November 22, 2009
Favicons and fake-icons
cheap-rx4u.com is one of
the domains for "Online Pharmacy," a spamvertised fake
pharmacy brand, full of obviously fraudulent statements. It's a
bit of a stretch to believe they will actually send you something
after they get your credit card, let alone to believe that the stuff
they send you will be real drugs. (The claim that they sell "Tamiflu
BRAND" is one pretty obvious lie -- if Roche, the company that
makes Tamiflu, can't satisfy the demand from legitimate pharmacies
paying full price, why would they sell any of that limited supply
to some outfit that sells the pills for less than what real pharmacies
One of the claims they make
is that they are "256 bit secure."
And in the address bar at the top of the page,
just in front of the "http://cheaprxru.com," you
will see the image of a little padlock.
A real secure site would have had an address beginning
with "https://," not "http://," and the padlock
would have been at the outside frame of the browser window,
not in the address bar. For instance, this is what it looks like
in Firefox, displayed in the lower right hand corner of your screen:
The little image next to
the address is called a "favicon." It's only there to
make it easy for you to bookmark websites. You can just left-click
the icon and drag it onto your desktop to create a link to the page.
It works whether a website has used a special image for its favicon
or whether your browser is just using its own image.
If you look at the top of
this page, you'll see the exact same padlock image.
We copied it from the cheaprx4u.com page. Even though spamtrackers.org
is not a secure site, there is nothing stopping us from using a
padlock for a favicon.
The real padlock appears
at the bottom of the browser window when you view sites whose address
starts with "https://" instead of "http://".
It means that the information being transmitted is encrypted --
sent in a secret code.
But why is a secure site
When you type into a form
on a website and hit "submit," it doesn't magically end
up in the computer hosting the website. Like everything else on
the internet, it is relayed from one computer to another as it travels
around the world. Unencrypted "packets" of information
can be read at every computer they pass through. In most cases,
you don't really care. But if you're sending a credit card number
or ordering medication for a personal medical problem, you don't
want strangers all over the world to be able to collect that information.
A traceroute is a way of seeing which computers your packet would pass through
on its way to the site where you're submitting information. A packet
may not take exactly the same route every time, and all the entries
probably look like gobbledygook to you, but what it will show you
is how many different computers can potentially collect your
Here is a traceroute done
by demon.net's traceroute tool to cheap-rx4u.com:
Traceroute on cheap-rx4u.com
(188.8.131.52) 0.772 ms 0.620 ms 0.591 ms
(184.108.40.206) 0.587 ms 0.550 ms 0.477 ms
(220.127.116.11) 1.601 ms 1.438 ms 1.482 ms
(18.104.22.168) 1.348 ms 1.317 ms 1.231 ms
(22.214.171.124) 1.479 ms 1.446 ms 1.486 ms
(126.96.36.199) 72.129 ms 72.080 ms 72.113 ms
(188.8.131.52) 74.636 ms 89.062 ms 74.168 ms
(184.108.40.206) 78.656 ms sl-crs1-rly-0-1-3-0.sprintlink.net
(220.127.116.11) 76.428 ms sl-crs2-rly-0-2-2-0.sprintlink.net
(18.104.22.168) 82.841 ms
(22.214.171.124) 77.340 ms sl-crs2-dc-0-12-2-0.sprintlink.net
(126.96.36.199) 79.783 ms sl-bb21-dc-5-0-0.sprintlink.net
(188.8.131.52) 77.326 ms
(184.108.40.206) 94.462 ms sl-crs1-fw-0-11-3-0.sprintlink.net
(220.127.116.11) 114.219 ms sl-bb21-nsh-1-0-0.sprintlink.net
(18.104.22.168) 94.329 ms
(22.214.171.124) 117.111 ms sl-crs1-ana-0-9-3-0.sprintlink.net
(126.96.36.199) 141.611 ms sl-crs1-ana-0-6-2-0.sprintlink.net
(188.8.131.52) 142.804 ms
(184.108.40.206) 143.374 ms sl-gw28-ana-1-0-0.sprintlink.net
(220.127.116.11) 141.577 ms sl-crs2-ana-0-9-3-0.sprintlink.net
(18.104.22.168) 143.929 ms
(22.214.171.124) 143.381 ms sl-china7-9-0.sprintlink.net (126.96.36.199)
343.151 ms 343.057 ms
14 188.8.131.52 (184.108.40.206) 342.769
ms sl-china7-9-0.sprintlink.net (220.127.116.11) 342.822 ms
18.104.22.168 (22.214.171.124) 345.761 ms
15 126.96.36.199 (188.8.131.52) 347.011
ms sl-china7-9-0.sprintlink.net (184.108.40.206) 343.074 ms
220.127.116.11 (18.104.22.168) 379.276 ms
16 22.214.171.124 (126.96.36.199) 375.959
ms 374.569 ms 375.120 ms
17 188.8.131.52 (184.108.40.206) 374.382
ms 374.266 ms 376.433 ms
18 220.127.116.11 (18.104.22.168) 372.560
ms 22.214.171.124 (126.96.36.199) 382.924 ms 188.8.131.52 (184.108.40.206)
19 * * *
Each of those IP addresses
(the numbers that look like "220.127.116.11") is a different
computer location. Notice that you don't even see the last hop(s),
because the spammer host is concealing them. All you see is the
"* * *," which means demon.net tried three times to get
the information and gave up.
Any site that asks for your
medical information and credit card number but doesn't have a secure
site (with a https:// address) is not trustworthy. Any that intentionally
tries to fool you -- by using a fake padlock for its favicon --
is a criminal fraud.
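
The check described above can be automated. This is an added example, not part of the original post: it judges a page by its address scheme and by where its forms submit, and treats the favicon as site-supplied decoration. The host shop.example.test, the field-name heuristic, and the finding labels are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Field names that suggest payment or login data (heuristic, constructed).
SENSITIVE = re.compile(r"card|cc[-_]?num|cvv|expir|passw", re.I)
# Wording like the "256 bit secure" claim quoted above.
CLAIM = re.compile(r"\b(?:128|256)[\s-]*bit\b|\bsecure\b|\bSSL\b", re.I)

class PageAudit(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.favicons = []  # icon URLs chosen by the site itself
        self.forms = []     # [resolved action URL, collects sensitive data?]
        self.text = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "link" and "icon" in (a.get("rel") or "").lower().split():
            self.favicons.append(urljoin(self.page_url, a.get("href") or ""))
        elif tag == "form":
            self.forms.append([urljoin(self.page_url, a.get("action") or ""), False])
        elif tag == "input" and self.forms:
            if a.get("type") == "password" or SENSITIVE.search(a.get("name") or ""):
                self.forms[-1][1] = True

    def handle_data(self, data):
        self.text.append(data)

def audit(page_url, html):
    """Return findings based on the URL scheme, never on the favicon."""
    page = PageAudit(page_url)
    page.feed(html)
    page.close()
    findings = []
    if urlparse(page_url).scheme != "https":
        findings.append("page-not-https")
        if CLAIM.search(" ".join(page.text)):
            findings.append("security-claim-on-plaintext-page")
    if any(s and urlparse(u).scheme != "https" for u, s in page.forms):
        findings.append("sensitive-form-submits-over-http")
    if page.favicons:
        findings.append("favicon-is-site-supplied")
    return findings

# Constructed sample page, not a capture of any real site.
SAMPLE = """<html><head><link rel="shortcut icon" href="/padlock.ico"></head>
<body><p>We are 256 bit secure.</p><form action="/order" method="post">
<input name="card_number"><input name="cvv"></form></body></html>"""
```

Calling audit("http://shop.example.test/", SAMPLE) reports all four findings; the same page served from an https:// address leaves only the favicon note.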
November 14, 2009
Spamit Must Fall
If you have an email address,
the spamvertised brand most likely to show up in your spam folder
is a criminal outfit called "Canadian Pharmacy." They
send absolutely massive amounts of spam for thousands of identical
sites with different domain names.
As outlined in the Spamwiki,
Canadian Pharmacy is a complete fraud, starting with the fact that
it has nothing to do with Canada. Canadian Pharmacy is one of the
brands of an affiliate program called Glavmed/Spamit.
In the case of fraudulent
pharmacies, there's more than lost money at stake, too. Very sick
people are turning to these scams because they don't have insurance.
These are people whose illnesses are so severe they are willing
to pay a higher price for their medications when they can't afford
to pay to see a doctor. Failing to send drugs, sending fake drugs,
sending drugs that are the wrong strength, or sending dangerous
combinations of drugs and/or placebos can kill people. And it can
cause people with infections like HIV or tuberculosis to develop
drug resistant germs and spread them to other people, so it's a
public health menace, too.
Then there's the fact that
the Glavmed/Spamit affiliates hijack people's home computers to
mail their spam and even to host their websites, or the fact that
they help distribute the malware (bad software) used to hijack those
computers. The illegal email you see is just the tip of the iceberg.
There is now a blog devoted
specifically to that program's criminal operations, Spamit
Must Fall. It's written by the independent spam researcher who
uses the online handles "spamislame" and "ikillspammerz."
His research into the "My Canadian Pharmacy" spamvertised
brand (not the same operation as Canadian Pharmacy) was part of
an article in Forbes
magazine in 2007.
Scams like Canadian Pharmacy
can only make money because they can deceive people into thinking
they're legitimate. They fool people with a slick-looking website
template. (Okay, it's a tacky-looking template, but not as tacky
as a lot of legitimate websites.) They make such outrageous claims
that people assume no one would let them get away with them if they
The best way to fight back
is to spread the word about Glavmed, Spamit, and Canadian Pharmacy.
As long as there are people who simply haven't heard about this
scam, they can continue to make money at the expense of sick people.
November 9, 2009
"Act only according
to that maxim whereby you can at the same time will that it should
become a universal law." -- Immanuel Kant
The economy is bad, and
we're seeing spam advertising businesses which would not have stooped
so low before now. Still, spamming is pretty undesirable behavior.
Kant's categorical imperative
basically comes down to this: Don't do anything yourself unless
you think it would be a good idea if every other person on the planet
did exactly the same thing. Sort of, "Do unto others as you
would have them do unto you," taking into account that "them"
may mean five billion other people.
They teach about Kant in
universities. So it's pretty disappointing to see universities so
desperate for students they have stooped to spamming. It's already
hard enough to sort the ham from the spam without them joining in.
Maybe they should look in their spam folders some time to see how
much of their good email they're missing because of false positives.
Do they really will that spamming should become a universal law?
You won't see the names
of these schools in the spam emails. They at least have that much
shame. You have to follow the links, through multiple redirections
that credit the spammer who sent you the email for drawing in the
potential customer. And when you do that, the spammer will know
you opened the email, because the link won't work without a long
encoded number that lets him know your email address. That's going
to get you a lot more spam. You don't want to do that.
So I did it for you. Here
is the sequence of links that got me to the spamvertised website,
with the code numbers stripped out:
And which universities are
advertised at theonlinedegree.com?
University of Phoenix
American Intercontinental University (AIU Online)
Colorado Technical University Online
Westwood College Online
The Art Institute of Pittsburgh Online Division
The institution conferring
your degree is going to be listed on your resume for the rest of
your life. Should that university, in its desperation to obtain
students, engage in such undesirable activity that it creates a
public scandal, you're going to have that shadow on your resume
every time you apply for a job. Having a degree from a disreputable
institution is worse than having no degree at all, because it makes
you look desperate, too. And a school with so little concern about
its long term reputation that it engages in spamming is a big red
flag that there could be trouble in its future.
There are plenty of great
schools out there that aren't spamming. Do your own research. It's
a great time to be applying, because you do have a better chance
of being admitted to a high quality institution when the economy
And to the schools on the
list above -- if "desperate" isn't the adjective you want
used to describe you, you should rethink your marketing strategy.