Spooky spam

I've been getting huge quantities of almost identical pharmacy spams from numerous servers (Verizon, telefonica.es, home.nl, pppool.de... clearly a botnet at work, again) over the last couple of days.

The text of every one of them seems to be:

We want to present you a pharmacy bulletin dedicated to Christmas holidays!!!

We have researched different on-line pharmacy stores, which are based in United States and
sell men's health drugs such as Viagra, Cialis, Levitra, Propecia etc.

They get "excellent" rating grade and we strongly advise to use their service.

Viagra Professional - ($3.25 with Christmas discount)
Viagra Soft Tabs - ($3.28 with Christmas discount)
Cialis Soft Tabs - ($4.62 with Christmas discount)
Cialis - ($4.53 with Christmas discount)
Levitra - ($9.576 with Christmas discount)

Also we have such winners:

1. "Best Canadian on-line pharmacy store".
2. "Excellent" rating grade - "MyCanadianPharmacy" store.
3. "Best International on-line pharmacy store".
4. "Excellent" rating grade - "LegalRxMedications" store.

Sincerely yours,
American Consumer Association

So far, so unremarkable.

But every single one of these spams (well, all five that I just randomly checked) seems to be promoting a different URL for the exact same pharmacy.

There's ieeppt.rudver.net, ctbmgh.puriol.com, chfrmu.sviolnet.net, bfkang.histrayd.net and chnclm.aulferi.info in the five I checked, all of them tagged with affiliate-ish stuff like "http://ctbmgh.puriol.com/?88255812&men". They all currently lead to, I presume, the same physical server. But every one of them gets an "IP not found" error from SpamCop, so it discards them as fake URLs and doesn't even try to find who's responsible for them.

The plain non-subdomained versions of the URLs (www.rudver.net, www.puriol.com...) give you the same pharmacy site. SpamCop can't find an IP for them, either.
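An added example, not part of the original post: one way to group a run like this into a single campaign and pull out the parent domains to report, by fingerprinting each body with its URLs masked. The sample bodies are constructed from the text and hostnames quoted above; reusing the one quoted affiliate tag for all five hosts, and the function names, are assumptions made for illustration.

```python
import hashlib
import re
from collections import defaultdict
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.IGNORECASE)

def registered_domain(host):
    # Naive "last two labels" rule; enough for the .net/.com/.info hosts in
    # the post. A real tool should consult the Public Suffix List.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def fingerprint(body):
    # Hash the body with every URL masked and whitespace collapsed, so the
    # rotating links do not split one campaign into many.
    text = URL_RE.sub("<URL>", body)
    text = re.sub(r"\s+", " ", text).strip().lower()
    return hashlib.sha256(text.encode("utf-8")).hexdigest()

def cluster(messages):
    # fingerprint -> message count, full hostnames and parent domains seen
    campaigns = defaultdict(lambda: {"count": 0, "hosts": set(), "domains": set()})
    for body in messages:
        entry = campaigns[fingerprint(body)]
        entry["count"] += 1
        for url in URL_RE.findall(body):
            host = urlsplit(url).hostname
            if host:
                entry["hosts"].add(host)
                entry["domains"].add(registered_domain(host))
    return dict(campaigns)

# Constructed sample: hostnames come from the post; the shared affiliate tag
# and the shortened body are assumptions for the demo.
HOSTS = ["ieeppt.rudver.net", "ctbmgh.puriol.com", "chfrmu.sviolnet.net",
         "bfkang.histrayd.net", "chnclm.aulferi.info"]
BODY = ("We want to present you a pharmacy bulletin dedicated to Christmas "
        "holidays!!!\nhttp://{host}/?88255812&men\n"
        "Sincerely yours,\nAmerican Consumer Association")
SAMPLE = [BODY.format(host=h) for h in HOSTS]
SAMPLE.append("Constructed unrelated mail: agenda at http://intranet.example/cal")

if __name__ == "__main__":
    for fp, entry in cluster(SAMPLE).items():
        print(fp[:12], entry["count"], sorted(entry["domains"]))
```

The five spam bodies collapse to one fingerprint with five distinct parent domains, which is the list a registrar abuse report needs even when a reporting tool cannot resolve the hostnames.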

The domains all seem to be registered at Gandi.net, which seems to be a perfectly valid registrar that's presumably about to suspend them all. I hope Gandi didn't get paid with stolen credit cards.

I don't know what's going on with the un-look-uppable domains, though. This is a disturbing sign of competence from the botnet spammers, although they have once again hindered their message by repeating it far too many times.

Anyone got a clue about this?


3 Responses to “Spooky spam”

  1. Dan Todd Says:

    I have no idea why SpamCop can't find these servers, but I just ran a dig on http://www.rudver.net ( and http://www.puriol.net ( I'm not an expert in reading the results of Dig, so I really couldn't comment. The subdomains appear to have the same IP as the 'www'.

    Hope it helps a little...

  2. mspencer Says:

    I've noticed this for the past few months.

    Sometimes if you cancel the spam report and then submit the same spam again, the names will resolve correctly. Try that.

    This other suggestion is strictly against SpamCop's rules: do your own nslookup on that hostname, then cancel the spam report and submit the spam again with the goofy hostname replaced with the IP address you found.

    It seems to me SpamCop could avoid this problem by doing multiple nameserver lookups against different public ISPs' nameservers -- but he may need an explicit agreement with the owners of those nameservers before he can do that.

  3. StrikeBack Says:

    This has been discussed at the SpamCop Forums and is due to a slow nameserver. Also note that these sites are normally hosted on hijacked Linux machines (via a dictionary attack on poorly chosen root passwords - images are hosted on a separate hijacked machine and the nameserver on a third).

    There is however an extension for Firefox that allows people to flood these sites with fake orders - see the Pharma KS FormFiller thread for more details.
