February 25, 2009
Classmates.com spoof downloads poorly detected malware

The spam looks like this:

That's a very dangerous site. If you were to visit the site you would see this:

It's another one of those malware sites with an image that looks like a youtube video. Looking like a video window means nothing. You can even make an image like that yourself!
- On your Windows desktop (if you have XP at least), you can click "Start" then "Programs," "Accessories" and scroll down to open "Paint."
- Go to any video on youtube.com. Start watching, then hit the pause button.
- On your keyboard, click the button that says "PrtSc" or "PrntScrn" or some other abbreviation for "print screen."
- Go back to the Paint window you have open and hit Ctrl-V to paste into the window.
- If you have photo editing software, of course, you can crop it to get rid of all the stuff around the video screen, write in the caption and five star rating on top of the screen,etc.

Just like this image, clicking on it isn't going to start any video playing. But unlike this spoof site, at least it won't start a trojan downloading onto your computer.

Of course, this site has nothing to do with Classmates.com. Look at the URL:

http://classmates.registration.priority.messagecentre-bheod60vx.registeredsmile.com/videoL83.htm

Remember the rule -- Read to the first single slash mark, then read backward to find the real location of a site. In this case, it's "registeredsmile.com."

Whether you click on the video, the Adobe logo, or don't click anything at all, it will try to load a file called "Adobemedia10.exe" on your computer by an automatic page refresh. So you should obviously have your browser set to always ask where to store a file you are downloading, so you can cancel the download, or rename the file to something harmless like Adobemedia10.exe.txt. You obviously wouldn't want to visit with Internet Exporer, and you'd want javascripts shut off in your browser or with an extension like Noscript.

I won't list the whois information here, because it appears these scumbags stole the identity of an elderly man in Tucson to register the site. They may have stolen his credit card number to pay for it, too. The registrar is Bizcn.com, in China.

The malware itself is very poorly detected, so if you were expecting your antivirus to protect you, it probably didn't:

Terms like "heuristic" and "suspicious" mean those programs didn't recognize it, either, but they recognized general characteristics about it that caused them to detect possible danger. "Trojan" means malware that will open up your computer to allow attackers access from the outside. That allows the criminals to get your information or to install worse programs than this once your antivirus software has been turned off.

February 24, 2009
Waledac domain update

Judging from the search engine strings that bring people to this page, there's a lot of interest in whether the domains being used to spread the Waledac trojan are legitimate sites. The Shadowserver list is a little out of date, so here are the current ones I can find:

New:

Surviving:

Codecouponsite.com? Greatsalestax.com? Deathtaxi.com?? The sites are refusing visitors right now, so there's no way of knowing what the new theme is yet.

Well, if you get spam that promises a coupon for a tax-free download of a Death Cab for Cutie song, whatever you do, don't click on it. ;)

February 23, 2009
Paypal phish

This phish arrived in plain text only -- no hidden html tags to conceal the real location of the link target. We'll overlook the typos and grammatical errors. After all, they're claiming to be writing from Luxembourg (though it's hard to imagine anyone misspelling "account" in the subject line). And "paypal-verify-information.com" sounds official. I mean, PayPal wouldn't let somebody else have a site with that name, would they?

The site looks very much like PayPal:

A look at the whois information clears up any ambiguity:

That domain is definitely not owned by ebay or PayPal. The contact email address is a free email account with another company (Microsoft's Hotmail), instead of using "@paypal.com." And it was just registered four days ago. Even if PayPal were aggressive at shutting down domain names that infringe on their trademark -- which sadly, isn't their strong suit -- you can't expect them to have found this so fast. And Xin Net doesn't seem to have a lot of fluent English speakers in their abuse department who might recognize something like this or even set up filters to prevent such domains from being registered.

Of course the domain registration is only half the issue -- who's hosting this website? You can check various sites that offer "DIG," or "traversal" to find out a site's IP address, and the owner of that IP range ought to know whose computer is assigned to that address:

Look at all those IP ranges. Do those people even know each other?

So for ten IP addresses, we've got nine hosting services in seven countries on three continents speaking four languages. That's not what real companies do, no matter how hard they're trying to keep their websites from being taken down by attacks. This is a botnet, and none of these hosts has any idea they're hosting this phish.

And just to prove it further, let's retry our DIG:

Not even the same ten! That 180 refers to how many seconds those IP addresses will last. They can change every three minutes.

This may be something called "rockphish." Since anti-phishing groups typically were taking down phish sites by contacting the hosting services, this strategy makes it nearly impossible to do that. By the time the phish fighters look up the IP address, the site has moved. These have to be reported to the domain registrars.

Unfortunately, the Castlecops Phishing Incident Report and Termination program was shut down when that site was closed. Reporting there was better than reporting yourself, as they would also attempt to intercept the data being downloaded by the phishers, so victims could be warned. So it was actually best not to report it yourself, so their volunteers could access the site for forensic investigation. No other agency was doing that for all phish spoofing all brands. Without PIRT, you will have to report phish to the individual spoofed banks/financial institutions.

For PayPal, you can create an email to [email protected] and paste in the entire email source view with headers -- but if you are on Verizon or another ISP with outgoing spam filters, you won't be able to mail it. :(

PayPal also has a web form to enter the URL of the phishing site itself: https://www.paypal.com/us/ewf/f=pps_spf . Then it's up to PayPal to have their investigators do what Castlecops volunteers used to do.

February 14, 2009
Capital One Bank phish

That's what the spam looks like in MailwasherPro, which is a safe way to view potentially dangerous emails before downloading to an email client, like Outlook or Thunderbird, that displays all the lovely images and layout encoded in html (the language of web pages). It's pretty pathetic, full of typos, and it's hard to believe it would convince anyone. It doesn't matter -- that part of the spam doesn't even bother to display the link to the phishing site, anyway. They know folks screening their emails with MailwasherPro aren't the ones gullible enough to fall for this spoof. Their real plan is hidden in the html code.

Now, compare this with what you see if you were to actually open this directly in an email client like Outlook. Please understand that I normally have my email client set to NOT load any images unless I approve it for a particular email. I did not load these without first checking the html code to make sure that none of the images were being downloaded from the spammers' site -- just viewing images could tell him who opened his email. (But this guy would rather leach bandwidth from Capital One. He just uses their images instead of copying them onto his own site.)

That looks a little more convincing. And there's a button with a real link, unlike the text view.

Going back to MailwasherPro, or to the "view source" on your email client, look to see where the links are in this email. You'll see lots to "images.capitalone.com" that look like this:

"img src" means it's downloading an image. That's not where the spammer is trying to lure us.

There is one link to the phishing website -- the one that goes with that button that says "Log In." It looks like this:

Bingo -- the "a href" tells us where the phishing site really is. Notice there's another image link right after it -- the spammer is linking it to an image of a log in button on Capital One's own site. You click the button in the spam, you go to his site. The fact that the picture of the button comes from the real Capital One website doesn't make any difference. Only the "a href" does.

(The "=" signs are just there to show line breaks. Each time your email client sees an equal sign with a line break after it, it knows it isn't a real equal sign and puts the lines back together into a single line.)

Read left to right until you get to the first single slash mark "/" , then read back to find the real location of the site: htm-mode.be

As we found in a previous phish analysis, .be is the country code for Belgium. It's called a "TLD" or "top level domain" and is like the ".com" in other web addresses.

What does the site itself look like? Can't tell. The site is already shut down, probably because the registrar for htm-mode.be pulled the plug, though their whois information does not give enough information to tell. If you attempt to report the domain using Complainterator, it chokes due to their non-standard whois format, but you can manually enter the domain name into the traversal you get from complainterating any other domain to get

http://private.dnsstuff.com/tools/traversal.ch?domain=htm-mode.be&type=a&src=complainterator&token=complainterator

which shows all the root servers reporting

That means the domain no longer exists as far as the rest of the internet can tell. The "a" record tells what numeric address goes with the domain name, and is necessary for computers to translate the address you enter in your browser -- like "http://google.com" -- into what computers understand, which is numbers like "74.125.45.100." But the registrar still appropriately has htm-mode.be listed as "registered," so the spammer can't just turn around and register the same name with a different registrar.

That all happened within three hours of it arriving in my inbox, which is great work for whoever discovered it and reported it and for whoever shut it down. Every minute one of these is alive is time for the phisher to start collecting personal information and banking passwords. This one may have been shut down before the phisher was even able to offload any data that victims had already entered.

February 14, 2009
Cookies and spyware scanning

People usually get disturbed when they run their first spyware scan from a program like "AdAware" or "Spybot Search and Destroy." Invariably, those programs will find massive numbers of "unwanted" files. Most of them will be something called "cookies."

Cookies are small files put on your computer by websites you visit. They contain information that will be provided to that website -- and sometimes to other websites -- during that and subsequent visits to the site. But they are not executable files that can harm your computer, like "spyware."

Cookies by themselves are not evil. If you ever buy anything on line, your "shopping cart" requires your computer to accept cookies. Much as retailers might want to collect every shred of data about you, they really don't want to store it all on their own computers. Cookies allow that data to be stored on the computer of each user. So as you add things to your shopping cart, that data is stored on cookies on your computer, and when you check out, your computer can provide the information about everything you selected. Similarly, if you visit a site that requires you to sign in with a password, a cookie allows that site to keep you logged in when you navigate from one page to another on the site.

Advertisers also use cookies. They aren't just trying to show you ads; they want to create sales for their clients. So whenever possible, they want to show you ads about things you would be interested in. So if you visit the website of your local newspaper and always click on the technology pages, they may give you a cookie that will cause their site to preferentially show you ads for computer equipment. Since you might prefer to see that instead of ads for household cleaning products, that's not necessarily a bad thing either.

But sometimes you might not want to share that much information about yourself. Many internet marketing agencies are collecting personally identifiable data and matching things together. They probably have a file with your name, address, email, age, occupation, income, hobbies, spouse and children's names, etc. Or if they don't, they would like to.

And sometimes, cookies may provide information about you that you don't want on record, accurate or not. So if you searched for "fun for girls" to find activities for your daughter and her friends on a playdate and clicked on the wrong link in the search results, you might find yourself getting a lot of ads and even spam for porn sites.

The spyware programs look for cookies for third party advertisers you may not want having too much comprehensive information about you. But you can also control this yourself, too. There are browser settings that allow you to block third party cookies, to delete cookies after you log off, to delete cookies after a certain period of time, or to not accept cookies from a company if you have deleted their cookies once already. (For Internet Explorer and Firefox, you have to enter each cookie-giving website on a blacklist yourself, instead of having the one-click delete+block feature of another Mozilla browser, SeaMonkey.)

Even if you aren't worried about the privacy issue, if you are using Internet Explorer you probably want to find your cookie file and do some culling. That file tends to become massive enough to slow down your computer. (The Tools => Internet Options window allows you to delete them all, but you may not want to do that.)

For Windows XP or Windows 2000:
C:\Documents and Settings\[username]\Cookies\
Temporary Internet Files (also slows your computer):

For Windows Vista:
C:\Users\[username]\AppData\Roaming\Microsoft\Windows\Cookies\

For Windows ME/98/NT/95:
C:\Windows\Profiles\[username]\Cookies\ or
C:\Windows\Cookies\ if there is no Profiles folder

Internet Explorer saves each cookie as a separate text file. Usually the title of the file will tell you where it is from; if not, it is safe to click on the cookies to read the text inside. That will probably give you the URL of the site it came from. The personal data about you is probably encoded.

Are there some cookies you don't want to delete? Definitely, if you have been getting automatically logged onto one of your favorite websites, be sure you know the password before you delete any cookies from that site -- or visit the password change page to pick a new one first -- as you will have enter your information again once the cookie is gone.

"It's real fine, my 419"

I get a half dozen of these "419" spams every day. (The name comes from the article number of the law they violate.) They're also known as "Nigerian" spams, since so many of the spammers claim to live there (and many do live there), or "advanced fee fraud spams."

The spams appear out of nowhere, with elaborate sob stories and offering vast sums of money for little work. Once someone responds to one, the spammer will attempt to get the victim to send him money -- to pay taxes, bribe officials, pay shipping, whatever. They will come up with reasons as long as the victim continues to believe. Some victims have gone so far as travel to Africa to meet the scammers, and have been kidnapped and tortured in order to induce their relatives to send even more money. So while it's easy to be harsh on anyone so greedy as to fall for these obvious scams, don't dismiss the 419 spammers as some type of minor pranksters.

What made this spam stand out? Because the salutation specifically mentioned my first and last name, city, and nearly the correct postal code. Up until now, all the 419's I've received were conspicuously missing any mention of my name, considering how much money they claimed to be ready to trust me with. They'd even use the story that they found me because I share the same last name as a wealthy deceased person with no heirs, yet address the email to "Dear Recipient."

It's not hard to find matched lists of names and email addresses, so no one should think for a minute this is more likely to be a legitimate offer. But it may mean the 419-ers are finding it harder to find gullible prey and are going to extra effort and expense to create a more credible spam. I suspect we'll see a lot more of it.

February 13, 2009
Javeline study on ID theft debunked

Wired's Kevin Poulsen and computer forensics researcher Gary Warner have both blogged on a report from Javeline Strategy and Research which came to the surprising conclusion that only 11% of identity theft was due to cybercrime like malware or financial institution data breaches.

While there's certainly no harm in following the recommendations in the Javeline report -- shred your trash, don't use non-secure website ordering, don't carry more ID cards in your wallet than you need, yadda, yadda -- their reassurances about cyberbreaches are not very reassuring.

They came to their 11% figure by contacting 4,784 people and asking them if they were victims of identity theft. (The summary report on their website doesn't say how that random sample was chosen.) Of those people, they were able to identify and interview 482 fraud victims.

Here is an attractive pie graph of their results:

The blue shading is supposed to indicate problems having nothing to do with electronic data breaches. But notice the disclaimer at bottom right: "Based on the 35% of victims who know how their information was obtained." That means most of the people didn't know how their data was stolen. The 35% who said they knew are not going to be a random subset -- no one who got mugged and lost a wallet is going to say they have no idea how it happened, for instance.

These folks do surveys for a living. They know this is very weak data. It's very annoying when someone with data like this tries to create a sound bite that makes it sound definitive -- especially when they are working for people who might have reason to make consumers blame themselves instead of the banks handling their data.

Spamtrackers volunteers talk to identity theft victims, too. There is at least one group of spammers who use stolen identities and credit/debit cards to register the domain names for the websites where they sell their counterfeit drugs and other crap. ,(Talking to the victim to confirm that the registration is fraudulent is one of the strongest ways to convince a registrar a domain should be suspended.)

Of the victims we talk to, most are hearing for the first time that their data was stolen. These domains were often registered months earlier, and the identity theft and small credit card charges weren't even noticed at the time. So it's no surprise most don't know how it happened, either. And of those who think they do know, it's pure conjecture -- they may suspect the web retailer they used for the first time or an employee at their bank or just the internet in general, but they really have no information to back it up.

You can't do a scientific survey and tease that kind of information out of people. You're supposed to give them a carefully worded question and record which answer they chose, not delve into how they came to that conclusion. So the problem is less that the folks at Javeline came up with weak data than that they are trying to make it sound stronger than it is.

Meanwhile, the biggest surprise is that 482 people who already had had their identities stolen once were willing to talk to someone who called on the phone to ask personal questions. Besides telephone polls excluding a lot of people who aren't home, don't use land lines, or don't answer phone calls from people whose phone numbers they don't recognize, all but the most gullible people are going to be pretty suspicious about people calling on the phone to ask questions once they've been burned once.

February 9, 2009
CNN reports on illegal pharmacies

CNN has posted a video on their website reporting on the difficulty law enforcement has in shutting down illegal internet pharmacies that sell prescriptions drugs, including controlled substances, to anyone who wants them. It's good to see the problem getting some attention, but there are some important points they didn't report.

* While they give a figure of 800,000 illegal websites selling drugs, I'm guessing this includes all the multiple domain names for sites like Canadian Pharmacy that keep using new ones to avoid spam filters. Very few pharma sites have a legitimate bricks-and-mortar store to cover their illegal activities. Those of us working at Castlecops.com and Inboxrevenge.com have probably shut down well over 50,000 scam pharmacies ourselves (see a very partial listing of domain shutdowns here).

* These illegal pharmacies can only operate with the tacit cooperation of legitimate companies: domain registrars, hosting companies/internet service providers, payment processors. If a site's domain registration was paid with a stolen credit card number, and the bank knows it and has already taken their money back, why doesn't the registrar suspend the domain? And why the hell is that site able to get a merchant account and process credit card payments in real time? If the website is hosted on a fast-flux botnet, and every bot in that net is an innocent computer owner infected with malware, why is it so difficult to get internet service providers to accept reports and get their customers some help? If all the domains are registered with fake information, why does it take 45 days for ICANN to process a WDPRS report for every one of them, once a pattern of fraud is established?

The 800,000 figure sounds daunting. But as we have found with registrar reporting, all it takes is one registrar or hosting employee who "gets it" to quickly and consistently shut these domains down. Within a month or two, the spammers will take most of their business elsewhere. When the criminals are concentrated on a few networks or registrars, it becomes much easier for upstream/accrediting bodies to shut those bad actors down. Just ask McColo and ESTDomains.

* True, there aren't enough law enforcement personnel to devote to this and cover all the violent criminals, too. But there are a lot of volunteers willing to do some of the grunt work documenting these crimes. The SIRT program, which lost its hosting when Castlecops folded, was credited with assisting in gathering evidence in the Herbal King case, which is still ongoing. Those volunteers are very anxious to get back to work. And frankly, there would be more of them except for the burnout involved in gathering evidence about such massive and ostentatiously fraudulent operations only to find registrars, hosts, and banks aren't interested because the individual losses aren't large..

If anyone from CNN is reading, we'd love to help you out with this story. Frankly, people are almost certainly dying from unreported reactions to what they received or didn't receive from these scam pharmacies -- some media attention here can save lives. For a good exposition of just how crooked these pharmacies are, I'd recommend starting with the My Canadian Pharmacy spamwiki article. And drop by InboxRevenge.com forums to ask questions; you'll get an earful.

Add: Interesting follow up from LegitScript.com's blog.

Where's Waledac?

Another Valentine's day, another bunch of ecards from secret admirers. This year the malware infection is called "Waledac." It's just like the Storm Worm, except it isn't.

It's an entirely different trojan, but it's still spread by the same type of spam messages, still hosted on fast flux botnets with refresh rates of less than one second, still controlled via peer to peer networking. That means it needs a lot of computers under its control to keep moving around so often. And if you go to one of these ecard sites, you're probably connecting to someone's home or office PC, not any big computer server somewhere. You could even be connecting to your own computer. (It's possible to do that; you don't get a busy signal or anything. ;) )

Since it moves so often, you're unlikely to look up its location at exactly the moment it's serving files from your own computer. And you won't notice anything slowing down, since it will only be hosting those files for a fraction of a second at a time. In the past, you could just put your own IP address in your browser with one of the virus's file names -- for instance, if you knew you were logged onto the internet with the IP address 192.168.1.1, you could put "192.168.1.1/img.jpg" in your Firefox browser and see the image above. The virus won't do that now, unfortunately.

As always, the important thing is to avoid getting infected in the first place. Make sure your antivirus is up to date, and make sure nothing has shut it off while you weren't looking. Make sure you have an outgoing firewall (Windows firewall only blocks incoming traffic), so that if a trojan on your computer tries to contact its friends, your firewall will raise a stink. Don't use Internet Explorer, and when you use other browsers like Firefox, have javascript turned off by default using the Noscript add on. Also, set your browser to always ask where to put any downloaded file, even if you always want it in the same place, so you are always alerted that a download is occurring. It's much harder to get rid of something once it's already insinuated itself into your computer files.

For those of you who manage a network and who want a way to find out which of your users is infected, it isn't necessary to sit around waiting for someone to send you abuse reports. First, go to SecurityZone.org for a list of recent Waledac domains. Pick one that hasn't been shut down. For example, "yourdatabank.com" is active right now.

Create a text file with the line

Repeat that line over and over hundreds of times. I do this using Excel, putting the text string into the first line, then copying that line into a long block of subsequent lines. Then copy that whole thing into your text file a few times in a row, and save it.:

Change the extension of the saved file from .txt to .cmd. Put it in a folder that has a copy of dig.exe in it (dig.exe is included in the Botnet Reporter download at Spamtrackers.eu). Then click on the file to run it. When it finishes, you can click it again a few times, too.

Open the resulting file "yourdatabank.com.IP.txt" with Excel, sort the IP addresses it has collected, and find the ones on your network.

You can also use Botnet Reporter, which will do all the heavy lifting for you, and even look up the hosting networks for all the IPs it collects. But since Waledac moves much more frequently than Botnet Reporter scans, it's probably more practical to just get a half hour's worth of IP addresses of people who are all logged in right now. On a PC, the .cmd file will check the IP address of the domain you specify about six times a second, and about every other one of them will be a new IP location.

ADD: New picture, new domains this evening:

(Awwww, don't they just make you want to hand your computer over to the Russian Business Network?)

New domain names:

Hmmm...."yourteamdoc.com" and "freedoconline.com." Could a medical theme be in the planning?

Addendum 2/17/09: Shadowserver is keeping a list of current names at http://www.shadowserver.org/wiki/uploads/Calendar/waledac_domains.txt

Here are a few since their last update:

Still working the Valentine's day theme, and the sites still have the valentines' theme. But are they planning a work-at-home scheme making beaded jewelry spoof?

February 8, 2009
"Try Via/Cia for free today"

The ED Pill Store guys never give up. You have to hand that to them. Occasionally, they manage to get their mailing software to work and actually include a URL in their spam, like kaifruse.com.

Naturally, since it's being spammed, you know to stay away. But suppose you just came across this site while surfing the internet? Are there clues to tell you it's a scam?

One of the first things you can check is the "whois" for the domain name, kaifruse.com. There are lots of places to look it up. In this case, most of them are not pulling up all the information. Even their own registrar, eName, has very incomplete information at http://ename.com/whois.do?value=kaifruse.com&x=44&y=3 :

I looked around further and managed to find somewhat more complete information at Network Solutions, a registrar that actually has nothing to do with this domain, but which somehow is doing better at retrieving the whois information at http://www.networksolutions.com/whois-search/kaifruse.com :

For more information, please go to http://whois.ename.com. The previous information has been obtained either directly from the registrant or a registrar of the domain name other than Network Solutions. Network Solutions, therefore, does not guarantee its accuracy or completeness. Show underlying registry data for this record Current Registrar: XIAMEN ENAME NETWORK TECHNOLOGY CORPORATION LIMITED DBA ENAME CORP IP Address: 118.129.149.150 (ARIN & RIPE IP search) IP Location: KR(KOREA)-REPUBLIC OF-KYONGGI-DO Lock Status: clientDeleteProhibited

The fact is that any site spammed so heavily is going to have fake information in the whois. But good luck contacting someone in Beijing whose site is registered in China and hosted in Korea to prove it.

And check the date "Creation Date 2009-2-5 22:26:00" Yes, that really means that this site did not exist or even have a name prior to February 5 2009. The spam arrived February 6.

When you look at the actual site, your "free Via/Cia" actually involves $20 shipping. But they say there is a moneyback guarantee. right? Well, how useful is that for a site that only created the day before? You don't get much more "fly by night" than that.

Their home page helpfully includes a form for you to complete to get your "Via/Cia free." That takes you to a page called "secure checkout" at http://kaifruse.com/checkout.php?action=checkout&type=edpill . But look up at the top, where that URL is displayed. It's http, not https. That's not secure. Remember that you aren't physically "on" the spammer's computer; you're on your own computer. And your order isn't going to magically jump from your computer to the spammer's. It has to travel through telephone and data cables from one "node" to another, being routed via the most efficient way to its destination. Nodes are places like your internet provider's data center, various universities, and other major data centers, with your order traveling from one to the other like stepping stones on its trip. Your order can be read as it travels through any one of those nodes. That's what "insecure" means and it's the reason people tell you to pay attention before you enter personal data on a website.

For example, I can go to traceroute.org and choose one of many servers that will do a "traceroute," finding all the stops an order would make if it started on their computer. I get results like this:

So that was twenty stops from Washington State to Korea, and every one has the ability to see who is ordering medicine for their erections and what their credit card numbers are.

Yet these spammers have the gall to put this on their FAQ page:

Nope, no "face-to-face hello's." You don't know who they are, but they know who you are. You have no idea who's going to see your information, and frankly, the guys at stop #20 are the scariest ones of the whole trip. You know they're dishonest.

Oh, and just because you "know what you are looking for" doesn't mean it's safe to get erectile dysfunction drugs without a prescription. The spammer doesn't ask what medications you're taking, what you're allergic to, or what your other medical problems are. He wouldn't know what to do with that information if he had it.

With all the different doctors people come into contact with when they are very ill, it's hard enough to avoid medication interactions. Taking a medication that isn't in your record anywhere is particularly dangerous. You may already be on a medication that will interact with Viagra or Cialis, but may have been taking it safely for so many years that your doctor isn't thinking about reminding you that it will interact with a drug you aren't supposed to be taking in the first place. Or you may be given a new drug in an emergency, and you may not even be conscious to tell the hospital staff what you've been taking.

Erectile dysfunction drugs interact with nitrates, drugs that typically are started in dire emergency situations. The first time you get chest pain, are you going to discuss your illegal drug purchases with the paramedics? And in front of the woman you've been having sex with?

If you think you'll be able to tell which drugs have nitrates in them, see if you can pick the six nitrate-containing medicines in this list:

Apresoline
BiDil
Duricef
Furosemide
Ismo
Isordil
Metformin
Metronidazole
Nitrodur
Nitrofurantoin
Nitrostat
Nix
Plavix
Quinidine
Ranitidine
Transderm Nitro
Zyprexa

February 2, 2009
SiL's Open Letter to Law Enforcement about scam pharma site "Canadian Pharmacy"

Yeah, that pretty much sums it up. You probably recognize the ubiquitous spam messages for sites with names like "wisewarm.com," "zoomfair.com," "teachhave.com," and other two-word domain names as the most common type of spam you receive, especially if you have access to the emails blocked by your spam filters.

Canadian Pharmacy (which may show the title "European Pharmacy" or "United Pharmacy" if you are visiting from outside North America) tries to "hit the inbox" by registering thousands of domain names and using each for only a few hours. By the time the spam filters have added one domain name to their lists, all the spam is advertising another.

Of course, most of the potential victims of this scam aren't answering their emails that fast, so the sites need to stay alive long enough for those folks to place their orders. It's still worth reporting them and getting them shut down to reduce the potential profits to spammers and the potential harm to the public, even if the spam is already sent.

The perpretrators of this scam couldn't carry out this type of abuse of the internet's resources without using criminal means to hide their identities. In addition, they hijack other people's computers for mailing the spam and hosting the websites, and use "fast-flux botnet hosting" to make it difficult for anyone to identify and disinfect those hijacked computers. To people familiar with how these criminals operate, it's beyond belief anyone would actually swallow any pills the Canadian Pharmacy spammers might actually manage to smuggle into the country.

Spamming is just the visible tip of a large iceberg of criminal activity. And the criminals operate quite openly, because spam somehow is considered merely an annoyance, a "quality of life issue." Yet in a world that depends so heavily on the internet, this criminal element is a threat equal to anything we feared from "Y2K." It's time for a holistic approach to internet crime, addressing spam and all the filth that lies beneath its surface slime.

Addenda:

Glavmed posted a response on their websites briefly; the text and SiL's counterresponse are here.

Forum discussion is here.

The ED Pill Store

The regulars at the NANAE forum came up with some Rules of Spam. Among them are

Rule#1: Spammers lie
Rule#2: If a spammer appears to be telling the truth, see Rule#1
Rule#3: Spammers are stupid

Whoever is responsible for the ED Pill Store crap is a real spammer's spammer. Especially under the criteria of Rule #3.

Normally, I would assume there would be a group of affiliates mailing for the brand, so not all the spam would come from the same mailer. But it's hard to believe that all the spammers who are stupid in exactly the same way all decided to mail for ED Pill Store.

Not only does he send out bucketloads of spam in short bursts of identical messages, using the same old subject lines and fake "from" lines -- I mean, seriously, dude, if the spam filter blocks one, why would it miss any of the others? -- he has serious difficulties with his spam mailing software. He just can't seem to include the URL he wants us to visit. The majority of the time (literally!), the spam arrives with only half the URL link, or with no URL in it at all. Is this supposed to poison spam filters? Like no one is going to mark something as spam if it says

just because it doesn't include your URL? Hel-looo! This is the most easily identified crap in the inbox. If I can write a filter for MailwasherPro that catches every one of these, does the spammer really expect the commercial spam filtering programs to have any difficulty?

And when he does include a URL, he's got some interesting choices of domain names. Like "perkclap.com." Did anyone explain to that guy what "clap" is slang for in English? It's not the sort of thing you want people thinking about when you're trying to sell them fake drugs for erectile dysfunction.

Oh, yeah. Rule#3.

There's a discussion forum for this brand that you can join at InboxRevenge.com (in the registered users area).