New Spam Retaliation Tool
Paranoid2000
November 8th, 2006, 08:08 PM
Those who have the misfortune to have to deal with significant quantities of spam will have doubtless had many for one particular range of "pharmaceutical" products, specifically Spur-M, More-Size, Extra-Time, VigraMax, Rabbit Pearl Vibrator or Fat Blaster. These are all part of the same spam operation believed to be run by Alex Polyakov (http://www.spamhaus.org/rokso/listing.lasso?-op=cn&spammer=Alex%20Polyakov), by many estimates the Internet's worst spammer. The sites themselves use no encryption for credit card details (despite a "134-bit encryption" banner on some of them) so pose a danger to those naive enough to consider shopping at them.
A web script has now been released (which should be usable with any browser) for placing fake orders (with plausible names, addresses and credit card details) directly to the backend databases used by this spam operation, meaning that large numbers can be submitted very quickly. See the Spur-M-Enator (http://thecarpcstore.com/phpbb2/viewtopic.php?t=389) thread at the Kill Spammers for more details and download location.
If enough people run this tool, flooding his database with fake orders, it has the potential to cause real financial harm to his business (forcing him to discard real orders or risk losing credit card facilities due to excessive verification failures). Anyone wishing to see a cutdown in spam should consider using this tool to help curtail the activities of one of the worst operators.
Rmus
November 8th, 2006, 09:10 PM
-{ Quote: "If enough people run this tool, flooding his database with fake orders, ..." }-IMHO, retaliation - - taking revenge, returning like for like, especially evil for evil -- is an outmoded way of thinking, and puts the retaliator down in the gutter at the same level with the scumbag perpetrator.
regards,
-rich
QBgreen
November 8th, 2006, 09:42 PM
-{ Quote: "IMHO, retaliation - - taking revenge, returning like for like, especially evil for evil -- is an outmoded way of thinking, and puts the retaliator down in the gutter at the same level with the scumbag perpetrator.
regards,
-rich" }-
"Sometimes you gotta fight when you're a man" - Kenny Rogers
Paranoid2000
November 8th, 2006, 10:03 PM
-{ Quote: "IMHO, retaliation - - taking revenge, returning like for like, especially evil for evil -- is an outmoded way of thinking, and puts the retaliator down in the gutter at the same level with the scumbag perpetrator. " }-Perhaps you may wish to review the links above in more detail then before making judgements? In this case, you not only have someone who spams, who ignores complaints, uses complainers' email addresses as fake senders in future spam and sells illegal (and likely harmful) products but also one who has been involved in a host of other illegal activity ranging from identity theft and fraud to pump and dump stock scams.
What this utility does is fill the spammers database with garbage data (though plausible enough to pass their filtering) which is pretty much what this vermin is doing to everybody's email inboxes. It is an escalation of previous attempts to stop their spamming (notably Blue Security's opt-out list) but one which recent events have justified in my view.
This tactic is also effective - I used to receive regular mortgage quote spam which stopped after using one of the Kill Spammer's formfillers to deluge it with false leads. It is only by causing financial harm to a spammer that users can stop being deluged with junk and it is only when a significant portion of the Internet community uses such methods that spam will stop completely.
It would be nice if spammers stopped when asked, didn't try to hijack PCs to bypass blocklists and poison spam filters but ultimately those who wish to retain the use of email will need to escalate their countermeasures against those willing to destroy it.
Cerxes
November 8th, 2006, 11:45 PM
I fully agree with this and I support this type of aggressive defence, since it's the most effective way of defending against spammers when they themselves are losing money - the only thing that really hurts them...
Regards, C.
spamislame
November 9th, 2006, 02:44 PM
Hi.
I'm the guy who wrote this utility (based on the collaboration of numerous others to whom I remain indebted.)
To those who claim this is "stooping to their level" I say: what other options do we have? The precise reason that we're currently in a world where 91% (and rising) of incoming email to all accounts worldwide is spam: you tell me, what other retaliation do we, as users of the Internet, which these malicious criminals are destroying on a daily basis, have?
Filters don't work. Even if they do they take lots of effort to get working properly and even then the spammers seem to think we still want to see this stuff. So I hate filters. I use them, but I hate them.
Complaining is of no use, and in the specific case of the Spur-M-Enator(TM) I discovered that their so-called "contact" form and "opt out" functionality perform absolutely no function whatsoever aside from presenting you a bogus "Thank you" page. They lie.
They claim their site is secure ("134-bit encryption" is used?! Do they think we're idiots?) They lie. They claim to ship you products which are "safe". They often claim to be "supported" by groups like the Better Business Bureau, Visa and other third party vendors. I have contacted and worked closely with all of those vendors, and many more. I can tell you unequivocally: none of them support these spammers or their operations. The spam continues to arrive.
The *only* time it has slowed was when I and others first began this type of retaliation against refinance and mortgage spammers, notably Alex Polyakov. That caused all refi spam to stop completely for a few days. I mean absolutely cold turkey: no more refi spam, to any account on my end for at least 8 days. If "stooping" is what it takes to get this to stop: sign me up. At least I'm being extremely up front about it: I hate these assholes, and I hate that they constantly stand behind their practices because they can call it "marketing".
I refuse to buy the mentality that says to ignore or "just delete" these relentless emails. I don't feel that anyone should sit down and take that as any sort of solution against these criminals.
I would also strongly recommend reading this tandem thread which describes in greater detail the fraudulent nature of all of these websites and their operations, and how the Spur-M-Enator came to be.
http://www.thescambaiter.com/forum/showthread.php?t=8761
The last two pages go into greater detail.
In my opinion: people who claim we're just stooping to their level are merely afraid that something can actually be effective. I have no scruples about doing battle with bald-faced liars or criminals. I don't think anyone would ever mistake my actions for being anywhere near as fraudulent as what they do. If they were in any way legitimate, they'd track me down to put me in court for my retaliations. They know they have no legal leg to stand on, and they should be well aware: I have tons of evidence against them. So I say bring it on. I'm not going to sit back and just let these malicious savages ruin what should be a valid, effective communications medium.
If there was a link to terrorism in any of this people would be taking the gloves off much sooner. This disappoints me greatly.
Anyway sorry for babbling but I'm sick and tired of hearing this excuse every time somebody actually has a real, valid solution for fighting against these obviously illegal activities.
SiL
borat
November 9th, 2006, 08:22 PM
Hi, downloaded the tool. Would appreciate advice on how to install and run the utility.
Browser: FF 1.5.0.8 on XP
Thanks :)
spamislame
November 9th, 2006, 08:50 PM
-{ Quote: "Hi, downloaded the tool. Would appreciate advice on how to install and run the utility.
Browser: FF 1.5.0.8 on XP
Thanks :)" }-
- Step 1: download [http://www.mytempdir.com/1047078]
- Step 2: unzip
- Step 3: (probably) read: "whatitdoes.html"
- Step 4: launch "kill.html"
It's javascript. Therefore you have to enable javascript. It installs nothing on your system.
It also will attempt to post the form using a new window, but once that window is launched it won't launch any others. As such you may need to "allow" it to launch popups. Since this is completely run from your desktop you are at no risk of any rogue installations unless you personally manipulate the code to do so (which I do not recommend.)
An extra note for the extra-paranoid: This utility merely generates values within your browser, then posts them to the processing servers of these miscreants. It contains zero viruses. It has no connection whatsoever to Windows or any DLLs or anything outside of plain, ordinary HTML and JavaScript. I wrote it that way so that it could be run anywhere, anytime.
Thanx and hope that helps.
SiL
Devinco
November 9th, 2006, 10:07 PM
Hi SiL,
Welcome to Wilders!
Thank you for making this real solution to spam available to us all. :thumb: :thumb:
Is the target window supposed to be blank?
The window shows a different IP than mine.
Won't their web logs show the visitor's real ip (or proxy ip) address?
Maybe users should spread its use out over time rather than 1000 all at once like one user did so that they don't block your ip.
Governments may arrest a big spammer very rarely only to pay lip service but they are basically ignoring this huge problem.
ISPs and hosts turn a blind eye as they receive big payments from spammers.
So who's left to deal with the problem except us victims?
All that's needed for evil to spread is good people who do nothing.
Spammers have boxed us into a corner, so I say it's time to fight back.
Good work SiL. :)
Paranoid2000
November 10th, 2006, 12:47 AM
-{ Quote: "Is the target window supposed to be blank?" }-Yes (this question was answered in the Kill Spammers thread linked above). It connects directly to the spammers' database which does not provide any webpage confirmation - their own webpages would handle this normally.
-{ Quote: "The window shows a different IP than mine." }-The spam websites normally used for placing orders include the IP address - this script sends a random one in its place.
-{ Quote: "Won't their web logs show the visitor's real ip (or proxy ip) address?" }-As with any connection, yes. However given the illegality of their operation, it is rather unlikely that they are going to be able to complain to ISPs or law enforcement.
-{ Quote: "Maybe users should spread its use out over time rather than 1000 all at once like one user did so that they don't block your ip." }-It's very likely that the spam operation responsible knows about this and will take steps to block it as soon as they can (they probably have dozens of "affiliates" feeding data in making changes more difficult) so it would make sense to exploit this while it lasts.
I'd like to thank SiL as well - this type of spam (which I find highly objectionable) has, for now, stopped completely.
controler
November 10th, 2006, 08:35 AM
Download links do not work for me???
controler
spamislame
November 10th, 2006, 10:00 AM
-{ Quote: "Download links do not work for me???
controler" }-
It looks like mytempdir had some downtime earlier today. This was (I confirmed) NOT due to a DDOS attempt (which I thought it might be.)
http://www.mytempdir.com/1047078
That one is live as we speak. :)
In any event this means I'm also making sure that alternate locations are available as well.
Hope that helps.
SiL
Devinco
November 10th, 2006, 11:37 AM
Paranoid2000,
Thanks for the answers and for bringing this to our attention.
spamislame
November 10th, 2006, 01:37 PM
-{ Quote: "Paranoid2000,
Thanks for the answers and for bringing this to our attention." }-
I was about to say the very same thing. :)
I don't know about anyone else here but my spam count today was zero. I've received reports from several others around the globe that this is also the case on their end.
This can't be a coincidence.
The average person who runs this utility has been posting anywhere from 3000 - 7000 orders per day. Several have chosen to run it overnight. This is possibly overkill (though I would argue that spamming me 50+ times a day for a product I never asked to hear about is overkill) but it's definitely doing the trick.
I get the sense that these tantrum throwing spammers will only start spamming twice as hard in a few days. If that's true, that leaves a huuuuge amount of traffic data which the FBI (whose IC3 group I have informed of this retaliation) are more than ready to track to its source. They aggressively monitor several botnets as well so we'll see if there's any correlation there.
Thanx to anyone who continues to join in. It's definitely hitting somebody where it hurts.
SiL:thumb:
P.S. Thanks for the kind words
borat
November 10th, 2006, 05:35 PM
Thanks, SiL, for the help and the utility :thumb: Couldn't get it to function with FF so launched with IE6.
I have 2 Gmail accounts and the spam count today (Nov 10th) was 3 ;D usually it's around the 17 mark.
Btw, excuse the dumbass question(s) ..
How long is the life cycle of this tool - is it to be used in a similar way to the SETI and Folding@home apps which utilise 'free' CPU cycles, ie, am I required to use it indefinitely for the foreseeable future utilising vacant bandwidth?
Will there be a point at which I should cease, or will the tool be modified as and when the intended target(s) change or if and when they close the backdoor being used? How will I know when I can terminate this tool?
Slovak
November 10th, 2006, 09:02 PM
hehe, I'm running it as well, overnight too!
solarpowered candle
November 10th, 2006, 09:25 PM
thank you for this its humming along nicely. a cool idea.
Alphalutra1
November 10th, 2006, 09:30 PM
I got it up and running, and its going to stay that way while I am still on this computer. Suck it spammers ;D
Alphalutra1
herbalist
November 10th, 2006, 09:40 PM
Nice idea! I'm launching it every hour for about 10 minutes via my task scheduler. I should put it on the dialup connected PC and take advantage of its floating IP.
Too bad you can't make one that can automatically scan the spam folder of a mailbox and automatically attack whatever turns up there. My Yahoo spamcatcher account gets about 50 new ones each day, more than I want to harass manually.
Rick
controler
November 11th, 2006, 10:14 AM
My Yahoo account gets hit hard also but this is one of my oldest accounts. After enough years they all get hit hard. I get about 30 a day in my bulk folder but still get about 10 or so inbox. I get about the same in my oldest hotmail account.
Is this because of using better subject box info and picture info in main rather than text?
controler
Paranoid2000
November 11th, 2006, 01:21 PM
-{ Quote: "Too bad you can't make one that can automatically scan the spam folder of a mailbox and automatically attack whatever turns up there." }-That would be the ultimate retaliator - but in practice each spam operation requires a custom script and spammers are increasingly using multiple levels of redirection to hide their real sites (e.g. using a free webpage or blog with a redirect) and are all too happy to try and break such a system by including links to innocent bystanders, so some level of human verification is needed.
-{ Quote: "My Yahoo account gets hit hard also but this is one of my oldest accounts. After enough years they all get hit hard. I get about 30 a day in my bulk folder but still get about 10 or so inbox. I get about the same in my oldest hotmail account.
Is this because of using better subject box info and picture info in main rather then text?" }-Spammers regard filters as an obstacle to work around, even getting Yahoo/Gmail accounts themselves to test out what gets through (images with junk text to poison Bayes filters being popular at the moment). Hence users will now need to be increasingly proactive in defending their email accounts.
herbalist
November 11th, 2006, 04:52 PM
I didn't really expect it to be possible. Just wishful thinking. My Yahoo mailbox is a deliberate spamcatcher I set up for sites I expected to be spammers. Nothing useful gets sent there, save a few viruses/worms I can add to my collection. Yahoo is good for harvesting viruses as their AV is easy to bypass. My "normal" mailboxes stay clean, so I haven't needed to get too serious about filtering. Looking at that Yahoo box, I'd have no clue where or how to start. The vast majority of the spam uses what looks like real names and subject lines that vary from gibberish to authentic sounding titles. The only way I would know to start filtering it would be to use a whitelist and throw out everything else.
Examples:
http://i138.photobucket.com/albums/q277/herbalist-rick/yahoospam.gif
Rick
Smokey
November 11th, 2006, 05:07 PM
-{ Quote: "If enough people run this tool, flooding his database with fake orders, it has the potential to cause real financial harm to his business (forcing him to discard real orders or risk losing credit card facilities due to excessive verification failures). Anyone wishing to see a cutdown in spam should consider using this tool to help curtail the activities of one of the worst operators." }-
Txs for this post, i support it 100%.
Therefore, I will put your post and "spamislame's how-to" unmodified on my Security Forums.
Keep on going with the good work!
Smokey
Triple Helix
November 11th, 2006, 09:50 PM
Just get a BIG stick and hit him over the Head with it! :wacko::wacko: LOL
EASTER.2010
November 11th, 2006, 10:17 PM
Capital Idea!! And a long overdue one in my book. When Gmail started giving out "invites" I took on some and for a long while experienced very little if no spam at all.
Now it is identical to Yahoo's, which I still keep several accounts on but select to use the option that doesn't even allow the crappy, time-wasting junk to accumulate.
Gmail gives you an option for a one-click DELETE ALL SPAM but then they also show their endorsement of that crap on their servers with a NO SPAM HERE! message after dumping over 1,000 of them collected in the REPORT SPAM in the span of a day or two, only to return again sometimes immediately after clearing it. The next day they're right back there again.
I'll make good use of this tool while it lasts, and thanks for offering it in this battle to curtail spammers.
Orders Submitted: 569
• Refreshing in 15 seconds!!!!!!!!...................... I'll leave it on all night too, and then some.
spamislame
November 12th, 2006, 02:40 PM
Hey there
-{ Quote: "Thanks, SiL, for the help and the utility :thumb: Couldn't get it to fuction with FF so launched with IE6." }-
Hm. Well that's odd. :/ Only case I've heard of. Maybe you've disabled javascript on FF?
-{ Quote: "I have 2 Gmail accounts and the spam count today (Nov 10th) was 3 ;D usually it's around the 17 mark." }-
I was seeing 30+ a day to one seed account I monitor. Those were just for these products, out of a total of 50 total spams per day, with the rest being mostly for stocks. That dropped to - no joke - zero (0) since I launched this tool. Not even a single stock spam. Seeing one today though so something is in the works.
-{ Quote: "Btw, excuse the dumbass question(s) .. " }-
There is no such thing. :)
-{ Quote: "How long is the life cycle of this tool - is it to be used in a similar way to the SETI and Folding@home apps which utilise 'free' CPU cycles, ie, am I required to use it indefinately for the forseeable future utilising vacant bandwidth?" }-
Oh god no. Nothing that complex. This is purely javascript, and only exists when you run it locally on your machine. It doesn't "report back" anywhere. The order counter is only local to your machine, and resets when you close and then re-open the kill.html file. If you want another Blue Security style function, maybe contribute to or monitor the Okopipi project (search for it, it's pretty well known), though in my opinion it's not going fast enough and is becoming far too bloated to be effective in any meaningful way.
Life-cycle: until we see a "domain not found" or some other error in the window to which this utility posts. This is posting to a very specific target, in a very highly customized way based on data I gathered from a poorly-configured PHP setup which exposed this spammer's entire back-end setup.
-{ Quote: "Will there be a point at which I should cease, or will the tool be modified as and when the intended target(s) change or if and when they close the backdoor being used? How will I know when I can terminate this tool?" }-
Several people have reported that after posting 30,000+ orders (!!) they feel that that's enough. That's only a handful of people though. By and large people are just running it all day, every day.
I don't really feel there is a life cycle to this tool specifically. I'm not even certain the spammers have caught on as to what's happening. They will eventually and when they do they'll more than likely just shut these three domains down and start spamming again. At that time I will be hunting for more evidence and exposed web server setups (though it's unlikely they'll allow such a mistake to be repeated.)
As an aside: I have never seen a utility last so long (ie: the domains are still active and they definitely appear to still be accepting postings.) The average attack I've launched has lasted a matter of hours because it typically hits the front end website which the spammers monitor much more closely, so they shut those down immediately or start banning IPs once a breach is discovered. Since this targeted a back-end, non-consumer-facing set of domains: I'm not sure they're capable of switching it over so quickly. Something like 3000 domains were talking specifically to these three domains for order processing.
I'd also like to add that there are a couple of invaluable firefox extensions which I heartily recommend, and which work on the front end of several regularly-spamvertised domains:
http://fightspam.thecarpcstore.com/formfiller/
I recommend reading up on those. If you visit the forum on thecarpcstore.com/phpbb2, you'll see a targets section which reports on domains which are susceptible to these formfiller utilities. The more people install and use these tools, the less spam we'll all get eventually.
Hope that helps.
Thanx for keeping up the pressure and providing feedback.
SiL
fleamailman
November 12th, 2006, 08:57 PM
I see a drawback to this idea. Suppose I didn't want the information but only wanted the victim to become more aware of a product, so I would first make a bad product called, for example, crappy cola, knowing that the victim will dismiss it as a sham, but in the victim's mind remains the fact that there is a drink (a mortgage, a sex enhancer, etc.). So the same company, distancing itself from bad cola, then comes up with a good cola because the victim is now receptive to the idea of the product. Crappy cola was worth it then since, in a nutshell, spam is advertisement to boost product awareness; it does not need to make money directly, it only needs to remind you that a product exists. If there are fools that fall for crappy cola, good, but it is not the goal here I believe. If you see the amount of money spent on advertisement at a loss, this is really peanuts, selective and in one face too; great for the spammers today, their products though dismissed are still known by us.
Conclusion: if we send back the spam, they are not going to mind since I believe that after a while their intention is to revamp as a good product in due course, by then we will know all about colas.
Paranoid2000
November 12th, 2006, 09:44 PM
-{ Quote: "conclusion, if we send back the spam, they are not going to mind since I believe that after a while their intention is to revamp as a good product in due course, by then we will know all about cola's." }-This isn't about sending back spam - it is about filling a spammers' system with fake orders. This does mean they incur a cost since if they have too many bad credit-card numbers going through, they could lose their account.
Not too sure where the idea of this being a marketing test comes from either - this spam has been going on for at least a year and a half (according to news.admin.net-abuse.sightings (http://groups.google.com/groups/search?q=spur-m+group%3Anews.admin.net-abuse.sightings&start=290&sa=N&scoring=d)) and while one can certainly say that only an idiot would go for it, there are apparently enough out there to make it profitable.
Ultimately, spam is about trying to sell products that cannot be marketed in any other fashion, due to them being illegal, hazardous to health or outright frauds. The only prospect of anything better from a spammer that I have seen was, quoting literally from their email "dun beleave me.. well.. will check and I will make myself harakiri :)" - if that spammer put a video of himself committing hara-kiri on YouTube it would likely be a number one download.
charincol
November 12th, 2006, 11:40 PM
-{ Quote: "if that spammer put a video of himself committing hara-kiri on YouTube it would likely be a number one download." }-
Where can I find this video?:o;D
spamislame
November 13th, 2006, 10:04 AM
-{ Quote: "conclusion, if we send back the spam, they are not going to mind since I believe that after a while their intention is to revamp as a good product in due course, by then we will know all about cola's." }-
I flatly disagree with what you're saying here. Pardon the length but this is not a cut-and-dried operation by any means.
a) These sites, all of them, for all of these products, have been relentlessly spammed with absolutely no means of opting out.
b) There are several people in law enforcement who feel that these sites do not even exist to sell a product, but in fact are there to steal and re-sell credit card information on the black market. I don't think I buy that since a lot of effort is made to tie a specific price, including conversion into Rubles, plus shipping cost, to each product. There also appears to be a pretty rigorous affiliate system in place. These people definitely do intend to profit from their spamming.
c) Spur-M has been verified by real pharmacists as a dangerous product which they would never recommend any patient ingest. Its ingredients are a mixture of several diuretics and hormonal enhancers which have very serious side effects if not properly monitored or prescribed by a licensed pharmacist.
d) If all these spammers wanted to do was get the Spur-M "brand" out there in the hopes of prepping for a secondary "real" brand, that would take, at most, six or seven spam runs to the average 35 million people assumed to have been spammed with these specific emails. At the time I wrote this utility, Spur-M (as only one example) had been spammed to several of my inboxes, over the course of five and a half (5.5) years! Exactly how long did they need to keep that going before suddenly unleashing this amazing "brand x" replacement?! Keep in mind that Spur-M is only one of six (or probably more) products that they routinely blast out to everyone's email address whether they want it or not.
e) Spur-M's exact chemical makeup is also present in at least three other products which these spammers blast out to the public: Vigramax, More-Size and Extra-Time. They make spurious medicinal claims in the advertising for all of these products, none of which (verifiably) are true.
I refuse to associate wholesale spamming in the amounts these malicious individuals participate with the actual, legitimate marketing attempts put behind real, verifiable products. Nobody accuses Pfizer of spamming, because they spend billions (with a "b") of dollars every single year on TV ads, radio ads, print ads, bus placards, counter talkers, probably hundreds of other legitimate advertising methods. They stand behind their product because they put several years and billions (with a "b") of dollars into the research and development of their products. They can't be held accountable for spamming because they have a real product, backed up with real research. They aren't trying to sully the market by putting an alternative brand out there (and in fact they don't allow any infringement of their patents, so there can be no "generic" viagra. Their patent has several years to go before that's even possible.) They're a real company. You can go to their offices and find out about their products, advertising, etc.
Further: Pfizer does a lot of research into how best to refine which market sees their ads. They want to hit an older demographic so they tend to advertise on TV during shows that people over the age of 40 have an affinity with. (Gilmore Girls and 60 Minutes are only two examples.) They only want those who really want to know about their product to get in touch with their pharmacists and possibly purchase it. They do not want just anybody using it given the potential health risks involved.
These spammers: they never show any real identity to anyone. They register their domains using fake identities, usually via stolen credit cards. They "advertise" fake products with either no medicinal ingredient whatsoever, or with a very dangerous mix of them as is the case here. They lie. They lie consistently. They lie about everything from the "134 bit" security their websites claim to have (they feature absolutely no security of any sort) to the testimonials for their "products" (all fake) to their claims that you can contact them about any of the products they advertise (no opt out, no contact address, and their contact forms process absolutely no incoming data and end up sending no messages to anybody.)
They "advertise" to a majority who absolutely have zero interest in their products. They don't care who gets it as long as it turns into money in their pockets (or credit card data, which they can sell.)
Also: We are not "sending back the spam." We are instead giving them a taste of slightly different medicine. They don't care who gets their ads, so we don't care that we fill their database with 100% fake information, right down to the credit card number. (Which, while of valid format, is completely unusable.) We're not sending them spam. We're sending them precisely what they asked for: orders. If we were spamming them I would merely have created a function that posted encoded data to all fields, possibly choking their databases or causing system outages. I'd have it refresh at a much faster rate so I could get as much of the encoded large-size data into their db's as possible. That's essentially what these spammers do by sending me 50 messages a day for a product I don't want. Those 50 are the attempts that make it through the filters so the number is usually quite a bit higher.
I don't buy this hypothesis. These spammers are criminals, not marketeers. There are known task forces in place to hunt them down. They care as much about marketing a real product (cola or otherwise) as I do about animal husbandry.
Sorry to run off at the mouth here, but it appears you're not familiar with the extensive criminal nature of these miscreants.
SiL
spamislame
November 14th, 2006, 10:47 AM
A new, updated version to reflect the spammer's modifications:
http://www.mytempdir.com/1059710
New affiliate id's.
Now also targets the ManXL product line.
Dynamically selects an icon to show you which product is being "ordered".
Randomly selected 6 second refresh.
Updated "what does it do?" page.
New logo thanx to Veka.
I recommend running this version as it reflects the newest id's this spammer is using. I'm writing a breakdown of this operation to be as detailed as possible and expose the affiliate company for the spammers they are. That's taking some time but this should tide you over in the meanwhile. :)
Thanx again for your support.
SiL
borat
November 15th, 2006, 07:54 AM
SiL, thanks for your very detailed answers, very appreciated. :thumb:
What I meant by the SETI / Folding question was is the tool to be used indefinitely for the foreseeable future, which you answered.
So far my count's up to c. 7,800 ;D
spamislame
November 15th, 2006, 10:33 AM
-{ Quote: "SiL, thanks for your very detailed answers, very appreciated. :thumb:
What I meant by the SETI / Folding question was is the tool to be used indefinitely for the foreseeable future, which you answered." }-
Ah. Yes. :) Glad I could assist.
-{ Quote: "So far my count's up to c. 7,800 ;D" }-
Several people are now into the tens of thousands of orders per day. I noticed my spam intake this morning was exactly two (2), and both seemed to be quite amateur. (Missing links, broken images or other broken data that would actually deliver what they were hoping to promote.)
This is the quietest it's been in ages. I'm sure it won't last of course...
Also: I have several requests in with the company GenBucks - who I believe to be behind this spam run - asking why they allow spamming when their alleged terms of service claim to have a zero-tolerance policy against it?
A thorough synopsis (as much as I could come up with based on the evidence) is available on thecarpcstore.com at the following URL:
http://thecarpcstore.com/phpbb2/viewtopic.php?t=395
I fully expect them to shrug off any accusations of spamming. GenBucks has been notoriously linked to large-scale spamming for many years.
SiL
spamislame
November 16th, 2006, 10:31 PM
I'm not sure how effective this version will be but... it couldn't hurt! :)
http://www.mytempdir.com/1065131
Adds the latest affiliate ID, "gall3". Only while I was attempting to ensure its carry-over across all products, the domain stopped responding! :) Which may mean that the site which was hijacked finally got my eighth (8th) message.
Either way: they appear to still want these orders. Let's not let them down.
Thanx!
SiL
spamislame
November 19th, 2006, 04:36 PM
I dunno about anyone else but... I haven't seen *any* spam lately for Spur-M! :)
I'd like to thank everyone for running this, and voting for it on Digg.
It's probably not over yet (and indeed I continue to see the occasional new site trickle in from folks out there) but I'd have to say this has been an extremely effective campaign against these spammers, and their affiliate program: GenBucks.
As an addendum: GenBucks remain 100% mute about all of this. Not one single response about their spamming activities, or the mass orders. I haven't seen any further complaints on their affiliate forum either, but I'm sure some fairly big questions have been raised.
As we speak a total of at LEAST 429 copies of the Spur-M-Enator(TM) are being run in the wild. (That's based solely on downloads, the actual number is probably quite a bit higher.) That must be resulting in some rather hefty daily (or hell: hourly) order numbers on the GenBucks system. :)
Thanx again, and let's not give up. GenBucks has yet to say anything about this and they owe it to us. Until they do I don't care if another 400+ people download and use this utility against them: they're spammers, plain and simple, and they don't seem to care.
SiL
Smokey
November 19th, 2006, 04:45 PM
-{ Quote: "Thanx again, and let's not give up." }-
SiL,
we have to thank you!:thumb:
And you know: i never give up the battle against spammers and other cyber-criminals;)
Paranoid2000
November 19th, 2006, 08:19 PM
-{ Quote: "SiL,
we have to thank you!:thumb:" }-Seconded - it's good to see a stop to this particular type of spam (I have received just a couple during the last week). May GenBucks and their affiliates choke on their own merchandise...
spamislame
November 21st, 2006, 10:09 AM
-{ Quote: "Warning: mysql_free_result(): supplied argument is not a valid MySQL result resource in /home/gborders/public_html/onse/process.php on line 95" }-
This is what all of the servers are showing today. :)
SiL
herbalist
November 21st, 2006, 07:45 PM
spamislame,
If you could come up with a more modular version of that tool, one where the core ordering/credit card component is basically constant but new address or site modules could be easily added, it could also be used to attack phishing sites.
Rick
Paranoid2000
November 21st, 2006, 08:18 PM
-{ Quote: "...it could also be used to attack phishing sites." }-There are some tools already for this - see the Barclays Phishing (http://thecarpcstore.com/phpbb2/viewtopic.php?t=289) thread for an example.
herbalist
November 21st, 2006, 08:48 PM
I'd like to see it turned into a Mozilla/Firefox extension. Park it on a phishing site and let it run.
Rick
spamislame
November 21st, 2006, 09:41 PM
-{ Quote: "spamislame,
If you could come up with a more modular version of that tool, one where the core ordering/credit card component is basically constant but new address or site modules could be easily added, it could also be used to attack phishing sites.
Rick" }-
Believe me that was the goal. However spammers do nice tricks like randomizing the parameter names or completely changing the order of several variables within the form. They'll do it daily. So no standardized approach is possible.
I've written several phisherators(tm) which have been extreeeemely effective against phishers. I've noticed that several others have taken them and modified them for new phishing attacks, which is good. :) The more the merrier.
Even the formfillers we have made, which are Firefox extensions, require nearly daily updates just to account for all the various modifications the spammers keep making to counter this retaliation.
Why they fail to realize that STOPPING the spamming would make all of this irrelevant is beyond me. :)
SiL
herbalist
November 21st, 2006, 11:10 PM
-{ Quote: "
Even the formfillers we have made, which are Firefox extensions..... " }-
:D ;D
Will they work with the Mozilla suite?
Rick
spamislame
November 21st, 2006, 11:25 PM
I am unsure what you mean. They work on Firefox, all versions past 1.4
http://www.thecarpcstore.com/fightspam/formfiller/
:)
For URLs to test it on, that site has a "targets" section which defines several offending spamvertised URLs and the effectiveness of these formfillers against them. An example:
formstrue.com
SiL
dallen
November 22nd, 2006, 12:21 AM
When I launch the kill.html I get one window that looks like it is generating the random form, as expected. However, I also get a blank window that has the following:
-{ Quote: "Warning: mysql_free_result(): supplied argument is not a valid MySQL result resource in /home/gborders/public_html/onse/process.php on line 95 " }-
Is this normal?
Is it working like it is supposed to work?
Why the invalid MySQL error?
Also, I like your work spamislame. My concern is that you are going to go the way of Blue Security. Are you concerned that your efforts will either result in making yourself a target, or worse, making everyone that chooses to utilize your scripts a target?
herbalist
November 22nd, 2006, 05:10 AM
-{ Quote: "My concern is that you are going to go the way of Blue Security. Are you concerned that your efforts will either result in making yourself a target, or worse, making everyone that chooses to utilize your scripts a target?" }-
It's a completely different setup than Blue Frog was. While he could well make himself a target, there's no separate application like Blue Frog or central server being used for the spammer to attack. The users' e-mail accounts/addresses aren't identified here. The spammer could possibly add malicious content to the site being attacked, effectively making it strike back, but they'd be striking actual customers as well. Other than adding malware or using some exploit on the order pages, about the worst they could do would be a DDoS attack, which is more probable for the author than the users.
-{ Quote: "I am unsure what you mean. They work on Firefox, all versions past 1.4" }-
Not using Firefox. I'm still running the Mozilla suite, 1.7.12. Some FF extensions don't work with it. Eventually I'll get around to trialling Sea Monkey, which is based on the Mozilla suite.
Rick
spamislame
November 22nd, 2006, 11:47 AM
-{ Quote: "When I launch the kill.html I get one window that looks like it is generating the random form, as expected. However, I also get a blank window that has the following:
Is this normal?
Is it working like it is supposed to work?
Why the invalid MySQL error?" }-
Their site apparently underwent some modification in the past couple days. I believe that means they are no longer processing orders the same way. It used to be completely blank (since no consumer-facing site was ever hitting it previously.)
As far as I'm concerned this probably means that they've modified in such a way as to render this type of attack useless. That's not stopping people from continuing to run the Spur-M-Enator(TM) however. :)
-{ Quote: "Also, I like your work spamislame. My concern is that you are going to go the way of Blue Security. Are you concerned that your efforts will either result in making yourself a target, or worse, making everyone that chooses to utilize your scripts a target?" }-
I was DDoS'd long before Blue Security ever was, just not to the same extent (since I'm obviously not an internationally renowned corporate entity. :) At least not yet.)
Sure I'm somewhat worried - these guys DDoS whoever they feel is an annoyance or a threat. It's sort of like a 4-year-old throwing a tantrum. Lately the only retaliation I've faced is the banning of any IP address I use to snoop around.
Having said that: I can't stress enough that if you feel at all uncertain or insecure running any of the utilities I create, I recommend possibly *not* running them. There is the very real risk of being DDoS'd yourself (which is not quite as bad if you're merely a consumer-level user of the internet, just turn your PC off.) Especially in the case of the career spammers: these are genuine criminals we're talking about here, often located in Eastern Europe, Romania, Russia, Ukraine, etc. They absolutely do not care about causing genuine harm to people. That's worth remembering.
I appreciate your thoughts. :)
SiL
spamislame
November 22nd, 2006, 11:51 AM
-{ Quote: "Not using Firefox. I'm still running the Mozilla suite, 1.7.12. Some FF extensions don't work with it. Eventually I'll get around to trialling Sea Monkey, which is based on the Mozilla suite.
Rick" }-
Ah. Well to answer that then: the formfillers are only built and tested with Firefox in mind. It's a decent standardized browser and it operates identically on Unix, MacOS and Windows. Once you start straying from that, you get into longer development cycles and the goal here is to strike quickly and efficiently. Can't necessarily do that on all browsers.
The individual retaliators (e.g.: Spur-M-Enator(TM), etc.) are written in strict JavaScript so that - again - any browser worth its salt should be able to run it with no problems. So far IE is the one problem browser (surprise.) That depends on the retaliation. IE has issues with sites that use the term "action" as a parameter (e.g.: http://[domain]/index.php?action=order). As such I have to specify to use a non-IE browser. FinestRX, Pharmacy Express and HealthSuite all use that type of setup, so it's an issue.
SiL
herbalist
November 22nd, 2006, 07:03 PM
Spur-M-Enator ran well for me. Figured I'd ask about the extensions before installing one. Many FF extensions work well in Mozilla but not all. After using the Mozilla suite, FF just doesn't feel right. I might just try one of the extensions anyway. The worst that can happen is spending 20 minutes doing a system restore.
Regarding the spammers and a potential DDOS attack, is there any reason a user couldn't just use an anonymous proxy and avoid the risk completely?
Rick
Paranoid2000
November 22nd, 2006, 08:23 PM
-{ Quote: "Regarding the spammers and a potential DDOS attack, is there any reason a user couldn't just use an anonymous proxy and avoid the risk completely?" }-Using an anonymiser like Tor is pretty much necessary since many of the sites will ban IP addresses. This does prevent the spammer from seeing your real IP address - but pay attention to the URLs you use! There are a couple (the very long ones - typically used by the ED Pharmacy/OEM Software sites) which are likely unique and possibly linked to email addresses. For these you should alter the prefixes (just change a few letters at random) to avoid any possibility of having your email Joe-Jobbed but as there is no retaliator for them, this is probably academic to most users.
If you are going to make major use of Tor though (and risk having someone else taking retaliation on your behalf), please do consider contributing back and running an exit node server (http://tor.eff.org/docs/tor-doc-server.html.en) (installing Vidalia (http://vidalia-project.net/) will make server configuration easier also). The more exit nodes Tor has, the harder it will be for a spammer (or anyone else) to completely block it.
ghodgson
November 23rd, 2006, 05:21 AM
Hi, been running Spur-M-Enator with Opera 9 without any problem. I did get the page referred to above though. [invalid SQL etc.] Forgot to turn it off though so they [hopefully] got 530 orders. How remiss of me.
G
spamislame
November 23rd, 2006, 11:47 AM
A new version again.
I'm seeing the exact same form setups represented in a few new sites for ManXL, and featuring the following two new affiliate ids:
okok
victory
As such: into the Spur-M-Enator they go.
http://www.mytempdir.com/1079074
That MySQL error does not mean the orders aren't being inserted, it means they're improperly using the PHP command for "mysql_free_result" (an insert very often has no result to free.)
Enjoy, and spread the word.
SiL
herbalist
November 24th, 2006, 03:15 AM
Your new version works with Sea Monkey.
Had a thought on this. Might be a sensible precaution to post an MD5 signature for the zip file here, just in case the spammers ever try to compromise the archive. Might not be likely but wouldn't hurt to be careful.
herbalist
November 24th, 2006, 12:06 PM
Just got a phishing e-mail for Sears card data. First I've seen in a while. Original link goes to China, then redirects to Russia. I'm getting worn out on adding fake data manually to their site. Besides the usual submission sites, anywhere I can send this to have the site attacked? This is just the kind of site I was looking for tools to go after.
original addy: hxxp://218.26.1.147/.index.html
redirects to:
hxxp://217.12.241.9/~upload/www.sears.com/index.jsp.htm
spamislame
November 24th, 2006, 03:44 PM
-{ Quote: "Just got a phishing e-mail for Sears card data. First I've seen in a while. Original link goes to China, then redirects to Russia. I'm getting worn out on adding fake data manually to their site. Besides the usual submission sites, anywhere I can send this to have the site attacked? This is just the kind of site I was looking for tools to go after.
original addy: hxxp://218.26.1.147/.index.html
redirects to:
hxxp://217.12.241.9/~upload/www.sears.com/index.jsp.htm" }-
Holy crap they're phishing for frikkin' SEARS?!?!
I've never seen that one before. Yikes.
I'll build out something; give me a few minutes to investigate. Yikes these criminals are idiots.
SiL
Smokey
November 24th, 2006, 03:48 PM
-{ Quote: "I'll build out something; give me a few minutes to investigate. Yikes these criminals are idiots.
" }-
In future you should name yourself: Spaminator;D
(Like you know, i already gave you this name as "AKA");)
spamislame
November 24th, 2006, 04:46 PM
Okay so as it happens: it's not possible to remotely attack this site. :( They can tell when a third-party script is attempting it.
But you could use the spur-m-enator(TM) to generate fake cc data and then fill in whatever you like for a username and password.
I'd report it to castlecops if I were you:
http://www.castlecops.com/pirt
That and call Sears 800 # (which the phisher site conveniently supplies)
1-800-815-7701
I can't call it cuz I'm not in the US. Their site offers no means of contacting them if you don't already have an account. The spammers chose a pretty good target. They don't appear to care about phishing at Sears. >:( Weird.
That's what I got.
I hate Phishers.
SiL
spamislame
November 24th, 2006, 04:57 PM
Oh!
I stand corrected. :)
http://rapidshare.com/files/4691958/20061124_SearsPhisherator.zip
(Looks like MyTempDir is experiencing difficulties today.)
This will post the first form (login) then wait three seconds and post a second form (cc details) then refresh after three seconds. Should be enough time to do both. The refresh settings are at the end of the scripting due to it being multi-part.
Send them phishing leads! The more they have, the more actual man-hours it takes to sift through them and verify them, and that raises the alarm at Visa, Mastercard, etc.
Thanx for this lead. Law Enforcement will be interested to see that one. Yikes.
SiL:thumb:
spamislame
November 24th, 2006, 05:36 PM
This is kinda puzzling also.
Whoever created it didn't hide the file index, and it exposed a couple of confusing files:
http://217.12.241.9/~upload/www.sears.com/locations.txt
http://217.12.241.9/~upload/www.sears.com/edu.txt
It's pretty clear that the function of this phishing attempt is to send an email to someone, as opposed to writing the captured data to a file.
As an aside: the site is apparently Romanian in origin. Its actual domain is:
http://modny.spb.ru
The phishing site can just as easily be presented using the domain:
http://modny.spb.ru/~upload/www.sears.com/index.jsp.htm
Anyway I think it's weird that they have an interest in educational sites located in the US. :)
SiL
herbalist
November 24th, 2006, 07:49 PM
That phish was definitely a bit different. I did call Sears. They asked me to forward the phish to spoof@citicorp.com. Submitted it to PIRT as well.
Your script runs quite nicely on Sea Monkey. Just in time too. I was running out of fake names to enter manually. I should copy it over to the dialup connected PC as well and make use of its floating IP.
Still getting all the plug-ins and extensions re-installed and getting used to Sea Monkey's little quirks. As much as I know I should use it (or something else that's new) in place of the old Mozilla suite, nothing I've tried runs or feels as good.
If anyone can use it, here's a plain text copy of the phish with full headers (minus my e-mail addy) (http://www.freewebs.com/herbalist1001/searsphish.txt)
-{ Quote: "Thanx for this lead. Law Enforcement will be interested to see that one." }-
Where/how would you send something like this in regards to law enforcement?
Rick
herbalist
November 25th, 2006, 04:28 AM
PIRT#102528 (http://www.castlecops.com/t172826-PIRT_102528_eBay_Sears_on_AS4837_25511.html)
According to them, there's a virus there. I don't see where this is part of that phish site? Am I just missing where it is?
-{ Quote: "VIRUS WARNING: beware virus at hxxp://217.12.241.9/~upload/poze.exe" }-
VirusTotal scan of file. (http://i138.photobucket.com/albums/q277/herbalist-rick/phishing/pozescan.gif)
On mine, F-Prot says the archive is infected but an F-Prot scan of its contents comes up clean. Is this a FP issue with RAR archives?
Rick
spamislame
November 25th, 2006, 02:29 PM
The exe file is merely a zipped archive of photos. If you run WinRAR you can just right-click on it and "extract here." It appears to be a variety of images from July of this year of a group of 20-somethings on vacation. (the girl is cute! :) )
Of slightly more interest is this:
hxxp://217.12.241.9/~upload/ws.tgz
Which is the entire php code archive for the eBay phishing attempt also located on that server in the /ws directory.
hxxp://217.12.241.9/~upload/ws/
It sends all the phished data to:
nyck@2d.com
As for where to tell law enforcement about it, if you report the phishing attack to PIRT, they automatically let law enforcement know. So does the Anti-Phishing Working Group.
If you want to submit a more detailed report you could do so directly to the FBI's ic3 group.
http://www.ic3.gov/complaint/
That's a bit more laborious but it does get the data directly to an investigator who can do something about it.
These phishers are sloppy. But so are the owners of that server, apparently.
SiL
herbalist
November 26th, 2006, 06:03 PM
Sears phish site is down.
Rick
spamislame
November 27th, 2006, 01:48 PM
-{ Quote: "Sears phish site is down.
Rick" }-
Hm.
But in its place:
hxxp://217.12.241.9/~upload/ws/data/www.mutualcu.org/
Mutual credit union. ::)
I hate phishers.
Has anybody contacted this website specifically? They don't appear to have any clue what they're doing. This appears to be an FTP hack.
SiL
spamislame
November 27th, 2006, 01:53 PM
Lots of people reporting on the recent "update" to the processing sites the Spur-M-Enator(TM) is posting to.
They now attempt to do two things to anyone posting to the site directly:
1) loop through 1000 alerts claiming "ALERT: Thanks we have downloaded your harddrive successfully" (right. Well! Thanks for that!! :D)
2) In some cases: attempt to pop 1000 new windows with yahoo.com (that part fails for me but is apparently working in some browsers.)
I did some preliminary testing and discovered that this will NOT stop the orders from going through. :) It just makes life slightly harder for the user attempting to use this utility.
With that in mind I'd like to suggest that ONLY non-IE browsers be used, since these criminals could obviously use ActiveX to install some malicious virus on a victim's PC (Firefox will usually flatly disallow such activity.)
Thanx again for helping with this retaliation. It's clearly had an effect. And I should mention: I haven't seen a single spam for Spur-M in weeks. That's gotta be hurting a spammer hard. Which is as it should be. :)
Thanx again
SiL
herbalist
November 29th, 2006, 06:27 AM
They aren't exactly trying to hide what they're doing. This one is a bit pickier about numbers as well. Not accepting random credit card numbers. What's the format for this type of card?
spamislame
November 29th, 2006, 10:29 AM
-{ Quote: "They aren't exactly trying to hide what they're doing. This one is a bit pickier about numbers as well. Not accepting random credit card numbers. What's the format for this type of card?" }-
You're talking about that phishing attempt?
I have no idea. Credit unions are pretty obscure in the first place.
The owner of that web server has extremely negligent security practices. :(
SiL
herbalist
November 29th, 2006, 05:27 PM
-{ Quote: "The owner of that web server has extremely negligent security practices." }-
I'd question if that server's owner might be more of a willing accomplice. Might be actually allowing them to use it as long as they make it appear that they hacked in. Keeps him off the hook that way.
As for the phish itself, I'll keep plugging numbers and see what I can get them to accept.
Rick
dallen
November 29th, 2006, 08:44 PM
-{ Quote: "Lots of people reporting on the recent "update" to the processing sites the Spur-M-Enator(TM) is posting to.
They now attempt to do two things to anyone posting to the site directly:
1) loop through 1000 alerts claiming "ALERT: Thanks we have downloaded your harddrive successfully" (right. Well! Thanks for that!! :D)
2) In some cases: attempt to pop 1000 new windows with yahoo.com (that part fails for me but is apparently working in some browsers.)
I did some preliminary testing and discovered that this will NOT stop the orders from going through. :) It just makes life slightly harder for the user attempting to use this utility.
With that in mind I'd like to suggest that ONLY non-IE browsers be used, since these criminals could obviously use ActiveX to install some malicious virus on a victim's PC (Firefox will usually flatly disallow such activity.)
Thanx again for helping with this retaliation. It's clearly had an effect. And I should mention: I haven't seen a single spam for Spur-M in weeks. That's gotta be hurting a spammer hard. Which is as it should be. :)
Thanx again
SiL" }-
Is there a way to block the fact that this alert is triggered?
spamislame
November 29th, 2006, 09:23 PM
-{ Quote: "Is there a way to block the fact that this alert is triggered?" }-
Unfortunately: not completely, no. Not without having access to their servers so I could edit that page. (HIGHLY unlikely.)
However: I've attempted a quick GreaseMonkey addition to see if I wrote a competing function of the same name that it would negate it. So far no go. Their page has to load completely before GreaseMonkey takes over. By that time: the alert is popped.
I did try something though, which for me appears to be working.
You can install the AdBlock plugin and just cancel any active content from running on those domains. :)
http://adblock.mozdev.org/
It kinda works!! You still have to kill the alert, which if you do it fast enough (once per order, not thousands of times) makes sure your cpu is unaffected. That's obviously more work than just letting it run in the background.
- Make sure firefox is blocking popups for that domain
- Using adblock, add the entry:
http://gborders.com/onse/*
- Run the Spur-M-Enator and watch the address bar of the target window. If the address changes: it is indeed posting.
I see the bar across the top saying "FireFox prevented this site from opening a window", and I still get the alert. My CPU is fine though. :) (I do notice the initial load is heavy on it, but after that it returns to normal.)
You only have to close one alert per order. :)
Anyway I am assuming that that means it's working. I'm keeping at it. I was still doing a few dozen per day just to see what else changed.
Hope this helps. (Somewhat)
SiL:thumb:
Devinco
November 29th, 2006, 10:26 PM
Would some kind of Proxomitron filter work?
This would limit the size of the pool of volunteers, but it might be useful to isolate the script that calls the alerts.
spamislame
November 30th, 2006, 04:53 PM
Does Proxomitron allow the filtering of specific lines of javascript? :o
SiL
Devinco
November 30th, 2006, 05:46 PM
Yes, I think it does.
There are a lot of excellent filters available that permit very granular control.
New custom filters can also be created. It is capable of rewriting the entire HTML page on the fly.
I don't know very much about the details, but I think it may be worth looking into for this purpose.
I know member (and Security Expert) Kye-U has created an excellent set of Proxomitron filters.
It is a powerful local web filtering proxy.
Devinco
November 30th, 2006, 10:44 PM
Paranoid2000,
Do you think Proxomitron would be useful for this purpose?
If not one of the premade filters by Kye-U or others, then perhaps a custom filter?
spamislame
December 1st, 2006, 12:02 PM
If you run it, try these (I can't install it where I work. Not allowed.)
A filter for:
window.onload = f**kup ;
(That keeps getting modified by profanity filters on this site. Replace the asterisks. I think you know what it says :))
And another for:
alert("ALERT: Thanks we have downloaded your harddrive successfully")
Let me know if that works. :)
SiL
Paranoid2000
December 1st, 2006, 10:32 PM
-{ Quote: "Do you think Proxomitron would be useful for this purpose?
If not one of the premade filters by Kye-U or others, then perhaps a custom filter?" }-Proxomitron can certainly prevent this (the Disable Scripts filter being the specific one which kills Javascript except for exempted sites) as can any other filter tackling Javascript (Firefox's NoScript extension should be able to manage it as should any personal firewall offering web filtering).
Really, anyone seeing these popups should take this as a wake-up call. Allowing Javascript by default is dangerous nowadays - block it except for sites you trust.
BTW, I'm still running this though not as much as previously. I've been receiving so many "pre-approved finance offers" that I'm now busy filling in all the forms with the intention of collecting enough finance to buy out the Federal Reserve... ;D
Devinco
December 1st, 2006, 10:44 PM
-{ Quote: "Proxomitron can certainly prevent this (the Disable Scripts filter being the specific one which kills Javascript except for exempted sites) as can any other filter tackling Javascript (Firefox's NoScript extension should be able to manage it as should any personal firewall offering web filtering).
Really, anyone seeing these popups should take this as a wake-up call. Allowing Javascript by default is dangerous nowadays - block it except for sites you trust." }-
Thanks Paranoid2000.
So for this purpose (Spur-M-Enator), one would not even need Proxomitron?
Just set Firefox NoScript extension to allow scripts from localhost (so Spur-M-Enator works) and block from everywhere else?
It will still work?
Paranoid2000
December 2nd, 2006, 12:15 AM
That should work - as should just disabling scripts for gborders.com only for those preferring convenience over security.
Devinco
December 2nd, 2006, 12:57 AM
-{ Quote: "That should work - as should just disabling scripts for gborders.com only for those preferring convenience over security." }-
Excellent, then we can all continue. Thank you.
-{ Quote: "BTW, I'm still running this though not as much as previously. I've been receiving so many "pre-approved finance offers" that I'm now busy filling in all the forms with the intention of collecting enough finance to buy out the Federal Reserve... ;D" }-
LOL, well hurry up, it's running out fast! ;D
Paranoid2000
December 2nd, 2006, 01:33 AM
Well, I'm now on GenBucks' 403 Forbidden - We're Not Sending You a Card This Christmas list. :) Their threshold is pretty high since I must have sent over 20,000 orders in total - but now I'm running Spur-M-Enator through Tor (had to slow it down to one order every 25-35 seconds though).
Escalader
December 2nd, 2006, 07:26 AM
Hello Again Herb and Devinco et al:
I am back from eye surgery cataract lens works very well! Now must do other eye since looking through it alone shows me a world as if you are looking through a bucket of p..s, whoops I mean apple juice!
Now to questions on this new exciting spam retaliation tool (sorry to be a Johnny-come-lately)
Why do this at all? Aren't we becoming a spammer ourselves?
It seems a commercial opportunity for someone to do what you guys are doing individually?
Aren't you putting your own PC's at risk by doing it?
Why not just have strong spam filters and forget it?
If I wanted to join your crusade what do I need?
I understand it would be best to use Firefox; I have 2.0?
What add-ons and filters do I need to guard my PC?
Can I run all night or do I have to sit and respond to messages?
How do I know what I have achieved if I join in?
Paranoid2000
December 2nd, 2006, 08:08 AM
-{ Quote: "Why do this at all? Aren't we becoming a spammer ourselves?" }-
Spam = Unsolicited. Response to spam = Solicited. Aside from that, please read the beginning of this thread for a list of reasons.
-{ Quote: "It seems a commercial opportunity for someone to do what you guys are doing individually?" }-
Only for a company prepared to withstand massive DDoS attacks - read up on Blue Security (http://en.wikipedia.org/wiki/Blue_security).
-{ Quote: "Aren't you putting your own PC's at risk by doing it?" }-
Potentially yes - hence the need to use a non-IE browser and web filtering.
-{ Quote: "Why not just have strong spam filters and forget it?" }-
Filters don't discourage spam - spammers just try to devise means to work around them (misspelling, using images instead of text, garbage text to poison Bayesian filters, etc). Since spam is ever increasing, at some point you will end up with 1,000 or more spam for every legitimate email and very few filters are then going to be able to cope satisfactorily with that.
-{ Quote: "If I wanted to join your crusade what do I need?" }-
A browser, a mouse, some patience and determination to start with. Then the ability to change IP addresses (easily done with dialup but otherwise you should consider installing and using Tor - see above). Basic Javascript knowledge comes in handy if you wish to customise some of the retaliators (e.g. to specify different sites or change the submission rate).
-{ Quote: "I understand it would be best to use Firefox; I have 2.0?" }-
The version used isn't going to make a great deal of difference.
-{ Quote: "What add-ons and filters do I need to guard my PC?" }-
Discussed above.
-{ Quote: "Can I run all night or do I have to sit and respond to messages?" }-
Depends on the retaliator - the FormFillers can often be left on automatic as can this Spur-M-Enator. Most of the other order submission tools require some copy-paste work (though this can be automated with the right tools).
-{ Quote: "How do I know what I have achieved if I join in?" }-
Symptoms of success: The spam site starts blocking your IP address (you either get a "Forbidden" or "Not Found" message as seems to be the case with this site - in other cases a fake error message like "Bank reports: Your card cannot be authorized." may be given); The site changes to try to make things harder like the 1,000 popups this site tries to launch. Other examples have included the addition of CAPTCHA images to make orders harder (Pharmacy Express - this didn't last long presumably since their "real" customers were probably having more difficulties with them than the retaliators were); The most important - a reduction in spam for the site concerned.
phasechange
December 2nd, 2006, 09:11 AM
Does this tool work against these scum (who doubtless are not qualified to work as Pharmacists in the UK):
spamislame
December 2nd, 2006, 10:13 AM
Hey there
-{ Quote: "Why do this at all? Aren't we becoming a spammer ourselves?" }-
It is precisely this kind of attitude that I have become so sick of hearing.
I for one am all for "stooping to their level" if it actually means they'll finally stop sending me this crap. Literally nothing else works. And I flatly reject any response to that statement that says either "Just delete it" or "spam filters are pretty good these days." Those are not stopping the spam.
My first retaliation of this type began almost two years ago, and it worked. Not just for me, for several dozen people. At the time it was refi spammers with servers located in Brazil. I was receiving 200 per day to my main account. It was ridiculous. I retaliated using a custom javascript form posting tool and sent them several hundred thousand leads. The spam stopped immediately.
This works. I am sick of people saying that we're "as bad as" the spammers. I'm nowhere near as bad as the spammers we're going after. I don't attempt to profit by this abuse. (which they do.) I don't deal in side gigs like child porn while building these tools (which they do). I also don't run this against servers I don't believe have asked me to come to them to place these orders (they spam anyone whether they want it or not.)
I also care that these products are part of a rampant illegal operation and represent a genuine health risk to the public. They clearly do not.
Most importantly: I never lie about any facet of my retaliation tools. I tell everyone up front precisely what it does, and I don't hide my code (though that last part will likely change.) I also describe in detail what the desired effect of these tools would be (costing spammers money.) I outline the risks involved and that the choice to run these tools is entirely up to the user.
In stark contrast: spammers lie constantly!! They claim they're "supported by the BBB", or that they offer secure credit card processing, or even that the drugs they are selling you are legal even though no prescription is required. They lie with every word they put on their servers and they know it. Then when you complain to them, they lie and say that "we don't spam."
I'm nowhere near the depths of these criminals. I'm merely fighting back in a few very simple ways in the hopes that spamming costs them money. It appears to be working.
-{ Quote: "It seems a commercial opportunity for someone to do what you guys are doing individually?" }-
I completely disagree. Anytime anyone has attempted to monetize this kind of product, it ends up with massive bad publicity and a lot of naysaying from the press in general. ("We're stooping to their level, that is wrong, don't waste your money on this antisocial endeavour", etc....) Witness the make love not spam program from Lycos. And, sadly, Blue Security. Believe me if I could make this my fulltime job and actually make a living from it: I'd do it. Not one single company out there would ever support this. (I've asked, trust me.)
-{ Quote: "Aren't you putting your own PC's at risk by doing it?" }-
Yes, and in my case: gladly. This is partly why I recommend TOR and the like. I've had my home pc DDOS'd in retaliation to these retaliations. Beyond that I have never suffered any kind of trojan, backdoor or infection. I think for that to remain the case, we all need to be educated about how to secure our systems.
-{ Quote: "Why not just have strong spam filters and forget it?" }-
(There's that phrase again, "just use filters"... :) )
I already do. And I don't buy that as a response to spammers. I read an article recently about different approaches to fighting spam and the author made the statement that using filters is a bit like trying to put your arm over your face when a bully is continually punching you there. It stops your face from getting hit occasionally, but it doesn't stop the punching. My servers get "punched in the face" some 2000 times per hour, every day, for months. It's not stopping. The only thing that slows the punching down is punching back. Why everyone is so afraid to face that reality is beyond me. I've noticed over the last few years that it doesn't even take very many people to launch an effective retaliation, but more certainly makes it effective more quickly.
Also: everyone seems to blatantly ignore that the people behind these messages are outright criminals. In many cases they already have international summary judgements against them and have avoided capture and arrest for at least the past three years. I dunno about you but when it's a known, proven fact that 92% of the email coming to me every single day, filtered or otherwise, is from a gang of criminals, I tend to really dislike that.
-{ Quote: "If I wanted to join your crusade what do I need?" }-
It's not merely my crusade. In the case of my retaliatory tools: you need FireFox, TOR, and a deep hatred of these spammers.
-{ Quote: "I understand it would be best to use Firefox I have 2.0?" }-
2.0 is awesome. :) Any version will do. But again: that's only for my tools. There are dozens of others out there. It depends how nerdy you want to get about the fight against these miscreants.
-{ Quote: "What add-ons and filters do I need to guard my PC?" }-
If you're not already running a decent firewall and antivirus: do so. And I mean something decent like AVG, not something that merely claims to be like McAfee or Symantec. I've seen both of those completely ignore well-known viruses, or better yet: identify them but claim they can't do anything about it. AVG and ClamAV are both much, much better products in my opinion.
It's worth looking into some of the extensions available for FireFox also. Greasemonkey is awesome. So is Adblock. There are thousands. Worth digging into.
-{ Quote: "Can I run all night or do I have to sit and respond to messages?" }-
In the case of the stuff I write, I attempt to automate it as much as possible. It's not always possible to automate every step (notice this in the Pharmacy Expressorator.) As to how long to run it: I leave that up to you. In fact I leave the *choice* of running these things up to you. I merely wrote them because I was fed up. Once I sent them out into the world it became clear that I was certainly not the only one. I'm certainly not demanding that anyone run them. It's an option. In my opinion it's a much better option than merely filtering these messages.
-{ Quote: "How do I know what I have achieved if I join in?" }-
The proof I tend to see that it's been effective has varied. Generally I tend to see:
- Either a slowing or a complete stop of the spam in question. In the case of the Spur-M spam: since I launched this tool I haven't seen one single message promoting Spur-M in the past two or more weeks. That's definitely a sign.
- Editing or manipulation of the forms in question. This indicates that they want things to go back to normal. I've seen everything from static renaming of fields, to the inclusion of new extra fields, to dynamic, randomized naming of first and last name fields (almost all of the refi spam websites use that one.) Sometimes they add a captcha, which is usually pathetically easy to get around. That's usually a sign that these are definitely costing them extra time and money.
- Lastly, if you're as nerdy about this as I am, I investigate spammer forums. bulkerforum.biz is pretty stringent about signing up now because of infiltrations by people like me. They don't want anyone monitoring their conversations and they move that site around on an almost weekly basis. It's always hosted on a hijacked server, never on one they own. I've seen complaints about the mass ordering I participate in. They refer to us as "antis" like that's some kind of brand name. An annoyance. In all cases where I've written a specific, customized retaliation, its effects have been talked about on that and other forums. It definitely is hitting them where it hurts (their idiot wallets.)
Sorry to babble. You raised questions I keep seeing over and over again. I think the time for sticking our head in the sand and relying on either filters or (pathetically) the delete key is past me. I'm sick of these assholes and I am not going to take it anymore. I don't think anybody else should either, but I can only take responsibility for my own actions.
Thanx (and again apologies for length.)
SiL:thumb:
P.S. I hope your eyes are alright.
spamislame
December 2nd, 2006, 10:15 AM
-{ Quote: "Does this tool work against these scum (who doubtless are not qualified to work as Pharmacists in the UK):
http://ossian.myby.co.uk/scum.png" }-
No but I am working on one. That's the Discount Pharmacy outfit, another one believed to be related to Leo Kuvayev.
You'll notice that they don't even want you to know the real location of that site. It presents framesets using heavily obfuscated javascript.
I have a semi-working GreaseMonkey script which is not complete yet. Believe me, I'll let you know when it's working.
Interesting side note: you tend to see one of those for every 8-10 stock spams featuring attached gifs. Same group is sending both, without fail.
Additionally: I've received several 419 or date scam emails with reply addresses based at their Discount Pharmacy or Pharma Shop domains. So they're diverse criminals. :)
SiL
Paranoid2000
December 2nd, 2006, 10:20 AM
Isn't Discount Pharmacy covered here (http://thecarpcstore.com/phpbb2/viewtopic.php?t=119&start=15)?
spamislame
December 2nd, 2006, 10:25 AM
-{ Quote: "That should work - as should just disabling scripts for gborders.com only for those preferring convenience over security." }-
I would just like to report back that NoScript DOES indeed work with this utility.
Also: I no longer see that mysql_free_result error, which means that the javascript they put in place may have inhibited posting.
https://addons.mozilla.org/firefox/722/
By default it is inhibited. But you will have to enable the local file to run javascript.
Nice! :D
Thanx Para
SiL
Paranoid2000
December 3rd, 2006, 02:37 AM
-{ Quote: "Thanx Para" }-Glad to help out a little - keep up the good work. :thumb:
Redmind
December 3rd, 2006, 11:43 PM
I very much appreciate what you are doing.
The Pharmacy Express spammers are using my domain name as the From
address in their spams. I get thousands of bounces a day. I run a business and cannot have these criminals filling my mailbox space, and making it look like my company is spamming.
I and my company will support you in any way you need.
-{ Quote: "
. . .
It's not merely my crusade. In the case of my retaliatory tools: you need FireFox, TOR, and a deep hatred of these spammers.
. . .
P.S. I hope your eyes are alright." }-
Paranoid2000
December 4th, 2006, 02:49 AM
-{ Quote: "The Pharmacy Express spammers are using my domain name as the From address in their spams." }-The CastleCops thread So, how are we going to deal with these joe-jobs? (http://castlecops.com/t155627-So_how_are_we_going_to_deal_with_these_joe_jobs.html) has some useful tips for this. The best advice is to forward all such misdirected bounces to SpamCop (http://www.spamcop.net/) - I include the following note:
Spam (with forged sender address) bounced to third party (see http://spamlinks.net/prevent-secure-backscatter-fake.htm http://www.spamcop.net/fom-serve/cache/329.html#bounces and http://www.spamhaus.org/faq/answers.lasso?section=ISP%20Spam%20Issues#109 ) - actual source was xxx
If you are receiving a lot of these, you obviously won't have time to identify the real source (it requires manual analysis), so just omit the last part. However, by reporting to SpamCop you increase the likelihood of the mail servers being added to their blocklist - and it seems that that is the only thing which gets many mailserver administrators to actually fix the problem.
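Alongside the bounce-reporting advice above, an added example (not code from this thread or any of its posters) that triages such bounces: it recognises a DSN, treats it as backscatter when the bounced original claims our domain but never passed through our own mail hosts, extracts the first-hop host and IP for the "actual source was" clause, and assembles the note quoted above. OUR_DOMAIN, OUR_MAIL_HOSTS and the sample bounce are assumed or constructed values.

```python
"""Backscatter triage for a joe-jobbed domain: spot a bounce, check whether the
bounced original ever left our own mail servers, and recover the first-hop host/IP
for the "actual source was ..." clause of the SpamCop note quoted above.
Added example for this thread, not any poster's code; OUR_DOMAIN and
OUR_MAIL_HOSTS are assumed values and SAMPLE_BOUNCE is constructed."""
import email
import re
from email import policy

OUR_DOMAIN = "example.com"             # assumed: the domain being forged as sender
OUR_MAIL_HOSTS = {"mail.example.com"}  # assumed: hosts that legitimately relay our mail
BRACKETED_IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
BOUNCE_WORDS = ("undeliver", "delivery status", "returned mail", "failure notice")
SPAMCOP_NOTE = ("Spam (with forged sender address) bounced to third party (see "
                "http://spamlinks.net/prevent-secure-backscatter-fake.htm "
                "http://www.spamcop.net/fom-serve/cache/329.html#bounces and "
                "http://www.spamhaus.org/faq/answers.lasso?section=ISP%20Spam%20Issues#109 )")


def is_bounce(msg):
    """True if msg looks like a delivery status notification."""
    report_type = str(msg.get_param("report-type", "")).lower()
    if msg.get_content_type() == "multipart/report" and report_type == "delivery-status":
        return True
    sender = (msg.get("From") or "").lower()
    subject = (msg.get("Subject") or "").lower()
    return sender.startswith("mailer-daemon") or any(w in subject for w in BOUNCE_WORDS)


def original_message(bounce):
    """Return the copy of the original message embedded in the DSN, or None."""
    for part in bounce.walk():
        ctype = part.get_content_type()
        if ctype == "message/rfc822" and part.get_payload():
            return part.get_payload()[0]
        if ctype == "text/rfc822-headers":  # headers only, enough for source tracing
            return email.message_from_string(part.get_content(), policy=policy.default)
    return None


def passed_through_us(original):
    """True if some Received hop was added ("by") one of our own mail hosts."""
    for hop in original.get_all("Received", []):
        m = re.search(r"\bby\s+(\S+)", str(hop))
        if m and m.group(1).strip("()[];,").lower() in OUR_MAIL_HOSTS:
            return True
    return False


def first_hop(original):
    """(host, ip) from the oldest Received header (headers are prepended, so the
    last one is where the mail entered the mail system). Caveat: spammers can forge
    early Received lines, so treat this as a lead for the report, not proof."""
    hops = original.get_all("Received", [])
    if not hops:
        return None
    oldest = str(hops[-1])
    m = re.match(r"\s*from\s+(\S+)", oldest)
    host = m.group(1).strip("()[];,").lower() if m else None
    ip = BRACKETED_IPV4.search(oldest)
    return (host, ip.group(1) if ip else None)


def classify(raw):
    """Parse a raw message; say whether it is backscatter aimed at our domain."""
    msg = email.message_from_string(raw, policy=policy.default)
    if not is_bounce(msg):
        return {"bounce": False, "backscatter": False, "source": None}
    orig = original_message(msg)
    if orig is None:  # DSN without the original: cannot tell who really sent it
        return {"bounce": True, "backscatter": None, "source": None}
    forged_sender = OUR_DOMAIN in (orig.get("From") or "").lower()
    # Bounce of mail "from" our domain that never touched our servers = forged sender.
    backscatter = forged_sender and not passed_through_us(orig)
    return {"bounce": True, "backscatter": backscatter,
            "source": first_hop(orig) if backscatter else None}


def spamcop_note(result):
    """The note from the thread; the source clause is left off when unknown."""
    host, ip = result["source"] or (None, None)
    origin = ip or host
    return SPAMCOP_NOTE + (f" - actual source was {origin}" if origin else "")


# Constructed sample: a DSN from a third party's MX carrying spam that forged
# sales@example.com and was injected from 203.0.113.45 (documentation range).
SAMPLE_BOUNCE = """\
From: MAILER-DAEMON@mx.victim.example
To: sales@example.com
Subject: Undelivered Mail Returned to Sender
Content-Type: multipart/report; report-type=delivery-status; boundary="B1"

--B1
Content-Type: message/rfc822

Received: from mx.victim.example by store.victim.example; Mon, 4 Dec 2006 02:00:01 +0000
Received: from unknown (HELO example.com) [203.0.113.45] by mx.victim.example; Mon, 4 Dec 2006 02:00:00 +0000
From: "Pharmacy Express" <sales@example.com>
To: nobody@victim.example
Subject: your order

buy now
--B1--
"""
```

Running `classify(SAMPLE_BOUNCE)` flags the sample as backscatter with source `("unknown", "203.0.113.45")`; if a Received line showed the mail was relayed `by mail.example.com`, it would be treated as a genuine bounce of our own mail instead.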
spamislame
December 4th, 2006, 10:22 AM
New Spur-M-Enator(TM)
Newest version with several modifications. Before downloading and running I would recommend reading this first:
1: They definitely don't want us running this despite spamming us on a daily basis for these products, so they continue to use a javascript retaliation on their page output.
2: To get around this, I recommend running this ONLY in Firefox, and ONLY while also running the NoScript extension:
https://addons.mozilla.org/firefox/722/
Install that while in FireFox, restart FireFox, then load the kill.html file. You'll notice that it says it's prohibiting JavaScript. Click on the "Options..." button and select the "Allow file:\\" item. Then reload.
The window that pops will also be prohibiting JavaScript. We want that. :)
If you ever see anything but a blank screen on the popped / ordering window, that means they've modified something else. Please report that here if so.
Here are all the mirror download links:
http://www.mytempdir.com/1098424
http://www.mytempdir.com/1098430
http://www.mytempdir.com/1098432
http://www.mytempdir.com/1098433
http://www.mytempdir.com/1098438
http://www.mytempdir.com/1098440
http://www.mytempdir.com/1098443
http://www.mytempdir.com/1098447
http://www.mytempdir.com/1098448
I also noticed something else that's interesting:
Warning: session_start(): Cannot send session cookie - headers already sent by (output started at /home/database/public_html/onse/process.php:4) in /home/database/public_html/onse/redalgo/redalgo.php on line 76
Warning: session_start(): Cannot send session cache limiter - headers already sent (output started at /home/database/public_html/onse/process.php:4) in /home/database/public_html/onse/redalgo/redalgo.php on line 76
Warning: mysql_free_result(): supplied argument is not a valid MySQL result resource in /home/database/public_html/onse/process.php on line 341
That's what appears when we attempt to order a product while using an incorrect product name. That never used to happen before. This tells us two things. 1) They are definitely tied directly to GenBucks, because there are several forum postings all over the internet (many in Russian specifically) recommending the use of that "redalgo" script for session tracking. 2) They are now being very specific about order IDs, something they weren't doing previously.
This current version is targeting the affiliate id "theman" which started being used immediately after the first Spur-M retaliation. Same spammer. New ID. Same products.
Enjoy, and spread the word.
SiL:thumb:
dallen
December 4th, 2006, 11:23 AM
spamislame,
I like what you are doing, but I had stopped using your tool because I could not get it to work properly. However, since your most recent post outlining the proper instructions, I have started running it again. Keep up the good work!!!
One word of caution that I'm sure you're well aware of. The "bad guys" usually tend to stay a step ahead of the "good guys." That is evident in the fact that you've entered the sort of cat and mouse game of defeating their countermeasures. It seems the usual war has begun.
My concern is that they are going to find an effective way of filtering the bogus orders that your tool generates from the legitimate ones and do it in a way that keeps you from realizing that it is being done. For example, couldn’t they simply accept orders from clients that allow scripting? (Keep in mind that I’m not as educated on this stuff as you are, so my specific question should be interpreted more broadly to include other possible means of filtering)
spamislame
December 4th, 2006, 05:45 PM
First: thanx for your kind words. :) I love this stuff.
I am well aware that they attempt to counter this and as if I needed proof, today I suddenly saw two email messages arrive in my gmails spam folder with three urls, one each for HerbalKing, Vigramax and Wonderspurm (formerly Wondercum.)
Obviously they're seeing the new orders come in. Which is fine. That's the desired effect.
The fact that I discovered this particular exploit of their db servers means that they will be very careful in their future site setups. The only reason I was even able to discover the gborders.com domain (etc.) was due to them abusing a hijacked public server (they don't own any of the servers these are hosted on) which had not yet had PHP configured. It exposed all their script code which showed me where the orders actually get posted. That is unlikely to happen again anytime soon.
In the meantime I have built numerous other retaliators which I maintain over time. So has a guy named Karlston on thecarpcstore site. He's gone as far as creating actual firefox extensions which work like a hot-damn.
Fact is: I fully expect them to attempt to stop accepting based on referring url (all the My Canadian Pharmacy sites do that now. They sure didn't used to. :) ) But the good news is that in the meantime: every order we send them is costing them money. So I say: send as many as possible. The whole reason spammers continue to do this is that it allegedly "costs them nothing." I want that part to change. They don't.
Babbling again.
Thanx
SiL
dallen
December 5th, 2006, 12:57 AM
Just wanted to let you know that since you've developed and released your tools here on Wilders, I've done around 50,000 orders (approximately). I am posting a screenshot of my count since last reboot (I'm going to update the image occasionally to reflect the current status). I want to see how many orders I can rack up if I let it run for a few days.
Paranoid2000
December 5th, 2006, 01:58 AM
-{ Quote: "Just wanted to let you know that since you've developed and released your tools here on Wilders, I've done around 50,000 orders (approximately)." }-Looks like your postman is going to be kept pretty busy with all those packages. ;D
However for security reasons, I would recommend that those using retaliators like this don't provide any personal details or any information that could link back to an email address (including personal domains or websites). It is quite possible for the spammers to view this thread and do research to find targets of their own.
As long as retaliators remain "one in a crowd" though, there should be little to fear.
dallen
December 5th, 2006, 03:20 AM
Thank you Paranoid2000. You have earned your name and I have changed my ways.:thumb:
http://img206.imageshack.us/img206/2240/countbu0.jpg
herbalist
December 5th, 2006, 07:09 AM
Want another target? How about one for Fifth Third Bank?
"Fifth Third Bank reminder: account secure confirmation procedure"
hxxp://www.53.com.bankingportal.id63783784580.aslosinsite.jp/sbcbconfirm
spamislame
December 5th, 2006, 12:56 PM
-{ Quote: "Looks like your postman is going to be kept pretty busy with all those packages. ;D" }-
Hey: they wanted us to shop even more for the Xmas season. We're just giving them EXACTLY what they asked for. :)
Nice work!
SiL:thumb:
dallen
December 5th, 2006, 03:47 PM
I am also running through TOR now. I like TOR, but I do not think it is fast enough to use for every day surfing. However, it is perfect for this application.
spamislame
December 7th, 2006, 01:48 PM
Latest edition, mirrored:
http://www.mytempdir.com/1103967
http://www.mytempdir.com/1103969
http://www.mytempdir.com/1103971
http://www.mytempdir.com/1103972
http://www.mytempdir.com/1103973
There ya go.
New affiliate id "bb" is reflected on all products (not giving up on "theman" though.)
New order id types for the manxl product type.
I am noticing that gborders now disallows me from loading that page. I'm wondering if that is their most recent modification. :)
If so this may be the end of the line for this specific retaliation. Lemme know.
I hate this asshole so much! I'm sure all of you do too.
Thanx again people.
SiL
herbalist
December 7th, 2006, 06:09 PM
Your newest ones run fine on Sea Monkey with Proxomitron. Most of them reply with the download hard drive popup now.
Using version D:
At hxxp://4yz.com/
Warning: session_start(): Cannot send session cookie - headers already sent by (output started at /home/database/public_html/onse/process.php:4) in /home/database/public_html/onse/redalgo/redalgo.php on line 76
Warning: session_start(): Cannot send session cache limiter - headers already sent (output started at /home/database/public_html/onse/process.php:4) in /home/database/public_html/onse/redalgo/redalgo.php on line 76
Warning: mysql_free_result(): supplied argument is not a valid MySQL result resource in /home/database/public_html/onse/process.php on line 341
At hxxp://database3.com/
Half the time, window is empty. Half the time contains:
Warning: session_start(): Cannot send session cookie - headers already sent by (output started at /home/database/public_html/onse/process.php:4) in /home/database/public_html/onse/redalgo/redalgo.php on line 76
Warning: session_start(): Cannot send session cache limiter - headers already sent (output started at /home/database/public_html/onse/process.php:4) in /home/database/public_html/onse/redalgo/redalgo.php on line 76
Warning: mysql_free_result(): supplied argument is not a valid MySQL result resource in /home/database/public_html/onse/process.php on line 341
At hxxp://gborders.com/
Windows usually empty. Occasionally:
Warning: mysql_free_result(): supplied argument is not a valid MySQL result resource in /home/gborders/public_html/onse/process.php on line 345
Rick
herbalist
December 7th, 2006, 06:34 PM
Using Version B and C, the opened windows is usually empty. Occasionally it contains the same text as above but far less often. Version A contains the same messages, more often than with B or C.
To anyone using these scripts and running SSM. The window filter module of SSM can be used to close those "we've downloaded your hard drive" popups. Just open to modules, then window filters. When the popup is visible on your desk, select it from the window list and add it to the filter list. At present, there are 2 different ones, only the site name on the title bar changes.
Rick
EASTER.2010
December 8th, 2006, 12:39 AM
-{ Quote: "To anyone using these scripts and running SSM. The window filter module of SSM can be used to close those "we've downloaded your hard drive" popups. Just open to modules, then window filters. When the popup is visible on your desk, select it from the window list and add it to the filter list. At present, there are 2 different ones, only the site name on the title bar changes.
Rick" }-
I'm another one of those. Glad for the Window Filter. I usually don't bother to enable that feature but in this case comes in handy. Thanks.
spamislame
December 9th, 2006, 05:41 PM
-{ Quote: "Using Version B and C, the opened windows is usually empty. Occasionally it contains the same text as above but far less often. Version A contains the same messages, more often than with B or C." }-
I guess I was not clear: all versions listed are identical. There is no difference between them. I only named them differently so I could have multiple downloads from mytempdir (since they are suddenly a lot more flaky lately.)
It won't matter which one you download: they're identical. Any randomly different results probably has to do with which server you're hitting, which is randomly selected.
Thought that was certainly worth mentioning.
They've begun banning ip's :) If you use TOR, you'll notice that once in a while you get a permission denied page. Just switch identities. It should alleviate this issue.
I'm seeing a few new sites being spamvertised but they last so short a time I haven't been able to investigate so I could add them to this tool. Life must be getting more difficult for these idiot spammers. One can only hope.
Thanx
SiL
herbalist
December 9th, 2006, 06:45 PM
All the same? Interesting that when running "D", I got those messages far more often than with the others, on several runs with each.
So far, my regular unit is not blocked, and the dialup unit definitely isn't. Packaged the way they are, your scripts work well in my task scheduler.
I haven't had any success with TOR. Not sure if the problem is TOR or Vidalia, but when I use Vidalia to start TOR, my system resources get depleted to nothing in a matter of seconds, even with everything but the essentials shut off.
Rick
Paranoid2000
December 10th, 2006, 10:09 AM
-{ Quote: "...but when I use Vidalia to start TOR, my system resources get depleted to nothing in a matter of seconds, even with everything but the essentials shut off." }-I see very high CPU utilisation by Tor when started with Vidalia - possibly due to Vidalia collecting the router information it needs for its network map.
However there is a new FormFiller retaliator available now for one of the longest-running spammers, MyCanadianPharmacy/InternationalLegalRX, which runs as a FormFiller extension in Firefox (GreaseMonkey required, NoScript and User Agent Switcher extensions strongly recommended along with Tor - this won't work with Proxomitron's filters). See the Pharma KS FormFiller (http://thecarpcstore.com/phpbb2/viewtopic.php?t=459) thread for more details and instructions. It does require more attention (you may need to reload a page if you receive a 404/503 error) but otherwise provides an easy method for dealing with one of the worst spammers.
herbalist
December 10th, 2006, 12:49 PM
I get a high CPU usage initially, but it levels off after a bit. Ends up at 75% unused after a while. It's the available system resources that get pounded on mine. I just tried it again, shutting down everything else except SSM and the firewall. Started at 80% free resources. After about 90 seconds, I was down to 12% and had to shut TOR down. I didn't try to actually use TOR. Just started it up with Vidalia. My 98 box doesn't make it easy to see which one is using it up. I'm pretty much resigned to not being able to use TOR.
Rick
dallen
December 10th, 2006, 03:09 PM
I just realized that I made a mistake in post #96 of this thread. Since I started hosting the images with Image Shack, I just realized that I do not have the same control over the file name that I'm used to. If a moderator would be so kind as to remove that post of mine that would help clean up my mistake.
At any rate, this is what I wanted to show:
http://img482.imageshack.us/img482/2985/countsk6.jpg
dallen
December 13th, 2006, 02:30 AM
This is the last update, I promise. I think the point is made that I am doing my part to combat the evil spammers.
http://img137.imageshack.us/img137/3320/countwo9.jpg
spamislame
December 13th, 2006, 09:27 AM
Well they certainly aren't stopping anytime soon are they? They just switch affiliate id's. Today's is "xproject" (oooo... mysteeeeeerious. Bunch of idiots.)
So here ya go:
http://www.mytempdir.com/1113475
http://www.mytempdir.com/1113477
http://www.mytempdir.com/1113480
http://www.mytempdir.com/1113481
http://www.mytempdir.com/1113484
http://www.mytempdir.com/1113487
http://www.mytempdir.com/1113488
http://www.mytempdir.com/1113489
http://www.mytempdir.com/1113492
All are identical, I just post it several times due to the on again / off again nature of mytempdir.
Again: use FireFox, and make sure you have the NoScript extension. (Read the "whatitdoes.html" file.)
Thanx
SiL:thumb:
herbalist
December 13th, 2006, 06:16 PM
Works good on Sea Monkey with Proxomitron again. Haven't seen any of the previous error messages with this version. Does that "we've downloaded your hard drive" message pop up for real customers too? SSM still closes that popup nicely.
What is the justincaserator.html file for?
Rick
spamislame
December 14th, 2006, 09:40 PM
-{ Quote: "What is the justincaserator.html file for?" }-
It's a verification piece I wrote. One affiliate = one product = one site. Had to verify because they change affiliates every so often and I wanted to make sure I had the right number of each item.
Thanx
SiL
Andysan73
December 26th, 2006, 12:13 PM
Hello guys, a great site and topic. I am totally fed up, over 100+ spam emails now for viagra, fake watches and Africans asking for their head kicking in.
I have tried and used your spurminator, but my question is this: I use osk and mail. When I get a spam email, ~Unnecessary comment removed - Ron~ how do I get the spurminator to attack them back?
How do I find out the information I need?
And how do I alter the spurminator to get back at these bastards?
cheers.
Andy "balls as big as buckets" san.
Red Dwarf
January 1st, 2007, 05:47 PM
Newest versions of the hands-off fully automated retaliators for 2007
US Drugs or American Pharmacy
AutoAP (http://www.mytempdir.com/1144741)
My Canadian Pharmacy
AutoCAN (http://www.mytempdir.com/1144745)
International Legal RX
AutoIRX (http://www.mytempdir.com/1144751)
If you have the KS retaliator installed as well ( http://thecarpcstore.com/phpbb2/viewtopic.php?t=459 ), deactivate it by clicking on the smiling grease-monkey icon. Only one automated form-filler should be active at once, or else they will conflict.
Be sure to read the documentation file before use.
Download, unzip, browse the unzipped directory, and launch the application. It will have a grey circular icon with a triangle within it.
Treat these like screen-savers, you can run any one of them overnight.
Environment - Windows and Mozilla Firefox browser
herbalist
January 2nd, 2007, 06:56 AM
Anyone want to work this site over a little before it's taken down? Bank phish. Already reported it to Bank of America and Pirt.
hxxp://www.bankofamerica.com.onlinebankingid59489489.sanshi.biz/session.cgi/
I've given them accounts for Elmer Fudd, Bugs Bunny, and a few other "customers".
Rick
gerardwil
January 2nd, 2007, 07:16 AM
-{ Quote: "Anyone want to work this site over a little before it's taken down? Bank phish. Already reported it to Bank of America and Pirt.
hxxp://www.bankofamerica.com.onlinebankingid59489489.sanshi.biz/session.cgi/
I've given them accounts for Elmer Fudd, Bugs Bunny, and a few other "customers".
Rick" }-
I don't understand this answer :-\
Gerard
spamislame
January 2nd, 2007, 11:08 AM
-{ Quote: "I don't understand this answer :-\
Gerard" }-
It's a phishing site. So that user sent them fake information. :)
I've written retaliation scripts for phishing sites which automate that process. The idea is: get lots of people to send as many fakes as possible so that the criminals behind the site have to weed through (literally) hundreds of thousands of fake entries before finding anything that's actually real. It's quite effective and I know for a fact that it pisses these spammers off. They make drastic but very rough modifications to their forms in an attempt to stop this from occurring.
This site is already down, btw.
SiL
gerardwil
January 2nd, 2007, 12:13 PM
-{ Quote: "It's a phishing site. So that user sent them fake information. :)
I've written retaliation scripts for phishing sites which automate that process. The idea is: get lots of people to send as many fakes as possible so that the criminals behind the site have to weed through (literally) hundreds of thousands of fake entries before finding anything that's actually real. It's quite effective and I know for a fact that it pisses these spammers off. They make drastic but very rough modifications to their forms in an attempt to stop this from occurring.
This site is already down, btw.
SiL" }-
Hi SiL,
I know what's up, I ordered a lot so far ;), I just didn't understand the post made by Herbalist regarding this.
Gerard
herbalist
January 2nd, 2007, 07:38 PM
That one came down quick. Just got the e-mail late last night.
Gerard,
I get these phish e-mails quite regularly. Sil put together a nice script earlier that made a Sears phish I received easier to attack. I realize that this isn't related to the pharmacy spam many of us get in abundance, but these phishers are as criminal as any spammer and deserve the same treatment. Besides, this phish came as spam e-mail too. Sure, we can report them to all the usual places and wait for them to get taken down, but these scum know that's going to happen. By the time they're taken down, they've already made money deceiving the unwary. But if it's targeted by enough people, it takes some of the profit out of it for them. I just post targets when I get them for anyone else who enjoys hitting them. Judging by this thread, several of us enjoy it.
Rick
EASTER.2010
January 2nd, 2007, 11:43 PM
-{ Quote: "I just post targets when I get them for anyone else who enjoys hitting them. Judging by this thread, several of us enjoy it.
Rick" }-
I'm always busy doing something screen-front so I definitely enjoy crowding out those ridiculous and annoying spammer-brains. Sort of like performing multi-tasking duties and checking every so often during the day/night how many fammy whammers went into their order forms.
Red Dwarf
January 8th, 2007, 10:47 PM
-{ Quote: "Newest versions of the hands-off fully automated retaliators for 2007
International Legal RX
AutoIRX (http://www.mytempdir.com/1156732) . . . . http://www.mytempdir.com/1156732
Environment - Windows and Mozilla Firefox browser" }-
Updated Jan 8th version has fixed a small bug that caused the automater to stop running occasionally. We can't have that :o
latot
February 1st, 2007, 08:38 AM
Hello to everyone and thanks for the info that I have gotten here. I was getting a lot of spam so I searched for a place for help. This is where I wound up. I downloaded the Spur M Enator and sent over 5000 orders. I hoped this choked them a little bit; I know it cut back on my mail. Now it is coming in where you have to click on an address and I don't think I am hurting these people. I will keep searching for ways to kick these guys in the pants, so thanks for all the help. I have a question about Firefox and Tor. I go to a site that you have to sign in to, but they always say (welcome back, your last visit was). How do they know that it is my computer signing in if the IP is changing when I use Firefox and Tor? Just curious, because if the spammers know my IP every time also, then they are probably banning my orders. Thanks again.
mantra
February 24th, 2007, 12:00 PM
tried to download it but no links work
but thanks
Red Dwarf
February 25th, 2007, 05:25 PM
Not sure which link you referred to.
Spam retaliation tools with latest links are at http://thecarpcstore.com/phpbb2
See http://thecarpcstore.com/phpbb2/viewtopic.php?t=141
and http://thecarpcstore.com/phpbb2/viewforum.php?f=4
The European Spam Wiki is putting together a great amount of background information on spammed sites, who runs them, and how to shut them down.
http://www.spamtrackers.eu
Information specific to Pharmacy scams is at
http://spamhater.zoomshare.com
Red Dwarf
March 1st, 2007, 07:08 PM
Complainterator Version 8
Version 8 of the automated complaint generator is now available
When you get a spamvertized site name, like c987fhj4rf8r.example.com/?oijoiufq
you can use the Complainterator to request the registrar who provides the name servers to remove them.
That takes down the spamvertized site, as well as any others registered under the same name servers.
Just fire up the Complainterator, key in the example.com and watch it do its thing. *puppy*
You can find it at this location (http://thecarpcstore.com/phpbb2/viewtopic.php?t=575)
and also at the download section of the European Spam Wiki (http://www.spamtrackers.eu/)
This tool and its method have been in use since August 2006 and have resulted in the removal of 250 name servers from 12 different registrars, shutting down over 3,000 spammed sites.
SickofSPAM
March 13th, 2007, 09:45 PM
To SPAMisLAME: Whilst looking for some way to stop receiving SPAM from Herbalking and My Canadian Pharmacy, I ran across this site. After reading your post, I registered so I could contact you. I would absolutely LOVE to retaliate against those disgusting "companies". I receive 20-30 SPAM a day from Herbalking -- always disguised with some person's name but always the same link to a geocities site then to Herbalking. I have tried unsubscribing (yeah, right), sending nasty messages about how I don't even need/want their product (I am a woman! lol), and filing complaints with the FTC. Nothing works. I am not all that savvy with the computer, but I CAN follow directions. Please help me to give some SPAM back to them or at least make them stop! Thanks! PS. What is TOR?
Red Dwarf
March 26th, 2007, 07:52 PM
Complainterator Version 10 is now available from the same links as above.
The latest version has more in-built checking and more Registrar contacts.
This tool has been responsible for making life a misery for many of the major spamming operations, getting their sites shut down in the midst of a spamming run.
There have been recent examples where one spam complaint for one spam has resulted in the removal of over 200 spammed sites.
It runs under Windows, with Mozilla / Firefox / Internet Explorer / SeaMonkey as supported browsers.
SqueekyGeek
March 26th, 2007, 09:20 PM
Thanks, Herbalist, for giving that Bank of America site a good runaround! :thumb: I was going to post about that one tonight -- very authentic looking -- they need to be wiped out!
Love this site and all the info/help y'all contribute
Squeeky down South
Bethrezen
March 26th, 2007, 09:59 PM
Hi all,
Is there any automated tool to retaliate against forum spammers? See, I volunteer over at the spyblocker forum as a mod and lately we have been getting spammed, and it's becoming rather tedious continually cleaning up after these idiots every time I log in. That's not what I signed on for.
I'm simply there trying to do my bit to help where I can, but lately all I've been doing is removing spam, and as the owner of the site, Paul Kurtland, seems to be unable to do anything to stop these idiots, I figured turnabout is fair play and I'd like to ram their garbage virus porn link back down their throat.
So is there anything I can do, or am I just going to have to suffer till Paul eventually does something about this?
Wildman oh yea
April 5th, 2007, 04:38 PM
Hit them where it hurts: they have to pay search engines for inquiries. For every spam email, search them through Google or Yahoo and connect through these engines.
Red Dwarf
April 12th, 2007, 09:39 PM
Version 11 of the Complainterator tool is now available - April 11, 2007
See the EU Spam Wiki Downloads page at
http://www.spamtrackers.eu/wiki/index.php?title=Complainterator
See the support forums at
http://thecarpcstore.com/phpbb2/viewforum.php?f=4
New in version 11 -
A new complaint message is prepared for the registrar of the spammed domain name. Previous versions prepared complaints to the registrars of the name servers only.
Now the Complainterator fully complements the Spamcop tool.
With Spamcop, one spam can generate complaint messages to
* the ISP where it originated, and
* the ISP where the spammed site is hosted.
In addition, with Complainterator,
* the registrar where the spammed site domain name is hosted, and
* the registrars who supply the registration of the name servers that sponsor the access to the spammed site.
Now that is going the full nine yards.
mhex99
April 15th, 2007, 02:14 PM
What if a company purposefully begins to spam a competitor's site in order to have that site be retaliated against by this utility? Is there potential for abuse in such a way at all? Because that would be rather bad... just a thought.
Red Dwarf
April 27th, 2007, 03:28 AM
Complainterator simply automates a process that anyone can do manually. It looks up the registrar of a spammed site chosen by the victim of a spam. It also looks up the registrar of its name servers. It prepares messages to the registrars asking them to take action. Then it lets the user decide whether to send the messages it has prepared.
That is very similar to how Spamcop works. The only difference is that Complainterator addresses complaints to the registrar, instead of the Internet Service Provider (ISP) who owns the IP address where the web site runs. In both cases, the decision to send is in the hands of the user.
If a web site is the victim of a "joe-job" style of attack, there will always be situations where complaints go in to the various providers, whether submitted manually or via a semi-automated tool. In the end, the decision to send the complaint is made by the user.
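A simplified, offline sketch of the Complainterator workflow described in this post and in the March 1st post above: take a spamvertised link, find the registrable domain of the site and of its name servers, map each to its registrar's abuse contact, and draft (not send) a complaint so the user keeps the decision. This is an added example, not the tool's own code; the WHOIS and NS data are constructed stubs, the contacts are placeholders, and the registrable-domain rule is a hypothetical two-label simplification.

```python
from urllib.parse import urlsplit

# Constructed stand-in for WHOIS: registrable domain -> (registrar, abuse contact).
# Every value here is invented for the example.
WHOIS_STUB = {
    "example.com": ("Registrar A (constructed)", "abuse@registrar-a.example"),
    "ns-host.example": ("Registrar B (constructed)", "abuse@registrar-b.example"),
}
# Constructed stand-in for a DNS NS query: domain -> its name servers.
NS_STUB = {
    "example.com": ["ns1.ns-host.example", "ns2.ns-host.example"],
}

def host_from_spamvertised(url):
    """Extract the host from a spamvertised link, with or without a scheme."""
    if "://" not in url:
        url = "http://" + url
    return urlsplit(url).hostname

def registrable_domain(host):
    """Hypothetical simplification: keep the last two labels. A real tool
    needs a public-suffix list to handle multi-label suffixes like co.uk."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])

def complaint_targets(url, whois=WHOIS_STUB, ns=NS_STUB):
    """Return {abuse_contact: reason} covering both complaint paths the thread
    describes: the spammed domain's registrar and the registrar(s) of the
    domains that host its name servers."""
    domain = registrable_domain(host_from_spamvertised(url))
    targets = {}
    registrar, contact = whois[domain]
    targets[contact] = f"registrar {registrar} of spammed domain {domain}"
    for server in ns.get(domain, []):
        ns_domain = registrable_domain(server)
        if ns_domain in whois:  # unknown name-server domains are skipped
            reg, c = whois[ns_domain]
            targets.setdefault(
                c, f"registrar {reg} of name-server domain {ns_domain} (serves {domain})")
    return targets

def draft_complaint(contact, reason, url):
    """Prepare the message text only; sending is left to the user."""
    return (f"To: {contact}\n"
            f"Subject: Abuse report: domain advertised in unsolicited bulk email\n\n"
            f"The site {url} was advertised in spam. You are the {reason}. "
            f"Please review it under your abuse policy.\n")
```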
vBulletin® Copyright ©2000-2012, Jelsoft Enterprises Ltd.
Copyright ©2002 - 2012, Wilders Security Forums