05:14:57 AM
Record expires on 07-07-2005
Record created on 07-07-2003

Domain servers in listed order:
NS1.YAMBO.BIZ 66.111.36.80
NS2.YAMBO.BIZ 69.93.6.13

____________

Domain Name: EXCHANGE-STORE.COM
Registrar: ONLINENIC, INC.
Whois Server: whois.OnlineNIC.com
Referral URL: http://www.OnlineNIC.com
Name Server: NS3.YDEDICATED.COM
Name Server: NS4.YDEDICATED.COM
Status: ACTIVE
Updated Date: 12-aug-2003
Creation Date: 12-aug-2003
Expiration Date: 12-aug-2004

Domain Name: YDEDICATED.COM
Registrar: INTERCOSMOS MEDIA GROUP, INC. D/B/A DIRECTNIC.COM
Whois Server: whois.directnic.com
Referral URL: http://www.directnic.com
Name Server: NS0.XNAME.ORG
Name Server: NS1.YAMBO.BIZ
Name Server: NS2.YAMBO.BIZ
Name Server: NS1.XNAME.ORG
Status: ACTIVE
Updated Date: 14-jan-2004
Creation Date: 12-mar-2003
Expiration Date: 12-mar-2005

Registrant:
Yambo Financials Inc.
1001 SW 16th Avenue, #103
Gainesville, FL 32601
US
1.212.301.7424


Domain Name: YDEDICATED.COM

Administrative Contact:
Service, Customer customerservice@yambo.biz
1001 SW 16th Avenue, #103
Gainesville, FL 32601
US
1.212.301.7424


Technical Contact:
Service, Customer customerservice@yambo.biz
1001 SW 16th Avenue, #103
Gainesville, FL 32601
US
1.212.301.7424


Record last updated 11-02-2003 11:38:44 AM
Record expires on 03-12-2005
Record created on 03-12-2003

Domain servers in listed order:
NS1.YAMBO.BIZ 66.111.36.80
NS2.YAMBO.BIZ 69.93.6.13
NS0.XNAME.ORG 195.20.105.149
NS1.XNAME.ORG 213.133.115.5

domain: supportex.net
status: production
organization: IM
owner: Dmitry Tsokur
email: dmitry@imedia.ru
title: CTO
address: Vyborgskaya, 16
city: Moscow
state: RF
postal-code: 125212
country: RU
admin-c: dmitry@digitaldesign.ru#0
tech-c: dmitry@digitaldesign.ru#0
billing-c: dmitry@digitaldesign.ru#0
nserver: ns1.lowesthosting.com
nserver: ns2.lowesthosting.com
registrar: JORE-1
created: 2001-09-24 14:53:47 UTC JORE-1
modified: 2002-09-14 09:23:19 UTC JORE-1
expires: 2004-09-24 08:53:31 UTC
source: joker.com


db-updated: 2004-02-12 17:17:09 UTC


domain: DIGITALDESIGN.RU
type: CORPORATE
nserver: ns1.digitaldesign.ru. 66.111.44.190
nserver: ns2.digitaldesign.ru. 212.188.13.155
state: REGISTERED, DELEGATED
person: DMITRY A TSOKUR
phone: +7 095 2321795
e-mail: dmitry@supportex.net
registrar: RUCENTER-REG-RIPN
created: 2001.10.16
paid-till: 2004.10.16
source: RIPN


Last updated on 2004.02.12 19:03:41 MSK/MSD

__________

Hosted on Foonet criminal spam hoster.

--- looking up http://www.yambocs.com
--- performing WHOIS on "69.65.31.14", please wait...
--- contacting server whois.geektools.com

OrgName: CREATIVE INTERNET TECHNIQUES
OrgID: CRTV
Address: 3982 POWELL ROAD
Address: SUITE 225
City: POWELL
StateProv: OH
PostalCode: 43065
Country: US

NetRange: 69.65.0.0 - 69.65.63.255
CIDR: 69.65.0.0/18
NetName: CRTV
NetHandle: NET-69-65-0-0-1
Parent: NET-69-0-0-0-0
NetType: Direct Allocation
NameServer: NS1.FOONET.NET
NameServer: NS3.FOONET.NET
Comment: abuse@foonet.net or http://abuse.foonet.net to
Comment: report abuse
RegDate: 2003-07-30
Updated: 2003-07-30

TechHandle: CA544-ARIN
TechName: Admin, CIT
TechPhone: +1-740-881-0323
TechEmail: ip-admin@foonet.net

OrgTechHandle: CA544-ARIN
OrgTechName: Admin, CIT
OrgTechPhone: +1-740-881-0323
OrgTechEmail: ip-admin@foonet.net

_________

vpnsurf.com A 62.65.252.226
ssl4all.com A 62.65.252.226
euservers.net A 62.65.252.226
host2010.com A 62.65.252.226
bestteenstgp.com A 62.65.252.226

_________
--- looking up 62.65.252.227

NS.EUSERVERS.NET
NS.NAME14.COM
NS.HOST2010.COM

--- looking up 62.65.252.228

NS2.EUSERVERS.NET
NS2.NAME14.COM
NS2.HOST2010.COM
_________

At: http://ssl4all.com/contact.html

We also reachable online:
By Email info@ssl4all.com
(mailto:mailto:info@vpnsurf.com)
Using ICQ 129442917
(http://wwp.icq.com/scripts/contact.dll?msgto=274104701)

Virtual World Ltd. (c) 2003,All other trademarks and service marks are the properties of their respective owners.
Design by MaximatoR (c) 2003

_________

--- contacting nameserver: ns2.host2010.com [62.65.252.228]

ssl4all.com SOA
origin = ns.euservers.net
mail addr = info@ssl4all.com
serial = 2004051301
refresh = 14400 (4 hours)
retry = 7200 (2 hours)
expire = 3600000 (41 days 16 hours)
minimum ttl = 86400 ()
ssl4all.com NS ns.euservers.net
ssl4all.com NS ns2.euservers.net
ssl4all.com NS ns4.euservers.net
ssl4all.com A 62.65.252.226
ssl4all.com MX 0 ssl4all.com
ftp.ssl4all.com A 62.65.252.226
mail.ssl4all.com CNAME ssl4all.com
localhost.ssl4all.com A 127.0.0.1
www.ssl4all.com CNAME ssl4all.com

--- DNS Zone transfer completed

_______

SBL11410
62.65.252.64/26 @ starman.ee
2003-11-05 17:07:06
Pavka / Artofit / lolitas-art.net/MonsterHost
_______

Registration Service Provided By: NAME15.COM
Contact: support@ssl4all.com
Website: http://name15.com

Domain Name: HOST2010.COM

Registrant:
Virtual World Ltd.
Andrey Burdin (client09@ssl4all.com)
313 Victoria House
Victoria
null,n/a
SC
Tel. +187.78542861

Creation Date: 23-Mar-2000
Expiration Date: 23-Mar-2005

Domain servers in listed order:
ns2.host2010.com
ns.host2010.com


Administrative Contact:
Virtual World Ltd.
Andrey Burdin (client09@ssl4all.com)
313 Victoria House
Victoria
null,n/a
SC
Tel. +187.78542861

Technical Contact:
Virtual World Ltd.
Andrey Burdin (client09@ssl4all.com)
313 Victoria House
Victoria
null,n/a
SC
Tel. +187.78542861

Billing Contact:
Virtual World Ltd.
Andrey Burdin (client09@ssl4all.com)
313 Victoria House
Victoria
null,n/a
SC
Tel. +187.78542861

Status:ACTIVE
_______

Note: Earlier in 2004, name15.com was registered directly by "Yambo Financials" as the registrant. The WHOIS has since been changed to:

Registration Service Provided By: NAME15.COM
Contact: support@ssl4all.com
Website: http://name15.com

Domain Name: NAME15.COM

Registrant:
Individual
Andrey Burdin (ab@ssl4all.com)
Lyakisheva 9-169
Perm
,614051
RU
Tel. +791.27831530

Creation Date: 16-May-2003
Expiration Date: 16-May-2006

Domain servers in listed order:
24572.dns1.myorderbox.com
24572.dns2.myorderbox.com
24572.dns3.myorderbox.com
24572.dns4.myorderbox.com


Administrative Contact:
Individual
Andrey Burdin (ab@ssl4all.com)
Lyakisheva 9-169
Perm
,614051
RU
Tel. +791.27831530

Technical Contact:
Individual
Andrey Burdin (ab@ssl4all.com)
Lyakisheva 9-169
Perm
,614051
RU
Tel. +791.27831530

Billing Contact:
Individual
Andrey Burdin (ab@ssl4all.com)
Lyakisheva 9-169
Perm
,614051
RU
Tel. +791.27831530

Status:ACTIVE

_______

Registration Service Provided By: NAME15.COM
Contact: support@ssl4all.com
Website: http://name15.com

Domain Name: EUSERVERS.NET

Registrant:
Exodus Hosting OU
Roman Cherkesov (info@euservers.net)
Karberi 4
Tallin
null,13812
EE
Tel. +372.53403952

Creation Date: 19-Oct-2003
Expiration Date: 19-Oct-2005

Domain servers in listed order:
ns.euservers.net
ns2.euservers.net


Administrative Contact:
Exodus Hosting OU
Roman Cherkesov (info@euservers.net)
Karberi 4
Tallin
null,13812
EE
Tel. +372.53403952

Technical Contact:
Exodus Hosting OU
Roman Cherkesov (info@euservers.net)
Karberi 4
Tallin
null,13812
EE
Tel. +372.53403952

Billing Contact:
Exodus Hosting OU
Roman Cherkesov (info@euservers.net)
Karberi 4
Tallin
null,13812
EE
Tel. +372.53403952

Status:ACTIVE

_______


Registration Service Provided By: NAME15.COM
Contact: support@ssl4all.com
Website: http://name15.com

Domain Name: BESTTEENSTGP.COM

Registrant:
None
Tema (ataman@nekto.net)
mira 25 78
Moskow
null,118025
RU
Tel. +95.2598928

Creation Date: 28-Mar-2004
Expiration Date: 28-Mar-2005

Domain servers in listed order:
ns.euservers.net
ns2.euservers.net


Administrative Contact:
None
Tema (ataman@nekto.net)
mira 25 78
Moskow
null,118025
RU
Tel. +95.2598928

Technical Contact:
None
Tema (ataman@nekto.net)
mira 25 78
Moskow
null,118025
RU
Tel. +95.2598928

Billing Contact:
None
Tema (ataman@nekto.net)
mira 25 78
Moskow
null,118025
RU
Tel. +95.2598928

Status:ACTIVE

_______


Registration Service Provided By: NAME15.COM
Contact: support@ssl4all.com
Website: http://name15.com

Domain Name: NAME14.COM

Registrant:
Individual
Andrey Burdin (ab@ssl4all.com)
Lyakisheva 9-169
Perm
,614051
RU
Tel. +791.27831530

Creation Date: 11-Nov-2003
Expiration Date: 11-Nov-2004

Domain servers in listed order:
ns.host2010.com
ns2.host2010.com


Administrative Contact:
Individual
Andrey Burdin (ab@ssl4all.com)
Lyakisheva 9-169
Perm
,614051
RU
Tel. +791.27831530

Technical Contact:
Individual
Andrey Burdin (ab@ssl4all.com)
Lyakisheva 9-169
Perm
,614051
RU
Tel. +791.27831530

Billing Contact:
Individual
Andrey Burdin (ab@ssl4all.com)
Lyakisheva 9-169
Perm
,614051
RU
Tel. +791.27831530

Status:ACTIVE
_______

Their "about us" text from a Yambo Bank website:

About the Company

Yambo Financials Ltd. is a USA-based company with its main office located in Seattle, WA. Yambo.biz has appeared on the market of eCommerce at the beginning of 2001. It is a fast growing company that was founded as an online banking solution and is successfully developing as a platform for processing of all payment methods online. Yambo.biz lets any business or consumer with an email address to securely, conveniently, and cost-effectively send and receive payments online. Our network is built on the existing financial infrastructure of bank accounts and credit cards to create a global, real-time payment solution.

Yambo Financials Ltd. is a private company, where 100% of its stocks belong to employees and founders. We have worked with various clients from all over the world. And we have always shown the ability to meet their needs for the most affordable prices. The main business principle for us is giving our customers the fastest response and the best value for money. Our aim is to become a global standard for online payments, offering our service to users in many countries including the United States.

Yambo Financials Ltd. provides a unique service to its clients, called Online Y-Banking. Using Y-Banking services of Yambo.biz you can get a bank account, personal or business, in one of the biggest European banks and you can manage all the funds on your bank account from your browser through Yambo.biz Payment Gateway.

Our Team

We have about 30 people working in Yambo Financials Ltd. All our team members are young and full of energy. Their professionalism and commitment was what helped our company make headway. Our customer support team is dedicated to help you any time you need and can be reached online, by phone, regular mail or email.

Why work with us?

If you are interested in working with us, then our team of qualified specialists stands ready to provide you with expert advice and services. You can contact us any time by email.


==============================================
ICQ# 157-906-563 / 157906563 used in these Russian forum posts:

http://luxuru.com/pbb/topic7680.html&sid=dacef621f951eee5a9ccecf93f44876b
and
http://www.master-x.com/forum/postings/188016/
and
http://209.25.213.58/forum/topics/30011/

(Babelfish translation)
[...]
In order to become a participant in the action, leave your contact information (ICQ, email) and number of your calculation in Yambo.biz here or send to us on email gifts@yambo.biz or ICQ # 157-906-563.

Related URLs
Usenet search for: Yambo Financials

PARTNERS IN SPAM: Pavka / Artofit (or same as)

PARTNERS IN SPAM: Tripac International Limited / Laurence Fagan

PARTNER IN SPAM: Ruslan "Inkey" Hakimov / iNkus LTD

PARTNER IN SPAM: Eddie Davidson (based on shared hosting)


Seem to run, or control much of "teletube.net / whythe-internet.com" spamhaus at SBL13989

The address of this ROKSO record is: http://www.spamhaus.org/rokso/evidence.lasso?rokso_id=ROK3095
Reply: 116 - 181
DarkShado
Posted on: Friday, October 13th, 2006, 10:46pm
New Member


Posts: 5
Looks like as of today's date Yambo.biz is up and working

http://www.yambo.biz/

10/13/06 23:43:57 dns http://www.yambo.biz
Mail for http://www.yambo.biz is handled by yambo.biz
Canonical name: yambo.biz
Aliases:
 http://www.yambo.biz
Addresses:
 66.49.249.188


10/13/06 23:44:38 IP block http://www.yambo.biz
Trying 66.49.249.188 at ARIN
Trying 66.49.249 at ARIN

OrgName:    Canaca-com Inc.
OrgID:      CANAC
Address:    1650 Dundas St East Unit 203
City:       Mississauga
StateProv:  ON
PostalCode: L4X-2Z3
Country:    CA

ReferralServer: rwhois://ns.canaca.net:4321

NetRange:   66.49.128.0 - 66.49.255.255
CIDR:       66.49.128.0/17
NetName:    CANACA-COM
NetHandle:  NET-66-49-128-0-1
Parent:     NET-66-0-0-0-0
NetType:    Direct Allocation
NameServer: NS.CANACA.NET
NameServer: NS2.CANACA.NET
Comment:    Please use abuse@canaca.com for all abuse reports such
Comment:    as SPAM, DDoS Attacks etc. NOTE: This is the only abuse contact and reports
Comment:    sent to any other addresses within Canaca will not be answered !
RegDate:    2004-02-10
Updated:    2004-09-02

RNOCHandle: PLO5-ARIN
RNOCName:   Louro, Paul
RNOCPhone:  +1-905-275-0723
RNOCEmail:  paul@canaca.com

OrgTechHandle: SHE13-ARIN
OrgTechName:   Heriques, Sandro
OrgTechPhone:  +1-905-275-0723
OrgTechEmail:  sandro@canaca.com

# ARIN WHOIS database, last updated 2006-10-13 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.


Checking server [whois.neulevel.biz]

Results:
Domain Name:                                 YAMBO.BIZ
Domain ID:                                   D2914606-BIZ
Sponsoring Registrar:                        INTERCOSMOS MEDIA GROUP, INC. D.B.A. DIRECTNIC.COM
Sponsoring Registrar IANA ID:                291
Domain Status:                               clientTransferProhibited
Domain Status:                               clientUpdateProhibited

Registrant ID:                               IMG-495311
Registrant Name:                             Customer Support
Registrant Organization:                     Yambo Financials Ltd.
Registrant Address1:                         14 Hook Road
Registrant City:                             Epsom
Registrant State/Province:                   Not Applicable
Registrant Postal Code:                      19KT 8TH
Registrant Country:                          Great Britain (UK)
Registrant Country Code:                     GB
Registrant Phone Number:                     +44.8719008667
Registrant Facsimile Number:                 +44.8719008668
Registrant Email:                            pio.yambo@gmail.com

Administrative Contact ID:                   IMG-495311
Administrative Contact Name:                 Customer Support
Administrative Contact Organization:         Yambo Financials Ltd.
Administrative Contact Address1:             14 Hook Road
Administrative Contact City:                 Epsom
Administrative Contact State/Province:       Not Applicable
Administrative Contact Postal Code:          19KT 8TH
Administrative Contact Country:              Great Britain (UK)
Administrative Contact Country Code:         GB
Administrative Contact Phone Number:         +44.8719008667
Administrative Contact Facsimile Number:     +44.8719008668
Administrative Contact Email:                pio.yambo@gmail.com

Billing Contact ID:                          IMG-495311
Billing Contact Name:                        Customer Support
Billing Contact Organization:                Yambo Financials Ltd.
Billing Contact Address1:                    14 Hook Road
Billing Contact City:                        Epsom
Billing Contact State/Province:              Not Applicable
Billing Contact Postal Code:                 19KT 8TH
Billing Contact Country:                     Great Britain (UK)
Billing Contact Country Code:                GB
Billing Contact Phone Number:                +44.8719008667
Billing Contact Facsimile Number:            +44.8719008668
Billing Contact Email:                       pio.yambo@gmail.com

Technical Contact ID:                        IMG-495311
Technical Contact Name:                      Customer Support
Technical Contact Organization:              Yambo Financials Ltd.
Technical Contact Address1:                  14 Hook Road
Technical Contact City:                      Epsom
Technical Contact State/Province:            Not Applicable
Technical Contact Postal Code:               19KT 8TH
Technical Contact Country:                   Great Britain (UK)
Technical Contact Country Code:              GB
Technical Contact Phone Number:              +44.8719008667
Technical Contact Facsimile Number:          +44.8719008668
Technical Contact Email:                     pio.yambo@gmail.com

Name Server:                                 NS.CANACA.NET
Name Server:                                 NS2.CANACA.NET
Created by Registrar:                        INTERCOSMOS MEDIA GROUP, INC. D.B.A. DIRECTNIC.COM

Last Updated by Registrar:                   INTERCOSMOS MEDIA GROUP, INC. D.B.A. DIRECTNIC.COM

Domain Registration Date:                    Thu Apr 11 12:35:11 GMT 2002
Domain Expiration Date:                      Fri Apr 10 23:59:59 GMT 2009
Domain Last Updated Date:                    Wed May 03 15:41:23 GMT 2006

>>>> Whois database was last updated on: Sat Oct 14 03:48:32 GMT 2006 <<<<
Logged Offline
Private Message Reply: 117 - 181
dj
Posted on: Monday, October 16th, 2006, 4:47am Report to Moderator
Super Spam Fighter



Posts: 108
Back with a vengeance this weekend!!

I have had 50 Spam mails yesterday and today so far with -
Cialis Soft Tabs as low as $5.78
Viagra Professional as low as $4.07
Viagra Soft Tabs as low as $4.1
Cialis as low as $5.67
Generic Viagra as low as $3.5
Levitra as low as $11.97
Propecia as low as $1.03

This problem is called Erectile Dysfunction(ED).
The only way to solve it is to take Viagra or Cialis (Super Viagra) medications before you have sex.
You can spend thousands and buy them at your local drug store.
But you can spend less and order same quality Viagra and Cialis at MyCanadianPharmacy on-line store.

They don't go to the MyCanadianPharmacy style website but to the International Legal RX site.

They are all identical text in the message, with a title like "Need some help?", "Tired with your poor health?" and from a name like Reginald, Thomas, Nicholas, Philip, Richard, Gilbert, Geoffrey. So at least at the moment they are easy to filter out.

Dave

"Now its personal"  "Don't get mad, get even!"
Logged Offline
Private Message Reply: 118 - 181
dj
Posted on: Monday, October 16th, 2006, 4:57am Report to Moderator
Super Spam Fighter



Posts: 108
Plus 5 from Pharmacy Express with titles Re: VlkAGRA and content -
Hi,
VlkAGRA for LESS http://www.nimikionldefunhdesunjas.com



Dave

"Now its personal"  "Don't get mad, get even!"
Logged Offline
Private Message Reply: 119 - 181
MarkGiles
Posted on: Monday, October 16th, 2006, 5:44am Report to Moderator
All-Star


Posts: 363
Shut-down instructions for that site are in the McAfee Site Advisor.
You have the plug-in installed, right?  It takes you to
http://www.siteadvisor.com/sites/nimikionldefunhdesunjas.com

You can install the plug-in for Firefox or IE at http://www.siteadvisor.com/
Logged Offline
Private Message Reply: 120 - 181
dj
Posted on: Tuesday, October 17th, 2006, 12:42pm Report to Moderator
Super Spam Fighter



Posts: 108
International Legal RX have excelled themselves this week. Yesterday for three of my email accounts I had 90 identical emails from them (except that they all pointed to a different url), 50 emails today so far.

Is everyone getting this number or am I just getting everyone's rubbish?

Dave

"Now its personal"  "Don't get mad, get even!"
Logged Offline
Private Message Reply: 121 - 181
comdetroit
Posted on: Wednesday, October 18th, 2006, 12:38pm Report to Moderator
Spam Fighter


Gender: Male
Posts: 52
Yes, I have received record numbers of pharmacy spam within the last 3-5 days.

Everything Internet
http://www.comdetroit.com
Detroit Area  
http://www.comdetroit.net
Logged Offline
Site Private Message Reply: 122 - 181
Kev
Posted on: Thursday, October 19th, 2006, 9:05pm Report to Moderator
New Member



Gender: Male
Posts: 2
This may seem like a silly idea, but I was wondering if it is technically possible to give the spammers a dose of their own medicine. Every day I receive 20 - 30 spam emails for My Canadian pharmacy. The obvious solution is to have the spam site shut down. Unfortunately, however, it seems to reappear again just as quickly.

My thought is to create a script that automatically (and continuously) orders their product using bogus credit card details. If multiple people were doing this then surely the spammers' website would become inundated with rubbish and, consequently, become unusable.

I can't see the spammers being in much of a position to turn around and whinge to our service providers that we are giving them a hard time, particularly when it is the spammers themselves that have invited us to purchase their products.

Does anyone else have any thoughts about this plan of attack, or am I just out there with the pixies?
Logged Offline
Private Message Reply: 123 - 181
comdetroit
Posted on: Friday, October 20th, 2006, 9:50pm Report to Moderator
Spam Fighter


Gender: Male
Posts: 52
The spammers couldn't whine because they normally hijack the server they are on. The real problem is that there are idiots out there actually buying from them.

Everything Internet
http://www.comdetroit.com
Detroit Area  
http://www.comdetroit.net
Logged Offline
Site Private Message Reply: 124 - 181
Kev
Posted on: Sunday, October 22nd, 2006, 8:03am Report to Moderator
New Member



Gender: Male
Posts: 2
In that case my idea, if feasible, may help to save these idiots from themselves.

This ties in well with the trend being set by both government and insurance agencies.....Wrap people in so much cotton wool that it is impossible for them to hurt themselves or anyone else. Then take the stupid people (the ones we read about in the Darwin Awards) and give them an extra layer.

IMHO, people who are idiotic enough to resort to purchasing and consuming potentially dangerous drugs from an unknown, faceless source rather than an approved / accredited medical practitioner pretty much deserve what they get.

That does of course assume that they actually receive anything after completing the check-out procedure.
Logged Offline
Private Message Reply: 125 - 181
comdetroit
Posted on: Monday, October 23rd, 2006, 9:13am Report to Moderator
Spam Fighter


Gender: Male
Posts: 52
I'm sure most of these sites are scams similar to phishing scams. If not phishing scams, you probably get fake drugs.  I would never buy anything from an email (there are a few exceptions-I have a few companies that send me special offers which are emails I asked to have sent to me).

Everything Internet
http://www.comdetroit.com
Detroit Area  
http://www.comdetroit.net
Logged Offline
Site Private Message Reply: 126 - 181
spamislame
Posted on: Monday, October 23rd, 2006, 1:11pm Report to Moderator
Spam Fighter


Posts: 66
Hey there.

Kev: I began building precisely what you described sometime back around October of last year. Then they modified their forms so that any third-party script posting would not be recognized. Went back to the drawing board.

I created similar retaliation utilities, with varied success, to go after HealthSuite, Pharmacy Express and several others. The function was always the same:

- Randomly select a product and place an order
- Check out
- Generate realistic-looking but completely fake personal data
- Generate a fake credit card number (numerous types) which would pass the most basic test any site performs, a "mod10" check.

The odds of the account number plus expiration date being valid were one in several trillion. The odds were much more extreme for the personal data.

Mark Giles and I have been investigating and reporting these sites to ISPs for months now. I haven't seen any huge difference in the overall spam tactics these losers employ, only momentary switches in tactics. You can post individual orders one at a time, and combine that with TOR / Privoxy for randomized IP addresses. I notice with the My Canadian Pharmacy sites, if you place enough fake orders from one IP address, it inevitably gets banned (but the spam keeps coming, go figure.)

I'm open to any other form of retaliation against these assholes. Leeching is of no use since the machines they host everything on are actually owned by members of the public, who are unaware that they're being used for these purposes.

Also, comdetroit, you are correct: it's considered a validated fact that nobody has ever received ANY product once they place an order with any of the My Canadian Pharmacy, International LegalRX or US Drugs sites. The FBI and Interpol (not to mention several pharmacy oversight organizations) consider all of these sites to be primarily used for credit card fraud, not the sales of illegal pharmaceuticals.

Mostly fyi.

SiL
Logged Offline
Private Message Reply: 127 - 181
MarkGiles
Posted on: Monday, October 23rd, 2006, 7:19pm Report to Moderator
All-Star


Posts: 363
Many if not most of the Pharmacy sites have a Site Advisor bulletin letting browsers know the nature of the fraud.

Samples
http://www.siteadvisor.com/sites/jiggyelction.com
http://www.siteadvisor.com/sites/rx-euro.com
http://www.siteadvisor.com/sites/badesuntionkederin.com

Site Advisor is a free plug-in that runs on Internet Explorer or Firefox.
Logged Offline
Private Message Reply: 128 - 181
Dave
Posted on: Friday, October 27th, 2006, 4:25pm Report to Moderator
New Member


Posts: 19

Registrant:
Yambo Financials Ltd.
14 Hook Road
Epsom, Not Applicable 19KT 8TH
GB
+44.8719008667
Fax:+44.8719008668


For what it's worth, these UK phone numbers do not work

also
Name & Registered Office:
YAMBO FINANCIALS LIMITED
155 REGENTS PARK ROAD
LONDON
NW1 8BB
Company No. 04441960

       
Status: Active - Proposal to Strike off
Date of Incorporation: 20/05/2002

Country of Origin: United Kingdom
Company Type: Private Limited Company
Nature of Business (SIC(03)):
7499 - Non-trading company
Accounting Reference Date: 31/05
Last Accounts Made Up To: 31/05/2004  (DORMANT)
Next Accounts Due: 31/03/2006 OVERDUE
Last Return Made Up To: 15/06/2005
Next Return Due: 13/07/2006 OVERDUE
Last Members List: 15/06/2005
Previous Names:
No previous name information has been recorded over the last 20 years.
Branch Details
There are no branches associated with this company.

and

Mail Services
Complete Virtual Office for £99 per month

Use our London address for mail reception and forwarding. Your new office address is 155 Regents Park Road, London. You use the full street address and not suite numbers that indicate multiple business at a single address.

You can choose to have your mail sent to you daily, weekly or monthly. All of your mail is handled by trained professionals ensuring complete confidentiality and efficiency.

service provided by  ofiz.com, 155 Regents Park Road, London, England.


Dave- UK resident
Logged Offline
Private Message Reply: 129 - 181
lambe07
Posted on: Saturday, October 28th, 2006, 1:23pm Report to Moderator
New Member


Posts: 1
I am the person that hosted

1 ANDYLAMBE.COM.
2 ATLANTICLIFEQUOTE.COM.
3 CCIPNG.COM.
4 LAMBEFINANCIAL.COM.
5 LAMBESOLUTIONS.COM.
6 PEICREDITBULLETIN.COM.
7 PEILIFEQUOTE.COM.

I was with an awful hosting company and was frequently hacked by spammers and email servers were taken over. I apologize for any inconvenience but can assure you this was not intentional as I absolutely hate spammers. I have since switched hosting companies and this has resolved the issue. You will no longer see spam from any of my domains.
Logged Offline
Private Message Reply: 130 - 181
comdetroit
Posted on: Saturday, October 28th, 2006, 9:17pm Report to Moderator
Spam Fighter


Gender: Male
Posts: 52
I was the one who called you. Thank you for your quick response in helping us fight these idiots. There have been many like you that have been violated by spammers.


Quoted Text
I am the person that hosted

1 ANDYLAMBE.COM.
2 ATLANTICLIFEQUOTE.COM.
3 CCIPNG.COM.
4 LAMBEFINANCIAL.COM.
5 LAMBESOLUTIONS.COM.
6 PEICREDITBULLETIN.COM.
7 PEILIFEQUOTE.COM.

I was with an awful hosting company and was frequently hacked by spammers and email servers were taken over. I apologize for any inconvenience but can assure you this was not intentional as I absolutely hate spammers. I have since switched hosting companies and this has resolved the issue. You will no longer see spam from any of my domains.

I was the one who called you. They have since moved a number of times. Thanks for your help and quick response!

Everything Internet
http://www.comdetroit.com
Detroit Area  
http://www.comdetroit.net
Logged Offline
Site Private Message Reply: 131 - 181
radu
Posted on: Saturday, November 4th, 2006, 11:54am Report to Moderator
New Member


Gender: Male
Posts: 2
Back to the Pharmacy scam.
I've been getting *tons* of emails from, mostly, International Legal Rx, although it's started to widen (stocks and other stuff as well).
Signed up with BlueFrog just before it got shot down.
Using SpamCop ever since, faithfully report each and every email.
Most of them get picked up and reported by SpamCop.
Have not noticed any significant decrease in spam.
I have days I "only" receive 20 emails, days I get 40-50.
But I keep sending them to SpamCop, maybe just maybe "they" will get tired of me and drop my name off the list?  99% of spams are from International Rx.

A new development (at least for me)
I use an identical ID (like firstname.lastname) on a couple of email systems.
One of them is the one I get spammed on.
I started getting spam on the second one, a couple of weeks ago.
I have read somewhere that spammers pick up compromised ID and run it thru using every conceivable domain.
Bet that's how they got to my second ID, as well as the GMAIL account I "never" use.
Anyway, this appears hopeless, does it?
Logged Offline
Private Message Reply: 132 - 181
radu
Posted on: Saturday, November 4th, 2006, 12:01pm Report to Moderator
New Member


Gender: Male
Posts: 2
Oh.
Forgot to mention I complained to the Better Business Bureau in Utah (that's where International Rx claims to be, at least in my spams) and they actually tried contacting Int. Rx.
No such address, they got letter of inquiry back from the post office.
No such corporation/business in Utah.
I was researching this before I "stumbled" into this site/thread.
Logged Offline
Private Message Reply: 133 - 181
voidstar
Posted on: Sunday, November 26th, 2006, 5:55pm Report to Moderator
New Member


Posts: 1
Pharmacy Express are the only a$$hole$ who have been spamming me all throughout the Thanksgiving holiday.  My employer subscribes to Microsoft Exchange Hosting Services (aka Frontbridge) and PE's spam is getting through 100% no matter how many copies I forward to their investigation dept.

Here's the latest info I have:
Domain in all my emails: RX555.com
Code
Domain Name.......... rx555.com
Creation Date........ 2006-11-21 18:05:59
Registration Date.... 2006-11-21 18:05:59
Expiry Date.......... 2007-11-21 18:05:59
Organisation Name.... Bai Ming
Organisation Address. Bei Jing
Organisation Address.
Organisation Address. Bei Jing
Organisation Address. 100021
Organisation Address. BJ
Organisation Address. CN

Admin Name........... Bai Ming
Admin Address........ Bei Jing
Admin Address........
Admin Address........ Bei Jing
Admin Address........ 100021
Admin Address........ BJ
Admin Address........ CN
Admin Email..........  
Admin Phone.......... +86.1076885548
Admin Fax............ +86.1076885548

Name Server.......... ns0.hertunjinkdastion.com
Name Server.......... ns0.vckionldesunjas.com

I did my part and submitted a fake order and here's the response:
Code
We appreciate your choice and are glad to see you among our customers!
All the data regarding your order was sent to the e-mail address mentioned in the registration form, but we would recommend you to save the order ID of your transaction for further queries. Your order ID is RX002-061036. Please print and save the information from this page.

All your questions about the delivery period, bank statement and similar queries connected with the billing services you may address our support team using the e-mail address support@myrxsrvshop.com or by call (toll free numbers: 1-888-241-8489 or 1-888-242-0845). We guarantee the response to your emails within 24 hours.

There is an opportunity to see your purchase status with all the needed information concerning your order at user center. By using user center you can speak with our support representative online. Your user center account available at http://www.pillsuitesupport.com/cgi-bin/userCenter/login.cgi ? userLogin = nIanTiNg & userPassword = siseStIt.

You are granted a 20% discount for all other purchases you will make with us. To take part in the programm and use your discount, please, use this link: http://www.pillsuite.com/index.asp ? userLogin = nIanTiNg & userPassword = siseStIt

Please note that the delivery may be carried out up to 40 days.
Logged Offline
Private Message Reply: 134 - 181
MarkGiles
Posted on: Monday, November 27th, 2006, 3:52pm Report to Moderator
All-Star


Posts: 363
rx555 is no longer accessible. Its name servers can not resolve it

25.0% of queries will end in failure at 121.36.124.62 (ns0.hertunjinkdastion.com) - nameserver loop detected (XIN Net)

25.0% of queries will end in failure at 61.31.214.78 (ns0.vckionldesunjas.com) - query timed out (Beijing Innovative Linkage Technology)

50.0% of queries will end in failure at 203.86.5.34 (ns0.vckionldesunjas.com) - query timed out

For more details see the Site Advisor
http://siteadvisor.com/sites/rx555.com
Logged Offline
Private Message Reply: 135 - 181
MarkGiles
Posted on: Tuesday, November 28th, 2006, 2:58am Report to Moderator
All-Star


Posts: 363
Dammit, the sucker is back.  He moved one of the nameservers to another address

Nameserver 1 = ns0.vckionldesunjas.com [61.163.200.186]            Working
Nameserver 2 = ns0.hertunjinkdastion.com [121.36.124.62]     Timeout

The site that rx555.com is running on is the same as the first nameserver, 61.163.200.186    
Logged Offline
Private Message Reply: 136 - 181
MarkGiles
Posted on: Wednesday, November 29th, 2006, 5:27am Report to Moderator
All-Star


Posts: 363
And then again, today, they are both timing out.
Die, sucker, die.


----------
If this is bullet-proof, it's shot full of holes!
Logged Offline
Private Message Reply: 137 - 181
spamannoyed
Posted on: Wednesday, November 29th, 2006, 1:00pm Report to Moderator
New Member


Posts: 3
I am in no way computer literate, but I am a victim of these spam emails.

I have read through the forums about Pharmacy Express and My Canadian Pharmacy, but I have become confused by recent posts claiming that they are NOT the same company.  The website banner states 'Pharmacy Express' and the pharmacy checker window offers the company address (fake) as My Canadian Pharmacy.  The 'registered' name of the company is quite simply Pharmacy.
So are they the same or not?

Just received another one, but I'm not sure how to access the information to find out who the server is to report them to.  Pretty much a quiet day (so far) as I've only received 8 so far.

Also, could someone answer me this. By clicking on the email's link, will I receive even more spam?

Is it safer to copy and paste into explorer?

Sorry for being naive, but if I have to learn these things to stop spam, then so be it.
Logged Offline
Private Message Reply: 138 - 181
spamannoyed
Posted on: Wednesday, November 29th, 2006, 1:50pm Report to Moderator
New Member


Posts: 3
I've just taken the link from the latest spam and put it in DNSstuff.com under WHOIS lookup.  I'm not sure if this is of any use, but which part should I be looking at to find out who to email?  Further searches with this information show that the actual email addresses blocked out are xxeqwe@hotmail.com.

Am I getting anywhere or just shooting in the dark?

Domain Name.......... neruijinkadesunhafun.com
 Creation Date........ 2006-11-23 18:31:38
 Registration Date.... 2006-11-23 18:31:38
 Expiry Date.......... 2007-11-23 18:31:38
 Organisation Name.... Bai Ming
 Organisation Address. Bei Jing
 Organisation Address.
 Organisation Address. Bei Jing
 Organisation Address. 100021
 Organisation Address. BJ
 Organisation Address. CN

Admin Name........... Bai Ming
 Admin Address........ Bei Jing
 Admin Address........
 Admin Address........ Bei Jing
 Admin Address........ 100021
 Admin Address........ BJ
 Admin Address........ CN
 Admin Email.......... ******@hotmail.com
 Admin Phone.......... +86.1076885548
 Admin Fax............ +86.1076885548

Tech Name............ Bai Ming
 Tech Address......... Bei Jing
 Tech Address.........
 Tech Address......... Bei Jing
 Tech Address......... 100021
 Tech Address......... BJ
 Tech Address......... CN
 Tech Email........... ******@hotmail.com
 Tech Phone........... +86.1076885548
 Tech Fax............. +86.1076885548

Bill Name............ Bai Ming
 Bill Address......... Bei Jing
 Bill Address.........
 Bill Address......... Bei Jing    
 Bill Address......... 100021    
 Bill Address......... BJ    
 Bill Address......... CN  
 Bill Email........... ******@hotmail.com
 Bill Phone........... +86.1076885548
 Bill Fax............. +86.1076885548
 Name Server.......... ns0.hertunjinkdastion.com
 Name Server.......... ns0.vckionldesunjas.com
Logged Offline
Private Message Reply: 139 - 181
Ryan
Posted on: Wednesday, November 29th, 2006, 2:03pm Report to Moderator
Spam Fighter



Posts: 76
Hi spamannoyed,

Forget about e-mailing them, the hotmail addresses are randomly-generated addresses that have a 3-month time to live...

If you really want to stop these guys, you need to attack them by cutting off the nameservers and domains. We did this when they were registered with us, and that killed them for a while, but it looks like they have set up camp elsewhere.

You need to contact:

1) the registrar of the domain: file a false whois records complaint, and cite the domain for spam. An ICANN accredited registrar must act if the whois info is fake (looks fake to me). If a registrar has an anti-spam policy, then this can also help you cut off their site.

Their current registrar is:

  Registrar: BEIJING INNOVATIVE LINKAGE TECHNOLOGY LTD. DBA DNS.COM.CN
  Referral URL: http://www.dns.com.cn

Which is bad. This registrar has 96.10% of all its registered active spamming nameservers still listed as of today (meaning, they don't care if they register spammers).


2) the web host (I don't know who this is off hand)...
In the event that their spamming activities is against the host sales contract,

Replying directly to a spam e-mail, or any address related to it is the best way to get **more** spam...  

A computer once beat me at chess, but it was no match for me at kick boxing.
-- Emo Philips
Logged Offline
Site Private Message Reply: 140 - 181
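Added example (not part of any post in this thread): for the question above about which parts of a WHOIS record matter when reporting, a small Python parser for the two record layouts quoted in this thread. The sample records are abridged from those posts, with the registrar line taken from the reply; the function and key names are this example's own.

```python
import re

# Two layouts appear in the records quoted in this thread:
#   "Name Server.......... host"   (dotted leaders)
#   "NameServer: host"             (colon separated)
_DOTTED = re.compile(r"^\s*([A-Za-z][A-Za-z /]*?)\.+(?=\s|$)\s*(.*)$")
_COLON = re.compile(r"^\s*([A-Za-z][A-Za-z0-9 /()]*?):\s+(.*)$")
_EMAIL = re.compile(r"[A-Za-z0-9._%+*-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
_ROLES = ("admin", "tech", "bill")

# Abridged from the records posted above (registrar line from the reply).
DOMAIN_RECORD = """\
Registrar: BEIJING INNOVATIVE LINKAGE TECHNOLOGY LTD. DBA DNS.COM.CN
Domain Name.......... neruijinkadesunhafun.com
 Creation Date........ 2006-11-23 18:31:38
Admin Name........... Bai Ming
 Admin Address........ Bei Jing
 Admin Address........
 Admin Email.......... ******@hotmail.com
 Admin Phone.......... +86.1076885548
Tech Name............ Bai Ming
 Tech Address......... Bei Jing
 Tech Address.........
 Tech Email........... ******@hotmail.com
 Tech Phone........... +86.1076885548
 Name Server.......... ns0.hertunjinkdastion.com
 Name Server.......... ns0.vckionldesunjas.com
"""

NETBLOCK_RECORD = """\
OrgName:    Canaca-com Inc.
CIDR:       66.49.128.0/17
NameServer: NS.CANACA.NET
NameServer: NS2.CANACA.NET
Comment:    Please use abuse@canaca.com for all abuse reports such
Comment:    as SPAM, DDoS Attacks etc. NOTE: This is the only abuse contact and reports
# ARIN WHOIS database, last updated 2006-10-13 19:10
"""


def parse_whois(text):
    """Return (field, value) pairs in order, keeping repeated fields."""
    pairs = []
    for line in text.splitlines():
        if line.lstrip().startswith(("#", ">")):
            continue  # server banner and footer lines
        m = _DOTTED.match(line) or _COLON.match(line)
        if m:
            key = " ".join(m.group(1).lower().split())
            pairs.append((key, m.group(2).strip()))
    return pairs


def reporting_summary(text):
    """Pull out the fields a registrar or host abuse report needs."""
    pairs = parse_whois(text)

    def unique(keys, lower=False):
        out = []
        for key, value in pairs:
            value = value.lower() if lower else value
            if key in keys and value and value not in out:
                out.append(value)
        return out

    def first(*keys):
        found = unique(keys)
        return found[0] if found else None

    emails = []
    for _, value in pairs:
        for addr in _EMAIL.findall(value):
            if addr.lower() not in emails:
                emails.append(addr.lower())

    # Group the per-role contact blocks so identical ones can be spotted.
    blocks = {}
    for key, value in pairs:
        role, _, field = key.partition(" ")
        if role in _ROLES and field:
            blocks.setdefault(role, []).append((field, value))

    return {
        "domain": first("domain name"),
        "registrar": first("registrar", "sponsoring registrar"),
        "network": first("cidr"),
        "name_servers": unique(("name server", "nameserver"), lower=True),
        "abuse_contacts": [e for e in emails if e.split("@")[0] == "abuse"],
        "masked_contacts": [e for e in emails if "*" in e],
        "identical_role_contacts": len(blocks) > 1
        and len({tuple(b) for b in blocks.values()}) == 1,
    }


if __name__ == "__main__":
    for record in (DOMAIN_RECORD, NETBLOCK_RECORD):
        for field, value in reporting_summary(record).items():
            print(f"{field:24} {value}")
        print()
```

For the domain record the only contact addresses are masked, so the registrar and name servers are what go into a report; for the netblock record the address named in the Comment lines is the one to use.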
spamannoyed
Posted on: Wednesday, November 29th, 2006, 3:00pm Report to Moderator
New Member


Posts: 3
Thanks for your very speedy reply Ryan.  Your advice is greatly appreciated.

Meanwhile I have contacted a police force and the Trading Standards Agency as we are fortunate in the UK to have had a few laws passed this year, which means they have more power to take action against these criminals.

The trading standards are quite interested in the 'pharmaceutical' goods that this company (claims) to offer as they are looking to make an example of someone who offers counterfeit medicines.

Unfortunately, as long as mugs, sorry, people, actually buy from these sites, then the criminals will always have a reason to be there.

Surely it's more embarrassing complaining to a stranger in a call centre that your credit card has been wrongly used for fraudulent purchases and then explaining how the criminals got your details rather than getting a prescription from your GP for 'down there' problems?

Maybe that's why Visa don't think/care that it's a problem as not many of the victims contact them to admit how stupid/naive that they have been.
Logged Offline
Private Message Reply: 141 - 181
MarkGiles
Posted on: Wednesday, November 29th, 2006, 7:48pm Report to Moderator
All-Star


Posts: 363
Here are pharmacy scam sites attributed to Leo Kuvayev, Spamhaus #2 on the top 10 list of spammers

    Pharmacy Express
    Health Suite
    ED Choice
    Finest RX


Here are pharmacy and fake watch sites attributed to Alex Polyakov, Spamhaus #1

    My Canadian Pharmacy
    International Legal RX
    US Drugs / American Pharmacy
    Canadian Health&Care
    Mortgage / Finance
    HGH Life
    Hoodia Life
    Exquisite Replicas (fake watches)
    Caviar


Those lists are not exhaustive.
The records for these two lowlifes are at Spamhaus
http://www.spamhaus.org/statistics/spammers.lasso
Logged Offline
Private Message Reply: 142 - 181
spamislame
Posted on: Wednesday, November 29th, 2006, 9:45pm Report to Moderator
Spam Fighter


Posts: 66

Quoted from spamannoyed
The website banner states 'Pharmacy Express' and the pharmacy checker window offers the company address (fake) as My Canadian Pharmacy.  The 'registered' name of the company is quite simply Pharmacy.  
So are they the same or not?


From an operational and functional standpoint: no.
In terms of where the money trail appears to lead: no.

My Canadian Pharmacy (and the dozens of other sites related to it including US Drugs, International Legal RX, etc.) are part of the Yambo Financials spam gang. There is ample evidence of this, all documented at Spamhaus.

Yambo usually means: Alex Polyakov, but it's a group of indeterminate size. Those sites are alleged to be fronts for credit card and identity theft. Nobody has ever received any actual product after placing an order on these sites.

Their URLs are fairly distinct in nature and are almost always a ".info" domain. They're also shorter in length than the ones for Pharmacy Express. Their "order processing" is extremely non-distinct and offers no confirmation info, even for genuine, legitimate orders.

Pharmacy Express is known to be operated by Leo Kuvayev, part of the Pavka/Artovit gang. These sites apparently do actually ship their (illegal, fake) pharmaceuticals after orders are placed, and there is a highly sophisticated order tracking system behind these sites. The domains which are spamvertised for these sites are identical in naming convention to those being used as command and control of the recently-discovered spamthru bot virus. (aka warezov)

This first link draws the distinct comparison between the two:

http://www.f-secure.com/weblog/archives/archive-112006.html#00001018

The rest are essentially monitoring new variants:

http://www.f-secure.com/weblog/archives/archive-112006.html#00001029
http://www.f-secure.com/weblog/archives/archive-112006.html#00001027

If you've seen Pharmacy Express domains lately, the format of those urls should be recognizable.

So yes: they are different and distinct from a number of different viewpoints.

Recently we've seen some odd behavior in that some urls are spamvertised which either redirect to a US Drugs site, or act like a Pharmacy Express site. This is interesting in that it may mean: they're both from the same place. Or: it could mean that Yambo and BadCow are joining forces.


Quoted from spamannoyed
Just received another one, but I'm not sure how to access the information to find out who the server is to report them to.  Pretty much a quiet day (so far) as I've only received 8 so far.


They have been pretty slow lately. I am seeing a lot more for Man-XL sites. Besides stocks that's about it.

Reporting them: they never give a working email address at any point. Not on the sites themselves, not in the domain registration, not in the DNS server registration.

You can report the DNS servers to the appropriate registrars (search on any of the postings by Mark Giles on this forum, he outlines the process in great detail.) That so far does eventually work.


Quoted from spamannoyed
Also, could someone answer me this. By clicking on the email's link, will I receive even more spam?


Nothing makes any difference. Not clicking on any link doesn't decrease it. I've clicked on almost every single link for the past eight months and I saw no difference whatsoever. The only ones I would ever alter are those with tracking subdomains. EDChoice is the most recent example of that feature. Removing the subdomain presents a so-called "opt out" page (which - guess what? - doesn't work.)


Quoted from spamannoyed
Is it safer to copy and paste into explorer?


Wait, what? You just said "Explorer" and "safer" in the same sentence.

I would never recommend anyone EVER use Explorer. If an exploit is one day run on any of these sites: Explorer will run it. Period. Use FireFox. I can't stress that enough. MUCH safer browser.

And no: copying and pasting has absolutely no effect on the resulting url's operation.


Quoted from spamannoyed
Sorry for being naive, but if I have to learn these things to stop spam, then so be it.


Understood.

You definitely should stop using IE if you plan on investigating any of this stuff.

Sorry to go on but you did ask for whether they were different and that's not easy to answer briefly.

SiL
Logged Offline
Private Message Reply: 143 - 181
Ryan
Posted on: Wednesday, November 29th, 2006, 11:46pm Report to Moderator
Spam Fighter



Posts: 76

Quoted from spamislame


I would never recommend anyone EVER use Explorer. If an exploit is one day run on any of these sites: Explorer will run it. Period. Use FireFox. I can't stress that enough. MUCH safer browser.


Double that!

Get this now: http://www.mozilla.com/en-US/firefox/

I will go one step further: get a Mac! (the new generation will let you install Window$ as well...so you can keep your XP apps)

I use the 3 major OS (Mac, Linux, and to reproduce client error messages, Window$), and I can tell you that the first two are without any question the safest (for various technical and social reasons).

Spamislame is totally correct: nobody has *any* business using Internet Explorer these days.



A computer once beat me at chess, but it was no match for me at kick boxing.
-- Emo Philips
Logged Offline
Site Private Message Reply: 144 - 181
conolan
Posted on: Thursday, December 7th, 2006, 3:05am Report to Moderator
New Member


Posts: 1
I'm forwarding my pharmacy express emails to askvisausa@visa.com. Pharmacy Express say they take Visa only. Can we lean on Visa and get them to stop providing merchant services?
Logged Offline
Private Message Reply: 145 - 181
spamislame
Posted on: Monday, December 11th, 2006, 10:33am Report to Moderator
Spam Fighter


Posts: 66

Quoted from conolan
I'm forwarding my pharmacy express emails to askvisausa@visa.com. Pharmacy Express say they take Visa only. Can we lean on Visa and get them to stop providing merchant services?


I have been attempting to do just that since May of this year. I receive no response whatsoever. The more immediate problem is finding out who is actually processing their orders for them. Since that all occurs on the back end only, we may never know.

Credit card companies always market themselves as "looking out for consumers" when it comes to fraud or personal data. In reality I notice that they never respond to ANY complaint regarding illegal or fraudulent activity on these sites. I'll never understand that.

If you have any better luck, post about it here.

SiL
Logged Offline
Private Message Reply: 146 - 181
phrodude
Posted on: Thursday, December 14th, 2006, 2:28pm Report to Moderator
New Member


Posts: 2
A question that I was wondering about?

Can't we/someone just spam the spammers? We know who 'they' are, Leo Kuvayev and co. I'm sure there is a way to get their own email addresses as I'm sure this problem does affect some people who are capable of finding them...
Logged Offline
Private Message Reply: 147 - 181
Ryan
Posted on: Thursday, December 14th, 2006, 3:40pm Report to Moderator
Spam Fighter



Posts: 76
Sure, one can spam them, and indeed it is not difficult to get one of their real e-mail addresses. However that is not really a solution, because it does not provide an incentive for them to change their behavior.

It is like a parent yelling at a kid to stop yelling...What does the kid learn, but that he who yells loudest and longest wins...

Spammers will be stopped when that activity is no longer rewarded by suckers who 'purchase' the products, when it is made illegal to do so in every corner of the globe, when the trustee authorities and registrars come together with a clear objective to block such activity, when all web hosts or contacts of registered servers are held liable for the spamming activity that they willingly condone, and when it is easier to pursue spammers legally across international borders.

There are some problems though: free speech (and what that means to various countries and how it influences their laws), free markets, capitalist forces (ethics vs. greed), human nature, slow market evolution, conflicting cultural and international regulatory aims regarding domain name registration rules, technological barriers, different laws and systems of government between states and nations, the windows operating system.

We just have to take it one step at a time, and across international borders (though pretty much all the spam originates in the United States: http://www.spamhaus.org/statistics/countries.lasso )




A computer once beat me at chess, but it was no match for me at kick boxing.
-- Emo Philips
Logged Offline
Site Private Message Reply: 148 - 181
MarkGiles
Posted on: Thursday, December 14th, 2006, 3:40pm Report to Moderator
All-Star


Posts: 363
Shutting down their bizzniss has more effect.
Anyone can defeat a spam attack by
1. change email address and let just your friends know
2. effective filters
Logged Offline
Private Message Reply: 149 - 181
Ryan
Posted on: Thursday, December 14th, 2006, 3:45pm Report to Moderator
Spam Fighter



Posts: 76
I agree with Mark on this,

For example, I get roughly 2000+ spams per day, and only  4 or 5 make it through my filters.
I will also add, get a Mac, or use a Linux distribution.

A computer once beat me at chess, but it was no match for me at kick boxing.
-- Emo Philips
Logged Offline
Site Private Message Reply: 150 - 181
phrodude
Posted on: Thursday, December 14th, 2006, 4:25pm Report to Moderator
New Member


Posts: 2
Ok, so I do agree with all those points.

This is where I'm coming from though. Spamming will not end anytime soon or in my view to a satisfactory conclusion. I own a Mac and use OSX and don't have a major problem with spam, but I find it very irritating. I recently started getting spam at work too; yet again not a big problem, my filters work and the furthest they get is my spam box, but still irritating.

I had problems before with spam (windows, IE, etc...). I don't like the fact that I have to change my email address just to avoid it and wait for it to pile up again and so on... while these guys get off hassle free.

Between now and when a real solution is reached (as you rightly pointed out), I'd like to be able to have the pleasure of knowing that these guys are getting a taste of their own medicine. However petty that may sound, sometimes it's the small things that make it all that much easier.
Logged Offline
Private Message Reply: 151 - 181
Ryan
Posted on: Thursday, December 14th, 2006, 4:32pm Report to Moderator
Spam Fighter



Posts: 76
In other words: a terrorist's terrorist.

That is nonetheless a horrible cycle where vengeance rules over justice, but nonetheless it is understandable and human, so nobody will blame you for feeling that way, certainly not me.

I suppose the best solution is to find your personal role in the anti-spam movement and carry it out to the furthest extent possible. You can then take comfort in knowing that you are helping the larger effort in a tangible way - and one that is offensive and not defensive.

A computer once beat me at chess, but it was no match for me at kick boxing.
-- Emo Philips
Logged Offline
Site Private Message Reply: 152 - 181
spamislame
Posted on: Thursday, December 14th, 2006, 9:38pm Report to Moderator
Spam Fighter


Posts: 66

Quoted from phrodude
I don't like the fact that I have to change my email address just to avoid it and wait for it to pile up again and so on... while these guys get off hassle free.


You have just outlined precisely what got me started fighting these bastards.

I consider filters to be an insult. The very notion that the entire world is expected to filter more than 90% of all email so they can get to the piddly 10% or less that is actually their real communications makes me absolutely livid. I recognize we won't stop that problem anytime in the immediate future but it pisses me off greatly that nobody in an official position has moved a single muscle to do anything. So it falls to ragtag groups like this one, or the ones on thescambaiter or thecarpcstore. So be it.

You can retaliate quite effectively (and I do mean retaliate, not just filter and hope that more doesn't show up, because it will) by reporting every goddamn domain you find spamvertised in your overflooded inbox. There are lots of avenues within this and other forums which will outline how to do so and to whom.

Besides that, people like me build retaliation utilities to fight back against one or more of the most common sites out there which maliciously continue to flood our email addresses with absolute mess that we never asked for.

Take a look around. You will find them. Take a closer look at the spam coming in and make a note of which domains come in, and for which "products." Then look for (or ask for the location of) retaliation tools for those sites.

Sorry to run off again. It frustrates me that all these years later nobody is actually stopping these assholes.

SiL
Logged Offline
Private Message Reply: 153 - 181
dj
Posted on: Sunday, December 17th, 2006, 5:30am Report to Moderator
Super Spam Fighter



Posts: 108
The problem with reporting is -
1. The sheer quantity. I got 145 spam mails yesterday, probably not many compared to some people but enough. I could spend all day just sending off reports to the registrars. I have set up some rules to help sort them so that at least I can report a load of replica watches one day and all the approved loan applications the next in one go.
2. The inertia or complicity of some of the registrars to spamming. I have been getting one variety of spam mail since September offering loans if I fill out a form. A variety of urls are used - ahrw015.com, ahs015.com, ui732.com, hl523.com, ui730.com, ui728.com, af370.com, ui727.com, ui725.com, jf132.com, fg679.com, by131.com, af367.com, fg327, ui398.com and 5656fg.com among others. All on nameservers hosted by BEIJING INNOVATIVE, several hundred complaints / removal requests sent. All ignored. When I last checked all these sites still work.

It won't stop me though. If everyone did this rather than a dedicated few, the sites would get taken down faster and it would be less profitable to spam. This is all about profit, which is why filters don't help, they don't reduce profit, taking down sites does reduce profit!


Dave

"Now its personal"  "Don't get mad, get even!"
Logged Offline
Private Message Reply: 154 - 181
Ryan
Posted on: Sunday, December 17th, 2006, 6:00am Report to Moderator
Spam Fighter



Posts: 76
I would be interested in seeing if these are disposable domains (created and destroyed within 5 days to avoid the Registry fee to the registrar, thus allowing the registrar to not be charged for the creation of the domain, and thus the spammer getting the domains for free for a 5-day spamming spree). Has anyone looked into this technical possibility?

A computer once beat me at chess, but it was no match for me at kick boxing.
-- Emo Philips
Logged Offline
Site Private Message Reply: 155 - 181
dj
Posted on: Sunday, December 17th, 2006, 12:50pm Report to Moderator
Super Spam Fighter



Posts: 108
No, these ones are permanent urls. ui398.com was around early September and I have just checked and it is still active and working. You get your money's worth with a Spam site on Beijing Innovative servers! I don't know why they bother going anywhere else.

Dave

"Now its personal"  "Don't get mad, get even!"
Logged Offline
Private Message Reply: 156 - 181
Ryan
Posted on: Sunday, December 17th, 2006, 1:11pm Report to Moderator
Spam Fighter



Posts: 76
Wow. That is incredible  

A computer once beat me at chess, but it was no match for me at kick boxing.
-- Emo Philips
Logged Offline
Site Private Message Reply: 157 - 181
moragmac
Posted on: Wednesday, December 27th, 2006, 9:35am Report to Moderator
New Member


Posts: 2
I also get some spam from Pharmacy Express and I own a Mac.  My husband and I have email adds and the only spam goes to his adds and not to mine.  We do not get many but they are still irritating.  I am glad I found this site and will try some of the suggestions.  Thanks.
Logged Offline
Private Message Reply: 158 - 181
spamislame
Posted on: Wednesday, December 27th, 2006, 12:33pm Report to Moderator
Spam Fighter


Posts: 66

Quoted from moragmac
I also get some spam from Pharmacy Express and I own a Mac.  My husband and I have email adds and the only spam goes to his adds and not to mine.  We do not get many but they are still irritating.  I am glad I found this site and will try some of the suggestions.  Thanks.


I'd just like to chime in here: running a mac is absolutely no protection against spammers. Your email address is likely handled via a unix server, that makes no difference either. Spammers will do anything they can, legal or not (usually not), to capture as many live email addresses as possible. Once they get them, whether a live human being can read the messages they send or not, they will spam it. Count on it.

SiL
Logged Offline
Private Message Reply: 159 - 181
gwilliams290
Posted on: Thursday, December 28th, 2006, 12:38pm Report to Moderator
New Member


Posts: 1
OK, I'm going to add myself to the list of the abused by the Pharmacy Express folks. I'm also getting about 25-30 e-mails a day from these guys. So far I've been just adding each mailing to my "blocked sender" list. I've been doing that for the last few days so I should be up on them by about 75 "blocks". Ooops, it sounds like they're adding more new sites per day than I can block.
Seriously, I'm open to any real solutions to slow/stop these guys.
Logged Offline
Private Message Reply: 160 - 181
Ryan
Posted on: Thursday, December 28th, 2006, 4:46pm Report to Moderator
Spam Fighter



Posts: 76
Hi Sil,

Right you are: a mac will NOT make a difference in the spam you get. It will protect the user from nasty attachments or links that sometimes may accompany them though. I should have been more clear on this point. Thanks for taking me to task.

The other day I had a URL that pointed to an .exe file that was reported to contain a virus. Only problem: I had to find a PC to run it on because it was harmless (read: dead in the water) on my Linux and Mac, and I had to independently test it...

So I still recommend that any anti-spammer (and everyone else in the world for that matter) use a (properly configured) Mac or Linux as their workhorse, just to add an extra level of security, and to prevent their computer from being turned into a zombie computer (http://en.wikipedia.org/wiki/Zombie_computer) for spammers to launch Denial of Service Attacks like the one that targeted Blue Frog this year, or to relay spam.

A computer once beat me at chess, but it was no match for me at kick boxing.
-- Emo Philips
Logged Offline
Site Private Message Reply: 161 - 181
Rob
Posted on: Friday, January 12th, 2007, 4:35am Report to Moderator
New Member


Posts: 1
First, sorry for my bad English, I am from the Netherlands. I have been spammed by Pharmacy Express Corp since the end of December 2006. In the beginning with text spam and now with picture spam. They use different e-mail addresses from all over the world every time.

On their website they have a licence file with the following address:

Pharmacy Express Corp
1460 Don Mills Rd. at York Mills, 2rd floor
Don Mills, ON M3B 2X9
Probably Ontario, Canada

I hope this information will help against this idiot pill spammer.

Rob
Logged Offline
Private Message Reply: 162 - 181
spamislame
Posted on: Friday, January 12th, 2007, 9:13am Report to Moderator
Spam Fighter


Posts: 66
That address is, of course, completely fake. (also: "2rd"?!)

We've been combatting these morons for the past year or more. Nobody knows where they *actually* are. They lie with every single word on their site.

If you look around you will find tons of information on these spammers, and even a few tools to fight back.

SiL
Logged Offline
Private Message Reply: 163 - 181
gfix
Posted on: Friday, January 12th, 2007, 9:39am Report to Moderator
New Member


Posts: 1
I'm adding my name to the long list of victims. I've fought spam valiantly for years now. I have my own domain, and I've employed tricks since the very first moment I had it to combat spam. I always sign up for exampledomain things online with exampledomainSIGNUP@mydomain.com (wherein exampledomain is their domain name, and mydomain is my actual domain). When/if they sell my name, I know who sold me out to whom, and I've caught out businesses several times that way over the years. If a particular SIGNUP name starts getting rocked with spam, I make a list-serve at my host's page for that particular name, allow nobody to join, and bounce all messages from non-members, which seals it up permanently, and I've done that for several heavily spammed addresses now, and it felt great. Also, I have a catchall account, with a SIGNUP folder to which I filter all things with SIGNUP in the To: field. Inside that, I have a few subfolders for particular SIGNUP addresses, to gather certain things, like financial companies' emails, or those from online services I use. I also forward all mail to my "real address," at my domain (which no longer actually exists at my domain) to Spamcop, and have them filter it, and forward whatever gets through that to a secret, weird name at my domain that no random person should be able to guess at my site.

However, since about October or November of last year, these Pharmacy people have been spamming people using my domain in the return field of their spams. This makes it seem like I'm spamming them. The part before the @ is always random, and of random lengths, so I can't filter against it, and I can't retaliate, because these are other innocent victims. I don't have anything against them - they're just trying to block the original jerks. Over the course of about 2 months now I've received bounced spam daily from either people/companies with spam blockers, or from servers telling me a particular person's address no longer exists there. I get between 1500 and 2000 per day, and as of this morning, it's more than 93,000 bounced messages in all. I save them, in case I can use them one day to help take down these unscrupulous spammers. Currently it's all image spam for 22rx.com, though it's changed over the weeks through various other domains - all the same scam. It started as text spam, with no images, all linking to crazy URLs, but they all ended up being fronts for the same Pharmacy crap.

Everything I've found online says all anyone can do in these cases is wait "about 5 days to a week" for it to die down. Well, it's been months now, and there's no let up. I have to leave my computer on, and email client open all the time to filter the messages as they come in, several per minute, or it takes forever to filter them later in the day. I can no longer check my mail from work, as my home PC has to constantly purge the server by downloading the messages to filter them. I missed a really important shipping info problem one day because of it, which cost me money, and hurt a business relationship with a company. I missed an important mail from a family member about calling someone at a particular time, because I didn't get it 'til I got home. The number of filters I've had to create for every kind of bounce/non-existent user message in various languages has grown huge, and still there are new ones all the time. I wish at the very least everyone had the same few bounce messages - something easy like "The computer thinks this is spam," or "user doesn't exist at this server," with any other details inside the actual message. That would simplify filtration for the poor souls like me who are having their domains spoofed.

3 more spoofed/bounced spams came in while I typed this.
Logged Offline
Private Message Reply: 164 - 181
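Added example, not part of any post in this thread: a Python sketch of how the spoofed-domain bounces gfix describes can be sorted without matching on bounce wording. It treats RFC 3464 delivery status notifications and null-return-path mail as bounces, recovers the forged sender from the embedded original, and compares it with the addresses actually issued. `MY_DOMAIN`, the `ISSUED` set and all sample messages are constructed placeholders.

```python
import email
from email.utils import parseaddr

MY_DOMAIN = "mydomain.example"          # assumption: placeholder for the spoofed domain
ISSUED = {"shopsignup", "banksignup"}   # assumption: local parts really handed out

def is_bounce(msg):
    """True for an RFC 3464 DSN, a null return path, or a daemon sender."""
    if (msg.get_content_type() == "multipart/report"
            and str(msg.get_param("report-type", "")).lower() == "delivery-status"):
        return True
    sender_local = parseaddr(msg.get("From", ""))[1].partition("@")[0].lower()
    null_path = msg.get("Return-Path", "").strip() == "<>"
    return null_path or sender_local in {"mailer-daemon", "postmaster"}

def dsn_status(msg):
    """Return the first Status field (e.g. 5.1.1) of the delivery-status part."""
    for part in msg.walk():
        if part.get_content_type() != "message/delivery-status":
            continue
        blocks = part.get_payload()
        if not isinstance(blocks, list):    # parser could not split the field groups
            continue
        for block in blocks:
            if block.get("Status"):
                return block["Status"].strip()
    return ""

def original_sender(msg):
    """Return the From address of the bounced message, if the bounce embeds it."""
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "message/rfc822":
            inner = part.get_payload(0)
        elif ctype == "text/rfc822-headers":
            inner = email.message_from_string(part.get_payload())
        else:
            continue
        return parseaddr(inner.get("From", ""))[1].lower()
    return ""

def classify(raw):
    """Return (category, dsn_status) for one raw message."""
    msg = email.message_from_string(raw)
    if not is_bounce(msg):
        return ("not-bounce", "")
    status = dsn_status(msg)
    local, _, domain = original_sender(msg).partition("@")
    if domain != MY_DOMAIN:
        return ("bounce-unattributed", status)  # no embedded original to judge by
    if local in ISSUED:
        return ("own-bounce", status)           # an address that really exists here
    return ("backscatter", status)              # forged, never-issued local part

# Constructed sample messages (not real traffic).
_DSN = """\
Return-Path: <>
From: MAILER-DAEMON@mx.recipient.example
To: {sender}
Subject: Undelivered Mail Returned to Sender
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="BOUND"

--BOUND
Content-Type: text/plain

The address does not exist.

--BOUND
Content-Type: message/delivery-status

Reporting-MTA: dns; mx.recipient.example

Final-Recipient: rfc822; nobody@recipient.example
Action: failed
Status: {status}

--BOUND
Content-Type: message/rfc822

From: {sender}
To: nobody@recipient.example
Subject: constructed spam subject

constructed body
--BOUND--
"""
FORGED = _DSN.format(sender="xk3vq9z@mydomain.example", status="5.1.1")
OWN = _DSN.format(sender="shopsignup@mydomain.example", status="4.2.2")
PLAIN_BOUNCE = ("Return-Path: <>\nFrom: postmaster@mx.recipient.example\n"
                "To: q7w1@mydomain.example\nSubject: Delivery failure\n\nUser unknown.\n")
NORMAL = ("Return-Path: <friend@friends.example>\nFrom: friend@friends.example\n"
          "To: shopsignup@mydomain.example\nSubject: call at five\n\nSee you then.\n")

if __name__ == "__main__":
    for name, raw in [("forged", FORGED), ("own", OWN),
                      ("plain", PLAIN_BOUNCE), ("normal", NORMAL)]:
        print(name, classify(raw))
```

Bounces that do not follow the DSN format fall into `bounce-unattributed`, which is the residue that still needs per-pattern rules.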
Ryan
Posted on: Friday, January 12th, 2007, 3:49pm Report to Moderator
Spam Fighter



Posts: 76
Hi Gfix, welcome!

Unfortunately, there is not really a technical solution to that problem, as anyone can forge a from address, thus causing what you see. And the 5 days to a week thing is nonsense - they have no incentive to stop...

It is just like if you write someone else's address on a letter and mail it via the post to an address that does not exist, the post office will return it to the address listed as the sender...

This has happened to everyone I know (myself included) if that will make you feel better.

The solution is to put pressure on the parties involved in the spamming to stop...and learning how to do that is the nature of forums such as this!

You should find what role you are comfortable playing in the anti-spam community and go at it...this will at least make you feel better, and at most help stop spam!

A computer once beat me at chess, but it was no match for me at kick boxing.
-- Emo Philips
Logged Offline
Site Private Message Reply: 165 - 181
Dave
Posted on: Saturday, January 13th, 2007, 6:33pm Report to Moderator
New Member


Posts: 19
Hi guys, it's me again, fumbling about in the spamisphere and needing more help.
I know what to do but bottled it (partly).
Have a spam from? cessfull.com. I can do the needful, reporting it to registrars etc.,
but having nothing better to do I thought I'd look at the site, and it looks like it's a mess.
I came up with (after deleting most):

body,p,. . . . . . ; } .logo { /* background-image: url(http://213.240.234.132:8080/legalrx/images/logo.gif);......... { background-image: url(http://213.240.234.132:8080/legalrx/images/main_photo.jpg);

Guessing this means a hole in someone's security, I was going to warn 213.240.234.132, which should have been easy, but who is it? WHOIS comes up with Interbgc.com, a jolly interesting site if you're Bulgarian.
Anyway, not to be outdone, I typed 213.240.234.132 into my browser box and came up with a "surveillance camera"?!! which gave up very little information. However, viewing page info, all the small images that make up the "camera" are in an image file at 213.240.234.132, and if you enter 213.240.234.132/images it comes up with a company, Emstoneamerica.com.
A Whois on that has no info about that company as such, and as the Responsible (HA HA) Party is at Registerfly and the registrar is Enom, I have, as I say, bottled it.
The company may be legit but I can't google anything useful - it's a good story though, and all a bit odd. I did wonder if I had just transposed some digits in the numbers, but it all looks OK; they are still in my browser box.
Any ideas? I could now email Emstoneamerica, BUT where does the Bulgarian site fit in, and why would Emstoneamerica be in an images file on their site? The DNS reports for both suggest they both have holes?
Logged Offline
Private Message Reply: 166 - 181
MarkGiles
Posted on: Saturday, January 13th, 2007, 10:16pm Report to Moderator
All-Star


Posts: 363
Excellent work.  I too have previously done a similar operation, and located that same security camera.

What you have at that IP address is a dedicated computer that is able to be used remotely to view the image from the DVR security camera. You need to have the ID and Passwords to activate it.  The IP address belongs to that Bulgarian operation, and they have already been alerted to the problem (Jan 5).

My best bet is that the computer running the security application has a trivial root password. Yes, that's right, for a security system! Our Alex has guessed the password, logged in, and set up his trojan proxy image server application.
The site owner is unaware that the system has been compromised, but at least the IP address owner has been advised.

The DVR security camera software and hardware were provided by Emstone America - hence the backlink.
Logged Offline
Private Message Reply: 167 - 181
Dave
Posted on: Sunday, January 14th, 2007, 8:28am Report to Moderator
New Member


Posts: 19
I have re-alerted the Bulgars - can't do any harm.
Today's project is everythinggone.com, which has raised the "little bit of knowledge" problem. I did the research and came up with YESNIC, owner in USA. Everythinggone.com ends up at Vigramax.net, owner in MEXICO, who is registered with COMPUTER SERVICES LANGENBACH GMBH DBA JOKER.COM, but whilst it was loading I spotted it came via duthc.net, owner in BRAZIL, who again is registered with COMPUTER SERVICES LANGENBACH GMBH DBA JOKER.COM but on a different set of name servers.

Anyway, the little bit of knowledge comes in (and you experts are all going to laugh) in that, in trying to tie these together, I made queries in all the boxes on DNS STUFF, and an enquiry on all three in the DNS lookup comes up with 89.104.115.22 http://aplusherbals.com/? which has before and after pictures which prove beyond doubt that if you have the camera nearer the object you photograph it appears to be larger (Plusher Balls??). But getting back to the initial make-you-laugh line: clicking on the answer box "89.104.115.22" comes up with SMART Ltd, who are registered in RUSSIA, and the punchline question is: what is DNS Traversal (in very simple terms please) and should I be contacting anyone at SMART?
(Is Mezenin Vyacheslav Sergeevich allegedly a spamgangster?) Or just go for the registrars?


It's some time back but this looks good to me: http://216.239.59.104/search?q.....amp;ct=clnk&cd=2
Logged Offline
Private Message Reply: 168 - 181
Dave
Posted on: Sunday, January 14th, 2007, 8:37am Report to Moderator
New Member


Posts: 19
Sorry - don't know how the smiley got there - I NEVER use them. It should be a double question mark and a bracket. Perhaps admin can delete it?
Logged Offline
Private Message Reply: 169 - 181
whar10
Posted on: Monday, January 15th, 2007, 5:43pm Report to Moderator
New Member


Posts: 1
I had noticed that my company e-mail account was filling up with spam, and have recently tried to send complaint notices to the company requesting that I be removed from the list.  Hah!  I only seem to be getting more.  When I googled "Jack Poppins Reanimatology Canada" I only got your site.  Boy, do I feel like I've been had.

Glad you guys are on top of this.  In the meantime, what can I do personally to stop this particular spammer?

Mary Wharton
Long and Foster
Associate Broker
Springfield, VA
whar10@aol.com
Logged Offline
Private Message Reply: 170 - 181
admin
Posted on: Monday, January 15th, 2007, 10:16pm Report to Moderator
Administrator Group



Posts: 15

Quoted from Dave
Sorry - don't know how the smiley got there - I NEVER use them. It should be a double question mark and a bracket. Perhaps admin can delete it?


That should do it----select "Disable Smiles?" before posting a message.  Otherwise, the board interprets things like :) and in your case ??) as a smiley graphic it should substitute.
Logged Offline
Private Message Reply: 171 - 181
MarkGiles
Posted on: Tuesday, January 16th, 2007, 6:14pm Report to Moderator
All-Star


Posts: 363

Quoted from Dave

Todays project is everythinggone.com


I did the usual tracking

Start with everythinggone.com

When loaded, it is redirected to vigramax.net
So I ignore everythinggone.com because it is probably one of many that redirect. Spammer is putting out lots of red herrings hoping people will chase them, rather than the redirected central site.

What are the name servers for vigramax.net?  
> DNSSTUFF.COM > Host name > DNS lookup on A record
http://www.dnsstuff.com/tools/lookup.ch?name=vigramax.net&type=A
All that gives is the Address 89.104.126.6
Click on it to find it is in St Petersburg, Russia.

Go back and instead, click on the traversal option further down the page.
http://www.dnsstuff.com/tools/traversal.ch?domain=vigramax.net&type=A
The spammed web site uses name servers with the same IP address
ns1.maindns4.com [89.104.126.6]
ns2.maindns4.com [89.104.126.6]

What can we find out about maindns4.com?
> DNSSTUFF.COM > Whois lookup on maindns4.com > and then click to E-mail address option
http://www.dnsstuff.com/tools/whois.ch?ip=maindns4.com&email=on
It is registered on CSL GMBH, Germany, whose website is http://www.joker.com

The registrant is Mexican Eduardo Macias with an address at querendamx.com
Try loading that as a web page http://querandamx.com and you end up at rx4you2.com
Keep digging with google and you find Tolmen Star Enterprises, and reports of pharmacy spamming, and mysecurepay.net. mysecurepay.net is where the vigramax.net ordering (https) page goes, too.

mysecurepay.net [89.104.115.22] has an IP address in Russia, and at that address http://89.104.115.22 is a herbalking site. Typical.

How do you complain at joker?  You need to register at http://www.joker.com and then fill in the form, and follow the email trail.
Logged Offline
Private Message Reply: 172 - 181
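Added example, not part of any post in this thread: a Python sketch of the tracking procedure in the post above. It follows redirects to the landing site, reads that site's name servers, and groups spamvertised domains by the name servers' own domain, which is what gets reported to that domain's registrar. The vigramax.net rows restate what the post reports; the `.example` rows, the redirect table and the two-label `registered_domain` shortcut are constructed assumptions so the block runs offline.

```python
from collections import defaultdict

# Constructed redirect observations (spamvertised domain -> where it sends you).
REDIRECTS = {
    "everythinggone.com": "vigramax.net",   # from the post
    "pills-a.example": "pills-b.example",   # invented, two-hop chain
    "pills-b.example": "vigramax.net",
    "loop-a.example": "loop-b.example",     # invented, redirect loop
    "loop-b.example": "loop-a.example",
}

# Constructed lookup results in zone-file layout: name TTL class type value.
DNS_RECORDS = """\
vigramax.net.        3600 IN NS ns1.maindns4.com.
vigramax.net.        3600 IN NS ns2.maindns4.com.
ns1.maindns4.com.    3600 IN A  89.104.126.6
ns2.maindns4.com.    3600 IN A  89.104.126.6
other.example.       3600 IN NS ns1.hosting.example.
ns1.hosting.example. 3600 IN A  192.0.2.10
"""

def parse_records(text):
    """Split zone-style lines into NS (domain -> hosts) and A (host -> IPs) maps."""
    ns, addr = defaultdict(list), defaultdict(list)
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[2] != "IN":
            continue                        # skip anything that is not a full record
        name, rtype = fields[0].rstrip(".").lower(), fields[3]
        value = fields[4].rstrip(".").lower()
        if rtype == "NS":
            ns[name].append(value)
        elif rtype == "A":
            addr[name].append(value)
    return ns, addr

def landing_site(domain, redirects, max_hops=10):
    """Follow redirects to the final site; None on a loop or an over-long chain."""
    seen = set()
    while domain in redirects:
        if domain in seen or len(seen) >= max_hops:
            return None
        seen.add(domain)
        domain = redirects[domain]
    return domain

def registered_domain(host):
    """Assumption: last two labels; real code needs the public suffix list."""
    return ".".join(host.split(".")[-2:])

def report_targets(spamvertised, redirects, records_text):
    """Group spamvertised domains by the domain that runs their name servers."""
    ns, addr = parse_records(records_text)
    targets, unresolved = {}, []
    for dom in spamvertised:
        site = landing_site(dom.lower(), redirects)
        if site is None or site not in ns:
            unresolved.append(dom)
            continue
        for host in ns[site]:
            entry = targets.setdefault(
                registered_domain(host),
                {"spamvertised": set(), "landing": set(), "name_servers": {}})
            entry["spamvertised"].add(dom)
            entry["landing"].add(site)
            entry["name_servers"][host] = sorted(addr.get(host, []))
    for entry in targets.values():
        ips = {ip for found in entry["name_servers"].values() for ip in found}
        # Several name server names on one IP, as the post notes for maindns4.com.
        entry["shared_ip"] = len(entry["name_servers"]) > 1 and len(ips) == 1
        entry["spamvertised"] = sorted(entry["spamvertised"])
        entry["landing"] = sorted(entry["landing"])
    return targets, unresolved

if __name__ == "__main__":
    found, skipped = report_targets(
        ["everythinggone.com", "pills-a.example", "other.example", "loop-a.example"],
        REDIRECTS, DNS_RECORDS)
    for ns_domain, info in found.items():
        print(ns_domain, info)
    print("unresolved:", skipped)
```

Each key of the result is a name server domain to look up in WHOIS; its registrar is the party to contact, as the post describes for maindns4.com.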
tracker
Posted on: Wednesday, January 17th, 2007, 11:06am Report to Moderator
Frequent Contributor


Posts: 41
Mark, out of curiosity, how long did it take you to perform all of those steps?

And Whar10, unfortunately since the majority of spam involves phishing or other fraudulent incentives, asking criminals to stop spamming you is similar to giving a burglar the keys to your home and asking them to look after things while you’re on vacation.  Some legitimate sites will remove you from their email lists, however they no longer make up the majority of spammers.  There is good info on this site for fighting spammers, but unfortunately you’ll notice that there isn’t a quick and easy fix to end the spam war.  Wouldn’t it be nice if it were!
Logged Offline
Private Message Reply: 173 - 181
MarkGiles
Posted on: Wednesday, January 17th, 2007, 4:05pm Report to Moderator
All-Star


Posts: 363
tracker.
How long? Two answers.
1. It takes me about a minute to get the info I want for a spam - which is the registrar providing the spammed site's name servers and whom to contact there.
2. It took me several minutes to document the example and post it as an example of how the technique for complaining to registrars about name servers works.

A comment on a quick and easy fix for spamming. By analogy, these days one nuke won't stop a war. And spam has been evolving and mutating and growing over many years now. It will take many measures from many people to reduce it to a minimal level. It's a long way from 80% to 5%
Logged Offline
Private Message Reply: 174 - 181
thesolution
Posted on: Wednesday, January 31st, 2007, 11:47am Report to Moderator
New Member


Posts: 1
You are all spineless and hopeless. This forum, until now, is good for nothing but putting a band-aid on an open, pustulating laceration.  Your filters and talk do nothing more than get them excited so that they can enjoy the challenge of winning. That IS a part of what they do. Take the damned blinders off and think outside your little politically correct boxes.
The pharmacy express guys have to register somewhere and it seems from what I have been reading that the domain guys have info that is required to find the pharmacy guys.  Somebody knows something. The trick is to find that first, distantly related "guy"......let's say,  the owner of http://www.domainsbyproxy.com/.
If he were approached in his sleep he would probably be quite helpful. People gotta sleep,  including the pharmacy guy(s).
It COULD be brought to an end. It's all a matter of making examples of those who do us harm. Didn't you ever hear when growing up that it is OK to defend yourselves?  Most of you did, and I think you understand that if somebody slaps you, the answer is not to slap them back,  but to slap the holy hell out of them.  It's all a matter of money, guts and personal convictions that drive the world. How is it that the scumbags are winning. Don't good people have the guts to secure a better future.  All damned day,  I see fraud. I do a lot on ebay and ebay is overwhelmed with fraud. pirated accounts, auctions for non-existent high-dollar items, and a sucker born every minute. The losses are so staggering, yet are comparable to the profits by the scammers/spammers/fraudsters- "evil-doers".  
  They hire dummies to steal credit card numbers and use those credit card numbers to buy services and tools that facilitate taking our money and more of our credit card numbers  ad infinitum.  Am I the only one who is just fucking fed up with it?  Am I the only one that wants a better world for my youngsters and yours.  Are there no other voices for justice?  
Logged Offline
Private Message Reply: 175 - 181
Ryan
Posted on: Wednesday, January 31st, 2007, 3:28pm Report to Moderator
Spam Fighter



Posts: 76

Quoted from thesolution
the domain guys have info that is required to find the pharmacy guys.  Somebody knows something. The trick is to find that first, distantly related "guy"......let's say,  the owner of http://www.domainsbyproxy.com/.


Thesolution, please read some more posts in this forum before you start talking about "domain guys" lol. I think you will quickly see that the situation is more complicated than you may think...

Also, we discuss how to eliminate spam, not filter it. It is very easy to shut down spam sites - or hinder their operations - which is what this forum is largely devoted to.


A computer once beat me at chess, but it was no match for me at kick boxing.
-- Emo Philips
Logged Offline
Site Private Message Reply: 176 - 181
MarkGiles
Posted on: Wednesday, January 31st, 2007, 8:08pm Report to Moderator
All-Star


Posts: 363

Quoted from thesolution
You are all spineless and hopeless. [blah blah].  Are there no other voices for justice?  


Thanks for the rant, thesolution. Now then, what is the solution?

Logged Offline
Private Message Reply: 177 - 181
Hemingray
Posted on: Sunday, April 15th, 2007, 8:18pm Report to Moderator
New Member


Posts: 1
New forum user.

I also began receiving PE emails at my Gmail address. I've discovered that they are using "zombie proxies" to link to their site. I've managed to get some of them shut off by the ISPs. If you reverse DNS the hostnames (ledrx, etc), you will notice almost all of them resolve to residential HSI connections. Attempting to surf directly to one of these addresses results in a 502 error.
Logged Offline
Private Message Reply: 178 - 181
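The reverse-DNS check described in the post above can be scripted when triaging spamvertised hosts for ISP abuse reports. This is an added example, not code from the thread: the token list and naming heuristics are assumptions, and the addresses and PTR names are constructed from documentation ranges.

```python
import re

# Tokens that often appear in ISP-assigned PTR names for consumer lines.
# Heuristic list assumed for this example, not an authoritative standard.
ACCESS_TOKENS = {"dsl", "adsl", "cable", "dyn", "dynamic", "dhcp", "pool",
                 "ppp", "dial", "cpe", "client", "cust", "fios", "catv"}

def embeds_ip(ptr, ip):
    """True if the PTR name carries the address itself, as generic ISP names do."""
    octets = ip.split(".")
    numbers = [n.lstrip("0") or "0" for n in re.findall(r"\d+", ptr)]
    # Decimal octets in forward or reversed order as consecutive numeric runs.
    for order in (octets, octets[::-1]):
        for i in range(len(numbers) - 3):
            if numbers[i:i + 4] == order:
                return True
    # Address packed as 8 hex digits, e.g. c0000207 for 192.0.2.7.
    packed = "".join(f"{int(o):02x}" for o in octets)
    return packed in ptr.lower()

def classify(ip, ptr):
    """Return (verdict, reasons) for one address and its PTR name (or None)."""
    if not ptr:
        return ("no-ptr", [])
    labels = set(re.split(r"[^a-z]+", ptr.lower()))
    reasons = sorted(labels & ACCESS_TOKENS)
    if embeds_ip(ptr, ip):
        reasons.append("ip-in-name")
    return ("residential-like" if reasons else "server-like", reasons)

def residential_share(records):
    """Fraction of looked-up addresses whose PTR looks like a consumer line."""
    hits = sum(1 for ip, ptr in records.items()
               if classify(ip, ptr)[0] == "residential-like")
    return hits / len(records) if records else 0.0

# Constructed sample: IP -> PTR as returned by a reverse lookup
# (for live data, socket.gethostbyaddr(ip)[0] would supply the PTR name).
SAMPLE = {
    "192.0.2.7": "host-192-0-2-7.dsl.example.net",
    "203.0.113.45": "45.113.0.203.dyn.example.org",
    "192.0.2.200": "c00002c8.cable.example.net",
    "198.51.100.10": "mail.example.com",
    "198.51.100.77": None,
}

if __name__ == "__main__":
    for ip, ptr in SAMPLE.items():
        print(ip, ptr, *classify(ip, ptr))
    print("residential share:", residential_share(SAMPLE))
```

A high residential share across the addresses behind one spamvertised hostname is consistent with compromised home machines acting as proxies, and each such address belongs in a report to the ISP that owns it.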
MarkGiles
Posted on: Monday, April 16th, 2007, 12:35am Report to Moderator
All-Star


Posts: 363
Neat. That's how Spamcop does it, too.
Logged Offline
Private Message Reply: 179 - 181
pharmacy express
Posted on: Sunday, August 5th, 2007, 12:30am Report to Moderator
New Member


Posts: 1
Hi,  Until May 2006 I was the owner of PharmacyExpress - a New Zealand registered pharmacy, using several domain names including pharmacyexpress,com

We experienced the same problems of spammers using our email address and company name in their spam for several months.  We were receiving 10,000 bounced emails per hour at the peak and had to pull our servers offline, and were investigated by the telcos.

To make matters worse, we were even sued for spamming in a US court !!

Just thought I would introduce myself - will the real PharmacyExpress please stand up !!
Logged Offline
Private Message Reply: 180 - 181
MarkGiles
Posted on: Thursday, August 16th, 2007, 12:07am Report to Moderator
All-Star


Posts: 363
"Pharmacy Express" was a most unfortunate choice.  The background to the whole story is at
http://www.spamtrackers.eu/wiki/index.php?title=Pharmacy_Express

These hoods trimmed off all your kiwi feathers before you could even get your project off the ground.
Logged Offline
Private Message Reply: 181 - 181