
My "Canadian" Pharmacy


Paranoid2000


Been getting "My Canadian Pharmacy" spams for a while but for the past week or so, the domain lookup has always failed with SpamCop (example 1, 2, 3, 4). Other domain lookup services work so it would appear that this hard-core spammer (who breaks into other servers to use them for image hosting) has been able to block queries from SpamCop.

This doesn't prevent manual lookup and reporting of course, but ISPs that choose to host this site deserve to be flooded out of existence with complaints.


08/16/06 01:08:42 dns ecolwont.com

Canonical name: ecolwont.com

Addresses:

63.218.103.8

08/16/06 01:09:03 Slow traceroute ecolwont.com

Trace ecolwont.com (63.218.103.8) ...

http://www.dnsreport.com/tools/dnsreport.c...in=ecolwont.com

Note all the Failures and Warnings .....

08/16/06 01:13:26 Browsing http://ecolwont.com/

Fetching http://ecolwont.com/ ...

GET / HTTP/1.1

Host: ecolwont.com

Connection: close

absolutely nothing returned

08/16/06 01:15:30 Browsing http://bjpskl.ecolwont.com

Fetching http://bjpskl.ecolwont.com/ ...

GET / HTTP/1.1

Host: bjpskl.ecolwont.com

Connection: close

Socket Error

wants to play dead, assumedly as the "unique key" wasn't also passed in the browser request ....


  • 2 weeks later...
Been getting "My Canadian Pharmacy" spams for a while but for the past week or so, the domain lookup has always failed with SpamCop (example 1, 2, 3, 4). Other domain lookup services work so it would appear that this hard-core spammer (who breaks into other servers to use them for image hosting) has been able to block queries from SpamCop.

This doesn't prevent manual lookup and reporting of course, but ISPs that choose to host this site deserve to be flooded out of existence with complaints.

They aren't blocking SpamCop queries. Check out the blog http://www.spamhater.zoomshare.com/


They aren't blocking SpamCop queries. Check out the blog http://www.spamhater.zoomshare.com/

When the domains can't be resolved by SpamCop but can be by other sites like DNSStuff, NWTools, etc. and the sites themselves are accessible, it is safe to presume that the block is specific to SpamCop. When the DNS server domains are disabled (as mentioned in the blog), it results in all subsequent lookups failing.

When the domains can't be resolved by SpamCop but can be by other sites like DNSStuff, NWTools, etc and the sites themselves are accessible, it is safe to presume that the block is specific to SpamCop.

Possible .. but the more likely issue is the time allowed for a return from a DNS lookup ... the SpamCop.net parsing engine doesn't wait around for two or three minutes for a response .....


Possible .. but the more likely issue is the time allowed for a return from a DNS lookup ... the SpamCop.net parsing engine doesn't wait around for two or three minutes for a response .....

I would be willing to allow SpamCop to use my computer to do the lookup and wait until a result was returned. I wonder if that would be possible ...


Part of the issue is that DNS is asynchronous. This means that computer A sends a request to a DNS server for resolution of an address, and then goes on about its business. Most programs will actually wait a specified amount of time for this result to return, but the problem here is that while it is waiting, it is not doing other things. The DNS could send the response back to computer A immediately, or several minutes later (worst case). Once the response has been received, it is added to an internal list of resolved addresses on computer A (in this case the SpamCop computer that is processing spam) and is available to subsequent calls until it is considered "stale", at which time it will be requeried. The problem here is that there is no set time as to how long a DNS server might take to send the resolution information. It's not really a matter of processing power, it's a matter of processing efficiency.

The other option I see is to have the parser resubmit DNS-failed messages to the end of the queue, and by the time they make it to the front for processing again, the resolution should be in. The problem here is you would have to make sure the parser knew to give up on a message after a couple of tries, or the queue would end up filled with messages with unresolvable DNS that just kept getting resubmitted. Again, this means that some messages would have to be parsed more than once, which eats up CPU cycles on an already somewhat overwhelmed parsing system.

Another solution would be to use a multi-threaded approach, so that multiple emails are being parsed simultaneously. That way, if one thread has to wait a little longer for DNS resolution, it will not significantly impact the performance of the server overall as the other threads will continue processing their separate emails.

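The requeue-with-a-retry-limit and stale-cache ideas from the post above, as an added example (not SpamCop's code). The resolver is a stand-in with constructed per-attempt latencies, so it runs offline; the only page-derived value is the 63.218.103.8 address for ecolwont.com, the other answer is a made-up documentation address.

```python
"""Added example: a parse queue that gives each DNS lookup a short timeout,
sends a failed message to the back of the queue a bounded number of times,
and caches successful answers until they are stale."""
import time
from collections import deque

TIMEOUT_MS = 500      # per-attempt budget: the parser does not wait minutes
MAX_ATTEMPTS = 3      # give up after this many tries so the queue cannot fill up
CACHE_TTL_S = 3600    # reuse a cached answer until it is considered "stale"

# Constructed stand-in for the network: host -> latency (ms) of each successive
# attempt; None models an authoritative server that never answers at all.
FAKE_LATENCY = {
    "mmpggj.vesseliss.com": [1800, 449, 274],  # slow first, answers later
    "ecolwont.com": [7, 7, 7],                  # always fast
    "ns1.wizardup.info": [None, None, None],    # always times out
}
FAKE_ANSWER = {
    "mmpggj.vesseliss.com": "198.51.100.7",     # constructed documentation address
    "ecolwont.com": "63.218.103.8",             # address shown earlier in the thread
}


class LookupTimeout(Exception):
    pass


def fake_resolve(host, attempt, timeout_ms):
    """Simulate one query attempt without touching the network."""
    latencies = FAKE_LATENCY.get(host, [None])
    lat = latencies[min(attempt, len(latencies) - 1)]
    if lat is None or lat > timeout_ms:
        raise LookupTimeout(host)
    return FAKE_ANSWER[host]


class Parser:
    def __init__(self, timeout_ms=TIMEOUT_MS, max_attempts=MAX_ATTEMPTS,
                 ttl=CACHE_TTL_S, now=time.time):
        self.timeout_ms, self.max_attempts, self.ttl, self.now = timeout_ms, max_attempts, ttl, now
        self.cache = {}        # host -> (ip, expiry time)
        self.queue = deque()   # (host, attempts so far)
        self.resolved, self.given_up, self.queries = {}, [], 0

    def submit(self, host):
        self.queue.append((host, 0))

    def lookup(self, host, attempt):
        hit = self.cache.get(host)
        if hit and hit[1] > self.now():
            return hit[0]                      # fresh cache entry: no network wait
        self.queries += 1
        ip = fake_resolve(host, attempt, self.timeout_ms)
        self.cache[host] = (ip, self.now() + self.ttl)
        return ip

    def run(self):
        """Drain the queue; a timed-out message goes to the back, not in front of others."""
        while self.queue:
            host, attempts = self.queue.popleft()
            try:
                self.resolved[host] = self.lookup(host, attempts)
            except LookupTimeout:
                attempts += 1
                if attempts < self.max_attempts:
                    self.queue.append((host, attempts))
                else:
                    self.given_up.append(host)  # bounded: unresolvable hosts drop out
        return self.resolved, self.given_up
```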

I would be willing to allow SpamCop to use my computer to do the lookup and wait until a result was returned. I wonder if that would be possible ...

Your waiting would delay all the other processing going on (SpamCop's computer would be waiting for your machine to get the answer and return the value to them). Please remember that the SpamCop parser is spitting out lots of reports per second.

Your offer has been made in the past. The whole way SpamCop does its business would need to be modified to use a distributed computing type of approach. Likely too much work for one programmer.


There are lots of possible solutions. I outlined a couple above. However, any solution is going to require some major changes to how the parse code works, so is unlikely to happen unless SC suddenly gets some huge funding source and can hire a programming team. If you are really hot on getting the spamvertised sites shut down, then your best bet might simply be to fire off a manual report when SC is unable to get DNS resolution within its timeout period.


So what is the solution? These spamvertized sites need to be shut down. Could SC try an alternate name server when the first one fails to get a result. The new OpenDNS servers seem quite fast...

???? it's not the "requests" that are the issue .. it's the "response" times that are at odds with how "the net" is supposed to work. There are a number of entries existing within the SpamCop FAQ here already dealing with the "resolving of web-site" issues ... primarily dealing with that a SpamCop.net 'notification' is at best just a courtesy. As the majority of these "problem" sites are hosted on known "don't give a damn" China-based hosts ... even that courtesy is a waste of time for the most part. Yet again, "the net" was developed in the mindset that "all users would be trustworthy" .. back when it was a U.S. Government tool to connect U.S. Government resources ..... this is the area that the spammers continue to work around, taking/using those "trusted" aspects and abusing the hell out of those concepts, tools, and data.

On the other hand, resolving them and user-reporting them does offer the opportunity for them to be picked up by the SURBL, but again .... one of those so-what scenarios .... with some spammers burning through 50 sites a day, so what if one or two of them get placed on a BL somewhere ... it was only intended to last a week anyway ....

And, as often repeated, repeated, repeated .. there is nothing that stops "you" from making your own complaints..... do the research, find the addresses, fire it off ....


???? it's not the "requests" that are the issue .. it's the "response" times that are at odds with how "the net" is supposed to work.

This isn't a response time issue - the sites in question resolve quickly when checked using other tools (e.g. DNSStuff, NWTools) or accessed directly.

As the majority of these "problem" sites are hosted on known "don't give a damn" China-based hosts ... even that courtesy is a waste of time for the most part.

My Canadian Pharmacy uses compromised servers (probably via a dictionary attack on the root password) with images held on another compromised server, so informing the admins in this case is more likely to yield results.

And, as often repeated, repeated, repeated .. there is nothing that stops "you" from making your own complaints..... do the research, find the addresses, fire it off ....

Agreed - but then far fewer people will take the time to do this, meaning that those ISPs that prioritise on the number of reports received will give this less attention than it deserves. The spammer is clearly finding SpamCop reports a hindrance to take this measure.

This isn't a response time issue - the sites in question resolve quickly when checked using other tools (e.g. DNSStuff, NWTools) or accessed directly.

I disagree with this. I only got results about half the time on my test below. 500ms is not "quickly", especially when dealing with the numbers spamcop is pushing through. I agree there COULD be another process that waits a longer time or retries for those so inclined, but I don't think there are enough people complaining about this to be worth the time.

Once again, spamvertized websites is NOT SpamCop's primary focus.

DNSStuff lookups with 4 successive refreshes of the page http://www.dnsstuff.com/tools/lookup.ch?na...057&type=A: from your first sample.

How I am searching:

Searching for mmpggj.vesseliss.com A record at h.root-servers.net [128.63.2.53]: Got referral to j.gtld-servers.net. (zone: com.) [took 14 ms]

Searching for mmpggj.vesseliss.com A record at j.gtld-servers.net. [192.48.79.30]: Got referral to ns2.molefancy.info. (zone: vesseliss.com.) [took 254 ms]

Searching for mmpggj.vesseliss.com A record at ns2.molefancy.info. [unknown IP]: Error: Couldn't resolve DNS server name/IP [ns2.molefancy.info][11004].

Answer:

An error occurred: Couldn't resolve DNS server name/IP [ns2.molefancy.info][11004].

Details:

I could not get to the nameserver authoritative for mmpggj.vesseliss.com. Sorry!

How I am searching:

Searching for mmpggj.vesseliss.com A record at f.root-servers.net [192.5.5.241]: Got referral to C.GTLD-SERVERS.NET. (zone: com.) [took 62 ms]

Searching for mmpggj.vesseliss.com A record at C.GTLD-SERVERS.NET. [192.26.92.30]: Got referral to ns2.grainpleat.info. (zone: vesseliss.com.) [took 6 ms]

Searching for mmpggj.vesseliss.com A record at ns2.grainpleat.info. [200.51.90.94]: Reports mmpggj.vesseliss.com. [took 449 ms]

517ms total

How I am searching:

Searching for mmpggj.vesseliss.com A record at f.root-servers.net [192.5.5.241]: Got referral to J.GTLD-SERVERS.NET. (zone: com.) [took 61 ms]

Searching for mmpggj.vesseliss.com A record at J.GTLD-SERVERS.NET. [192.48.79.30]: Got referral to ns1.morevig.info. (zone: vesseliss.com.) [took 222 ms]

Searching for mmpggj.vesseliss.com A record at ns1.morevig.info. [132.248.107.131]: Reports mmpggj.vesseliss.com. [took 274 ms]

557ms total

How I am searching:

Searching for mmpggj.vesseliss.com A record at d.root-servers.net [128.8.10.90]: Got referral to G.GTLD-SERVERS.NET. (zone: com.) [took 7 ms]

Searching for mmpggj.vesseliss.com A record at G.GTLD-SERVERS.NET. [192.42.93.30]: Got referral to ns2.molefancy.info. (zone: vesseliss.com.) [took 90 ms]

Searching for mmpggj.vesseliss.com A record at ns2.molefancy.info. [unknown IP]: Error: Couldn't resolve DNS server name/IP [ns2.molefancy.info][11004].

Answer:

An error occurred: Couldn't resolve DNS server name/IP [ns2.molefancy.info][11004].

Details:

I could not get to the nameserver authoritative for mmpggj.vesseliss.com. Sorry!

DNS Traversal for your first sample: http://www.dnsstuff.com/tools/traversal.ch....com&type=A

Looking up at the 4 vesseliss.com. parent servers:

Server | Response | Time
ns1.morevig.info [132.248.107.131] | 59.120.122.76 | 356ms
ns2.grainpleat.info [200.51.90.94] | 59.120.122.76 | 502ms
ns1.dartnet.info [0.0.0.0] | - | Timeout
ns2.molefancy.info [0.0.0.0] | - | Timeout

Status: Records DO NOT all match: Results from ns2.molefancy.info (0 answers) do not match results from ns2.grainpleat.info (1 answers).

DNS Traversal for your second sample: http://www.dnsstuff.com/tools/traversal.ch....com&type=A

Looking up at the 4 ecolwont.com. parent servers:

Server | Response | Time
ns2.lofhick.info [194.29.49.1] | 59.120.122.76 | 356ms
ns2.molefancy.info [161.246.61.208] | 59.120.122.76 | 681ms
ns1.dartnet.info [201.6.155.6] | 59.120.122.76 | 1559ms
ns1.wizardup.info [0.0.0.0] | - | Timeout

Status: Records DO NOT all match: Results from ns1.wizardup.info (0 answers) do not match results from ns1.dartnet.info (1 answers).

DNS Traversal for your third sample: http://www.dnsstuff.com/tools/traversal.ch....com&type=A

Looking up at the 4 greatacope.com. parent servers:

Server | Response | Time
ns1.morevig.info [132.248.107.131] | 59.120.122.76 | 295ms
ns2.grainpleat.info [200.51.90.94] | 59.120.122.76 | 453ms
ns2.molefancy.info [161.246.61.208] | 59.120.122.76 | 652ms
ns1.dartnet.info [201.6.155.6] | 59.120.122.76 | 1604ms

Status: Records all match.

DNS Traversal for your fourth sample: http://www.dnsstuff.com/tools/traversal.ch....com&type=A

Looking up at the 4 pressret.com. parent servers:

Server | Response | Time
ns2.lofhick.info [194.29.49.1] | 59.120.122.76 | 387ms
ns2.molefancy.info [161.246.61.208] | 59.120.122.76 | 710ms
ns1.dartnet.info [201.6.155.6] | 59.120.122.76 | 124ms
ns1.wizardup.info [0.0.0.0] | - | Timeout

Status: Records DO NOT all match: Results from ns1.wizardup.info (0 answers) do not match results from ns1.dartnet.info (1 answers).


  • 2 weeks later...

Hello.

I have been very active on a few other spam-related message forums and only today discovered this one.

I have a huge amount of information I've been compiling on the My Canadian Pharmacy umbrella of websites if anyone is interested:

http://www.mytempdir.com/917959

This covers a great deal of background research I have been doing including data collated from several pharmaceutical authorities and law enforcement personnel.

I have sent copies of this report to the FBI's IC3 group, Interpol, numerous pharmaceutical regulators, Pfizer, Microsoft and several media outlets. None of them have commented on it (though I know that IC3 is actively investigating this group of spammers.)

A colleague of mine who alternately goes by the names "Red Dwarf" and "Blue Turkey" has been extremely effective lately in reporting fraudulent DNS usage. The spammers set up DNS which they know registrars will disallow, but they also know that that won't stop it from resolving. A nice loophole. They similarly engage in a practice known as "domain kiting", where they register several hundred domains with a registrar, wait for the five-day "grace period" to nearly complete (within which they will not be charged for the registration of the domain) and cancel all of them, moving them all to a new registrar.

They also abuse several dozen public servers at a time. They do so via the following means:

- Run a root password guesser, attempting to login as root to a set of known IP addresses using 400 passwords. (Note: In most cases they get in with some retardedly simple passwords like "root" or "password." A surprising number of home Linux boxes have their root passwords set up this way.)

- Once in as root: they wget and install a series of processes, depending on how they wish to use the server in question:

* tswapd (more recently renamed to "tirqd") - a traffic-forwarding proxy

* uirqd (an undetectable dns server)

* S-root (the root password scanner)

The most common is tswapd / tirqd. That handles all of the traffic for a My Canadian Pharmacy domain, and all requests are proxied through one server, to be delivered via a secondary or even tertiary server.

But as we can see: they abuse all kinds of servers, using them for traffic proxies (and monitoring), or web hosts, or DNS servers, all costing them nothing.

These spammers are alleged to have ties to child porn and credit card theft. In fact not one single pharmacy oversight organization (including Pharmacy Checker or CIPA) has ever heard of anyone actually receiving a single product after placing an order via these sites.

I'm babbling but I wanted to contribute this information to a group that might find it useful. This goes beyond "some server in China". They use that as a cover. They really take over any server, anywhere in the world. We've uncovered more on them but this is plenty to get started with.

Thanx for listening.

SiL

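The root-password guessing SiL describes above leaves a distinctive trail in sshd logs. As an added example (not from the post or any project), this flags a source that fails repeatedly against root inside a short window and, more importantly, a root login that succeeds right after such a burst. The log lines are constructed in the traditional syslog format; the year is assumed since that format omits it.

```python
"""Added example: detect password guessing against root in sshd syslog lines and
flag a success that follows a burst (the likely sign the box was just taken over)."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: a guesser hammering root from one address and getting in,
# plus unrelated activity from a normal user that must not be flagged.
SAMPLE_LOG = """\
Aug 16 01:08:42 host sshd[2201]: Failed password for root from 203.0.113.9 port 40122 ssh2
Aug 16 01:08:43 host sshd[2202]: Failed password for root from 203.0.113.9 port 40123 ssh2
Aug 16 01:08:44 host sshd[2203]: Failed password for root from 203.0.113.9 port 40124 ssh2
Aug 16 01:08:45 host sshd[2204]: Failed password for root from 203.0.113.9 port 40125 ssh2
Aug 16 01:08:46 host sshd[2205]: Failed password for root from 203.0.113.9 port 40126 ssh2
Aug 16 01:08:47 host sshd[2206]: Accepted password for root from 203.0.113.9 port 40127 ssh2
Aug 16 01:20:01 host sshd[2300]: Failed password for alice from 198.51.100.4 port 5000 ssh2
Aug 16 01:20:09 host sshd[2301]: Accepted publickey for alice from 198.51.100.4 port 5001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse(log_text, year=2006):
    """Turn matching sshd lines into (timestamp, result, user, source ip) tuples."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"], m["user"], m["ip"]))
    return events


def find_root_guessing(events, threshold=5, window_s=60):
    """Return (burst_ips, compromised_ips): sources with at least `threshold` failed
    root logins inside `window_s` seconds, and those that then logged in as root."""
    failures = defaultdict(list)          # ip -> recent failure timestamps
    bursts, compromised = set(), set()
    for ts, result, user, ip in events:
        if user != "root":
            continue                      # only root guessing is in scope here
        if result == "Failed":
            failures[ip].append(ts)
            failures[ip] = [t for t in failures[ip] if (ts - t).total_seconds() <= window_s]
            if len(failures[ip]) >= threshold:
                bursts.add(ip)
        elif ip in bursts:
            compromised.add(ip)           # success after a burst: treat as a break-in
    return sorted(bursts), sorted(compromised)
```

Disabling password logins for root in sshd (`PermitRootLogin no`) removes the whole class of event this looks for, which is the better fix than alerting on it.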

I disagree with this. I only got results about half the time on my test below. 500ms is not "quickly", especially when dealing with the numbers spamcop is pushing through. I agree there COULD be another process that waits a longer time or retries for those so inclined, but I don't think there are enough people complaining about this to be worth the time.

Apologies for the delayed response (I've been offline for a while) and thanks for the analysis. If this is a simple timing issue then it should be easy to address but it does seem that SpamCop is making things harder for itself by not caching previously successful results.

Once again, spamvertized websites is NOT SpamCop's primary focus.

Websites do need to be a focus (since it is only by shutting them down that spamming is ever likely to stop), even if not the primary one. Though this could really be a topic for another thread, spam reports could be used to build a domain (or even ISP) based blocklist though there are others out there doing this.

I have a huge amount of information I've been compiling on the My Canadian Pharmacy umbrella of websites if anyone is interested:

Thanks for the information - lots of good detective work there. This makes it more important for the server owners to be contacted (though someone careless enough to use a weak password isn't likely to be too bothered about the consequences).

Though this could really be a topic for another thread, spam reports could be used to build a domain (or even ISP) based blocklist though there are others out there doing this.

I'll beat Wazoo to the punch: :)

There are a number of other threads dealing with the web site resolving, reporting priority, etc., issues. But, here's the main FAQ link where most opinions have been summarized: FAQ: SpamCop reporting of spamvertized sites - some philosophy

Also, there is a SURBL, which I believe does pull from the SC reported lists: SURBL.org website

I'll beat Wazoo to the punch: :)

Now now - no need to spoil his fun. :)

There are a number of other threads dealing with the web site resolving....

Also, there is a SURBL, which I believe does pull from the SC reported lists...

The sc.surbl.org Data page seems the most relevant as it mentions the data pulled in from SpamCop's Spamvertised Sites page. However since this page only lists sites with a known abuse address, it would also seem that domains "evading" resolution by SpamCop would also avoid the sc.surbl.

However since this page only lists sites with a known abuse address, it would also seem that domains "evading" resolution by SpamCop would also avoid the sc.surbl.

And that would be a flaw in that system. They are using what SpamCop provides for reference and using it to determine listing. Many things could go wrong with that system. Most importantly, SpamCop could decide to stop publishing that information.

I will make the same offer to you that I have made to others, provide a service that focuses on reporting spamvertized web sites and I will use it. I'm sure many others here would use it. I even think you might get spamcop to off load those requests onto your service. Spamcop's resources are devoted to finding and listing the source of the spam.


  • 3 months later...

Since there is now a new wave of this spam (plus the related operation "LegalRX"), now would seem a good time to point out that a retaliator is available which can place fake orders (including a CC number that passes the site's verification). This is effective enough that the spamgang behind these sites soon block IP addresses (use Tor to get around this), so enough people using it should encourage them to stop spamming altogether.

This retaliator requires the Firefox browser with the Greasemonkey extension (with NoScript and User Agent Switcher extensions strongly recommended). See the Pharma KS FormFiller thread for more details and download location.


Since there is now a new wave of this spam (plus the related operation "LegalRX"), now would seem a good time to point out that a retaliator is available which can place fake orders (including a CC number that passes the site's verification). This is effective enough that the spamgang behind these sites soon block IP addresses (use Tor to get around this), so enough people using it should encourage them to stop spamming altogether.

And this has nothing to do with the SpamCop.net Parsing & Reporting system. There are dozens of existing Topics/Discussions on various retaliation tools, modes, functions, etc. in the Lounge area.

Since there is now a new wave of this spam (plus the related operation "LegalRX"), now would seem a good time to point out that a retaliator is available which can place fake orders (including a CC number that passes the site's verification). This is effective enough that the spamgang behind these sites soon block IP addresses (use Tor to get around this), so enough people using it should encourage them to stop spamming altogether.

This retaliator requires the Firefox browser with the Greasemonkey extension (with NoScript and User Agent Switcher extensions strongly recommended). See the Pharma KS FormFiller thread for more details and download location.

That just seems like a potentially bad idea and might even be construed as CC fraud. I'm not a lawyer, so I don't know anything about it, but although I realize the concept is to stop a rogue company, this just seems like a bad way of going about it. You would be putting yourself at something that is risky legally and even technically if you were to get a website wrong. I think reporting it to the FTC/FDA is the best idea for end users, and SpamCop obviously allows for reporting to ISPs and the correct abuse depts.


From what I've seen, the sites that MCP and USRX are using require specific referral/key codes to access the specific page. When one drops off those codes, you'll often get a blank page or a 'cannot be found' error.

They do a lot of HTML trickery, to ensure that the entire link isn't picked up in the reporting process, too.. that is most likely why the parsers aren't catching the links.

That just seems like a potentially bad idea...

Rather than continue this debate here, I would simply suggest people review the Wilders New spam Retaliation Tool which discusses the ethics/morality/legality of this.

As for the parsing, I'm not too sure about the need for the referrer codes since entering the domain on its own without them always works. It could be that it is resolving (deliberately) too slowly for SpamCop or that they are able to identify SpamCop domain lookups by other means.

Rather than continue this debate here, I would simply suggest people review the Wilders New spam Retaliation Tool which discusses the ethics/morality/legality of this.
And for those who prefer not to revert to "symmetrical justice" and the whole retaliation/revenge thing, a reminder that spamislame has offered considerable other resources, earlier in this topic (though the mytempdir URL has expired, no doubt he can be contacted through Wilders).

Archived

This topic is now archived and is closed to further replies.
