Friday, December 7, 2007

Ron Paul spam tied to bulkerforum.biz

This story on slashdot made a couple of bells start ringing.

... someone calling themselves nenastnyj was behind it and their botnet control server has been shut down


nenastnyj is a member of bulkerforum.biz. You will probably know him as "nena" over there.
Drug spammer apparently in charge of PharmaBucks. Here is his first posting on bulkerforum in January 2007:

Posted: Tue Jan 09, 2007 7:36 am
Post subject: New big money with PharmaBucks
Dear colleagues (we hope that we will be able to call you partners of our partnership program in future),

The partnership program "PharmaBucks" is more than happy to encourage you to cooperate with us.

For the time being, there is one shop and four medical preparations, that are the most needed, available in our partnership program.

We offer you sales with commissions from 30 to 50%. According to the promotion of our program everybody who registers before February 1st, 2007 will be registered in partnership plan " Silver " that offers you 40%.

Our conditions and benefits:

- Detailed and very honest statistics! You will feel it from the very first minute of our cooperation;
- Commissions up to 55%;
- Referral system of 5%
- Our own steady bulk-servers;
- Support is always ready to answer your questions comprehensively and correctly;
- Daily change of domains, personal domains for the big adverts;
- Regular professional text refreshments;
- Salaries webmoney, fethard, wire;
- Hold – 14 days;
- % commissions according to the following tariff description:

0-10 sales per day - 30% commission
11-20 sales per day - 40% commission
20-50 sales per day - 45% commission
50+ sales per day - 55% commission


Our cooperation and your time is of a great value for us, that’s why we made all the conditions of successful and lucrative cooperation with you so much easier.

Everybody, from the beginners to the professionals, is more than welcome to join our partnership program. Respectful and sophisticated Support is always ready to help you with any kind of problem.

Our working team consists of exceptional professionals that have invested all their experience acquired throughout many years into this program.
We are always looking with a perspective concentrating our attention and experience only on reaching the highest peaks, comprehensively analyzing and improving our accomplishments.

We hope that you will value our advantages starting from today.

You can register and start working by connecting to this ICQ number: 303-435-751.
ICQ Number <------- 304927900 304-927-900

A bit later he answers neuman's question:
what are the products?

now only 4, and 1 shop, soon ill be 4more products
now only Viagra Soft tabs Cialis soft tabs, cialis, and viagra pro


A small image from pharmabucks.biz when the page was still up:

We have not been following nena/PharmaBucks around, so we don't know the story after January.


Back to the Ron Paul spam:
More details in a report from Secureworks.
A bit shorter version on ars technica

And there is something else that is a bit interesting in that report.
The Ron Paul spam has been tied to "Reactor botnet". "spamit" on bulkerforum is being mentioned, but SecureWorks doubt he is the author. It is more likely that he is a customer of the author of the bot controlling software.
Interesting points anyway.

Now, I highly doubt that the Russians are especially interested in US politics.
Which leaves the question: Which american spammers (and probably with connections to bulkerforum.biz) are behind the spam for Ron Paul?

We know that the Digital Gangstas Matt Leppala, Pete Snoufax and ytcracker are close to an orgasm if Ron Paul is being mentioned. But we have no idea if they were behind the spam. n0fx on bulkerforum is an old buddy of them.

Thursday, December 6, 2007

DucksInTwoRows blog is back

Has been back up again for a few days now.
No new content yet.
Writing a small draft on kref/spamit.
And another small one on toxicdog and his alias.

Tuesday, November 27, 2007

Snippets

A collection where small snippets are saved temporarily and gradually expanded towards an independent blogpost.
More like memos to myself. Read them if you like, but don't expect much.
Mainly regarding members of bulkerforum.biz who are offering services that are illegal in most countries.

AbdAllah


[Nov 16, 2007]
His second post on bulkerforum.biz:

BP servers & hosting for mailing, trojans, exploits, etc. in Turkey, Malaysia, HongKong, USA, Thailand, China.
Fast setup, cheap price.
Please contact ICQ: 483-384-343 (Mr.Abdulla)
or write to PM.
Thank you !

One example of the typical hard working, honest members of bulkerforum.biz.

And the moderator Crypto greets him:

He is a well known Russian BP provider.
Welcome to bulkerforum, AbdAllah.


We know that hosting mule scams is one of those included in his term "etc.", but what else is possible?
Child porn, carder sites? Not unlikely.

Honored with an SBL-listing in Spamhaus in November 2007, SBL59691.

To be continued ........

ProfDDoS


Nick says it all.
His post #5 on bulkerforum.biz:
Greeting!!!!

Let me bring to your attention professional DDoS service!
Quality is guaranteed by uniqueness of the updated and supported software. Huge, constantly growing quantity of bots worldwide online.
Destroy a site of the competitor!!!
The prices depend on duration and complexity of the project.
For information welcome in the icq.
For all questions: ICQ support 448845. skype ss_support1

Moderators Dollar and Crypto are not totally happy about that post.
A bit strange regarding Crypto when reading his greetings to AbdAllah, but who knows what's inside these guys brains.
Crypto has not been showing too much intelligence in his posts, so it is perhaps not so strange after all.

Phantom rushes to his defense:

I have to disagree here guys LOL this person has been of great service to us all without you even knowing about it ..Thanks guy

ProfDDoS is the same guy as, or in bed with .....damn I lost that part.

Maybe continued.

Sanjay / sancash


A quick note to self:
This guy is involved with Elite Herbal.
How high up he is in the food chain cannot be established accurately.
If not on top, he is very high up.

Definitely to be continued.
[Ducks new posting here: sanjay aka sancash.]

Phantom


One of the moderators.
Been hanging around for some years now.
Always been very slippery, but now the smelly ex-wannabe-spammer "Nick Danger" (Marion Sidney Lynn) claims to have his identity and has "outed" him.

We have seen that info earlier, but we are not totally convinced about how real this is.
Two long and wild shots: This "outed" identity is either a middleman or a deliberate smoke screen.

Both Veru and myself are going more in the direction of "back to the roots" like WarriorForum and Bulkbarn, like Phantom himself indirectly suggests in his various postings on different forums during the last years. And like magic, some info fits. Pure magic it is.
This indicates another identity, but this does not seem very likely either.
The fact that both of us, originally independent of each other, went in that direction is a sign that there may be something here. And so is the fact that some of our findings were identical. That's magical.
It still seems unlikely though, so we are open for suggestions and speculations combined with hard facts.
Especially hard facts about the identity "outed" by the smelly chicken of an ex-wannabe-spammer.

escape

Usman Ahzaz

Snippets:
  • olatesuite
  • exploits
  • Ukraine
  • drug spammer

From a posting about a month ago on bulkerforum, someone asked for this:

subject: Need a persistent exe application
One that will take an exe I already have and make it 'persistent' - hidden from the filesystem, hard to remove, etc

skype: myst231 or pm me here (i dont know if the pm situation has been resolved)


And the OlateSuite master of exploits answers:

escape
Joined: 15 Sep 2006
Posts: 55

votes: 2 Posted: Wed Oct 17, 2007 3:30 pm Post subject: y0
i can help you out
_________________
OlateSuite - HiSpeed Mirrored BP Shared Hosting & Dedicated Servers...
Exclusive Ip Restricted Socks4


The Christmas season is approaching, so watch out for OlateSuite exploits this year too:
Happy Holiday Season, TrendLabs article from 2006 about OlateSuit exploit
Watch out for any Holiday Season Blowout Sales this year.

Yet another hard working, honest businessman on the bulkerforum.

kref/spamit (glavmed)


Probably two guys, belonging to the same gang.
Crypto hugs kref:
kref is known in the BlackSEO biz. He is a good guy and pays on time.
Has his own design/coders team (for his rx websites), and the affiliate system for mailers looks very nice.
He has a lot of references, just pm him, and find out more,
I think you gonna like it.

With such good references, we don't hesitate to label those guys as criminal spammers.
Snippets:
  • despmedia.com
  • glavmed.com
  • glavmed.org
  • hzmedia.info
  • spamit.com
  • thecanadianmeds.com
  • saintd / saintdmitry
  • Michael_sun2k
  • Their "designers": dadaev.com

To come

  • David (from Houston, TX.)
  • perka (from Romania - ZedCash)
  • rxnic
  • TLCmail / Stolder / leadz / empharmpartners (this is probably Impulse Marketing Group, or at least connected to them)
  • toxicdog (alex0ra, alexora, goomenuk, Prague, spamilka.com, Black Network, 69.50.177.122)

Saturday, November 24, 2007

The last post on spam-court.com

Below is the last post on spam-court.com.
The day after the posting, the criminals started yet another DDoS attack on the site and it went down.
For good (at least with Dreamhost as the host).

A few days later http://ducksintworows.blogspot.com/ was attacked. And is still down.

Short note ....
Posted November 16th, 2007 by DucksInTwoRows

We will leave spam-court.com as it is now for some time.
http://ducksintworows.blogspot.com/ will probably be the main area for new posts and small notes.

Maybe some posts will show up on http://veruccawatcher.blogspot.com/

Perhaps something interesting shows up at http://veruccawatcher.wordpress.com/, but that's less likely.

lhl

A Smart Condor. Known at least since the specialham days. Probably Chinese. Aka "lhyfrank".
lhl1922@yahoo.com
At first glance he specializes in adult, MySpace and yahoo bots.
Has at least one listing in Spamhaus.
Some indications that this one also is or was involved in hosting.
Latest domain is thxkilo.com. Whatever that is.
Easy to spot and trace. I will leave that to others and maybe fill in some more later.