
Increase in "All products for your health" pharma spam


epinniger

Since yesterday I have been bombarded with dozens of identical pharmacy spams, all from different addresses (presumably forged return addresses) but with identical message bodies.

I have reported some of them to SpamCop, and the URL reported is different for each e-mail; presumably they are all zombies.

Today (so far) I've received almost 40 of these spams, yesterday it was about 35 in total.

The message body starts with the following paragraph:

All products for your health

Tortured with health problems? You're one click away from healthy life!

An amazing variety of licensed meds at one big store! Click the link and make your first step to constant relief!

followed by a long list of drugs - though the usual suspects (V1AGRA, C1AL1S etc.) are misspelt, most of them are not.

Anyone else getting these? With their identical message bodies and long list of extremely spammy words (including most of the drug names) these spams don't seem to make much attempt to avoid filters.

EDIT: Just got another 10+ of these spams. I've tried filtering in MailWasher, searching for the string "with health problems" in the message body, but it doesn't appear to work.

Before yesterday I rarely received more than 25-30 spams per day in total, let alone from the same spammer.


This is a list of URLS ("broken" to avoid boosting their Google rating) spamvertised by these e-mails, in approximate order of frequency:

http:// lettersmate .com

http:// maxxtests .com

http:// cationyamer .com

http:// pbouvet .com

The images on some of these sites are hosted by http:// dionler .net

Whilst I've received hundreds of these spams so far, each one from a different IP (botnet?) there are only a handful of different URLS spamvertised by them. This is definitely the "weak link" - any way someone with more technical skill could find out which ISP is hosting these sites?


Whilst I've received hundreds of these spams so far, each one from a different IP (botnet?) there are only a handful of different URLS spamvertised by them. This is definitely the "weak link" - any way someone with more technical skill could find out which ISP is hosting these sites?

My spam has jumped by 200% to 300% in the past 3 days or so. I classify the spam into two main types, "high" junk and "new" spam. The filtering is done through SpamCop/Spamhaus/Bayesian etc. filters. The "new" spam doesn't get enough of a score (or no score). (I've also got keyword filters - after the high junk filter - so some "new" spam gets deleted before getting through.)

Most spam goes to two email accounts only (a very small amount to another account). In the past week or two these are the stats for spam:

High junk: 40 42 51 55 45 56 46 69 79 59 126 (today 107, with about 4 hours to go)

New spam: 27 22 17 11 21 33 20 28 22 8 20 (today 15, with about 4 hours to go)

The "new spam" hasn't changed significantly in numbers. The "high junk" has gone through the roof in the past couple of days. Most of it is multiple copies of the same sort of spam. No logic to the frequency of sending it out. Could be multiple spammers or an overenthusiastic spammer :(

I just went through today's 107 "high junk" spam and 57 out of 107 were of the type you've described, with the first line in the body text reading "All products for your health". So this would account for almost all of the increase in my spam.

I saw in another post that SpamCop said that there has been a 30% to 50% global increase in spam since a couple of days ago. Hope someone catches and stops the rat soon.

Edited by MrT

This is a list of URLS ("broken" to avoid boosting their Google rating) spamvertised by these e-mails, in approximate order of frequency:

http:// lettersmate .com

http:// maxxtests .com

http:// cationyamer .com

http:// pbouvet .com

The images on some of these sites are hosted by http:// dionler .net

Whilst I've received hundreds of these spams so far, each one from a different IP (botnet?) there are only a handful of different URLS spamvertised by them. This is definitely the "weak link" - any way someone with more technical skill could find out which ISP is hosting these sites?

Not me, I'm afraid. Just to note the four URLs seem - using www.dnsreport.com - to have a common set of (currently unresponsive) parent nameservers:

Your NS records at the parent servers are:

ns1.fantastish.info. [200.89.16.109 (NO GLUE)] [PE]

ns1.trashbream.com. [200.89.16.109] [TTL=172800] [PE]

ns2.concessiondog.info. [194.150.100.242 (NO GLUE)] [PL]

ns2.fastundslow.com. [218.184.154.186] [TTL=172800] [TW]

[These were obtained from l.gtld-servers.net]

The images site is hosted by yahoo.com as far as I can tell.

The whole internet is slow at the moment - pretty hard to do much of anything.

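The parent-nameserver listing quoted in the reply above can be reduced to the distinct IP addresses behind it, which are the addresses to look up in whois when asking which networks host the nameservers. This is an added example, not part of any poster's message; the input lines are copied from the post, and the function names are made up for illustration.

```python
import re
from collections import defaultdict

# Parent-NS lines copied from the dnsreport.com output quoted in the thread.
NS_REPORT = """\
ns1.fantastish.info. [200.89.16.109 (NO GLUE)] [PE]
ns1.trashbream.com. [200.89.16.109] [TTL=172800] [PE]
ns2.concessiondog.info. [194.150.100.242 (NO GLUE)] [PL]
ns2.fastundslow.com. [218.184.154.186] [TTL=172800] [TW]
"""

# Line shape: host. [ip (NO GLUE)?] [TTL=n]? [CC]
NS_LINE = re.compile(
    r"^(?P<host>\S+?)\.?\s+\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
    r"(?P<noglue>\s+\(NO GLUE\))?\]"
    r"(?:\s+\[TTL=(?P<ttl>\d+)\])?\s+\[(?P<cc>[A-Z]{2})\]$")


def parse_ns_report(text):
    """Parse each listing line into a dict; lines in another shape are skipped."""
    records = []
    for line in text.splitlines():
        m = NS_LINE.match(line.strip())
        if m:
            records.append({
                "host": m["host"].lower(),
                "ip": m["ip"],
                "glue": m["noglue"] is None,  # False where the report says NO GLUE
                "ttl": int(m["ttl"]) if m["ttl"] else None,
                "cc": m["cc"],
            })
    return records


def hosting_points(records):
    """Collapse nameserver names to distinct IPs: one whois lookup per entry."""
    by_ip = defaultdict(lambda: {"cc": None, "hosts": []})
    for r in records:
        by_ip[r["ip"]]["cc"] = r["cc"]
        by_ip[r["ip"]]["hosts"].append(r["host"])
    return dict(by_ip)


def shared_ips(records):
    """IPs answering for more than one nameserver name (same box, several names)."""
    return {ip: v["hosts"] for ip, v in hosting_points(records).items()
            if len(v["hosts"]) > 1}


if __name__ == "__main__":
    recs = parse_ns_report(NS_REPORT)
    for ip, info in sorted(hosting_points(recs).items()):
        print(ip, info["cc"], ", ".join(info["hosts"]))
    print("shared:", shared_ips(recs))
```

Run on the quoted listing, the four nameserver names collapse to three addresses, and the two `ns1` names resolve to the same one.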

The flood of these spams seems to have finally stopped; either they were shut down or they've just finished the spam run (the spamvertised sites are still up). They've been replaced with "pump & dump" stock spam with subject titles like Stocks.com, Investment.com, Quotes.com etc., but I only get 5-10 or so of these a day.

I've also received a lot of "OEM" pirate software spam lately (over several weeks) which all link to "http:// oemkon .com" - Is there anywhere where you can report spamvertised URLs?

Edited by epinniger

<snip>

I've also received a lot of "OEM" pirate software spam lately (over several weeks) which all link to "http:// oemkon .com" - Is there anywhere where you can report spamvertised URLs?

...Sure! See SpamCop glossary entry "Manual Report;" the link labeled "spam Reporting Addresses" will take you to a web page that includes various software vendor and industry association contacts (listed under "Software piracy").