News Blog and Archives:

December 2010

The highest number of spam-spewing computers is in the U.S. -- Is yours one of them?

August 2010

A pleasant discovery, thanks to spammers

Spammers spoofing antispammers' email addresses

June 2010

Google Groups: "This site could harm your computer."

April 2010

Your friend is freaked out at the moment

December 2009

Malware writers vying to violate virgin computers

Fake security scan scamming Skype users

Google scammers take aim at Barack Obama

November 2009

Favicons and fake-icons

Spamit Must Fall

Spamming universities

June 2009

May 2009

April 2009

March 2009

February 2009

January 2009

December 2008


Resource Links

February 2009 spoof downloads poorly detected malware

Waledac domain update

PayPal phish

Capital One Bank phish

Cookies and spyware scanning

"It's real fine, my 419"

Javelin study on ID theft debunked

CNN reports on illegal pharmacies

Where's Waledac?

"Try Via/Cia for free today"

SiL's Open Letter to Law Enforcement about scam pharma site "Canadian Pharmacy"

The ED Pill Store

This site is best viewed in Firefox or Seamonkey browsers. We do not recommend the use of Internet Explorer browser due to the risk of getting infected with malicious software without any warning while surfing the web.

February 25, 2009 spoof downloads poorly detected malware

The spam looks like this:

Subject: Annual 2009 Classmates Meeting has become the premier meeting

Special video report February 25, 2009:

One of your classmates has sent you a video invitation:
"Read the story and see photos of my wedding and our tour,Please discover our
video invitation to your family. I hope to get back from you soon..."

Proceed to open full message text:[code number that may identify who responded to the spam]

Sincerely, Phillip Kaufman.
2009 Classmates Organisation Message Centre.


That's a very dangerous site. If you were to visit the site you would see this:

It's another one of those malware sites with an image that looks like a youtube video. Looking like a video window means nothing. You can even make an image like that yourself!
- On your Windows desktop (if you have XP at least), you can click "Start" then "Programs," "Accessories" and scroll down to open "Paint."
- Go to any video, start watching, then hit the pause button.
- On your keyboard, click the button that says "PrtSc" or "PrntScrn" or some other abbreviation for "print screen."
- Go back to the Paint window you have open and hit Ctrl-V to paste into the window.
- If you have photo editing software, of course, you can crop it to get rid of all the stuff around the video screen, write in the caption and five star rating on top of the screen,etc.

Just like this image, clicking on it isn't going to start any video playing. But unlike this spoof site, at least it won't start a trojan downloading onto your computer.

Of course, this site has nothing to do with Look at the URL:

Remember the rule -- Read to the first single slash mark, then read backward to find the real location of a site. In this case, it's ""

Whether you click on the video, the Adobe logo, or don't click anything at all, it will try to load a file called "Adobemedia10.exe" on your computer by an automatic page refresh. So you should obviously have your browser set to always ask where to store a file you are downloading, so you can cancel the download, or rename the file to something harmless like Adobemedia10.exe.txt. You obviously wouldn't want to visit with Internet Explorer, and you'd want JavaScript shut off in your browser or with an extension like NoScript.

I won't list the whois information here, because it appears these scumbags stole the identity of an elderly man in Tucson to register the site. They may have stolen his credit card number to pay for it, too. The registrar is, in China.

The malware itself is very poorly detected, so if you were expecting your antivirus to protect you, it probably didn't:


a-squared Trojan-PWS.Win32.Delf!IK
AhnLab-V3 -
AntiVir -
Authentium -
Avast -
BitDefender -
CAT-QuickHeal -
ClamAV -
Comodo -
DrWeb -
eSafe Suspicious File
eTrust-Vet -
F-Prot -
F-Secure -
Fortinet -
GData -
Ikarus Trojan-PWS.Win32.Delf
K7AntiVirus -
Kaspersky Heur.Downloader
McAfee -
McAfee+Artemis -
Microsoft -
NOD32 -
Norman -
nProtect -
Panda -
PCTools -
Prevx1 -
Rising -
SecureWeb-Gateway -
Sophos Sus/DelpDldr-A
Sunbelt -
Symantec -
TheHacker -
TrendMicro -
VBA32 -
ViRobot -
VirusBuster -

Terms like "heuristic" and "suspicious" mean those programs didn't recognize it, either, but they recognized general characteristics about it that caused them to detect possible danger. "Trojan" means malware that will open up your computer to allow attackers access from the outside. That allows the criminals to get your information or to install worse programs than this once your antivirus software has been turned off.

February 24, 2009
Waledac domain update

Judging from the search engine strings that bring people to this page, there's a lot of interest in whether the domains being used to spread the Waledac trojan are legitimate sites. The Shadowserver list is a little out of date, so here are the current ones I can find:




YOURVALENTINEPOEMS.COM

The sites are refusing visitors right now, so there's no way of knowing what the new theme is yet.

Well, if you get spam that promises a coupon for a tax-free download of a Death Cab for Cutie song, whatever you do, don't click on it. ;)


February 23, 2009
Paypal phish

From: PayPal Secure Team <>
Subject: Important Information Regarding Your Limited Accoutn !


Dear PayPal Member,

As part of our security measures, we regularly screen activity in the PayPal system. During a recent screening, we noticed an issue regarding your account.

For your protection, we have limited access to your account until additional security measures can be completed. We apologize for any inconvenience this may cause.

This might be due to either of the following reasons:

1. A recent change in your personal information (i.e. change of address,e-mail address).
2. An inability to accurately verify your selected option of payment due to an internal error within our processors.

Please update and verify your information by checking the link below: (if you can't open it just copy the link in your internet browser)

We thank you for your prompt attention to this matter. Please understand that this is a security measure intended to help protect you and your account. We apologize for any inconvenience.

PayPal Account Review Department

Copyright © 1999-2009 PayPal. All rights reserved.

PayPal (Europe) S.à r.l. & Cie, S.C.A.
Société en Commandite par Actions
Registered Office: 5th Floor 22-24 Boulevard Royal L-2449, Luxembourg
RCS Luxembourg B 118 349

This phish arrived in plain text only -- no hidden html tags to conceal the real location of the link target. We'll overlook the typos and grammatical errors. After all, they're claiming to be writing from Luxembourg (though it's hard to imagine anyone misspelling "account" in the subject line). And "" sounds official. I mean, PayPal wouldn't let somebody else have a site with that name, would they?


The site looks very much like PayPal:


A look at the whois information clears up any ambiguity:

Domain Name:

Status: ok

Whois Server:
Referral URL:

Expiration Date: 2010-02-19
Creation Date: 2009-02-19
Last Update Date: 2009-02-19

Name Servers:

Organization : wang qiang
Name : liubing
Address : wuhan
City : wuhanshi
Province/State : hubeisheng
Country : china
Postal Code : 430000
Phone Number : 86-027-59724978
Fax : 86-027-59724978
Email: [email protected]

That domain is definitely not owned by ebay or PayPal. The contact email address is a free email account with another company (Microsoft's Hotmail), instead of using "" And it was just registered four days ago. Even if PayPal were aggressive at shutting down domain names that infringe on their trademark -- which sadly, isn't their strong suit -- you can't expect them to have found this so fast. And Xin Net doesn't seem to have a lot of fluent English speakers in their abuse department who might recognize something like this or even set up filters to prevent such domains from being registered.

Of course the domain registration is only half the issue -- who's hosting this website? You can check various sites that offer "DIG," or "traversal" to find out a site's IP address, and the owner of that IP range ought to know whose computer is assigned to that address:

; <<>> DiG 9.2.3 <<>>

; IN A

;; ANSWER SECTION: 180 IN A 180 IN A 180 IN A 180 IN A 180 IN A 180 IN A 180 IN A 180 IN A 180 IN A 180 IN A

;; WHEN: Mon Feb 23 12:19:34 2009


Look at all those IP ranges. Do those people even know each other? -
Free SAS / ProXad
8, rue de la Ville L'Eveque
75008 Paris
France -
(business customer of Bell Canada)
160 Elgin Street
Ottawa ON K2P-2C4
(This may be an abandoned IP block, as a Google search returns lots of reports of abuse related to it, but no explanation of what "HSE" is. There are government agencies at this address.) -
11000 Belgrade
Serbia -
Apolo -Gold-Telecom-Per
Dorrego, 2520, piso 3°
1425 - Capital Federal -
Argentina -
Shaw Communications Inc.
Suite 800
630 - 3rd Ave. SW
Calgary AB T2P-4L4
Canada -
Telmex Colombia S.A.
Carrera. 7 No. 71-52 Torre B Piso 18, 11111,
11111 - Bogota - DC
Columbia -
Tiscali UK Limited
20 Broadwick Street
London W1F 8HT
UK -
83 rue saint Fuscien
80007 Amiens Cedex 01
Free SAS / ProXad
8, rue de la Ville L'Eveque
75008 Paris
France -
10200 Linn Station Road
Suite 125
Louisville KY 40223

So for ten IP addresses, we've got nine hosting services in seven countries on three continents speaking four languages. That's not what real companies do, no matter how hard they're trying to keep their websites from being taken down by attacks. This is a botnet, and none of these hosts has any idea they're hosting this phish.

And just to prove it further, let's retry our DIG:

; <<>> DiG 9.2.3 <<>>

; IN A

;; ANSWER SECTION: 180 IN A 180 IN A 180 IN A 180 IN A 180 IN A 180 IN A 180 IN A 180 IN A 180 IN A 180 IN A

;; WHEN: Mon Feb 23 13:28:17 2009

Not even the same ten! That 180 is the record's TTL (time to live): the number of seconds a resolver is allowed to keep using those IP addresses before it has to ask again. They can change every three minutes.

This may be something called "rockphish." Since anti-phishing groups typically were taking down phish sites by contacting the hosting services, this strategy makes it nearly impossible to do that. By the time the phish fighters look up the IP address, the site has moved. These have to be reported to the domain registrars.
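To put two DIG answers side by side the way this post does, here is an added Python example (my code, not the blog's tooling) that parses dig-style answer lines and scores the fast-flux signs just described: a short TTL, many A records, addresses scattered across unrelated networks, and a mostly different set on the next query. The answer sections and every IP address in them are constructed sample data in the private 10.0.0.0/8 range, not the real phish, and the /16 prefix stands in for the network owner that the post looks up by hand through whois.

```python
import re
from ipaddress import ip_address

# Constructed dig-style answer sections (sample data, not the real phish).
# Addresses are in the private 10.0.0.0/8 range so they cannot point at anyone.
# Format per line, as dig prints it: name TTL class type address
PHISH_QUERY_1 = """\
;; ANSWER SECTION:
phish.invalid. 180 IN A 10.11.0.5
phish.invalid. 180 IN A 10.52.3.9
phish.invalid. 180 IN A 10.73.8.14
phish.invalid. 180 IN A 10.91.22.7
phish.invalid. 180 IN A 10.104.6.2
phish.invalid. 180 IN A 10.118.1.40
phish.invalid. 180 IN A 10.130.9.3
phish.invalid. 180 IN A 10.145.0.77
phish.invalid. 180 IN A 10.160.4.18
phish.invalid. 180 IN A 10.177.5.6
"""

# The same name queried again after the TTL ran out: one address survives.
PHISH_QUERY_2 = """\
;; ANSWER SECTION:
phish.invalid. 180 IN A 10.12.7.1
phish.invalid. 180 IN A 10.34.0.9
phish.invalid. 180 IN A 10.73.8.14
phish.invalid. 180 IN A 10.88.3.3
phish.invalid. 180 IN A 10.99.1.60
phish.invalid. 180 IN A 10.121.2.8
phish.invalid. 180 IN A 10.137.0.5
phish.invalid. 180 IN A 10.150.6.21
phish.invalid. 180 IN A 10.166.3.9
phish.invalid. 180 IN A 10.189.4.4
"""

# Control: an ordinary site, two stable addresses in one network, one-hour TTL.
SHOP_QUERY = """\
;; ANSWER SECTION:
shop.invalid. 3600 IN A 10.20.1.10
shop.invalid. 3600 IN A 10.20.1.11
"""

A_RECORD = re.compile(
    r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+A\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s*$"
)


def parse_a_records(dig_text):
    """Return [(ttl, ip)] from dig answer lines, skipping ';' comment lines."""
    records = []
    for line in dig_text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        match = A_RECORD.match(line)
        if match:
            ip_address(match["ip"])  # raises ValueError on a malformed address
            records.append((int(match["ttl"]), match["ip"]))
    return records


def network_key(ip):
    # Stand-in for "who owns this address": the /16 prefix. Real tooling maps
    # each address to its whois owner or ASN, as the post does by hand.
    return ".".join(ip.split(".")[:2])


def summarize(records):
    """Shortest TTL, distinct addresses and distinct networks in one answer."""
    ips = {ip for _, ip in records}
    return {
        "min_ttl": min(ttl for ttl, _ in records),
        "ip_count": len(ips),
        "network_count": len({network_key(ip) for ip in ips}),
    }


def churn(first, second):
    """Fraction of the first answer's addresses that are gone from the second."""
    a = {ip for _, ip in first}
    b = {ip for _, ip in second}
    return len(a - b) / len(a) if a else 0.0


def looks_like_fast_flux(dig_first, dig_second, max_ttl=300, min_ips=5,
                         min_networks=3, min_churn=0.5):
    """Heuristic verdict from two answers to the same query, minutes apart."""
    first, second = parse_a_records(dig_first), parse_a_records(dig_second)
    if not first or not second:
        return False
    stats = summarize(first)
    return (stats["min_ttl"] <= max_ttl
            and stats["ip_count"] >= min_ips
            and stats["network_count"] >= min_networks
            and churn(first, second) >= min_churn)


if __name__ == "__main__":
    print(summarize(parse_a_records(PHISH_QUERY_1)))
    print("phish fast flux?", looks_like_fast_flux(PHISH_QUERY_1, PHISH_QUERY_2))
    print("shop fast flux?", looks_like_fast_flux(SHOP_QUERY, SHOP_QUERY))
```

The thresholds are heuristics, not proof. A large content-delivery network also answers with many addresses and short TTLs, but those addresses sit in networks run by one operator; the spread across unrelated owners, confirmed with whois or ASN lookups, is what separates a botnet from a CDN.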

Unfortunately, the Castlecops Phishing Incident Report and Termination program was shut down when that site was closed. Reporting there was better than reporting yourself, as they would also attempt to intercept the data being downloaded by the phishers, so victims could be warned. So it was actually best not to report it yourself, so their volunteers could access the site for forensic investigation. No other agency was doing that for all phish spoofing all brands. Without PIRT, you will have to report phish to the individual spoofed banks/financial institutions.

For PayPal, you can create an email to [email protected] and paste in the entire email source view with headers -- but if you are on Verizon or another ISP with outgoing spam filters, you won't be able to mail it. :(

PayPal also has a web form to enter the URL of the phishing site itself: . Then it's up to PayPal to have their investigators do what Castlecops volunteers used to do.


February 14, 2009
Capital One Bank phish

Capital One® TowerNET Form and Treasury Optimizer Form are ready

Dear customer,
We would like to inform you that we have released a new version of TowerNET Form. This form is required to be completed by all TowerNET users. If you are a former customer of the North Fork bank, using Treasury Optimizer service for online banking, please use the same button to login and choose Treasury Optimizer form from a menu on the web-site. Please use the "Log In" button below in order to access the Form.

Add us to your address book
Please add our address—shown in the "From" line above—to your electronic address book to make sure that important account messages don't get blocked by a SPAM filter.

Important Information from Capital One

This e-mail was sent to [my email address] and contains information directly related to your account with us, other services to which you have subscribed, and/or any application you may have submitted.

The site may be unavailable during normal weekly maintenance or due to unforeseen circumstances.

*Your online payment posts the same day when it's made before 3:00 p.m. Eastern Time (ET) Monday through Saturday. Payments made after 3:00 p.m. ET Monday through Friday will post the following day. Payments made after 3:00 p.m. ET on Saturday and anytime on Sunday will post to your account on Monday. Payments will not be posted on Thanksgiving, Christmas and New Years day.

Capital One is an Equal Housing Lender.

Capital One and its service providers are committed to protecting your privacy and ask you not to send sensitive account information through e-mail. You can view our privacy policy and contact information at [link removed]. If you are not a Capital One customer and believe you received this message in error, please notify us by responding to this e-mail.

©2009 Capital One Services, Inc. Capital One is a federally registered service mark. All rights reserved.

EBM52 001 001

That's what the spam looks like in MailwasherPro, which is a safe way to view potentially dangerous emails before downloading to an email client, like Outlook or Thunderbird, that displays all the lovely images and layout encoded in html (the language of web pages). It's pretty pathetic, full of typos, and it's hard to believe it would convince anyone. It doesn't matter -- that part of the spam doesn't even bother to display the link to the phishing site, anyway. They know folks screening their emails with MailwasherPro aren't the ones gullible enough to fall for this spoof. Their real plan is hidden in the html code.

Now, compare this with what you see if you were to actually open this directly in an email client like Outlook. Please understand that I normally have my email client set to NOT load any images unless I approve it for a particular email. I did not load these without first checking the html code to make sure that none of the images were being downloaded from the spammers' site -- just viewing images could tell him who opened his email. (But this guy would rather leech bandwidth from Capital One. He just uses their images instead of copying them onto his own site.)

That looks a little more convincing. And there's a button with a real link, unlike the text view.

Going back to MailwasherPro, or to the "view source" on your email client, look to see where the links are in this email. You'll see lots to "" that look like this:

<img src=3D"
c1/images/wiyw.jpg" border=3D"0" width=3D"600" height=3D"101">

"img src" means it's downloading an image. That's not where the spammer is trying to lure us.

There is one link to the phishing website -- the one that goes with that button that says "Log In." It looks like this:

<a href=3D"
confirmmode/dlstack/formpage.aspx?id=[lots of numbers that probably encode my email address]=
43518"><img src=3D"
ebm52/vc1/images/login.gif" border=3D"0" width=3D"53" height=3D"20"></a><=

Bingo -- the "a href" tells us where the phishing site really is. Notice there's another image link right after it -- the spammer is linking it to an image of a log in button on Capital One's own site. You click the button in the spam, you go to his site. The fact that the picture of the button comes from the real Capital One website doesn't make any difference. Only the "a href" does.

(The "=" signs at the ends of lines are just there to show line breaks. Each time your email client sees an equal sign with a line break after it, it knows it isn't a real equal sign and puts the lines back together into a single line. The "=3D" inside the tags is the same encoding, called quoted-printable, spelling out a literal "=" sign.)

Read left to right until you get to the first single slash mark "/" , then read back to find the real location of the site:

As we found in a previous phish analysis, .be is the country code for Belgium. It's called a "TLD" or "top level domain" and is like the ".com" in other web addresses.
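As an added example (my code, not the post's), the Python below does mechanically what the post does by eye: decode the quoted-printable body, keep the "a href" targets (where a click goes) apart from the "img src" targets (where pictures are loaded from), and apply the read-to-the-first-slash rule to each URL. The HTML fragment is constructed to mirror the snippet above; www.bank.example and login.bank-example-phish.be are placeholders, not the real bank or the real phishing host.

```python
import quopri
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed quoted-printable HTML modelled on the snippet in the post.
# "=3D" is an encoded "=", and "=" at the end of a line is a soft line break.
# Both hosts are placeholders, not the real bank or the real phishing site.
RAW_QP = b"""<p>Please use the "Log In" button below in order to access the Form.</p>
<img src=3D"https://www.bank.example/ebm52/vc1/images/wiyw.jpg" border=3D"0"=
 width=3D"600" height=3D"101">
<a href=3D"http://login.bank-example-phish.be/www.bank.example/confirmmode/=
dlstack/formpage.aspx?id=3D0123456789"><img src=3D"https://www.bank.example/=
ebm52/vc1/images/login.gif" border=3D"0" width=3D"53" height=3D"20"></a>
"""


def decode_qp(raw):
    """Undo quoted-printable: join soft line breaks and turn =XX back into bytes."""
    return quopri.decodestring(raw).decode("utf-8", errors="replace")


class LinkCollector(HTMLParser):
    """Keep 'a href' (click targets) and 'img src' (image sources) apart."""

    def __init__(self):
        super().__init__()
        self.links = []
        self.images = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            self.links.append(attrs["href"])
        elif tag == "img" and attrs.get("src"):
            self.images.append(attrs["src"])


def extract_targets(raw):
    """Return (click_targets, image_sources) from a quoted-printable HTML body."""
    parser = LinkCollector()
    parser.feed(decode_qp(raw))
    parser.close()
    return parser.links, parser.images


def real_location(url):
    """The post's rule: read to the first single slash for the host, then read
    backward from the end for the registered domain and its TLD."""
    host = (urlsplit(url).hostname or "").lower()
    labels = host.split(".")
    return {
        "host": host,
        "registered_domain": ".".join(labels[-2:]),
        "tld": labels[-1],
    }


if __name__ == "__main__":
    links, images = extract_targets(RAW_QP)
    for url in images:
        print("image loaded from:", real_location(url)["registered_domain"])
    for url in links:
        print("click goes to:", real_location(url))
```

The last-two-labels rule is the post's rule and holds for .be and .com, but not for TLDs with second-level registries such as .co.uk; a tool meant for general use consults the Public Suffix List instead of counting labels.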

What does the site itself look like? Can't tell. The site is already shut down, probably because the registrar for pulled the plug, though their whois information does not give enough information to tell. If you attempt to report the domain using Complainterator, it chokes due to their non-standard whois format, but you can manually enter the domain name into the traversal you get from complainterating any other domain to get

which shows all the root servers reporting

[Reports no a record (NXDOMAIN)]

That means the domain no longer exists as far as the rest of the internet can tell. The "a" record tells what numeric address goes with the domain name, and is necessary for computers to translate the address you enter in your browser -- like "" -- into what computers understand, which is numbers like "" But the registrar still appropriately has listed as "registered," so the spammer can't just turn around and register the same name with a different registrar.

That all happened within three hours of it arriving in my inbox, which is great work for whoever discovered it and reported it and for whoever shut it down. Every minute one of these is alive is time for the phisher to start collecting personal information and banking passwords. This one may have been shut down before the phisher was even able to offload any data that victims had already entered.


February 14, 2009
Cookies and spyware scanning

People usually get disturbed when they run their first spyware scan from a program like "AdAware" or "Spybot Search and Destroy." Invariably, those programs will find massive numbers of "unwanted" files. Most of them will be something called "cookies."

Cookies are small files put on your computer by websites you visit. They contain information that will be provided to that website -- and sometimes to other websites -- during that and subsequent visits to the site. But they are not executable files that can harm your computer, like "spyware."

Cookies by themselves are not evil. If you ever buy anything on line, your "shopping cart" requires your computer to accept cookies. Much as retailers might want to collect every shred of data about you, they really don't want to store it all on their own computers. Cookies allow that data to be stored on the computer of each user. So as you add things to your shopping cart, that data is stored on cookies on your computer, and when you check out, your computer can provide the information about everything you selected. Similarly, if you visit a site that requires you to sign in with a password, a cookie allows that site to keep you logged in when you navigate from one page to another on the site.

Advertisers also use cookies. They aren't just trying to show you ads; they want to create sales for their clients. So whenever possible, they want to show you ads about things you would be interested in. So if you visit the website of your local newspaper and always click on the technology pages, they may give you a cookie that will cause their site to preferentially show you ads for computer equipment. Since you might prefer to see that instead of ads for household cleaning products, that's not necessarily a bad thing either.

But sometimes you might not want to share that much information about yourself. Many internet marketing agencies are collecting personally identifiable data and matching things together. They probably have a file with your name, address, email, age, occupation, income, hobbies, spouse and children's names, etc. Or if they don't, they would like to.

And sometimes, cookies may provide information about you that you don't want on record, accurate or not. So if you searched for "fun for girls" to find activities for your daughter and her friends on a playdate and clicked on the wrong link in the search results, you might find yourself getting a lot of ads and even spam for porn sites.

The spyware programs look for cookies for third party advertisers you may not want having too much comprehensive information about you. But you can also control this yourself. There are browser settings that allow you to block third party cookies, to delete cookies after you log off, to delete cookies after a certain period of time, or to not accept cookies from a company if you have deleted their cookies once already. (For Internet Explorer and Firefox, you have to enter each cookie-giving website on a blacklist yourself, instead of having the one-click delete+block feature of another Mozilla browser, SeaMonkey.)

Even if you aren't worried about the privacy issue, if you are using Internet Explorer you probably want to find your cookie file and do some culling. That file tends to become massive enough to slow down your computer. (The Tools => Internet Options window allows you to delete them all, but you may not want to do that.)

For Windows XP or Windows 2000:
C:\Documents and Settings\[username]\Cookies\
Temporary Internet Files (also slows your computer):

For Windows Vista:

For Windows ME/98/NT/95:
C:\Windows\Profiles\[username]\Cookies\ or
C:\Windows\Cookies\ if there is no Profiles folder

Internet Explorer saves each cookie as a separate text file. Usually the title of the file will tell you where it is from; if not, it is safe to click on the cookies to read the text inside. That will probably give you the URL of the site it came from. The personal data about you is probably encoded.

Are there some cookies you don't want to delete? Definitely. If you have been getting automatically logged onto one of your favorite websites, be sure you know the password before you delete any cookies from that site -- or visit the password change page to pick a new one first -- as you will have to enter your information again once the cookie is gone.

"It's real fine, my 419"

With warm heart I offer my friendship, and greetings, and I hope this mail meets you in good time. However strange or surprising this contact might seem to you as we have not met personally or had any dealings in the past, I humbly ask that you take due consideration of its importance and immense benefit. I duly apologize for infringing on your privacy; if this contact is not acceptable to you First and foremost I wish to introduce my self properly to you. My name is Maxwell Khumalo project coordinator Gautrain under ground mass rapid transit railway system construction project in Johannesburg .

I facilitated the award of the contract for the Construction of the Gautrain under ground mass rapid transit railway system to Bombela Consortium which is a partnership between Bombardier Transportation, Bouygues Travaux Publics, Murray & Roberts, the Strategic Partners Group and RATP Development. In return to this gesture I received a compensation of US (dollars) 20 M.

The approval of the award of the R25 Billion construction program was done based on many factors including merit. During the screening period the BEE (Black Economic Empowerment) group posed a resistance to such a huge capital project on the grounds that such funds should be plunged into areas that would benefit the poor since it has been noted that the government is only concerned with the affairs of the rich and outsiders. I argued that the Gautrain , 80-kilometre mass rapid transit railway system will ultimately link Johannesburg, Pretoria, and OR Tambo International Airport and that it will l relieve the traffic congestion in the Johannesburg – Pretoria traffic corridor as well as offer commuters a viable alternative to road transport, as Johannesburg has a limited public transport infrastructure. On winning the legal tussle and subsequently facilitating the award of the contract to Bombela Consortium I received the monetary compensation.

The reason why I am contacting you is because the said fund was not secured in a bank account due to the nature of the deal and also due to the fact that the BEE (Black Economic Empowerment movement ) may discover about the compensation. I am looking for an oversea partner to receive this fund in an oversea account.

All conformable documents to back up this claim will be made available to you prior to your acceptance. Meanwhile, I have worked out the strategies and technicalities to attain a hitch free transfer hence I am offering you 30% of the total funds for your assistance.

If you are interested in handling this life changing and promising transaction of mine, please reply via this email address below and as well email me your direct telephone number for discussion of this deal in further details.

Fax number: +1 44 870 495 1987
Fax number: +1 44 870 495 9729
Telephone number 1: +44 703182 3587
Telephone number 2: +44 703 182 5989
Email 1: [email protected]
Email 2: [email protected]
ATTN: Maxwell Khumalo

Please for the seriousness of this matter; send me a fax in the two fax numbers above. Also forward same message to the two email addresses provided. Additionally make sure that you contact me on any of the phone numbers for a brief telephone discussion. I am in the United Kingdom because of this matter and await your reply. It is important that you send me both emails and faxes as our email systems these days are becoming unreliable hence I need to make sure that one way or the other, I get your message. Call me also when you send the message at +44 703182 3587 or +44 703 182 5989. Awaiting your reply.
Maxwell Khumalo

I get a half dozen of these "419" spams every day. (The name comes from the article number of the law they violate.) They're also known as "Nigerian" spams, since so many of the spammers claim to live there (and many do live there), or "advance fee fraud" spams.

The spams appear out of nowhere, with elaborate sob stories and offering vast sums of money for little work. Once someone responds to one, the spammer will attempt to get the victim to send him money -- to pay taxes, bribe officials, pay shipping, whatever. They will come up with reasons as long as the victim continues to believe. Some victims have gone so far as to travel to Africa to meet the scammers, and have been kidnapped and tortured in order to induce their relatives to send even more money. So while it's easy to be harsh on anyone so greedy as to fall for these obvious scams, don't dismiss the 419 spammers as some type of minor pranksters.

What made this spam stand out? Because the salutation specifically mentioned my first and last name, city, and nearly the correct postal code. Up until now, all the 419's I've received were conspicuously missing any mention of my name, considering how much money they claimed to be ready to trust me with. They'd even use the story that they found me because I share the same last name as a wealthy deceased person with no heirs, yet address the email to "Dear Recipient."

It's not hard to find matched lists of names and email addresses, so no one should think for a minute this is more likely to be a legitimate offer. But it may mean the 419-ers are finding it harder to find gullible prey and are going to extra effort and expense to create a more credible spam. I suspect we'll see a lot more of it.


February 13, 2009
Javelin study on ID theft debunked

Wired's Kevin Poulsen and computer forensics researcher Gary Warner have both blogged on a report from Javelin Strategy and Research which came to the surprising conclusion that only 11% of identity theft was due to cybercrime like malware or financial institution data breaches.

While there's certainly no harm in following the recommendations in the Javelin report -- shred your trash, don't use non-secure website ordering, don't carry more ID cards in your wallet than you need, yadda, yadda -- their reassurances about cyberbreaches are not very reassuring.

They came to their 11% figure by contacting 4,784 people and asking them if they were victims of identity theft. (The summary report on their website doesn't say how that random sample was chosen.) Of those people, they were able to identify and interview 482 fraud victims.

Here is an attractive pie graph of their results:

The blue shading is supposed to indicate problems having nothing to do with electronic data breaches. But notice the disclaimer at bottom right: "Based on the 35% of victims who know how their information was obtained." That means most of the people didn't know how their data was stolen. The 35% who said they knew are not going to be a random subset -- no one who got mugged and lost a wallet is going to say they have no idea how it happened, for instance.

These folks do surveys for a living. They know this is very weak data. It's very annoying when someone with data like this tries to create a sound bite that makes it sound definitive -- especially when they are working for people who might have reason to make consumers blame themselves instead of the banks handling their data.

Spamtrackers volunteers talk to identity theft victims, too. There is at least one group of spammers who use stolen identities and credit/debit cards to register the domain names for the websites where they sell their counterfeit drugs and other crap. (Talking to the victim to confirm that the registration is fraudulent is one of the strongest ways to convince a registrar a domain should be suspended.)

Of the victims we talk to, most are hearing for the first time that their data was stolen. These domains were often registered months earlier, and the identity theft and small credit card charges weren't even noticed at the time. So it's no surprise most don't know how it happened, either. And of those who think they do know, it's pure conjecture -- they may suspect the web retailer they used for the first time or an employee at their bank or just the internet in general, but they really have no information to back it up.

You can't do a scientific survey and tease that kind of information out of people. You're supposed to give them a carefully worded question and record which answer they chose, not delve into how they came to that conclusion. So the problem is less that the folks at Javelin came up with weak data than that they are trying to make it sound stronger than it is.

Meanwhile, the biggest surprise is that 482 people who already had had their identities stolen once were willing to talk to someone who called on the phone to ask personal questions. Besides telephone polls excluding a lot of people who aren't home, don't use land lines, or don't answer phone calls from people whose phone numbers they don't recognize, all but the most gullible people are going to be pretty suspicious about people calling on the phone to ask questions once they've been burned once.


February 9, 2009
CNN reports on illegal pharmacies

CNN has posted a video on their website reporting on the difficulty law enforcement has in shutting down illegal internet pharmacies that sell prescriptions drugs, including controlled substances, to anyone who wants them. It's good to see the problem getting some attention, but there are some important points they didn't report.

* While they give a figure of 800,000 illegal websites selling drugs, I'm guessing this includes all the multiple domain names for sites like Canadian Pharmacy that keep using new ones to avoid spam filters. Very few pharma sites have a legitimate bricks-and-mortar store to cover their illegal activities. Those of us working at and have probably shut down well over 50,000 scam pharmacies ourselves (see a very partial listing of domain shutdowns here).

* These illegal pharmacies can only operate with the tacit cooperation of legitimate companies: domain registrars, hosting companies/internet service providers, payment processors. If a site's domain registration was paid with a stolen credit card number, and the bank knows it and has already taken their money back, why doesn't the registrar suspend the domain? And why the hell is that site able to get a merchant account and process credit card payments in real time? If the website is hosted on a fast-flux botnet, and every bot in that net is an innocent computer owner infected with malware, why is it so difficult to get internet service providers to accept reports and get their customers some help? If all the domains are registered with fake information, why does it take 45 days for ICANN to process a WDPRS report for every one of them, once a pattern of fraud is established?

The 800,000 figure sounds daunting. But as we have found with registrar reporting, all it takes is one registrar or hosting employee who "gets it" to quickly and consistently shut these domains down. Within a month or two, the spammers will take most of their business elsewhere. When the criminals are concentrated on a few networks or registrars, it becomes much easier for upstream/accrediting bodies to shut those bad actors down. Just ask McColo and ESTDomains.

* True, there aren't enough law enforcement personnel to devote to this and cover all the violent criminals, too. But there are a lot of volunteers willing to do some of the grunt work documenting these crimes. The SIRT program, which lost its hosting when Castlecops folded, was credited with assisting in gathering evidence in the Herbal King case, which is still ongoing. Those volunteers are very anxious to get back to work. And frankly, there would be more of them except for the burnout involved in gathering evidence about such massive and ostentatiously fraudulent operations only to find registrars, hosts, and banks aren't interested because the individual losses aren't large.

If anyone from CNN is reading, we'd love to help you out with this story. Frankly, people are almost certainly dying from unreported reactions to what they received or didn't receive from these scam pharmacies -- some media attention here can save lives. For a good exposition of just how crooked these pharmacies are, I'd recommend starting with the My Canadian Pharmacy spamwiki article. And drop by forums to ask questions; you'll get an earful.


Add: Interesting follow-up from's blog.

Where's Waledac?

Another Valentine's day, another bunch of ecards from secret admirers. This year the malware infection is called "Waledac." It's just like the Storm Worm, except it isn't.

It's an entirely different trojan, but it's still spread by the same type of spam messages, still hosted on fast flux botnets with refresh rates of less than one second, still controlled via peer to peer networking. That means it needs a lot of computers under its control to keep moving around so often. And if you go to one of these ecard sites, you're probably connecting to someone's home or office PC, not any big computer server somewhere. You could even be connecting to your own computer. (It's possible to do that; you don't get a busy signal or anything. ;) )

Since it moves so often, you're unlikely to look up its location at exactly the moment it's serving files from your own computer. And you won't notice anything slowing down, since it will only be hosting those files for a fraction of a second at a time. In the past, you could just put your own IP address in your browser with one of the virus's file names -- for instance, if you knew you were logged onto the internet with the IP address, you could put "" in your Firefox browser and see the image above. The virus won't do that now, unfortunately.

As always, the important thing is to avoid getting infected in the first place. Make sure your antivirus is up to date, and make sure nothing has shut it off while you weren't looking. Make sure you have an outgoing firewall (Windows firewall only blocks incoming traffic), so that if a trojan on your computer tries to contact its friends, your firewall will raise a stink. Don't use Internet Explorer, and when you use other browsers like Firefox, have JavaScript turned off by default using the NoScript add-on. Also, set your browser to always ask where to put any downloaded file, even if you always want it in the same place, so you are always alerted that a download is occurring. It's much harder to get rid of something once it's already insinuated itself into your computer files.

For those of you who manage a network and who want a way to find out which of your users is infected, it isn't necessary to sit around waiting for someone to send you abuse reports. First, go to for a list of recent Waledac domains. Pick one that hasn't been shut down. For example, "" is active right now.

Create a text file with the line

dig >>

Repeat that line over and over hundreds of times. I do this using Excel, putting the text string into the first line, then copying that line into a long block of subsequent lines. Then copy that whole thing into your text file a few times in a row, and save it:

dig >>
dig >>
dig >>
dig >>
dig >>
dig >>
dig >>
etc., etc., etc.

Change the extension of the saved file from .txt to .cmd. Put it in a folder that has a copy of dig.exe in it (dig.exe is included in the Botnet Reporter download at Then click on the file to run it. When it finishes, you can click it again a few times, too.

Open the resulting file "" with Excel, sort the IP addresses it has collected, and find the ones on your network.

You can also use Botnet Reporter, which will do all the heavy lifting for you, and even look up the hosting networks for all the IPs it collects. But since Waledac moves much more frequently than Botnet Reporter scans, it's probably more practical to just get a half hour's worth of IP addresses of people who are all logged in right now. On a PC, the .cmd file will check the IP address of the domain you specify about six times a second, and about every other one of them will be a new IP location.
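The same collect-sort-filter procedure as an added script (not the page's own .cmd file or Botnet Reporter code): it parses concatenated dig output into A records, counts how often each address was served, and picks out the ones inside a network you specify. The domain, file contents and addresses below are constructed placeholders; the `collect_dig_output` helper that actually runs dig is included for completeness but the demo works offline from the sample.

```python
import ipaddress
import re
import subprocess
from collections import Counter

# One A record line from dig's ANSWER SECTION, e.g.
#   flux.example.invalid.   0   IN   A   198.51.100.23
# A TTL of 0 (or a few seconds) is typical of fast-flux hosting.
A_RECORD = re.compile(r"^\S+\s+(\d+)\s+IN\s+A\s+(\d{1,3}(?:\.\d{1,3}){3})\s*$")

# Constructed sample: four dig runs against a placeholder domain, trimmed to
# the question/answer sections. Addresses come from the documentation ranges.
SAMPLE_DIG_OUTPUT = """\
;; QUESTION SECTION:
;flux.example.invalid.\t\tIN\tA

;; ANSWER SECTION:
flux.example.invalid.\t0\tIN\tA\t198.51.100.23

;; ANSWER SECTION:
flux.example.invalid.\t0\tIN\tA\t203.0.113.77

;; ANSWER SECTION:
flux.example.invalid.\t0\tIN\tA\t198.51.100.23

;; ANSWER SECTION:
flux.example.invalid.\t0\tIN\tA\t192.0.2.140
"""


def collect_dig_output(domain, runs, dig="dig"):
    """Run dig `runs` times (what the page's .cmd loop does) and return the
    concatenated output. Needs a dig binary and network access; the offline
    demo below feeds SAMPLE_DIG_OUTPUT to the parser instead."""
    chunks = []
    for _ in range(runs):
        result = subprocess.run([dig, domain], capture_output=True, text=True)
        chunks.append(result.stdout)
    return "\n".join(chunks)


def extract_a_records(dig_output):
    """Return (ip, ttl) for every A record line in concatenated dig output."""
    records = []
    for line in dig_output.splitlines():
        match = A_RECORD.match(line.strip())
        if match:
            records.append((match.group(2), int(match.group(1))))
    return records


def summarize(records, my_network):
    """Count how often each IP was served and list those inside my_network,
    a CIDR string such as "198.51.100.0/24" (the step the page does by
    sorting the collected addresses in Excel)."""
    net = ipaddress.ip_network(my_network, strict=False)
    counts = Counter(ip for ip, _ in records)
    on_net = sorted(ip for ip in counts if ipaddress.ip_address(ip) in net)
    return {"distinct": len(counts), "on_my_network": on_net, "counts": counts}


if __name__ == "__main__":
    recs = extract_a_records(SAMPLE_DIG_OUTPUT)
    report = summarize(recs, "198.51.100.0/24")
    print(f"{len(recs)} answers, {report['distinct']} distinct addresses")
    print("hosts on my network:", report["on_my_network"])
```

Any address that shows up in the answers belongs to an infected machine serving the domain at that instant, so a hit inside your own prefix is the host to go clean up.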


ADD: New picture, new domains this evening:

(Awwww, don't they just make you want to hand your computer over to the Russian Business Network?)

New domain names: (yeah, it's really spelled that way)

Hmmm...."" and "" Could a medical theme be in the planning?

Addendum 2/17/09: Shadowserver is keeping a list of current names at

Here are a few since their last update:

Still working the Valentine's day theme, and the sites still have the Valentine's theme. But are they planning a work-at-home scheme making beaded jewelry spoof?


February 8, 2009
"Try Via/Cia for free today"

The ED Pill Store guys never give up. You have to hand that to them. Occasionally, they manage to get their mailing software to work and actually include a URL in their spam, like

Naturally, since it's being spammed, you know to stay away. But suppose you just came across this site while surfing the internet? Are there clues to tell you it's a scam?

One of the first things you can check is the "whois" for the domain name, There are lots of places to look it up. In this case, most of them are not pulling up all the information. Even their own registrar, eName, has very incomplete information at :

I looked around further and managed to find somewhat more complete information at Network Solutions, a registrar that actually has nothing to do with this domain, but which somehow is doing better at retrieving the whois information at :

For more information, please go to

The previous information has been obtained either directly from the registrant or a registrar of the domain name other than Network Solutions. Network Solutions, therefore, does not guarantee its accuracy or completeness.


IP Address: (ARIN & RIPE IP search)
Lock Status: clientDeleteProhibited

The fact is that any site spammed so heavily is going to have fake information in the whois. But good luck contacting someone in Beijing whose site is registered in China and hosted in Korea to prove it.

And check the date: "Creation Date 2009-2-5 22:26:00". Yes, that really means this site did not exist or even have a name prior to February 5, 2009. The spam arrived February 6.

When you look at the actual site, your "free Via/Cia" actually involves $20 shipping. But they say there is a money-back guarantee, right? Well, how useful is that for a site that was only created the day before? You don't get much more "fly by night" than that.

Their home page helpfully includes a form for you to complete to get your "Via/Cia free." That takes you to a page called "secure checkout" at . But look up at the top, where that URL is displayed. It's http, not https. That's not secure. Remember that you aren't physically "on" the spammer's computer; you're on your own computer. And your order isn't going to magically jump from your computer to the spammer's. It has to travel through telephone and data cables from one "node" to another, being routed via the most efficient way to its destination. Nodes are places like your internet provider's data center, various universities, and other major data centers, with your order traveling from one to the other like stepping stones on its trip. Your order can be read as it travels through any one of those nodes. That's what "insecure" means and it's the reason people tell you to pay attention before you enter personal data on a website.

For example, I can go to and choose one of many servers that will do a "traceroute," finding all the stops an order would make if it started on their computer. I get results like this:

1 ( 0.269 ms 0.197 ms 0.188 ms

2 ( 0.273 ms 0.219 ms 0.215 ms

3 uwcr-hsh-01-vlan1939 ( 0.302 ms 0.282 ms 0.279 ms

4 ( 0.372 ms 0.369 ms 0.315 ms

5 ( 0.459 ms 0.414 ms 0.386 ms

6 ( 0.483 ms 0.355 ms 0.351 ms

7 ( 25.284 ms 25.182 ms 25.265 ms
MPLS Label=31306 CoS=0 TTL=1 S=1

8 ( 25.453 ms 25.075 ms 24.955 ms
MPLS Label=16783 CoS=0 TTL=255 S=1

9 ( 25.521 ms 25.179 ms 25.467 ms
MPLS Label=0 CoS=0 TTL=255 S=1
MPLS Label=16186 CoS=0 TTL=255 S=0

10 ( 25.306 ms 25.411 ms 25.193 ms
MPLS Label=30066 CoS=0 TTL=1 S=1

11 ( 24.774 ms 24.649 ms 24.739 ms

12 ( 22.654 ms 21.717 ms 21.668 ms

13 ( 21.869 ms 21.913 ms 21.589 ms

14 ( 167.272 ms 155.470 ms 156.928 ms

15 ( 147.566 ms 148.290 ms 149.520 ms

16 ( 162.265 ms 164.750 ms 162.148 ms

17 ( 169.086 ms 166.301 ms 164.185 ms

18 ( 156.525 ms 155.502 ms 154.989 ms

19 ( 165.933 ms 174.305 ms 167.852 ms

20 ( 150.541 ms 148.312 ms 152.830 ms


So that was twenty stops from Washington State to Korea, and every one has the ability to see who is ordering medicine for their erections and what their credit card numbers are.
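The "look up at the URL bar" check from above, done as an added script (not the page's own code): it pulls every form out of a page, resolves where each one submits, and flags any form that asks for card or login details while either the page or its action is plain http, which is exactly the "secure checkout" over http the page describes. The page URL and HTML below are a constructed sample.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Field names that suggest payment or login data is being collected.
SENSITIVE_HINTS = ("card", "cvv", "cvc", "expir", "password", "ssn")

# Constructed sample: an http storefront whose order form posts to an
# http "secure checkout" page, plus a harmless search form.
SAMPLE_PAGE_URL = "http://pills.example.invalid/"
SAMPLE_HTML = """
<form action="/search"><input name="q"><input type="submit"></form>
<form action="http://pills.example.invalid/secure-checkout" method="post">
  <input name="fullname"><input name="email">
  <input name="card_number"><input name="cvv"><input type="submit" value="Order">
</form>
"""


class FormCollector(HTMLParser):
    """Collect each <form> with its action resolved against the page URL and
    the (name, type) of its <input> fields."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # An empty or missing action submits back to the page's own URL.
            action = urljoin(self.page_url, a.get("action") or "")
            self._current = {"action": action, "inputs": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            name = (a.get("name") or "").lower()
            typ = (a.get("type") or "text").lower()
            self._current["inputs"].append((name, typ))

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def collects_sensitive_data(inputs):
    return any(typ == "password" or any(h in name for h in SENSITIVE_HINTS)
               for name, typ in inputs)


def audit_forms(page_url, html):
    """One finding per form: where it posts, whether it asks for sensitive
    data, and whether that data would travel (or the form itself arrive)
    over plain http, readable at every hop of the route."""
    collector = FormCollector(page_url)
    collector.feed(html)
    page_https = urlsplit(page_url).scheme == "https"
    findings = []
    for form in collector.forms:
        action_https = urlsplit(form["action"]).scheme == "https"
        sensitive = collects_sensitive_data(form["inputs"])
        findings.append({"action": form["action"], "sensitive": sensitive,
                         "insecure": sensitive and not (page_https and action_https)})
    return findings
```

Note that an https action on an http page is still flagged: the page carrying the form can be altered on the way to you, so its action can be rewritten before you ever see the padlock.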

Yet these spammers have the gall to put this on their FAQ page:

What is the advantage from ordering from your website rather than buying at my regular pharmacy?

Besides the huge savings, you have the advantage of privacy. There’s just no replacement for ordering in the privacy of your own home. You will feel no discomfort from purchasing medications online, though you might otherwise feel embarrassed about them. All of our packages are shipped in plain wrappings that do not indicate the contents. No face-to-face hello's with the cashier who knows your whole family; no teenage stock-clerks whispering in the aisles; and no detailed "Rewards Card" records of your every purchase. Nobody will know about your meds except for you. Your privacy is completely safe with us and your information will never be used in any way other than for proper shipment of your orders.

Is it safe to order and pay for medications online?

Absolutely. If you already know what you are looking for, then you do not need a doctor visit just to get a prescription. If you are not sure what is right for you and have never visited a doctor about your condition, or you are not sure what your condition is, we suggest an initial consultation, just to confirm that Viagra or Cialis is truly what you need.

Paying for your medication(s) through our website is completely safe. Your credit card information is processed through a state-of-the-art, 128-bit, secure server and your information is kept completely confidential and used for order processing or verification only.

Nope, no "face-to-face hello's." You don't know who they are, but they know who you are. You have no idea who's going to see your information, and frankly, the guys at stop #20 are the scariest ones of the whole trip. You know they're dishonest.

Oh, and just because you "know what you are looking for" doesn't mean it's safe to get erectile dysfunction drugs without a prescription. The spammer doesn't ask what medications you're taking, what you're allergic to, or what your other medical problems are. He wouldn't know what to do with that information if he had it.

With all the different doctors people come into contact with when they are very ill, it's hard enough to avoid medication interactions. Taking a medication that isn't in your record anywhere is particularly dangerous. You may already be on a medication that will interact with Viagra or Cialis, but may have been taking it safely for so many years that your doctor isn't thinking about reminding you that it will interact with a drug you aren't supposed to be taking in the first place. Or you may be given a new drug in an emergency, and you may not even be conscious to tell the hospital staff what you've been taking.

Erectile dysfunction drugs interact with nitrates, drugs that typically are started in dire emergency situations. The first time you get chest pain, are you going to discuss your illegal drug purchases with the paramedics? And in front of the woman you've been having sex with?

If you think you'll be able to tell which drugs have nitrates in them, see if you can pick the six nitrate-containing medicines in this list:

Transderm Nitro


February 2, 2009
SiL's Open Letter to Law Enforcement about scam pharma site "Canadian Pharmacy"

"If you have an email address of any sort, it is very likely that you're at least mildly aware of Canadian Pharmacy. It's the most commonly spammed property on the Internet today, and shows no signs of slowing down whatsoever. CPh has been relentlessly spammed to millions of recipients for the past three years."

-SiL's I Kill Spammers blog, Feb. 2, 2009

Yeah, that pretty much sums it up. You probably recognize the ubiquitous spam messages for sites with names like "," "," "," and other two-word domain names as the most common type of spam you receive, especially if you have access to the emails blocked by your spam filters.

Canadian Pharmacy (which may show the title "European Pharmacy" or "United Pharmacy" if you are visiting from outside North America) tries to "hit the inbox" by registering thousands of domain names and using each for only a few hours. By the time the spam filters have added one domain name to their lists, all the spam is advertising another.

Of course, most of the potential victims of this scam aren't answering their emails that fast, so the sites need to stay alive long enough for those folks to place their orders. It's still worth reporting them and getting them shut down to reduce the potential profits to spammers and the potential harm to the public, even if the spam is already sent.

The perpetrators of this scam couldn't carry out this type of abuse of the internet's resources without using criminal means to hide their identities. In addition, they hijack other people's computers for mailing the spam and hosting the websites, and use "fast-flux botnet hosting" to make it difficult for anyone to identify and disinfect those hijacked computers. To people familiar with how these criminals operate, it's beyond belief anyone would actually swallow any pills the Canadian Pharmacy spammers might actually manage to smuggle into the country.

Spamming is just the visible tip of a large iceberg of criminal activity. And the criminals operate quite openly, because spam somehow is considered merely an annoyance, a "quality of life issue." Yet in a world that depends so heavily on the internet, this criminal element is a threat equal to anything we feared from "Y2K." It's time for a holistic approach to internet crime, addressing spam and all the filth that lies beneath its surface slime.


Glavmed posted a response on their websites briefly; the text and SiL's counter-response are here.

Forum discussion is here.

The ED Pill Store

The regulars at the NANAE forum came up with some Rules of Spam. Among them are

Rule#1: Spammers lie
Rule#2: If a spammer appears to be telling the truth, see Rule#1
Rule#3: Spammers are stupid

Whoever is responsible for the ED Pill Store crap is a real spammer's spammer. Especially under the criteria of Rule #3.

Normally, I would assume there would be a group of affiliates mailing for the brand, so not all the spam would come from the same mailer. But it's hard to believe that all the spammers who are stupid in exactly the same way all decided to mail for ED Pill Store.

Not only does he send out bucketloads of spam in short bursts of identical messages, using the same old subject lines and fake "from" lines -- I mean, seriously, dude, if the spam filter blocks one, why would it miss any of the others? -- he has serious difficulties with his spam mailing software. He just can't seem to include the URL he wants us to visit. The majority of the time (literally!), the spam arrives with only half the URL link, or with no URL in it at all. Is this supposed to poison spam filters? Like no one is going to mark something as spam if it says


<html><body><div align="center"><br><b><font color=#FF0000 size="5">***SAIL***<br><br>16 Vi<span style="FONT-SIZE: 2px; FLOAT: right; COLOR: white"> fvb </span>agra Pi<span style="FONT-SIZE: 2px; FLOAT: right; COLOR: white"> fri </span>lls FR<span style="FONT-SIZE: 2px; FLOAT: right; COLOR: white"> oa </span>EE<br> or<br> 16 Ci<span style="FONT-SIZE: 2px; FLOAT: right; COLOR: white"> rb </span>alis P<span style="FONT-SIZE: 2px; FLOAT: right; COLOR: white"> qk </span>ills F<span style="FONT-SIZE: 2px; FLOAT: right; COLOR: white"> jb </span>REE</font></b><br><br>Bri<span style="FONT-SIZE: 2px; FLOAT: right; COLOR: white"> zh </span>ng dou<span style="FONT-SIZE: 2px; FLOAT: right; COLOR: white"> hw </span>ble ene<span style="FONT-SIZE: 2px; FLOAT: right; COLOR: white"> pql </span>rgy to your lo<span style="FONT-SIZE: 2px; FLOAT: right; COLOR: white"> cw </span>vemaking!Fi<span style="FONT-SIZE: 2px; FLOAT: right; COLOR: white"> qe </span>nd out how you can get wo<span style="FONT-SIZE: 2px; FLOAT: right; COLOR:


just because it doesn't include your URL? Hel-looo! This is the most easily identified crap in the inbox. If I can write a filter for MailwasherPro that catches every one of these, does the spammer really expect the commercial spam filtering programs to have any difficulty?
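The filter idea above, as an added example (not the author's MailwasherPro filter): the spam hides junk letters inside 2px white floated spans so that "Viagra" never appears as a contiguous string in the raw HTML, and a filter that matches on the rendered text instead of the markup catches it. The sample is constructed from the start of the spam quoted above, closed off so the parser sees a complete document.

```python
import re
from html.parser import HTMLParser

# Inline styles that hide an element's text from the reader. The spam above
# uses 2px white floated spans; display:none and visibility:hidden are the
# other common variants of the same trick.
HIDDEN_STYLE = re.compile(
    r"font-size\s*:\s*[0-3]px|color\s*:\s*(?:white|#fff(?:fff)?\b)"
    r"|display\s*:\s*none|visibility\s*:\s*hidden",
    re.I,
)
VOID_TAGS = {"br", "hr", "img", "input", "meta", "link"}

# Constructed sample built from the spam quoted on the page.
SAMPLE_SPAM = (
    '<html><body><div align="center"><br><b><font color=#FF0000 size="5">***SAIL***<br><br>'
    '16 Vi<span style="FONT-SIZE: 2px; FLOAT: right; COLOR: white"> fvb </span>agra '
    'Pi<span style="FONT-SIZE: 2px; FLOAT: right; COLOR: white"> fri </span>lls '
    'FR<span style="FONT-SIZE: 2px; FLOAT: right; COLOR: white"> oa </span>EE<br> or<br> '
    '16 Ci<span style="FONT-SIZE: 2px; FLOAT: right; COLOR: white"> rb </span>alis '
    'P<span style="FONT-SIZE: 2px; FLOAT: right; COLOR: white"> qk </span>ills '
    'F<span style="FONT-SIZE: 2px; FLOAT: right; COLOR: white"> jb </span>REE</font></b>'
    '</div></body></html>'
)


class VisibleText(HTMLParser):
    """Collect only the text a reader would actually see."""

    def __init__(self):
        super().__init__()
        self.parts = []
        self._hidden = []  # one flag per open element: is its text hidden?

    def handle_starttag(self, tag, attrs):
        if tag in VOID_TAGS:
            self.parts.append(" ")  # <br> visually separates words
            return
        style = dict(attrs).get("style") or ""
        self._hidden.append(bool(HIDDEN_STYLE.search(style)))

    def handle_endtag(self, tag):
        if tag not in VOID_TAGS and self._hidden:
            self._hidden.pop()

    def handle_data(self, data):
        if not any(self._hidden):
            self.parts.append(data)


def visible_text(html):
    """Rendered text with hidden spans dropped and whitespace collapsed."""
    parser = VisibleText()
    parser.feed(html)
    return re.sub(r"\s+", " ", "".join(parser.parts)).strip()


def find_drug_terms(html, terms=("viagra", "cialis")):
    """Drug names present in the rendered text, sorted."""
    text = visible_text(html).lower()
    return sorted(t for t in terms if t in text)
```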

And when he does include a URL, he's got some interesting choices of domain names. Like "" Did anyone explain to that guy what "clap" is slang for in English? It's not the sort of thing you want people thinking about when you're trying to sell them fake drugs for erectile dysfunction.

Oh, yeah. Rule#3.

There's a discussion forum for this brand that you can join at (in the registered users area).




