Jump to content

"Canadian Pharmacy", new domain each spam


brycenesbitt
 Share

Recommended Posts

The "Canadian Pharmacy" people are really managing to get a huge volume of spam through all filters.

With this round, they come from all sorts of hosts, they have all sorts of subjects, and a new URL each spam. What's common is a short non-spammy subject line, and a short non-spammy body that usually says little more than "click here". They all go to the same 'Canadian Pharmacy", a relatively professional looking viagra type website. They even offer a "report spam" feature on the website.

Who are these guys?

Here's an example, with .COM changed to .XXX:

Received: from source ([72.141.208.224]) by exprod8mx231.postini.com ([64.18.7.13]) with SMTP;
	Thu, 18 Dec 2008 15:18:23 PST
Subject: Give your rocket best fuel
Date: Thu, 18 Dec 2008 15:18:22 -0800 (PST)

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=iso-8859-2">
</HEAD>
<BODY><table>
<tr><td><a href="http://fairprogress.XXX/">
<img src="http://fairprogress.XXX/braba7.gif" border="0" alt="Click now!"></a>
</td></tr></table></BODY></HTML>

Link to comment
Share on other sites

Who are these guys?
Not sure what sort of answer you are looking for (names & home addresses?), but this is a pretty old and popular spam racket. Here are some links for background reading.

-- rick

Link to comment
Share on other sites

Not sure what sort of answer you are looking for (names & home addresses?), but this is a pretty old and popular spam racket.

And if you had left a few more of the headers (or read them yourself) you could see why they are getting through your postini filters. They are difinitely not getting through Postini to my company when the filters are enabled. I personally have Postini filters turned off so I receive some spam to report :) but every spam message that gets through generally means a ticket in our helpdesk, and I have not had many of late.

Link to comment
Share on other sites

...Who are these guys?...
Rick's response includes links dealing with hosting and ownership, Steven's deals with the question of blocking them (should you want to). I would also point to the RobTex analysis - http://www.robtex.com/dns/fairprogress.com.html - which points to the hosting and nameservice for that particular domain via the "domain" tab (which would be consistent with the abuse address SC would propose and perhaps different to those servers formerly used by this outfit (they move around) and blacklists via the "blacklists" tab.
Link to comment
Share on other sites

I've been receiving about 10-20 of these SPAMs everyday for the past week or so.

Not sure how I can filter them as I have a shared hosting account with CPANEL and they keep slipping through since the from-email address is always my own and the email subject and domain in the body keep changing.

Link to comment
Share on other sites

<snip> SPAMs <snip>.
..."S P A M" is a trademark of Hormel Corporation, so please do not use it here to refer to unsolicited e-mail (spam). Please see "spam and the Internet," especially the third paragraph. Thanks for complying with Hormel's polite request! :) <g>
Not sure how I can filter them as I have a shared hosting account with CPANEL and they keep slipping through since the from-email address is always my own
...Do you have your own e-mail address whitelisted? If so, remove it from the whitelist.
and the email subject and domain in the body keep changing.
...Does your e-mail client software allow you to filter on Internet Header? If so, you can filter partial IP addresses. Also see SpamCop FAQ (link near top left of page) item labeled "How do I configure my mailserver to reject mail based on the blocklist?"
Link to comment
Share on other sites

  • 1 month later...

10-15 per day of this crap, for months! These guys are the most successful spammers I've ever had hit me.

http://www.spamcop.net/sc?id=z2562230027zb...95df233d84e6b4z

[edit] spam replaced by tracking url - no point in giving their 'message' extra coverage via search engine pickup from these pages, now is there?

Edited by Farelf
Link to comment
Share on other sites

... 10-15 per day of this crap, for months! These guys are the most successful spammers I've ever had hit me. ...
Yep, looks like the same bunch. The IP address is on cbl.abuseat.org and pbl.spamhaus.org blocklists, the spamvertized site is on multi.uribl.com and black.uribl.com if that helps for filtering at all. The sender is doing a fair job of 'snowshoeing' to make SCBL listing difficult - Romtelecom (or the botnet using it) has 160 addresses that SenderBase can see and looks to be rotating through all of them to keep the hits per address down.

Interesting that http://cbl.abuseat.org/lookup.cgi?ip=89.123.215.90 says "At the time of detection, this IP was infected with, or NATting for a computer infected with a high volume spam sending trojan - it is participating or facilitating a botnet sending spam or spreading virus/spam trojans. ... This is identified as the Ozdok/Mega-D spambot" which might imply the Romtelecom owners aren't entirely willing participants in all of this? Not that it makes any difference to you or I.

Yes, Canadian Pharmacy are 'successful', may their members be consumed by galloping knob-rot and let's see how their fake pharms cope with that.

Link to comment
Share on other sites

  • 2 years later...

Hi, Loaded4th,

... As far as I know, SpamCop doesn't deal in domains, it deals only in IP addresses. If I understand correctly, it uses mostly public records to identify the abuse address of those IP addresses. Did you have a specific question about domains with respect to spam?

Link to comment
Share on other sites

... As far as I know, SpamCop doesn't deal in domains, it deals only in IP addresses. If I understand correctly, it uses mostly public records to identify the abuse address of those IP addresses. Did you have a specific question about domains with respect to spam?

Only that with the Canadian Pharmacy spams, the domains change so fast, that SpamCop does not recognize them, yet http://cqcounter.com/whois/ does. I guess the hosting service will be linked to an IP, but these change as rapidly.

Link to comment
Share on other sites

Only that with the Canadian Pharmacy spams, the domains change so fast, that SpamCop does not recognize them

<snip>

...Oh, are you referring to spamvertized links? That isn't really a SpamCop priority; SpamCop is mostly concerned with sources of spam and it deals with those on an IP basis, not based on domain.
Link to comment
Share on other sites

The BLs specialising in URIs can't keep up either. Not surprising with SURBL which takes some/a little of its feed from SC reporting and, as said, those URIs are not a SC priority. But even URIBL will struggle (and that one allows direct listing requests by its registered users).

"Spamvertized" sites not a SC priority? No, the most SC does is send a courtesy report to the abuse address of the host and extending anything less than a sharp stick in the direction of "Canadian Pharmacy" hosts is at best futile and at worst counter-productive. See http://spamtrackers.eu/wiki/index.php/Yambo_Financials Dealing with dodgy domains is a specialised job and even the low-key SC approach is possibly more trouble than it is worth, considering the potential for harm to innocent bystanders (and the sundry other tricks spammers use to protect their revenue potential).

In many circumstances and in the longer-term, spamvertized sites are less volatile than the spammail sending sources - hence the general value of the SURBL and URIBL lists for blocking purposes. Many countries (even China now) have banned "robotic" domain registration and some actually try to enforce that - so every now and then the brakes come on for that particular enterprise. Now if only botnet hosting can be kept in check ... The world of spamdom is not static - must be a bit like juggling running chainsaws and meat cleavers in the air for the anti-spam professionals - but some familiar patterns come and go and come back again.

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

×
×
  • Create New...