Spamtrackers.org

This site is best viewed in the Firefox or Seamonkey browsers. We do not recommend using the Internet Explorer browser because of the risk of getting infected with malicious software without any warning while surfing the web.

News:

November 22, 2009
Favicons and fake-icons

cheap-rx4u.com is one of the domains for "Online Pharmacy," a spamvertised fake pharmacy brand, full of obviously fraudulent statements. It's a bit of a stretch to believe they will actually send you something after they get your credit card, let alone to believe that the stuff they send you will be real drugs. (The claim that they sell "Tamiflu BRAND" is one pretty obvious lie -- if Roche, the company that makes Tamiflu, can't satisfy the demand from legitimate pharmacies paying full price, why would they sell any of that limited supply to some outfit that sells the pills for less than what real pharmacies pay wholesale?)

One of the claims they make is that they are "256 bit secure."

And in the address bar at the top of the page, just in front of the "http://cheaprxru.com," you will see the image of a little padlock.

A real secure site would have had an address beginning with "https://," not "http://," and the padlock would have been at the outside frame of the browser window, not in the address bar. For instance, this is what it looks like in Firefox, displayed in the lower right hand corner of your screen:

The little image next to the address is called a "favicon." It's only there to make it easy for you to bookmark websites. You can just left-click the icon and drag it onto your desktop to create a link to the page. It works whether a website has used a special image for its favicon or whether your browser is just using its own image.

If you look at the top of this page, you'll see the exact same padlock image. We copied it from the cheaprx4u.com page. Even though spamtrackers.org is not a secure site, there is nothing stopping us from using a padlock for a favicon.

The real padlock appears at the bottom of the browser window when you view sites whose address starts with "https://" instead of "http://". It means that the information being transmitted is encrypted -- sent in a secret code.

But why is a secure site important?

When you type into a form on a website and hit "submit," it doesn't magically end up in the computer hosting the website. Like everything else on the internet, it is relayed from one computer to another as it travels around the world. Unencrypted "packets" of information can be read at every computer they pass through. In most cases, you don't really care. But if you're sending a credit card number or ordering medication for a personal medical problem, you don't want strangers all over the world to be able to collect that information.

A "traceroute" is a way of seeing which computers your packet would pass through on its way to the site where you're submitting information. A packet may not take exactly the same route every time, and all the entries probably look like gobbledygook to you, but what it will show you is how many different computers can potentially collect your data.

Here is a traceroute done by demon.net's traceroute tool to cheap-rx4u.com:

NetTools Whois query
Traceroute on cheap-rx4u.com

1 lon1-service-1x2-s54.router.demon.net (194.159.246.193) 0.772 ms 0.620 ms 0.591 ms
2 park-inside-4-g1-0-1-s255.router.demon.net (193.195.25.49) 0.587 ms 0.550 ms 0.477 ms
3 anchor-border-2-g4-0-0.router.demon.net (194.70.98.22) 1.601 ms 1.438 ms 1.482 ms
4 sl-gw10-lon-3-0-1.sprintlink.net (213.206.156.53) 1.348 ms 1.317 ms 1.231 ms
5 sl-bb21-lon-5-1-1.sprintlink.net (213.206.128.45) 1.479 ms 1.446 ms 1.486 ms
6 sl-bb21-tuk-8-0-0.sprintlink.net (144.232.9.209) 72.129 ms 72.080 ms 72.113 ms
7 sl-crs2-pen-0-8-2-0.sprintlink.net (144.232.20.138) 74.636 ms 89.062 ms 74.168 ms
8 sl-crs2-rly-0-2-2-0.sprintlink.net (144.232.19.2) 78.656 ms sl-crs1-rly-0-1-3-0.sprintlink.net (144.232.18.186) 76.428 ms sl-crs2-rly-0-2-2-0.sprintlink.net (144.232.19.2) 82.841 ms
9 sl-crs2-dc-0-6-0-3.sprintlink.net (144.232.9.214) 77.340 ms sl-crs2-dc-0-12-2-0.sprintlink.net (144.232.19.221) 79.783 ms sl-bb21-dc-5-0-0.sprintlink.net (144.232.8.164) 77.326 ms
10 sl-bb20-nsh-1-0-0.sprintlink.net (144.232.18.200) 94.462 ms sl-crs1-fw-0-11-3-0.sprintlink.net (144.232.19.202) 114.219 ms sl-bb21-nsh-1-0-0.sprintlink.net (144.232.18.184) 94.329 ms
11 sl-crs1-fw-0-15-5-0.sprintlink.net (144.232.8.64) 117.111 ms sl-crs1-ana-0-9-3-0.sprintlink.net (144.232.20.131) 141.611 ms sl-crs1-ana-0-6-2-0.sprintlink.net (144.232.19.198) 142.804 ms
12 sl-gw28-ana-0-0-0.sprintlink.net (144.232.2.171) 143.374 ms sl-gw28-ana-1-0-0.sprintlink.net (144.232.0.120) 141.577 ms sl-crs2-ana-0-9-3-0.sprintlink.net (144.232.9.64) 143.929 ms
13 sl-gw28-ana-0-0-0.sprintlink.net (144.232.2.171) 143.381 ms sl-china7-9-0.sprintlink.net (144.223.148.2) 343.151 ms 343.057 ms
14 219.158.3.141 (219.158.3.141) 342.769 ms sl-china7-9-0.sprintlink.net (144.223.148.2) 342.822 ms 219.158.3.141 (219.158.3.141) 345.761 ms
15 219.158.3.141 (219.158.3.141) 347.011 ms sl-china7-9-0.sprintlink.net (144.223.148.2) 343.074 ms 219.158.12.242 (219.158.12.242) 379.276 ms
16 61.167.2.26 (61.167.2.26) 375.959 ms 374.569 ms 375.120 ms
17 61.167.2.26 (61.167.2.26) 374.382 ms 374.266 ms 376.433 ms
18 61.138.38.50 (61.138.38.50) 372.560 ms 221.210.45.2 (221.210.45.2) 382.924 ms 61.138.38.50 (61.138.38.50) 372.657 ms
19 * * *

Each of those IP addresses (the numbers that look like "213.206.156.53") is a different computer location. Notice that you don't even see the last hop(s), because the spammer host is concealing them. All you see is the "* * *," which means demon.net tried three times to get the information and gave up.
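
To turn a traceroute like the one above into the number the paragraph cares about (how many distinct machines sit on the path), here is an added example that is not part of the original post. It parses a few hops copied from the output above; the function names are hypothetical.

```python
import re

# A few hops copied from the demon.net traceroute above (abridged).
SAMPLE = """\
 4 sl-gw10-lon-3-0-1.sprintlink.net (213.206.156.53) 1.348 ms 1.317 ms 1.231 ms
 8 sl-crs2-rly-0-2-2-0.sprintlink.net (144.232.19.2) 78.656 ms sl-crs1-rly-0-1-3-0.sprintlink.net (144.232.18.186) 76.428 ms sl-crs2-rly-0-2-2-0.sprintlink.net (144.232.19.2) 82.841 ms
16 61.167.2.26 (61.167.2.26) 375.959 ms 374.569 ms 375.120 ms
17 61.167.2.26 (61.167.2.26) 374.382 ms 374.266 ms 376.433 ms
19 * * *
"""

HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")           # "<hop number> <rest of line>"
IP_RE = re.compile(r"\((\d{1,3}(?:\.\d{1,3}){3})\)")  # the address in parentheses


def parse_traceroute(text):
    """Map hop number -> list of distinct IPs that answered at that hop.

    A hop that only shows "* * *" maps to an empty list.
    """
    hops = {}
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue  # header or blank line
        ips = []
        for ip in IP_RE.findall(m.group(2)):
            if ip not in ips:  # the three probes often hit the same router
                ips.append(ip)
        hops[int(m.group(1))] = ips
    return hops


def summarize(hops):
    """Count distinct responding addresses and list hops that never replied."""
    routers = []
    for n in sorted(hops):
        for ip in hops[n]:
            if ip not in routers:
                routers.append(ip)
    silent = [n for n in sorted(hops) if not hops[n]]
    return {"distinct_routers": len(routers), "silent_hops": silent}


if __name__ == "__main__":
    print(summarize(parse_traceroute(SAMPLE)))
```

A hop that lists several addresses means the three probes took different paths, so every one of them is counted. Over an https:// connection these same machines still relay the packets, but they can no longer read the contents of the form.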

Any site that asks for your medical information and credit card number but doesn't have a secure site (with a https:// address) is not trustworthy. Any that intentionally tries to fool you -- by using a fake padlock for its favicon -- is a criminal fraud.
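
The rule above can be checked mechanically. The following is an added example, not code from the original post: it flags a page that asks for card or password fields without https://, and a lock-named favicon on an unencrypted page. The sample HTML, the example URLs, the field-name hints and the favicon file-name heuristic are all assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Assumed hints for field names that carry payment or login data.
SENSITIVE_HINTS = ("card", "cvv", "cvc", "passw")

# Constructed sample page, not a copy of any real site.
SAMPLE_HTML = """
<html><head><link rel="shortcut icon" href="/images/padlock.ico"></head>
<body><p>256 bit secure</p>
<form action="/order.php" method="post">
  <input name="fullname"><input name="card_number"><input type="submit">
</form></body></html>
"""


def is_https(url):
    return urlparse(url).scheme == "https"


class FormAudit(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.action, self.findings = page_url, None, []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "link" and "icon" in a.get("rel", "").lower():
            # Heuristic only: a lock-named favicon on a page that is not encrypted.
            if "lock" in a.get("href", "").lower() and not is_https(self.page_url):
                self.findings.append(("padlock-favicon-on-http", a["href"]))
        elif tag == "form":
            # A relative or missing action resolves against the page's own URL.
            self.action = urljoin(self.page_url, a.get("action", ""))
        elif tag == "input" and self.action is not None:
            name = a.get("name", "").lower()
            if a.get("type", "").lower() == "password" or any(h in name for h in SENSITIVE_HINTS):
                if not is_https(self.page_url):
                    self.findings.append(("page-not-https", name))
                if not is_https(self.action):
                    self.findings.append(("form-submits-unencrypted", name))

    def handle_endtag(self, tag):
        if tag == "form":
            self.action = None


def audit(page_url, html):
    """Return a list of (finding, detail) tuples for one fetched page."""
    parser = FormAudit(page_url)
    parser.feed(html)
    return parser.findings
```

An empty result only means the form data is encrypted in transit; it says nothing about whether the business behind the site is legitimate.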

 

November 14, 2009
Spamit Must Fall

If you have an email address, the spamvertised brand most likely to show up in your spam folder is a criminal outfit called "Canadian Pharmacy." They send absolutely massive amounts of spam for thousands of identical sites with different domain names.

As outlined in the Spamwiki, Canadian Pharmacy is a complete fraud, starting with the fact that it has nothing to do with Canada. Canadian Pharmacy is one of the brands of an affiliate program called Glavmed/Spamit.

In the case of fraudulent pharmacies, there's more than lost money at stake, too. Very sick people are turning to these scams because they don't have insurance. These are people whose illnesses are so severe they are willing to pay a higher price for their medications when they can't afford to pay to see a doctor. Failing to send drugs, sending fake drugs, sending drugs that are the wrong strength, or sending dangerous combinations of drugs and/or placebos can kill people. And it can cause people with infections like HIV or tuberculosis to develop drug resistant germs and spread them to other people, so it's a public health menace, too.

Then there's the fact that the Glavmed/Spamit affiliates hijack people's home computers to mail their spam and even to host their websites, or the fact that they help distribute the malware (bad software) used to hijack those computers. The illegal email you see is just the tip of the iceberg.

There is now a blog devoted specifically to that program's criminal operations, Spamit Must Fall. It's written by the independent spam researcher who uses the online handles "spamislame" and "ikillspammerz." His research into the "My Canadian Pharmacy" spamvertised brand (not the same operation as Canadian Pharmacy) was part of an article in Forbes magazine in 2007.

Scams like Canadian Pharmacy can only make money because they can deceive people into thinking they're legitimate. They fool people with a slick-looking website template. (Okay, it's a tacky-looking template, but not as tacky as a lot of legitimate websites.) They make such outrageous claims that people assume no one would let them get away with them if they weren't true.

The best way to fight back is to spread the word about Glavmed, Spamit, and Canadian Pharmacy. As long as there are people who simply haven't heard about this scam, they can continue to make money at the expense of sick people.

 

November 9, 2009
Spamming Universities

"Act only according to that maxim whereby you can at the same time will that it should become a universal law." -- Immanuel Kant

The economy is bad, and we're seeing spam advertising businesses which would not have stooped so low before now. Still, spamming is pretty undesirable behavior.

Kant's categorical imperative basically comes down to this: Don't do anything yourself unless you think it would be a good idea if every other person on the planet did exactly the same thing. Sort of, "Do unto others as you would have them do unto you," taking into account that "them" may mean five billion other people.

They teach about Kant in universities. So it's pretty disappointing to see universities so desperate for students they have stooped to spamming. It's already hard enough to sort the ham from the spam without them joining in. Maybe they should look in their spam folders some time to see how much of their good email they're missing because of false positives. Do they really will that spamming should become a universal law?

You won't see the names of these schools in the spam emails. They at least have that much shame. You have to follow the links, through multiple redirections that credit the spammer who sent you the email for drawing in the potential customer. And when you do that, the spammer will know you opened the email, because the link won't work without a long encoded number that lets him know your email address. That's going to get you a lot more spam. You don't want to do that.

So I did it for you. Here is the sequence of links that got me to the spamvertised website, with the code numbers stripped out:

myeducationadvisorcrew.com
click.dmrredir.com
dyn.bidsystem.com
click.adknowledge.com
s.straci.com
www.theonlinedegree.com/online.jsp

And which universities are advertised at theonlinedegree.com?

University of Phoenix
DeVry University
Walden University
American Intercontinental University (AIU Online)
Kaplan University
Colorado Technical University Online
Capella University
Westwood College Online
The Art Institute of Pittsburgh Online Division

The institution conferring your degree is going to be listed on your resume for the rest of your life. Should that university, in its desperation to obtain students, engage in such undesirable activity that it creates a public scandal, you're going to have that shadow on your resume every time you apply for a job. Having a degree from a disreputable institution is worse than having no degree at all, because it makes you look desperate, too. And a school with so little concern about its long term reputation that it engages in spamming is a big red flag that there could be trouble in its future.

There are plenty of great schools out there that aren't spamming. Do your own research. It's a great time to be applying, because you do have a better chance of being admitted to a high quality institution when the economy is bad.

And to the schools on the list above -- if "desperate" isn't the adjective you want used to describe you, you should rethink your marketing strategy.

 

 

The InboxRevenge fallback sites

Due to frequent retaliation attacks by spammers, InboxRevenge.com keeps a list of alternate websites where members can remain in contact and continue their spam fighting efforts throughout the duration of attacks:
ikillspammers
spamitmustfall
blogspot
live.com
webs.com
twitter
wordpress.com
spamtrackers.org
tebweb
spywarehammer
cybercrimeops