This is a fairly specific request for advice about a particular spam setup, not really spamcop itself, so I figured the lounge section was best - if there is somewhere more suitable for asking advice on specific spams please accept my apologies & can a mod move it if neccessary?

Been receiving many spams advertising 'premier pharmacy'. EditSorry - that's wrong. It's Pharmacy Express./edit The actual networks used to send the spam seem to be many, various and ever-changing. So I decided to try going after the spamvertised site itself. The domains change constantly but the IP seems much more 'stable' whilst the content is always identical.

I used spamcop to identify 'risinglordames.com' as being hosted by hichina.com / chinatietong.com. Previous domains used by the same spammer include:

ascendingmorsab.com
wicipasse.com
otecoureis.com
baicoscu.com
ploretocea.com
edeavilat.com and many many more

Currently they seem to be on www.degreisapo.com at the usual IP of 61.233.42.4

Eh up, we're onto www.vanteweks.com now, in the space of 5 minutes; IP... 61.233.42.4; same site content.

Spamcop reports all these as being hosted by hichina.com

After reporting several hundred spams via spamcop with no let up in the frequency, I began reporting them directly to abuse[at]hichina.com. I eventually received a reply from a personage at hichina, but they said the site had nothing to do with them:


In the past I've found a combination of spamcop & manual reporting to be very effective at stopping spam, but this particular online pharmacy spam seems to be exceptionally good at persisting. I know I could just filter the spam I get for this site & it's many variants (about 300 spams per day) but they bug me & if I can report them to the correct place that would be very satisfying. If, that is, the 'correct place' actually recognises the problem in the first place..

They send a subject line always of the format 'drug name in capitals, interspersed with a few random lower case letters', 'space', followed by 'new' or 'news':

http://img96.imageshack.us/img96/883/ffffff4yv.jpg

I've tried doing a network lookup independent of spamcop on a couple of these domains & they seem to confirm hichina / chinatietong / china railway as the host, contrary to the email I recieved. Either that or else what they're trying to say is, they don't see hosting a spam site as a problem so long as they're not actually carrying the mail itself.. I'm kinda confused here. (Maybe belinn's post is of relevance to this situation?) I know vaguely how to work a few IP tools but I'm no network expert. Maybe neither hichina.com nor chinatietong.com really have anything to do with it at all & it's some kinda case of forged headers?

Here is an example of spamcop's analysis (an expanded excerpt of the part where it investigates a spamvertised web address).. one of hundreds all ultimately reaching the same conclusion as to the origin of the sites' hosting:


Any advice welcome thanks

At the mo I've given up on these lot & am just filtering it all into the bin.

Strange. It's been rock solid for donkeys' ages, as soon as I post here about it, 61.233.42.4 and all the domains that were pointing at it go down within minutes

Does the god of the Internet read this forum?

I'm not complaining, hope it stays that way

...This looks like the right forum to me! <g>
...Don't hurt yourself -- many Chinese sites (especially including chinatietong) are a lost cause -- either they are quite happy to host spammers or they are woefully incompetent. You're better off directing your attempts to stop spam elsewhere.

Cheers turetzsr.. fair enough. The domain that's getting spammed so heavily is one that was handled by a very inexperienced webmaster several years ago. The idiot was posting email addresses out in the clear all over the shop on the site, & signing up for all manner of dodgy 'submit your site to ten million search engines, just give us your email' setups. Of course the addresses leaked out all over the place..

Guilty as charged, that was me. Learnt a bit since then, but the spam kept coming! Hard to explain to the site owner why 'these people' think he needs so much viagra

Anyway thanks to spamcop I managed to get 99% of it to stop. When others finally stop though, Pharmacy Express seems to be like the proverbial Duracell Bunny.. they just keep going & going!

For some odd reason they're still quiet. Nothing for the last half day now. Maybe it's some kind of holiday in China at the mo.

Hope they stay away from you but yes - most/all self-styled "democratic/people's republics" (plus Queensland which is fairly similar) have a "May Day", including China. http://www.earthcalendar.net/index.php
Dunno how good that is - doesn't show Ned Kelly's Birthday

Know not why, but several tries tody to hit the spamhaus site .... every time I got a video blow-up, needing a re-boot .. then a bunch of clean-up ... finally managed to get there on another system ... take a look at http://www.spamhaus.org/sbl/sbl.lasso?query=SBL41070 which then leads to http://www.spamhaus.org/rokso/listing.lass...ev%20/%20BadCow .... explanation enough on the "why" part of your original query? <g>

Of course, thene there are articles out there that talk about these bad boys being "shut down" a while back .... http://www.lindqvist.com/spam/index.php?ID=2020 .... oh well ....

Thanks guys, nice to know the enemy. Cheers for your responses. That guy looks like butter wouldn't melt

They're back again, I thought the silence was too good to be true.

Currently www.ustalovetalon.com on our old friend 61.233.42.4

Oh well.. guess I'll just keep on reporting. Or filtering. Depending upon how riled or resigned I feel at any given point

You may be upsetting some corporate types http://www.energizer.com/bunny/ But we do get your point.

I know this is an old thread, but it looks like they just hit me with their spam. I'm getting the same spam with same subject line as you did. 5-6 random characters then VIAGRA. When you go to this website it says "Pharmacy Express".

The spamadvertised link is...
http://www.wukeliapotus.com

Here is the WHOIS information...

hi from Germany,
have found this on the order and contact page:

<scri_pt>
function stati(){

var a = "http://stat2.f"; b = "google.com"; a1 = "om/img.php"; c = "news"; a2 = "etroz.c";
var url = a + a2 + a1;
document.getElementById("stat").src = url;

}
</scri_pt>

ht tp://sta t2.fet roz. com/img. php[/url]

Domain Name : fetroz.com

::Registrant::
Name : Fetroz
Email : **********@yahoo.com
Address : av 234
Zipcode : 90210
Nation : US
Tel : 14564634233
Fax :

::Administrative Contact::
Name : Fetroz
Email : **********@yahoo.com
Address : av 234
Zipcode : 90210
Nation : US
Tel : 14564634233
Fax :

::Technical Contact::
Name : Fetroz
Email : **********@yahoo.com
Address : av 234
Zipcode : 90210
Nation : US
Tel : 14564634233
Fax :

::Name Servers::
ns2.easydns.com
remote1.easydns.com
ns6.easydns.net
ns3.easydns.org
remote2.easydns.com

::Dates & Status::
Created Date 2006-04-25 07:10:41 EDT
Updated Date 2006-04-25 07:10:41 EDT
Valid Date 2007-04-25 07:10:41 EDT
Status ACTIVE

Moderator Edit: no need to advertise the crap link, so URL broken here ....

"Name : Fetroz...

Zipcode : 90210"


Riiiight.... It could happen!!!