A Weblog About Topics and Issues Discussed in the Book Spam Kings by Brian McWilliams

� April 2005 | Main | June 2005 �

May 26, 2005

Order against "cheating wives" spammers

< from Senderbase) are already well aware of the issue.

For a variety of business (and perhaps philosophical) reasons, these ISPs aren't being real aggressive about dealing with zombies on their networks. Getting a letter from the FTC isn't going to change their priorities.

If the Feds want to help make some headway, they need to shine the spotlight on the biggest offenders. A little public humiliation has a way of getting corporations motivated.

How about "Zombie Hall of Shame" list at FTC.gov?

So far, none of the media coverage of this campaign has even mentioned the names of the biggest offenders.

Posted by Brian at 7:28 PM

Master of his domains

leo from his webcamA press release Monday from the Massachusetts Attorney General suggests the recent legal action against Russian spammer Leo Kuvayev is producing results.

The AG claims more than 250 domains belonging to the "Internet Spam Gang" have been shut down. (I don't know why the AG's office calls them that; Kuvayev's operation is known as the Russian Spam Gang or RSG for short.)

But other evidence suggests the Russian Spam Gang is still quite alive, if not well.

Darren Brothers, the anti-spammer who created the controversial Spam Vampire, has found a site selling blackmarket software that's a carbon copy of one of Kuvayev's sites -- and it's even located at an IP address associated with the RSG. (There are 48 live domains at that IP, all offering cracked software or "super Viagra.")

A while back, Brothers compiled a list of 1,054 RSG domains. Most of them are throw-away domains with names like JBLDJHC.INFO. For whatever reason, most on the list currently appear to be offline.

Shutting down a spammer's domains definitely inconveniences the operation. But it's all just a cost of doing business for hard core spammers like Kuvayev and the RSG.

Posted by Brian at 1:34 PM

May 20, 2005

One billion spams

Chris SmithWhile Christopher Smith is dealing with charges of drug fraud in Minnesota, he's also facing a big lawsuit from America Online.

AOL's suit, filed March 29 in a Virginia federal court, alleges that Smith and his company Advistech sent more than 1,130,000,000 (1.13 billion) spams to AOL members over a six-month period at the start of 2003.

The 211-page complaint also provides some interesting details on a nasty spammer tactic: hijacking Internet Protocol netblocks assigned to others. AOL claims that in early 2003, Smith hijacked eight "/16" netblocks (each with 65,536 IP addresses) by tricking ARIN, the non-profit that allocates Internet resources.

AOL says Smith then used the network addresses to send more than a billion spams for drugs, cable descramblers, penis pills, and college diplomas from January through July 2003.

Smith and his associates are also suspected of hijacking dozens of other netblocks for spamming purposes.

AOL is suing for $1.7 million in statutory damages under Virginia's computer crime law, as well as compensatory, punitive, and other damages to be determined at trial. Smith's Advistech is incorporated in Costa Rica.

[Update: The Minneapolis StarTribune has two articles about the crackdown on Smith (free registration required):

Burnsville online pharmacy assets seized

Owner was known as Rizler, the spammer]

Posted by Brian at 3:34 PM | Comments (3)

May 19, 2005

Update on US vs Chris "Rizler" Smith

U.S. prosecutors are expected to seek a preliminary injunction Friday against Christopher William Smith and other defendants in the Minnesota Internet drug bust.

The government claims that Smith made over $20 million selling drugs at a collection of web sites, including www.xpress-rx.com; rxorderfill.com; supremeproductsltd.com; yourrxnetwork.com; digihealthcorp.com; digihealthcorp.net; 4receiverx.com; receiverx.com; licensedrx.com; mypillrefills.com; samedaypayday.com; and netmeds.com.

Although he allegedly built the business from spam-related profits, it doesn't appear that Smith actually sent spam to advertise the pharmacy sites. Witnesses told investigators that he bought ads in magazines and had sales reps field calls at the Burnsville, MN offices of Online Payment Solutions.

Most of the drugs were sold at higher-than-market prices, a surefire indication the sales were fraudulent, according to the feds.

A doctor in New Jersey, Philip Mach, allegedly was paid $7 for every prescription he wrote on behalf of Smith's operation. The FBI said Mach wrote over 20,000 prescriptions, most of which were filled by a pharmacy in California and one in Oregon. (Mach isn't named in the lawsuit, but he's apparently facing separate criminal charges in New Jersey.)

Investigators estimate that Smith's pharmacy business was grossing around $2 million per month before it was shut down last week.

The preliminary injunction would prevent Smith from unloading some $18 million in assets, which include several bank accounts, two houses, and a collection of vehicles. (2006 Mercedes Benz S65, 2001 BMW M5 Sedan, 2001 Ferrari, 2003 Chevrolet Tahoe, 2005 Mercedes Benz C55A, 2001 Hummer H1, 2004 Mercedes Maybach, 2005 Jeep Wrangler, etc.)

While the U.S. action in Minnesota is over alleged fraud, turns out Smith and his company AdvisTech SA are also facing a $1.7M spamming lawsuit filed under CAN-SPAM by America Online in late March 2005.

Posted by Brian at 4:27 PM | Comments (33)

May 18, 2005

Another drug spammer raided

vicodinChristopher William Smith, a longtime spam king based in Minnesota, has been busted by the U.S. government.

Federal agents raided the suburban-Minneapolis offices of one of Smith's companies, Online Payment Systems, on May 10. The Burnsville office had nearly 100 computers and an equal number of employees. It apparently was the administrative headquarters of Smith's online pharmacy, Xpress Pharmacy Direct, formerly located at xpress-rx.com.

An affidavit by a special agent with the Food and Drug Administration said agents left with "thousands of business records."

The agent described the case as a "multi-agency investigation involving a large-scale Internet-based operation that has been defrauding consumers and distributing prescription drugs, including controlled substances, without appropriate prescriptions in violation of a host of criminal statutes."

It's not clear whether Smith, who's 32, was in at the time of the raid. According to court records, he hasn't yet returned the summons and complaint.

The bust didn't get much media attention, aside from this item. But make no mistake; this is potentially another major spammer smackdown. Smith has been on the Spamhaus Rokso list for years, and xpress-rx.com was practically synonymous with illegal Vicodin sales.

The case has several other defendants, including Alton Scott Poe, Advanced Financial Svcs Inc., Ultimate Limousine, Same Day Pay Day, Vigrex DS LLC, Rizler, Advistech. Also named is Smith's father, Scott, and his company, Diaper Deck

Last month, the feds busted up another major online pharmacy operating out of India. I wouldn't want to be in the Rx spam business right about now.

Posted by Brian at 10:56 PM | Comments (5)

Spammer domains up for auction

A federal bankruptcy court in south Florida is in the process of selling off assets of a spam operation bankrupted by lawsuits.

Rockin Time Holdings (RTH) of Aventura, FL was sued by both Microsoft and Amazon.com in August 2003 and filed for bankruptcy the following December.

Next week, an assortment of over 150 domain names held by the company is on the auction block.

I can't imagine they'll get much for some of them. For example, ViagraPhysician.com will quickly be lost to domain arbitration. Maybe the "adult" domains will be worth more. (They're not listed, "due to their content.")

Sorry, but Ultrameds.com, the main domain formerly used by RTH, isn't among those up for auction. (It apparently changed hands shortly after the 2003 lawsuit.) Nor is MaxGirth.com among those listed.

According to the court docket for bankruptcy case 03-43455, besides the domains, other items were also listed on eBay, and some assets (real estate perhaps?) are being auctioned by Tranzon, LLC.

RTH was also was known as Docdrugs or Pinnacle Meds.

Posted by Brian at 11:30 AM

May 17, 2005


The various news reports on Sober-Q have fixated on the propagandistic, neo-Nazi messages it generates . But I think there's a funny aspect of the worm that's escaped the media's attention -- maybe because it's too much of an inside joke.

Both Kaspersky and Sophos (and maybe other anti-virus firms) have noted that Sober-Q places a small text file, spammer.readme.txt, on the hard drive of infected hosts. It contains the following text:

http://i-newswire.com/pr19707.html http://www.ebcvg.com/press.php?id=965
Ich bin immer noch kein Spammer! Aber sollte vielleicht einer werden :)
In diesem Sinne

The two hyperlinks are to separate copies of a May 2005 press release from FrontBridge Technologies, a California e-mail management firm. The FrontBrige PR warned that computers infected by a precursor, Sober-S, were "being transformed into spambots."

The stuff in German, apparently from the worm's author, translates to, "I am still not a spammer! But perhaps I should become one. In this sense."

I'm not quite sure how to interpret the file's contents. It could be Sober-Q's author telling commercial spammers that his collection of infected PCs is not available for rent as spam proxies.

Then again, he could just be taking a swipe at FrontBridge for trying to create FUD (fear, uncertainty, and doubt). After all, I'm not aware of any evidence that computers infected with Sober-S (or any of the earlier variants of Sober) have been used as spam proxies. To my knowledge, the only "spam" (and I'm using the term loosely) that's emanated from them is the neo-Nazi stuff of the past few days.

Either way, Spammer.Readme.txt seems to fly in the face of all the worries that mercenary virus writers are collaborating with spammers and frenetically releasing worms designed to generate revenue as spam proxies.

Posted by Brian at 10:44 PM | Comments (2)

May 16, 2005

Acne spammers get AOL blacklisted

ideaproduct.jpgAn operation set up to spam a cure for acne has landed America Online on the Spamhaus Block List (SBL).

An IP address belonging to AOL ( was placed on the SBL over the weekend after it was discovered that the address had apparently been hijacked and was hosting coldbiz.com, a site run by a spamming operation called Idea Product.

Idea Product is currently running banner ads at the SpamForum.biz site recruiting spammers to send junk email touting Oratin, a dietary supplement containing glucomannan, an herbal compound also marketed as a laxative. A 30-day supply of Oratin sells for $49.95.

The ads direct visitors to a sign-up page at coldbiz.com, which claims Idea Product is "the official resellers of ORATIN." Affiliates are promised 50 to 65% commissions on any sales of Oratin they create.

It's not clear how the spammers hijacked AOL's IP, which is one of the ISP's dynamically assigned dial-up IP addresses.

Source code of the sign-up page showed it was actually hosted on the Yahoo Geocities service. (The site's image directory was still viewable here.)

The Oratin site claims Oratin Inc. is headquartered in New York. But the New York Secretary of State's site contains no listings for the company.

Oratin.com, which is hosted by theplanet.com, also landed on the SBL this weekend.

No answer this morning at Idea Product's tollfree phone number, which seems to be a mailbox at Ureach.com.

Posted by Brian at 10:57 AM | Comments (7)

May 11, 2005

Lawsuit against Russian Spam Gang

Leo KuvayevLeo Kuvayev isn't in Spam Kings. But check out this photo of Leo, apparently taken in 2001 while on a visit to Zurich. I can't think of a better way to portray the 32-year-old head of the so-called Russian Spam Gang.

If Massachusetts can make today's civil lawsuit stick, it will be a major takedown. But I'm not optimistic, since Leo is probably back in Russia, and I can't see Russian authorities cooperating in a civil prosecution.

Hard to believe that in the '90s Leo was a promising computer science grad student at the University of Massachusetts, where his focus was on artificial intelligence and machine learning. (His articles include "Intelligent Methods for File System Optimization" and "Learning to Play Hearts.")

Leo apparently became a US citizen in 2000 and was running some kind of online casino and Internet payment business out of Montreal. Last year, he launched a spam affiliate network called BadCow with a partner, Vladislav Khokholkov, who is also named in the lawsuit along with a handful of other people. The AP apparently reached Vlad by phone in Russia today, and he coyly said "I don't send e-mails."

BadCow's operators posted banner ads like this one seeking affiliates at the SpecialHam.com site (which currently seems to be offline, as is BadCow.biz). The affiliates sold everything from pills to porn and pirated software at an assortment of web sites.

Strangely, Leo wasn't especially secretive. He operated a detailed personal site (now offline, archived here), replete with photos like the ones above, and even a live webcam.

Kuvayev was sued by Massachusetts authorities because he used to run his operation out of Boston. He may even have relatives there still, but word is that Leo bolted to Russia not too long ago.

Leo was signed on to ICQ all day today, but he didn't respond to my interview request.

Posted by Brian at 10:50 PM | Comments (2)

FTC goes easy on broke spammers

fuelmax logoThe Federal Trade Commission gave a slap on the wrist yesterday to two spam firms that had been sending fraudulent junk emails for auto fuel boosters.

The FTC waived a $300,000 total judgment against Mark C. Ayoub (Diverse Marketing Group) and Floyd and Marcia Tassin (Net Marketing Group) -- apparently because the two companies' coffers were empty.

Last November, the FTC had sued both spam firms for sending fraudulent spams that touted "FuelMAX" and "Super FuelMAX"-- magnetic devices the defendants claimed would boost auto fuel efficiency by 27%.

The FTC said in a press release yesterday that it has settled the lawsuits. In a nutshell, the defendants are prohibited from sending fraudulent spam in the future. But they got off without having to pay the stipulated damages award.

"Based on financial information provided by the defendants, a $292,000 payment by Ayoub and his companies and a $9,000 payment by the Tassin defendants have been suspended. Should the agency find that the financial information was falsified, the full amounts will be immediately due," said the FTC.

Posted by Brian at 10:44 AM

May 10, 2005

More on the Telewest blacklisting

The mainstream media, led by the BBC, have taken interest in the Spews blacklisting of Telewest's Blueyonder broadband service.

Unfortunately, these reports universally fail to note that Blueyonder's mail servers are NOT among the nearly one million IP addresses on the Spews blacklist. As a result, there should be little practical impact on Blueyonder users' ability to send and receive email using the service.

In other words, the only collateral damage from this blockade is the negative PR for Telewest's zombie problem.

The IPs listed by Spews are assigned to client systems and would only be affected if the machines attempted to send out email through mailservers outside Blueyonder that were using the Spews blacklist. (Typical zombie behavior.)

If Blueyonder wanted to take control of the situation (and get itself off Spews), it could simply begin blocking outbound port 25.

We mentioned this fact in our own report on the issue last week. But it's a point worth repeating, since many people tend to get hysterical about blacklists and Spews in particular.

Posted by Brian at 10:18 AM | Comments (3)

May 9, 2005

Send-Safe is back under a new name

Revolution MailerAfter being booted around the Internet for weeks, the makers of the once popular Send-Safe spamware have apparently decided to turn over a new leaf.

No, Ruslan Ibragimov and his colleagues aren't getting out of the spam business. Quite the contrary. Since the name "Send-Safe" has recently earned so much bad publicity, Ruslan has simply decided to rebrand his product -- in apparent hopes of flying under the radar of anti-spammers.

The new incarnation of Send-Safe is now called Revolution Mailer. Version 2.20b (build 734) of the program was officially announced in spammer forums a few days ago. Copies of the rebranded software were available at RevolutionMailer.com and RevolutionMailer.info. (Both sites are currently hosted on the same server in China, at an IP address under the control of Levon Gillespie.)

I haven't tried sending any messages with the new program yet, but it hardly appears revolutionary. In fact, the rebranding of Send-Safe seems to have been a hasty affair. The program interface looks exactly like the latest version of Send-Safe, aside from the name in the title bar. Some of the files installed reveal their lineage: send-safe.dll, for example. The system tray icon also still displays the Send-Safe name.

After a big scare about the software was created a while back, Send-Safe repeatedly lost the hosting for its former web sites. But anti-spammers didn't stop there. Soon, they managed to get dozens of unsuspecting shareware site operators to purge their copies of Send-Safe.

My guess is that this Revolution will be similarly defeated.

Posted by Brian at 10:19 AM | Comments (5)

May 6, 2005

Phishers target GoDaddy.com

GoDaddy logoDomain registrar GoDaddy.com earned itself a lot of buzz with its captivating Super Bowl ad and its recent announcement that it has become the world's largest domain-name registrar.

But it now looks like GoDaddy's rise has also gained it the attention of phishing scammers.

According to a posting on the Nanae newsgroup, some clever scam artist recently registered the domain Gadoddy.com and has been using it in an attempt to trick people into giving up their GoDaddy.com account information.

The phishing spam claims the sender incorrectly transferred a domain into the email recipient's GoDaddy account, and asks the recipient to click a link in the message to log in at GoDaddy.com and to decline the transfer.

Of course, the link is actually to a copycat site at Gadoddy.com, and the scammer's goal is to snatch peoples' GoDaddy passwords and usersnames.

The fraudulent site is currently down. But we may not have seen the last of it -- or of scams designed to steal domains.

Posted by Brian at 2:47 PM

May 4, 2005

Blueyonder: "Spam ignorant"

by.jpgSometime last month, nearly a million Internet protocol (IP) addresses owned by the Blueyonder Internet service were added to the spam blacklist maintained by Spews.org.

Fifty six "/18" netblocks owned by Blueyonder, a service of UK broadband provider Telewest, are currently on the "Level 1" blacklist maintained by Spews. Do the CIDR math (56 * 16,384) and that's one heck of a lot (917,504) of IP addresses.

In its characteristically laconic fashion, Spews explained the Blueyonder (BY) embargo this way: "Spam ignorant. Poorly run broadband network company when it comes to dealing with abuse."

What seems to be the problem here is a large concentration of spam zombies among BY's broadband customer base. None of the ISP's SMTP servers (smtp-out1.blueyonder.co.uk, etc.) appear to be on the Spews list; only IPs doled out to subscriber machines are blacklisted.

Some participants on the Nanae newsgroup are decrying Spews' move as yet another example of the controversial blacklist hurting innocent ISPs.

But the move should cause little collateral damage. BY subscribers can still send and receive email via the ISP's mail servers to the rest of the Internet, including Spews users. But zombied PCs on BY connections will effectively be off the air to Spews users.

On the other hand, it's interesting that Spews considers BY worthy of Level 1 status. According to the Spews FAQ, Level 1 entries consist of "netblocks owned by the spammers or spam support operations themselves, with few or no other legitimate customers detected."

For those of you keeping score, Spews currently lists approximately 24 million (23,962,247) IP addresses on its Level 1 list.

The summer 2001 rise of Spews, and the violent reaction to it by spammers, are covered in Spam Kings.

Posted by Brian at 8:05 PM | Comments (3)

May 3, 2005

Spam Arrest tries to erase the past

Brian CartmellLike a lot of CEOs, the head of Spam Arrest, Brian Cartmell, wants his company to make a good impression on Google. But Cartmell, who himself has quite a colorful past, seems to want to erase history in the process.

Cartmell has apparently been contacting operators of web sites that published negative comments about SpamArrest. According to Declan McCullagh of the Politech list, Cartmell asked him to remove two archived Politiech postings (for now, available online here and here) about SpamArrest from 2003 because the information is "really out of date."

The posts discuss an incident in which Spam Arrest sent unsolicited email advertising its service.

I say leave the postings there for Internet history buffs like myself. Otherwise, what's next ... cleaning out all the unsavory Usenet postings about Spam Arrest?

Some sites have already complied with Cartmell's request. A page at SamSpade.org discussing the Spam Arrest spamming incident is now 404 . (At least Archive.org still has the old SpamArrest is Spamming page.)

Even if the Politech posts remain, the search-engine savvy Cartmell has already made progress toward his goal. Politech's archives now include a new posting about Spam Arrest's objection to the old postings.

Posted by Brian at 12:12 AM | Comments (1)

Weblog authors are solely responsible for the content and accuracy of their weblogs, including opinions they express,
and O’Reilly Media, Inc., disclaims any and all liability for that content, its accuracy, and opinions it may contain.

All trademarks and registered trademarks appearing on spamkings.oreilly.com are the property of their respective owners.

O'Reilly Home | Privacy Policy

© 2004 O'Reilly Media, Inc.
For assistance with this site, email: