Tuesday, November 27, 2007

Snippets

A collection where small snippets are saved temporarily and gradually expanded towards an independent blogpost.
More like memos to myself. Read them if you like, but don't expect much.
Mainly regarding members of bulkerforum.biz who are offering services that are illegal in most countries.

AbdAllah


[Nov 16, 2007]
His second post on bulkerforum.biz:

BP servers & hosting for mailing, trojan's, exploit's, etc. in Turkey, Malaysia, HongKong, USA, Thailand, China.
Fast setup, cheap price.
Please contact ICQ: 483-384-343 (Mr.Abdulla)
or write to PM.
Thank you !

One example of the typical hard working, honest members of bulkerforum.biz.

And the moderator Crypto greets him:

He is a well known russian BP provider.
Dobro pajalovati na bulkerforum AbdAllah.


We know that hosting mule scams is one of those included in his term "etc.", but what else is possible?
Child porn, carder sites? Not unlikely.

Honored with an SBL-listing in Spamhaus in November 2007, SBL59691.

To be continued ........

ProfDDoS


Nick says it all.
His post #5 on bulkerforum.biz:
Greeting!!!!

Let me to bring to your attention professional DDoS service!
Quality is guaranteed by uniqueness of the updated and supported software. Huge, constantly growing quantity of bots worldwide online.
Destroy a site of the competitor!!!
The prices depend on duration and complexity of the project.
For information welcome in the icq.
For all questions: ICQ support 448845. skype ss_support1

Moderators Dollar and Crypto are not totally happy about that post.
A bit strange regarding Crypto when reading his greetings to AbdAllah, but who knows what's inside these guys brains.
Crypto has not been showing too much intelligence in his posts, so it is perhaps not so strange after all.

Phantom rushes to his defense:

I have to disagree here guys LOL this person has been of great service to us all without you even knowing about it ..Thanks guy

ProfDDoS is the same guy as, or in bed with .....damn I lost that part.

Maybe continued.

Sanjay / sancash


A quick note to self:
This guy is involved with Elite Herbal.
How high up he is in the food chain cannot be established accurately.
If not on top, he is very high up.

Definately to be continued.
[Ducks new posting here: sanjay aka sancash.]

Phantom


One of the moderators.
Been hanging around for some years now.
Always been very slippery, but now the smelly ex-wannabee-spammer "Nick Danger" (Marion Sidney Lynn) claims to have his identity and has "outed" him.

We have seen that info earlier, but we are not totally convinced about how real this is.
Two long and wild shots: This "outed" identity is either a middleman or a deliberate smoke screen.

Both Veru and myself are going more in the direction of "back to the roots" like WarriorForum and Bulkbarn, like Phantom himself indirectly suggests in his various postings on different forums during the last years. And like magic, some info fits. Pure magic it is.
This indicates another identity, but this does not seem very likely either.
The fact that both of us, originally independent of each other, went in that direction is a sign that there may be something here. And so is the fact that some of our findings were identical. That's magical.
It still seems unlikely though, so we are open for suggestions and speculations combined with hard facts.
Especially hard facts about the identity "outed" by the smelly chicken of an ex-wannabee-spammer.

escape

Usman Ahzaz

Snippets:
  • olatesuite

  • exploits

  • Ucraine

  • drug spammer
.

From a posting about a month ago on bulkerforum, someone asked for this:

subject: Need a persistent exe application
One that will take an exe I already have and make it 'persistent' - hidden from the filesystem, hard to remove, etc

skype: myst231 or pm me here (i dont know if the pm situation has been resolved)


And the OlateSuitemaster of exploits answers:

escape
Joined: 15 Sep 2006
Posts: 55

votes: 2 Posted: Wed Oct 17, 2007 3:30 pm Post subject: y0
i can help you out
_________________
OlateSuite - HiSpeed Mirrored BP Shared Hosting & Dedicated Servers...
Exclusive Ip Restricted Socks4


The Christmas season is approaching, so watch out for OlateSuits exploits this year too:
Happy Holiday Season, TrendLabs article from 2006 about OlateSuit exploit
Watch out for any Holiday Season Blowout Sales this year.

Yet another hard working, honest businessman on the bulkerforum.

kref/spamit (glavmed)


Probably two guys, belonging to the same gang.
Crypto hugs kref:
kref, is known in the BlackSEO biz. He is a good guy and pay on time.
Have his own design/coders team(for his rx websites), and the affilate system for mailers looks very nice
He have a lot of references, just pm him, and find out more,
I think you gonna like it.

With such good references, we don't hesitate to label those guys as criminal spammers.
Snippets:
  • despmedia.com

  • glavmed.com

  • glavmed.org

  • hzmedia.info

  • spamit.com

  • thecanadianmeds.com

  • saintd / saintdmitry

  • Michael_sun2k

  • Their "designers": dadaev.com

To come



  • David (from Houston, TX.)

  • perka (from Romania - ZedCash)

  • rxnic

  • TLCmail / Stolder / leadz / empharmpartners (this is probably Impulse Marketing Group, or at least connected to them)

  • toxicdog (alex0ra, alexora, goomenuk, Prague, spamilka.com, Black Network, 69.50.177.122)

Posted by Ducks In Two Rows

Labels: , , , , , , , , , , , , , ,

Saturday, November 24, 2007

The last post on spam-court.com

Below is the last post on spam-court.com.
The day after the posting, the criminals started yet another DDoS attack on the site and it went down.
For good (at least with Dreamhost as the host).

A few days later http://ducksintworows.blogspot.com/ was attacked. And is still down.

Short note ....
Posted November 16th, 2007 by DucksInTwoRows

We will leave spam-court.com as it is now for some time.
http://ducksintworows.blogspot.com/ will probably be the main area for new posts and small notes.

Maybe some posts will show up on http://veruccawatcher.blogspot.com/

Perhaps something interesting shows up at http://veruccawatcher.wordpress.com/, but that's less likely.

Posted by Ducks In Two Rows

Labels:

lhl

A Smart Condor. Known at least since the specialham days. Probably Chinese. Aka "lhyfrank".
lhl1922@yahoo.com
At first glance he specializes in adult, MySpace and yahoo bots.
Has at least one listing in Spamhaus.
Some indications that this one also is or was involved in hosting.
Latest domain is thxkilo.com. Whatever that is.
Easy to spot and trace. I will leave that to others and maybe fill in some more later.

Posted by Ducks In Two Rows

Labels:

Bioshah

Let's just give this one the status of "under construction" now.

A "dropshipper".
Content from the private part of bulkerforum has been "outed" by the smelly ex-wannabe-spammer.

The most interesting part is who he really is.
We don't know. Yet.
Only a couple of clues.

Small keywords to be checked and sorted out:


  • Hitesh

  • biologicalmiracle

  • shacro

  • hitmanshah

  • London


Hmm, London.
A few years back a letter went out from the FDA to:
Biologicalmiracle.com
PO Box 726
London, England EC1 V 7QQ
United Kingdom

Time will show if this is the same guy.
Biologicalmiracle is still up, same snake oil.

Quoting from one of his posts on the former private part of bulkerforum (smelly ex-wannabe-spammers can sometimes come in handy):
Pharma Sponsor & Drop Shipping
Im posting this here as I dont want Anti Fuckers to contact me in main Forum.
We still have pharma sponsor with controlled meds. So if any of you are interested PM.
I also provide Drop Ship faciities, so you big boys who already have their own sponsors PM if your interested

Maybe FDA, FBI or others would like to contact him too?

July 2008
When doing one of our very infrequent searches for info on members of bulkerforum.biz, we came across some info that may be interesting.
A couple of forum threads:
http://gofuckbiz.com/showthread.php?t=3454
http://www.crutop.com/Vbulletin/showthread.php?t=76615

Now something called istbill/istpay shows up in connection with bioshah.
Together with a lot of names, both individuals and companies.

The main question is still open:
Whois Bioshah? Sergey, Jani, Mike, Raj, Rajesh? Or someone else?
Our bets today are for Jani, Mike or Raj.
Time is an excellent tool. We'll wait and see what shows up.

Posted by Ducks In Two Rows

Labels: ,

seedcash / cluster

Daniel Lessing
An oldtimer, listed in ROKSO (Spamhaus' Register of Known Spam Operations).
Nicks on bulkerforum.biz are seedcash and cluster.
He used "cluster" on the spammer forum specialham too, in addition to dl1227.
On other he used dl69hunt.

Into porn, mortgage spamming, hosting and trying to sell some harvested lists on bulkerforum.

Hmm, selling harvested lists? Is that legal?

Posted by Ducks In Two Rows

Labels:

Thursday, November 22, 2007

tiket.cc - AbdAllahs support site?

AbdAllah, the proud member of bulkerforum.biz with connections to the Russian Business Network has a site that avoids attention:
Some info:


Domain: tiket.cc
Status: Protected

DNS:
        ns1.dnsmanager.org
        ns2.dnsmanager.org

Created: 2007-11-04 03:15:56
Expires: 2008-11-04
Last Modified: 2007-11-03 15:15:53

Registrant Contact:
        Private person
        Ahmad Gashmi Ahmad Gashmi (mailbox@abdulla.cc)
        Rublevskoe Shosse 7
        Moskow, Moskow, RU 542009
        P: +7.4952038129         F: +7.4952038129


Hosted at leaseweb in the Netherlands, 85.17.184.21.

Compare with this one:

Domain Name: ABDULLA.CC

Registrant:
    AbdAllah net inc.
    AbdAllah El Ahmad Gashmi        (abdulla@abdulla.cc)
    Kreshatik street 32/16
    Kreshatik street 32/16
    Kyiv
    Kyïv,45434
    UA
    Tel. +38.0632687263


The last one is listed on spamhaus.org, SBL49890.

Posted by Ducks In Two Rows

Labels: , ,

AbdAllah

One "snippet" from ducksintworows.blogspot.com, which is still under DDoS.
This guy has connection to the Russian Business Network, one of the worst criminal networks in history.
And he is a proud member of bulkerforum.biz, offering his services there.
The moderator Crypto gives him a nice welcome hug:

[Nov 16, 2007]
His second post on bulkerforum.biz:

BP servers & hosting for mailing, trojan's, exploit's, etc. in Turkey, Malaysia, HongKong, USA, Thailand, China.
Fast setup, cheap price.
Please contact ICQ: 483-384-343 (Mr.Abdulla)
or write to PM.
Thank you !


One example of the typical hard working, honest members of bulkerforum.biz.

And the moderator Crypto greets him:

He is a well known russian BP provider.
Dobro pajalovati na bulkerforum AbdAllah.



We know that hosting mule scams is one of those included in his term "etc.", but what else is possible?
Child porn, carder sites? Not unlikely.

Honored with an SBL-listing in Spamhaus in November 2007, SBL59691.
And if you look closely you will find him in SBL49890 from January 2007 too.

To be continued ........

Posted by Ducks In Two Rows

Labels: , ,

Wednesday, November 21, 2007

And then they went for DDosing blogspot

First they silence spam-court.com.
Now http://ducksintworows.blogspot.com/ is DDosed.

The criminals at bulkerforum.biz do not like that their criminal activites are questioned. And pointing out who the persons behind the activities are:


---------- Forwarded message ----------


Hi there,

As you may have noticed, your blog has recently become the target of a
DDOS attack, and we've therefore had to make it temporarily unavailable.
However, we wanted to let you know that we're actively addressing this
problem, and we hope to make your blog available again as soon as possible
while still defending against such attacks. Thanks for your patience, and
we apologize for the inconvenience.

Sincerely,
The Blogger Team


Showing their real faces (or asses if you prefer).
Criminals, nothing else, but pure criminals.

Ducks will continue to write (infrequently) here.

Posted by veruccawatcher

Labels: ,

Saturday, November 17, 2007

Well, DDos again on spam-court.com

And Dreamhost support pulls the plug:

I'm going to have to permanently disable this site and
ask that you move it's hosting elsewhere


Can't blame Dreamhost, they have done more than expected during the earlier attacks.
And I thank them for that.

But it finally came to an end.

DDoS may pay off.
But not in the long run.

Now it's very close to a personal attack.

I was planning to take it easy for some time and leave the writings to Ducks.
But now I am pissed.
There are tons of stuff on those bastards who are doing their "business" (read criminal activity) on bulkerforum.
Some of them have a history several years old.

I will contribute the best I can in exposing them.
Gloves are off and I am going to publish the full names and/or whatever info I have on those criminals. Including the participants on the criminal forum.
As promised on spam-court.com, if the DDOs-ing continued.
First out was Martin Neumann, europe aka guschman.
Next out, in no particular order or timeframe, are:

  • hairdev (full name)

  • canadaguy99 (full name - will be interesting, even for the criminals themselves)

  • tylerdurden (full name - a small appetizer: ginster)

  • jpcserv (full name)

  • perka (full name)

  • xpepro (full name - one keyword in the meantime: "TRNi Inc" )

  • General / bizorigins (full name)

  • paradiseslim (full name)

  • bulkman99 (the pimp from Montreal)

  • corleonem (an innovative consultant)

  • deatos (a young blackhat from Michigan)

  • leego (pill pusher)

  • kref/spamit (glavmed / despmedia / spamit.com)


One "snippet", as Ducks calls them, from yesterday was about a member of bulkerforum.biz, "ProfDdos". And the day after he posts that, spam-court is DDosed. Coincidence?
I repeat Ducks snippet here:

[start of Ducks' posting]

ProfDDoS


Nick says it all.
His post #5 on bulkerforum.biz:
Greeting!!!!

Let me to bring to your attention professional DDoS service!
Quality is guaranteed by uniqueness of the updated and supported software. Huge, constantly growing quantity of bots worldwide online.
Destroy a site of the competitor!!!
The prices depend on duration and complexity of the project.
For information welcome in the icq.
For all questions: ICQ support 448845. skype ss_support1


Moderators Dollar and Crypto are not totally happy about that post.
A bit strange regarding Crypto when reading his greetings to AbdAllah, but who knows what's inside these guys brains.
Crypto has not been showing too much intelligence in his posts, so it is perhaps not so strange after all.

Phantom rushes to the defense of ProfDDoS:
I have to disagree here guys LOL this person has been of great service to us all without you even knowing about it ..Thanks guy


ProfDDoS is the same guy as, or in bed with .....damn I lost that part.

[end of Ducks' posting]

Note: ProfDDoS is the same guy as, or in bed with "Caesar" on bulkerforum.

Posted by veruccawatcher 0 comments

Labels: ,

europe / guschman

History:
This one was posted on May 26, 2007 by DucksInTwoRows
And edited November 17, 2007 by veruccawatcher, after the last dddos on spam-court.com. Change: Full name



Just a short one. The intention was to write some more, but today we prefer to spend most of our time on other, important things in life than following the scum of the net around.

"europe" aka "guschman" is Martin Neumann from Germany.
Tried to be careful.
But you can never trust a spammer, even not the "trusted" ones.
Just like their own spam, their info floats around.
From one spammer to the next. And so on.
Now Martin, try to hit that delete button now.
Aber ach, zu spät. Vielleicht.

We make an exception this time and try to believe that spammers don't always lie:
Born in 1981, lives in Rostock.
Was also a member of the dead and buried specialham.com and spamforum.biz.

We have been told he works with something IT-related.
Well, of course he does, he offers hosting.
Man, those spammers think they are clever when telling us stuff.

Or did we just pull that up from a hat?

Why the hell does a host offer their services to criminals?
You know Martin, you could just get rid of that spamhosting/spamsupporting part?
Your choice.

Maybe more later, we have to double- and triplecheck some stuff.
Auf Wiedersehn.

Posted by veruccawatcher

Labels:

Subscribe to: Posts (Atom)