ED Choice

From Spamwiki


Description

Forget the drugs, laughter is the best medicine, and ED Choice provides it.

This is a very frequent spammer, believed to be Vincent Chan.

(Image: edchoi.gif)

Samples of the spam

Sample 1

The subject line is something like: Re: VIAmubGRA

Good day,

Viav_gra $1, 80
Ciav_lis $3, 00
Leviv_tra $3, 35

http://www.progenyid!.com ( Important Remove "!" )


--
I am a faithful servant,  said Wormtail, the merest trace of sullenness
in his voice.
Wormtail, I need somebody with brains, somebody whose loyalty has never

Sample 2

SubJect: Want to be perfect lover

Feel embarrassment when joining her in bedroom?
Forget the feeling, become her best partner ever!
We know what's needed for your case.
Natural hardness and boosted drive.

Feel your life with colors of joy!!!

Sample 3

(Image: EDChoiceSpam.jpg)

History

ED Choice even scammed Google in June 2006 (http://www.theregister.com/2006/06/07/pharmacy_posing_as_google/): they billed themselves as GOOGLE'S ACCREDITED PHARMACY!

More hilarious still, a quote from the FAQ:

Q: How safe is ordering from your site?
A: We have outsourced Credit Card processing to the world wide known processor MyPaySystems. When you are in the final check out mode you will be transferred to the site of the online processor that ensures the Fort Knott security of your all transactions.

FORT KNOTT? According to their FAQ, security is provided by Knott's Berry Farm, an amusement park in Los Angeles!

Despite the assurances, the transaction page for entering your credit card details is NOT secure: it is served over plain, unencrypted HTTP rather than HTTPS.

  • RipOffReport has this report against ED Choice, and their lack of service or reliable products.
  • Google has a lawsuit pending against the spammers of these sites because of the false claim that Google supports them.

Note: A new fake pharmacy, ROBODoctor, contains exactly the same erratic FAQ:

Q: How safe is ordering from your site?
A: We have outsourced Credit Card processing to the world wide known processor
MyPaySystems. When you are in the final check out mode you will be transferred
to the site of the online processor that ensures the Fort Knott security of
your all transactions.

Clearly, this illiterate spammer has not learned any lessons.

How to Report this Spam

See the Complainterator. Using the above spam as an example:

You can complain to the registrar who provides the domain name. You perform a "whois" lookup on the spamvertized domain name, in this case progenyid.com. There are various web sites and tools for doing a whois lookup; here we use dnsstuff.com:

http://www.dnsstuff.com/tools/whois.ch?ip=progenyid.com&email=on

You get a screen headed with:

Registrar:     DSTR ACQUISITION VII, LLC
Status:        clientTransferProhibited
Dates:         Created 10-jan-2007   Updated 10-jan-2007  Expires 10-jan-2008
DNS Servers:   IN.INDUSFK.COM  FK.INDUSFK.COM  

So you know that DSTR provides the domain name under contract to this spamvertizer. Where do you send a complaint? Check the ICANN listing at http://www.icann.org/registrars/accreditation-qualified-list.html

Search for DSTR and you find:

Contact: Chris Campbell
Tel: +1 360-253-2210
Email: support [at] registerapi.com

Now you can phone or email the registrar asking for the site to be removed.


Because of the JavaScript obfuscation it is unclear which domain is the target of the redirection, but here's how to unravel it:

1. Telnet to the spamvertised site on port 80. You should get a message saying 'Connected to (spamvertised domain)' and 'Escape character is '^]'.'

2. Now type in 'GET / HTTP/1.0' and press Return twice.

You will see something like this.

3. Copy everything within the quotation marks into a text editor or word processor. Now find and replace all occurrences of '\x' with a space. This gives you hexadecimal values separated by spaces.

4. Finally, you need to convert the hex into ASCII. There are downloadable converters for this, and an online one at

http://www.vortex.prodigynet.co.uk/misc/ascii_conv.html


Voila! You will see another domain within the resulting text; this domain is the actual target, where the website is located.

This domain should be reported as well!
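The decoding in steps 3 and 4 can be scripted. The following is an added example, not part of the original page: it takes the raw response body returned by the GET in step 2, decodes every double-quoted JavaScript string built from '\x' hex escapes, and lists the domains the decoded text names. The response body and the destination domain below are constructed placeholders, not values taken from the spam.

```python
import re

# Constructed sample of a response body as returned by the telnet GET in
# step 2. The JavaScript string is the obfuscated redirect; its hex escapes
# spell out an HTML fragment naming the real destination. The destination
# domain is a placeholder, not one from the page.
_DECODED_FRAGMENT = (
    b'<meta http-equiv="refresh" '
    b'content="0;url=http://target-example.invalid/">'
)
SAMPLE_BODY = (
    "HTTP/1.0 200 OK\r\nContent-Type: text/html\r\n\r\n"
    '<html><body><script>document.write("'
    + "".join("\\x%02x" % b for b in _DECODED_FRAGMENT)
    + '")</script></body></html>'
)

# A double-quoted JS string that contains at least one \xHH escape.
QUOTED_WITH_HEX = re.compile(r'"([^"\n]*\\x[0-9a-fA-F]{2}[^"\n]*)"')
# A URL's host part; spam redirects point at an http(s) URL.
DOMAIN = re.compile(r'https?://([a-z0-9.-]+\.[a-z]{2,})', re.IGNORECASE)


def decode_hex_string(escaped):
    """Steps 3 and 4 of the procedure: turn each \\xHH escape into its character.

    Literal characters that sit between escapes are kept unchanged.
    """
    return re.sub(r'\\x([0-9a-fA-F]{2})',
                  lambda m: chr(int(m.group(1), 16)), escaped)


def find_redirect_domains(body):
    """Decode every hex-escaped JS string in the body and collect the domains named."""
    domains = []
    for match in QUOTED_WITH_HEX.finditer(body):
        decoded = decode_hex_string(match.group(1))
        for host in DOMAIN.findall(decoded):
            host = host.lower()
            if host not in domains:       # keep first-seen order, no duplicates
                domains.append(host)
    return domains


if __name__ == "__main__":
    for host in find_redirect_domains(SAMPLE_BODY):
        print("redirect target:", host)   # prints the placeholder target domain
```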


You can also report the name servers, in this case in.indusfk.com and fk.indusfk.com. Look up just the domain name portion, indusfk.com, determine the registrar, and email a request that the name servers be locked out and the address records be set to 0.0.0.0.


Sample Removal request message

This is a request for you to remove the domain indusfk.com
and to remove its name server address records fk.indusfk.com and in.indusfk.com.

From this link, you can see that it is used as a spammed site's name server (for progenyid.com):
> http://www.dnsstuff.com/tools/traversal.ch?domain=progenyid.com&type=a

From this link, you can see that your company is the name server's registrar:
> http://www.dnsstuff.com/tools/whois.ch?ip=indusfk.com&email=on

To effectively remove the name server, please set the status of domain indusfk.com to
    clientTransferProhibited
    clientUpdateProhibited
    clientDeleteProhibited
    clientHold

Then, set the name server Address record for fk.indusfk.com and in.indusfk.com
to a nonroutable address such as 0.0.0.0 or 64.94.117.200

You can test that this has been successful by using the above traversal link.

Thank you for your efforts to reduce spam and to keep criminals from abusing your terms of service.
================= SPAM SAMPLE =====================
Good day,

Via_grra  $1, 80
Cia_aliss  $3, 00
Levi_trra $3, 35

http://www.progenyid.*com ( Important ! Remove "*" )

--

Domain Name Servers

ns1.monmouthce.com ns2.monmouthce.com

Registrar: DSTR ACQUISITION VII, LLC

There is sometimes a discernible pattern in the structure of the name servers:

in.indusfk.com bo.bowelednj.com my.myariafm.com di.dimerismkg.com
fk.indusfk.com nj.bowelednj.com fm.myariafm.com kg.dimerismkg.com

The name server prefixes are taken from the first two letters of the domain name and from the last two letters of the domain name.

This indicates the work of the same person.
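That naming pattern can be checked mechanically when triaging a new batch of name servers. The following is an added example, not part of the original page: it classifies each name server host by whether its prefix is the first two or the last two letters of the domain label, and reports whether a set of name servers follows the pairing seen above (both variants present for every domain).

```python
# Constructed input: the eight name servers listed on the page, plus the
# monmouthce.com pair, which uses conventional ns1/ns2 prefixes instead.
PATTERNED_NS = [
    "in.indusfk.com", "bo.bowelednj.com", "my.myariafm.com", "di.dimerismkg.com",
    "fk.indusfk.com", "nj.bowelednj.com", "fm.myariafm.com", "kg.dimerismkg.com",
]
CONVENTIONAL_NS = ["ns1.monmouthce.com", "ns2.monmouthce.com"]


def ns_prefix_kind(hostname):
    """Return 'first', 'last', or None for a prefix.domain.tld name server host.

    'first' means the prefix equals the first two letters of the domain label,
    'last' means it equals the last two letters. Hosts with more or fewer than
    three labels do not fit the pattern and yield None.
    """
    labels = hostname.lower().strip(".").split(".")
    if len(labels) != 3:
        return None
    prefix, name, _tld = labels
    if len(name) < 2:
        return None
    if prefix == name[:2]:
        return "first"
    if prefix == name[-2:]:
        return "last"
    return None


def follows_pair_pattern(nameservers):
    """True when every host fits the pattern and each domain has both variants."""
    kinds_by_domain = {}
    for host in nameservers:
        kind = ns_prefix_kind(host)
        if kind is None:
            return False
        domain = ".".join(host.lower().strip(".").split(".")[1:])
        kinds_by_domain.setdefault(domain, set()).add(kind)
    return bool(kinds_by_domain) and all(
        kinds == {"first", "last"} for kinds in kinds_by_domain.values()
    )


if __name__ == "__main__":
    print("page's name servers fit the pattern:", follows_pair_pattern(PATTERNED_NS))
    print("monmouthce.com pair fits the pattern:", follows_pair_pattern(CONVENTIONAL_NS))
```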

Related Spammed sites

  • printeryml.com
  • gougegc.com
  • progenyid.com
  • rabietichb.com
  • unitiveni.com
  • proemiumhh.com
  • enhanceng.com
  • kamareske.com

Related spam types

These are all attributable to the same spammer operation: Vincent Chan, an affiliate of Leo Kuvayev.

See: Category:Kuvayev family
