premier pharmacy, I'm confused
dannyboy
post May 1 2006, 09:03 AM
Post #1

This is a fairly specific request for advice about a particular spam setup, not really spamcop itself, so I figured the lounge section was best - if there is somewhere more suitable for asking advice on specific spams please accept my apologies & can a mod move it if necessary?

Been receiving many spams advertising 'premier pharmacy'. [Edit: Sorry - that's wrong. It's Pharmacy Express.] The actual networks used to send the spam seem to be many, various and ever-changing. So I decided to try going after the spamvertised site itself. The domains change constantly but the IP seems much more 'stable' whilst the content is always identical.

I used spamcop to identify 'risinglordames.com' as being hosted by hichina.com / chinatietong.com. Previous domains used by the same spammer include:

ascendingmorsab.com
wicipasse.com
otecoureis.com
baicoscu.com
ploretocea.com
edeavilat.com and many many more

Currently they seem to be on www.degreisapo.com at the usual IP of 61.233.42.4

Eh up, we're onto www.vanteweks.com now, in the space of 5 minutes; IP... 61.233.42.4; same site content.

Spamcop reports all these as being hosted by hichina.com

After reporting several hundred spams via spamcop with no let up in the frequency, I began reporting them directly to abuse[at]hichina.com. I eventually received a reply from a personage at hichina, but they said the site had nothing to do with them:

QUOTE
You mentioned has brought to our attention. But these illegal, the repugnant activity has nothing to do with us.

we have received the attached unsolicited e-mail from your domain. we do not wish to receive such messages in the future, so please take the appropriate measures
to ensure that this unsolicited e-mail is not repeated.
Thank you again ! Best greetings.

In the past I've found a combination of spamcop & manual reporting to be very effective at stopping spam, but this particular online pharmacy spam seems to be exceptionally good at persisting. I know I could just filter the spam I get for this site & its many variants (about 300 spams per day) but they bug me & if I can report them to the correct place that would be very satisfying. If, that is, the 'correct place' actually recognises the problem in the first place...

They send a subject line always of the format 'drug name in capitals, interspersed with a few random lower case letters', 'space', followed by 'new' or 'news':

http://img96.imageshack.us/img96/883/ffffff4yv.jpg

I've tried doing a network lookup independent of spamcop on a couple of these domains & they seem to confirm hichina / chinatietong / china railway as the host, contrary to the email I received. Either that or else what they're trying to say is, they don't see hosting a spam site as a problem so long as they're not actually carrying the mail itself... I'm kinda confused here. (Maybe belinn's post is of relevance to this situation?) I know vaguely how to work a few IP tools but I'm no network expert. Maybe neither hichina.com nor chinatietong.com really have anything to do with it at all & it's some kinda case of forged headers?

Here is an example of spamcop's analysis (an expanded excerpt of the part where it investigates a spamvertised web address).. one of hundreds all ultimately reaching the same conclusion as to the origin of the sites' hosting:

CODE

Resolving link obfuscation

  http://www.risinglordames.com
  Host www.risinglordames.com (checking ip) = 61.233.42.4
  host 61.233.42.4 (getting name) no name

Tracking link: http://www.risinglordames.com

Resolves to 61.233.42.4

Routing details for 61.233.42.4

Reports routes for 61.233.42.4:
routeid:19140192 61.232.0.0 - 61.237.255.255 to:crnet_mgr[at]chinatietong.com
Administrator found from whois records
routeid:19140193 61.232.0.0 - 61.237.255.255 to:crnet_tec[at]chinatietong.com
Administrator found from whois records

Tracking details
"whois 61.233.42.4[at]whois.apnic.net" (Getting contact from whois.apnic.net mirror)

$ whois 61.233.42.4

[spamcop mirror]

inetnum:      61.232.0.0 - 61.237.255.255
netname:      CRTC
country:      CN
descr:        CHINA RAILWAY TELECOMMUNICATIONS CENTER
admin-c:      LQ112-AP
tech-c:       LM273-AP
status:       ALLOCATED PORTABLE
changed:      ipxx[at]cnxxxxxxxxxx 20030121
mnt-by:       MAINT-CNNIC-AP
source:       APNIC

person:       liu min
nic-hdl:      LM273-AP
e-mail:       crxxxxxxx[at]chxxxxxxxxxxxxxx
address:      22F Yuetan Mansion,Xicheng District,Beijing,P.R.China
phone:        +86-10-51848796
fax-no:       +86-10-51842426
country:      CN
changed:      ipxx[at]cnxxxxxxxxxx 20041208
mnt-by:       MAINT-CNNIC-AP
source:       APNIC

person:       LV QIANG
nic-hdl:      LQ112-AP
e-mail:       crxxxxxxx[at]chxxxxxxxxxxxxxx
address:      22F Yuetan Mansion,Xicheng District,Beijing,P.R.China
phone:        +86-10-51892106
fax-no:       +86-10-51890674
country:      CN
changed:      ipxx[at]cnxxxxxxxxxx 20050823
mnt-by:       MAINT-CNNIC-AP
source:       APNIC

lq112-ap = crnet_mgr[at]chinatietong.com
lm273-ap = crnet_tec[at]chinatietong.com
whois.apnic.net 61.233.42.4 = crnet_mgr[at]chinatietong.com, crnet_tec[at]chinatietong.com
whois: 61.232.0.0 - 61.237.255.255 = crnet_mgr[at]chinatietong.com, crnet_tec[at]chinatietong.com

Routing details for 61.233.42.4

Reports routes for 61.233.42.4:
routeid:19140215 61.232.0.0 - 61.237.255.255 to:crnet_mgr[at]chinatietong.com
Administrator found from whois records
routeid:19140216 61.232.0.0 - 61.237.255.255 to:crnet_tec[at]chinatietong.com
Administrator found from whois records

Using abuse net on crnet_mgr[at]chinatietong.com
abuse net chinatietong.com = postmaster[at]chinatietong.com, abuse[at]hichina.com
Using best contacts postmaster[at]chinatietong.com abuse[at]hichina.com

Cached whois for 61.233.42.4 : crnet_mgr[at]chinatietong.com crnet_tec[at]chinatietong.com
Using abuse net on crnet_mgr[at]chinatietong.com
abuse net chinatietong.com = postmaster[at]chinatietong.com, abuse[at]hichina.com
Using best contacts postmaster[at]chinatietong.com abuse[at]hichina.com

Any advice welcome thanks

At the mo I've given up on this lot & am just filtering it all into the bin.
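
The SpamCop trace above does three things by hand: resolve the spamvertised host to an IP, find the whois object whose inetnum range covers that IP, and follow the admin-c/tech-c handles to person objects to get e-mail addresses. The following is an added example (not SpamCop's code) that does the same over a whois answer; the input is a constructed copy of the records quoted in the thread, with the two e-mail addresses filled in from the lq112-ap/lm273-ap mapping SpamCop printed and the [at] obfuscation kept. The abuse.net override that sends reports to hichina.com is a lookup this example cannot reproduce offline, so it only derives the RFC 2142 role mailboxes (abuse@, postmaster@) of the contact domain as fallbacks.

```python
"""Parse an APNIC/RIPE-style whois answer and derive reporting contacts.
Added example; WHOIS_TEXT is constructed from the thread, not a live lookup."""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

Record = Dict[str, List[str]]

WHOIS_TEXT = """\
[spamcop mirror]

inetnum:      61.232.0.0 - 61.237.255.255
netname:      CRTC
country:      CN
descr:        CHINA RAILWAY TELECOMMUNICATIONS CENTER
admin-c:      LQ112-AP
tech-c:       LM273-AP
status:       ALLOCATED PORTABLE
mnt-by:       MAINT-CNNIC-AP
source:       APNIC

person:       liu min
nic-hdl:      LM273-AP
e-mail:       crnet_tec[at]chinatietong.com
address:      22F Yuetan Mansion,Xicheng District,Beijing,P.R.China
country:      CN
source:       APNIC

person:       LV QIANG
nic-hdl:      LQ112-AP
e-mail:       crnet_mgr[at]chinatietong.com
address:      22F Yuetan Mansion,Xicheng District,Beijing,P.R.China
country:      CN
source:       APNIC
"""


def parse_whois(text: str) -> List[Record]:
    """Split RPSL-style output into blank-line separated objects.
    Keys may repeat (changed:, remarks:), so each value is kept in a list.
    Comment lines (% or #) and noise such as '[spamcop mirror]' are skipped;
    lines starting with whitespace continue the previous attribute."""
    objects: List[Record] = []
    current: Record = {}
    last_key: Optional[str] = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip():
            if current:
                objects.append(current)
            current, last_key = {}, None
            continue
        if line.startswith(("%", "#")):
            continue
        if line[0].isspace() and last_key:
            current[last_key][-1] += " " + line.strip()
            continue
        m = re.match(r"^([\w-]+):\s*(.*)$", line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        current.setdefault(key, []).append(value)
        last_key = key
    if current:
        objects.append(current)
    return objects


def _bounds(inetnum: str) -> Tuple[int, int]:
    """(first, last) as integers; inetnum is 'a - b', but accept CIDR too."""
    if "/" in inetnum:
        net = ipaddress.ip_network(inetnum.strip(), strict=False)
        return int(net[0]), int(net[-1])
    first, last = (ipaddress.ip_address(p.strip()) for p in inetnum.split("-", 1))
    return int(first), int(last)


def ip_in_inetnum(ip: str, inetnum: str) -> bool:
    first, last = _bounds(inetnum)
    return first <= int(ipaddress.ip_address(ip)) <= last


def deobfuscate(addr: str) -> str:
    """The thread writes addresses as user[at]domain; restore the @."""
    return addr.replace("[at]", "@").replace(" ", "")


def contacts_for_ip(ip: str, whois_text: str) -> Optional[dict]:
    """Most specific covering inetnum -> admin-c/tech-c -> person e-mails."""
    objects = parse_whois(whois_text)
    covering = [o for o in objects
                if "inetnum" in o and ip_in_inetnum(ip, o["inetnum"][0])]
    if not covering:
        return None
    net = min(covering, key=lambda o: _bounds(o["inetnum"][0])[1] - _bounds(o["inetnum"][0])[0])
    handles = net.get("admin-c", []) + net.get("tech-c", [])
    by_handle = {o["nic-hdl"][0].upper(): o for o in objects if "nic-hdl" in o}
    emails: List[str] = []
    for h in handles:
        person = by_handle.get(h.upper(), {})
        for e in person.get("abuse-mailbox", []) + person.get("e-mail", []):
            e = deobfuscate(e)
            if e not in emails:
                emails.append(e)
    # RFC 2142 role mailboxes at each contact domain, as a fallback.
    domains: List[str] = []
    for e in emails:
        d = e.split("@", 1)[1]
        if d not in domains:
            domains.append(d)
    fallbacks = [f"{box}@{d}" for d in domains for box in ("abuse", "postmaster")]
    return {"netname": net.get("netname", [""])[0], "inetnum": net["inetnum"][0],
            "handles": handles, "emails": emails, "fallback_contacts": fallbacks}


if __name__ == "__main__":
    import json
    print(json.dumps(contacts_for_ip("61.233.42.4", WHOIS_TEXT), indent=2))
```

The point of the range check is the same one dannyboy stumbled over: the whois answer names the allocation holder (China Railway Telecommunications Center, whose handles map to chinatietong.com), not necessarily whoever operates the box at 61.233.42.4, so "hichina has nothing to do with it" and "the IP is in chinatietong's block" can both be true at once.
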
dannyboy
post May 1 2006, 11:30 AM
Post #2

Strange. It's been rock solid for donkeys' ages, as soon as I post here about it, 61.233.42.4 and all the domains that were pointing at it go down within minutes.

Does the god of the Internet read this forum?

I'm not complaining, hope it stays that way.
turetzsr
post May 1 2006, 06:11 PM
Post #3
From: Michigan USA

...This looks like the right forum to me! <g>
...Don't hurt yourself -- many Chinese sites (especially including chinatietong) are a lost cause -- either they are quite happy to host spammers or they are woefully incompetent. You're better off directing your attempts to stop spam elsewhere.


--------------------
..Regards,
...Steve T

...A Happy SpamCop.net user (not an employee)
...Please avoid replying via e-mail, as it is not secure
dannyboy
post May 1 2006, 06:27 PM
Post #4

Cheers turetzsr.. fair enough. The domain that's getting spammed so heavily is one that was handled by a very inexperienced webmaster several years ago. The idiot was posting email addresses out in the clear all over the shop on the site, & signing up for all manner of dodgy 'submit your site to ten million search engines, just give us your email' setups. Of course the addresses leaked out all over the place..

Guilty as charged, that was me. Learnt a bit since then, but the spam kept coming! Hard to explain to the site owner why 'these people' think he needs so much viagra.

Anyway thanks to spamcop I managed to get 99% of it to stop. When others finally stop though, Pharmacy Express seems to be like the proverbial Duracell Bunny.. they just keep going & going!

For some odd reason they're still quiet. Nothing for the last half day now. Maybe it's some kind of holiday in China at the mo.
Farelf
post May 1 2006, 07:35 PM
Post #5
From: Western Australia

QUOTE(dannyboy @ May 2 2006, 07:27 AM)
Maybe it's some kind of holiday in China at the mo.
Hope they stay away from you but yes - most/all self-styled "democratic/people's republics" (plus Queensland which is fairly similar) have a "May Day", including China. http://www.earthcalendar.net/index.php
Dunno how good that is - doesn't show Ned Kelly's Birthday.

This post has been edited by Farelf: May 1 2006, 08:04 PM


--------------------
Plus ça change, plus c’est la même chose
Wazoo
post May 1 2006, 09:17 PM
Post #6
From: Iowa

Know not why, but several tries today to hit the spamhaus site .... every time I got a video blow-up, needing a re-boot .. then a bunch of clean-up ... finally managed to get there on another system ... take a look at http://www.spamhaus.org/sbl/sbl.lasso?query=SBL41070 which then leads to http://www.spamhaus.org/rokso/listing.lass...ev%20/%20BadCow .... explanation enough on the "why" part of your original query? <g>

Of course, then there are articles out there that talk about these bad boys being "shut down" a while back .... http://www.lindqvist.com/spam/index.php?ID=2020 .... oh well ....
dannyboy
post May 2 2006, 09:39 AM
Post #7

Thanks guys, nice to know the enemy. Cheers for your responses. That guy looks like butter wouldn't melt

They're back again, I thought the silence was too good to be true.

Currently www.ustalovetalon.com on our old friend 61.233.42.4

Oh well.. guess I'll just keep on reporting. Or filtering. Depending upon how riled or resigned I feel at any given point.

This post has been edited by dannyboy: May 2 2006, 09:42 AM
dbiel
post May 2 2006, 02:53 PM
Post #8
From: San Gabriel Valley CA USA (Los Angeles)

QUOTE(dannyboy @ May 1 2006, 04:27 PM)
Pharmacy Express seems to be like the proverbial Duracell Bunny.. they just keep going & going!
You may be upsetting some corporate types http://www.energizer.com/bunny/ But we do get your point.


--------------------
This forum is a user support forum. The Moderators and Forum Admin are volunteers (not paid) and have no special direct relationship with SpamCop.net.
If you have been unable to receive the assistance you need here please see How To Contact SpamCop Staff
Thank you for your participation in our peer to peer, user based forums.
Kojote
post Aug 5 2006, 09:04 PM
Post #9

I know this is an old thread, but it looks like they just hit me with their spam. I'm getting the same spam with same subject line as you did. 5-6 random characters then VIAGRA. When you go to this website it says "Pharmacy Express".

The spam-advertised link is...
http://www.wukeliapotus.com

Here is the WHOIS information...


QUOTE
Registrant:
wangpang ***@yahoo.com.cn +86.2176886639
wangpang
jungpnglu
shanghao,shanghai,CHINA 200098


Domain Name:wukeliapotus.com
Record last updated at 2006-08-03 07:45:21
Record created on 2006/8/3
Record expired on 2007/8/3


Domain servers in listed order:
ns0.oslanatie.com ns0.decietrea.com

Administrator:
wangpang ***@yahoo.com.cn +86.2176886639
wangpang
jungpnglu
shanghao,shanghai,CHINA 200098

Technical Contactor:
wangpang ***@yahoo.com.cn +86.2176886639
wangpang
jungpnglu
shanghao,shanghai,CHINA 200098

Billing Contactor:
wangpang ***@yahoo.com.cn +86.2176886639
wangpang
jungpnglu
shanghao,shanghai,CHINA 200098
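
Two descriptions of the subject line appear in this thread: post #1 (a drug name in capitals with a few random lower-case letters mixed in, then 'new' or 'news') and post #9 above (5-6 random characters, then VIAGRA). The following is an added example, not code from the thread, that turns both into a filter rule a mail gateway could apply. The drug word list beyond Viagra and all sample subjects are constructed for the example; the thread only shows the pattern for Viagra.

```python
"""Flag the two Pharmacy Express subject-line patterns described in the
thread. Added example; DRUGS (beyond VIAGRA) and SAMPLE_SUBJECTS are
constructed, not taken from the posts."""
import re
from typing import Dict, List, Optional, Tuple

# Assumed word list; the thread itself only names Viagra.
DRUGS = {"VIAGRA", "CIALIS", "LEVITRA", "XANAX", "VALIUM", "SOMA"}
TRAILERS = {"new", "news"}

# Capitals with at least one run of lower-case letters sandwiched inside:
# 'VIkAGhRA' matches, 'VIAGRA' and 'VIAGRAs' do not.
INTERLEAVED = re.compile(r"[A-Z]+(?:[a-z]+[A-Z]+)+")
# Post #9: a short run of random characters in front of the bare drug name.
RANDOM_PREFIX = re.compile(r"[A-Za-z0-9]{4,7}")

SAMPLE_SUBJECTS = [            # constructed examples
    "VIkAGhRA news",           # post #1 pattern
    "CIAqLIuS new",
    "xkqtw VIAGRA",            # post #9 pattern
    "Re: new budget figures",  # legitimate, contains 'new'
    "VIAGRA prescriptions: pharmacy policy update",  # plain mention
]


def uppercase_residue(token: str) -> str:
    """Drop everything except capitals: 'VIkAGhRA' -> 'VIAGRA'."""
    return "".join(ch for ch in token if ch.isupper())


def classify_subject(subject: str) -> Optional[Dict[str, str]]:
    """Return a verdict dict when the subject matches one of the two patterns,
    else None. A drug name in ordinary sentence context is not flagged."""
    tokens = subject.split()
    # Rule A: capitals with lower-case noise inside. The 'new'/'news'
    # trailer is recorded but not required; the noise is already distinctive.
    for i, tok in enumerate(tokens):
        residue = uppercase_residue(tok)
        if residue in DRUGS and INTERLEAVED.fullmatch(tok):
            nxt = tokens[i + 1].lower() if i + 1 < len(tokens) else ""
            return {"rule": "interspersed_lowercase", "drug": residue,
                    "token": tok, "trailer": nxt if nxt in TRAILERS else ""}
    # Rule B: exactly two tokens, random-looking prefix then the bare name.
    # Coarser than rule A: 'Cheap VIAGRA' would also match, which is fine
    # for a spam filter but worth knowing when reading the rule name.
    if len(tokens) == 2 and tokens[1] in DRUGS and RANDOM_PREFIX.fullmatch(tokens[0]):
        return {"rule": "random_prefix", "drug": tokens[1],
                "token": tokens[1], "trailer": ""}
    return None


def scan(subjects: List[str]) -> List[Tuple[str, Dict[str, str]]]:
    """Run the classifier over a batch and keep only the hits."""
    hits = []
    for s in subjects:
        verdict = classify_subject(s)
        if verdict:
            hits.append((s, verdict))
    return hits


if __name__ == "__main__":
    for subject, verdict in scan(SAMPLE_SUBJECTS):
        print(f"{verdict['rule']:22} {verdict['drug']:8} {subject}")
```

Stripping lower-case letters before the dictionary match is the whole trick: the spammer's noise letters are there precisely so that a naive substring match on VIAGRA fails, and the residue check undoes that without needing a regex per drug name.
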
rulezde
post Nov 15 2006, 05:56 AM
Post #10

Hi from Germany,
I have found this on the order and contact page:

<scri_pt>
function stati(){

var a = "http://stat2.f"; b = "google.com"; a1 = "om/img.php"; c = "news"; a2 = "etroz.c";
var url = a + a2 + a1;
document.getElementById("stat").src = url;

}
</scri_pt>

ht tp://sta t2.fet roz. com/img. php

Domain Name : fetroz.com

::Registrant::
Name : Fetroz
Email : **********@yahoo.com
Address : av 234
Zipcode : 90210
Nation : US
Tel : 14564634233
Fax :

::Administrative Contact::
Name : Fetroz
Email : **********@yahoo.com
Address : av 234
Zipcode : 90210
Nation : US
Tel : 14564634233
Fax :

::Technical Contact::
Name : Fetroz
Email : **********@yahoo.com
Address : av 234
Zipcode : 90210
Nation : US
Tel : 14564634233
Fax :

::Name Servers::
ns2.easydns.com
remote1.easydns.com
ns6.easydns.net
ns3.easydns.org
remote2.easydns.com

::Dates & Status::
Created Date 2006-04-25 07:10:41 EDT
Updated Date 2006-04-25 07:10:41 EDT
Valid Date 2007-04-25 07:10:41 EDT
Status ACTIVE

Moderator Edit: no need to advertise the crap link, so URL broken here ....
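
The tracker script rulezde quotes builds its image URL from string fragments, and two of the fragments ("google.com", "news") are assigned but never used. The following is an added example, not part of the post, that resolves the URL statically, without executing any JavaScript, and lists the unused fragments. The snippet is copied from the post with the tag left as the poster broke it; the parser is a regex pass over 'name = "literal"' assignments and 'x = a + b' concatenations, which is enough for this pattern and is not a general JavaScript parser.

```python
"""Statically resolve split-string URLs of the kind in the quoted tracker.
Added example; SNIPPET is the script text from the post, nothing else."""
import re
from typing import Dict, List, Tuple

SNIPPET = '''
<scri_pt>
function stati(){

var a = "http://stat2.f"; b = "google.com"; a1 = "om/img.php"; c = "news"; a2 = "etroz.c";
var url = a + a2 + a1;
document.getElementById("stat").src = url;

}
</scri_pt>
'''

IDENT = r"[A-Za-z_$][\w$]*"
# name = "literal"   (with or without a leading 'var')
ASSIGN = re.compile(r'(?:var\s+)?(' + IDENT + r')\s*=\s*"((?:[^"\\]|\\.)*)"')
# name = x + y + z;  (operands must be bare identifiers)
CONCAT = re.compile(r'(?:var\s+)?(' + IDENT + r')\s*=\s*(' + IDENT +
                    r'(?:\s*\+\s*' + IDENT + r')+)\s*;')


def string_assignments(js: str) -> Dict[str, str]:
    """Every 'name = "literal"' in source order; later ones win."""
    return {name: value for name, value in ASSIGN.findall(js)}


def resolve_concatenations(js: str) -> Dict[str, str]:
    """Evaluate 'x = a + b + c;' when every operand is a known literal or an
    already resolved concatenation. Unknown operands leave x unresolved."""
    literals = string_assignments(js)
    resolved: Dict[str, str] = {}
    for target, expr in CONCAT.findall(js):
        parts = [p.strip() for p in expr.split("+")]
        if all(p in literals or p in resolved for p in parts):
            resolved[target] = "".join(literals.get(p, resolved.get(p, "")) for p in parts)
    return resolved


def decoy_fragments(js: str) -> List[str]:
    """String variables that feed no concatenation. In the quoted script
    these are 'b' (google.com) and 'c' (news), presumably there so that a
    quick grep or eyeball review sees a harmless-looking hostname."""
    literals = string_assignments(js)
    used = set()
    for _, expr in CONCAT.findall(js):
        used.update(p.strip() for p in expr.split("+"))
    return sorted(name for name in literals if name not in used)


def extract_tracker(js: str) -> Tuple[str, str]:
    """(resolved URL assigned to 'url', its hostname) or ('', '')."""
    url = resolve_concatenations(js).get("url", "")
    host = re.match(r"https?://([^/]+)", url)
    return url, (host.group(1) if host else "")


if __name__ == "__main__":
    url, host = extract_tracker(SNIPPET)
    print("tracker URL:", url)
    print("host to report:", host)
    print("decoy fragments:", decoy_fragments(SNIPPET))
```

The resolved value matches the URL rulezde pasted under the script, and the hostname is the one whose registrant record follows in the post; resolving it statically rather than loading the page avoids firing the tracker yourself.
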
rooster
post Nov 15 2006, 05:47 PM
Post #11

"Name : Fetroz...

Zipcode : 90210"


Riiiight.... It could happen!!!


--------------------
Happy trails,

rooster
boundary bay, bc

Never Slap a Man Who Chews Tobacco