Pharmacy spammer -- Pills vendor intelligence

[ VoyUser Login optional ] [ Contact Forum Admin ] [ Main index ] [ Post a new message ] [ Search | Check update time | Archives: 1, 2, [3], 4, 5, 6, 7 ]

[ Next Thread | Previous Thread | Next Message | Previous Message ]

Date Posted: 08:45:06 06/10/04 Thu
Author: Repost
Subject: Pharmacy spammer

Some tidbits about the HBE pharmacy spammer using the domains

lifesmile.biz / marketing88.net / nsmarkk1.net / marketingg1.net /
nns[1,2].net / nnse3.net

for name servers to host a bunch of pharmacy sites in China.

Currently:

NS1.NNS1.NET 218.65.86.41
NS1.NNSE3.NET 219.147.198.137
NS1.NNS2.NET 218.65.120.170

On these three IP addresses ksmailers.com (best0nl1ne.biz) is hosted, a site
for "affiliates" . As an affiliate you can generate sale statistics of
other affiliates just by changing a number in some URL and by using a valid
PHP session cookie. In this way *hourly* sale and visit statistics can be
obtained of (e.g.) the spamruns:

http://groups.google.com/groups?&scoring=d&q=abuse+refid=93

While generating reports I encountered some interesting error messages.
One error message was:

| Warning: fopen(): php_network_getaddresses: getaddrinfo failed:
| Name or service not known in /wwwroot/www.ksmailers.com/GetOptOut.php
| on line 9 
| Warning: fopen(http://http://69.57.146.38/
| removelist.php?refid=177): failed to open stream: Success in /wwwroot/
| www.ksmailers.com/GetOptOut.php on line 9 
| 
| Warning: fread(): supplied argument is not a valid stream resource
| in /wwwroot/www.ksmailers.com/GetOptOut.php on line 11
| 
| Warning: fclose(): supplied argument is not a valid stream
| resource in /wwwroot/www.ksmailers.com/GetOptOut.php on line
| 14 

On IP 69.57.146.38 www.Coopson.com, textlinkxchange.com, casino-corner.com,
buy-mobile-phone.com (among others) are hosted. Possibly Mr. Cooper
supplied some services or software to the pharmacy spammer.

After subscribing as an affiliate on http://www.ksmailers.com one gets an
autmatic reply from IP

69.44.60.108
hbecustomerservice.com

This IP belongs to ServerBeach / Williams Communications . Back in May I
logged spam attempts from another Serverbeach IP (69.44.152.221)
spamvertizing http://medd165.com . That webpage had a number of porn
pictures on it, which all linked to a trojan called join.exe . See
http://groups.google.com/groups?selm=10adepd32aniq96@corp.supernews.com

The email from hbecustomerservice.com is signed by:

Nate Poupko
Director of business development
icq#167239249
ph: (MUNGED) <--- a mobile phone number in Toronto
nate AT ksmailers.com

This name is also mentioned on
http://affiliateforce2003.com/passengers.html .

Here Nate Poupko is listed as a representative of date.com on an "internet
affiliate marketing summit", 24-28 April 2003. Date.com is related to
Webfinity: http://www.spamhaus.org/rokso/evidence.lasso?rokso_id=ROK2072

So this gives a hint that the HBE pharmacy spamming gang is related to
Webfinity.

Three Canadians that probably are involved in the pharmacy spamming gang
have been identified sofar: Ratelle, Gravel (both from Montreal) and Poupko
(Toronto). I am not sure whether these three persons are the most important
ones.

On 220.175.8.21, 218.65.120.163, 219.147.198.135 the following domains are
hosted:

mark8ting.biz (porn page that installs a trojan)
beneditutti.com (phone home domain for a trojan)
makeyrday.biz (phone home domain for a trojan)
advancemtk.com (hosting of trojans that get downloaded by a trojan)
marketigntools23.com (hosting of trojans that get downloaded by a trojan)

Hbecenter.com is hosted on 218.65.120.170, 219.147.198.137 and 218.65.86.41.
This domain is used for "customer support" and generating statistics (in
the directory http://hbecenter.com/inc/ ) .

The domain antispam00.com has been registered by the spammers as well. I do
not know what the purpose is of antispam00.com .

--
feike

[ Next Thread | Previous Thread | Next Message | Previous Message ]

[ VoyUser Login ] Not required to post.
Post a public reply to this message | Go post a new public message
* Notice: Posting problems? [ Click here ]
* HTML allowed in marked fields.
Message subject (required):

Name (required):

Expression ^{(Optional mood/title along with your name) Examples: (happy, sad, The Joyful, etc.) help)}

E-mail address (optional):

Type your message here:
>Some tidbits about the HBE pharmacy spammer using the >domains > >lifesmile.biz / marketing88.net / nsmarkk1.net / >marketingg1.net / >nns[1,2].net / nnse3.net > >for name servers to host a bunch of pharmacy sites in >China. > >Currently: > >NS1.NNS1.NET 218.65.86.41 >NS1.NNSE3.NET 219.147.198.137 >NS1.NNS2.NET 218.65.120.170 > >On these three IP addresses ksmailers.com >(best0nl1ne.biz) is hosted, a site >for "affiliates" . As an affiliate you can generate >sale statistics of >other affiliates just by changing a number in some URL >and by using a valid >PHP session cookie. In this way *hourly* sale and >visit statistics can be >obtained of (e.g.) the spamruns: > >http://groups.google.com/groups?&scoring=d&q=abuse+refi >d=93 > >While generating reports I encountered some >interesting error messages. >One error message was: > >| Warning: fopen(): php_network_getaddresses: >getaddrinfo failed: >| Name or service not known in >/wwwroot/www.ksmailers.com/GetOptOut.php >| on line 9 >| Warning: fopen(http://http://69.57.146.38/ >| removelist.php?refid=177): failed to open stream: >Success in /wwwroot/ >| www.ksmailers.com/GetOptOut.php on line >9 >| >| Warning: fread(): supplied argument is not a >valid stream resource >| in /wwwroot/www.ksmailers.com/GetOptOut.php >on line 11 >| >| Warning: fclose(): supplied argument is not >a valid stream >| resource in >/wwwroot/www.ksmailers.com/GetOptOut.php on line >| 14 > >On IP 69.57.146.38 www.Coopson.com, >textlinkxchange.com, casino-corner.com, >buy-mobile-phone.com (among others) are hosted. >Possibly Mr. Cooper >supplied some services or software to the pharmacy >spammer. > >After subscribing as an affiliate on >http://www.ksmailers.com one gets an >autmatic reply from IP > >69.44.60.108 >hbecustomerservice.com > >This IP belongs to ServerBeach / Williams >Communications . Back in May I >logged spam attempts from another Serverbeach IP >(69.44.152.221) >spamvertizing http://medd165.com . That webpage had a >number of porn >pictures on it, which all linked to a trojan called >join.exe . See >http://groups.google.com/groups?selm=10adepd32aniq96@co >rp.supernews.com > >The email from hbecustomerservice.com is signed by: > >Nate Poupko >Director of business development >icq#167239249 >ph: (MUNGED) <--- a mobile phone number in Toronto >nate AT ksmailers.com > >This name is also mentioned on >http://affiliateforce2003.com/passengers.html . > >Here Nate Poupko is listed as a representative of >date.com on an "internet >affiliate marketing summit", 24-28 April 2003. >Date.com is related to >Webfinity: >http://www.spamhaus.org/rokso/evidence.lasso?rokso_id=R >OK2072 > >So this gives a hint that the HBE pharmacy spamming >gang is related to >Webfinity. > >Three Canadians that probably are involved in the >pharmacy spamming gang >have been identified sofar: Ratelle, Gravel (both from >Montreal) and Poupko >(Toronto). I am not sure whether these three persons >are the most important >ones. > >On 220.175.8.21, 218.65.120.163, 219.147.198.135 the >following domains are >hosted: > >mark8ting.biz (porn page that installs a trojan) >beneditutti.com (phone home domain for a trojan) >makeyrday.biz (phone home domain for a trojan) >advancemtk.com (hosting of trojans that get downloaded >by a trojan) >marketigntools23.com (hosting of trojans that get >downloaded by a trojan) > > >Hbecenter.com is hosted on 218.65.120.170, >219.147.198.137 and 218.65.86.41. >This domain is used for "customer support" and >generating statistics (in >the directory http://hbecenter.com/inc/ ) . > >The domain antispam00.com has been registered by the >spammers as well. I do >not know what the purpose is of antispam00.com . > > >-- >feike

Notice: Copies of your message may remain on this and other systems on internet. Please be respectful.

[ Contact Forum Admin ]

Forum timezone: GMT-8
VF Version: 2.94, ConfDB:
Before posting please read our privacy policy.
VoyForums^(tm) is a Free Service from Voyager Info-Systems.
Copyright © 1998-2008 Voyager Info-Systems. All Rights Reserved.