Soft Eden

From Spamwiki

Description

Soft Eden, July, 2007

Soft Eden is an illegal software piracy operation, running on a fast-flux botnet of illegally hijacked hosts. This botnet is primarily located in Hong Kong as shown in the geographical fingerprint chart (geo-print).

Leo Kuvayev is believed to be the ringleader of one of the world's biggest spam gangs. He and six business partners were fined $37 million as a result of a lawsuit brought by the Massachusetts attorney general. They were responsible for millions of unsolicited e-mails per day.

Kuvayev is also behind countless phishing and mule recruiting sites hosted on botnets.

Kuvayev is also believed to be operating under the alias "Alex Rodrigez". Under this alias, he has registered hundreds of domains through various registrars to illegally sell software, prescription drugs, and more.

Report software piracy to:

  • Adobe: piracy at adobe.com
  • Microsoft: piracy at microsoft.com
  • Corel: nopiracy at corel.com
  • Borland: reportpiracy at borland.com
  • Business Software Alliance: http://bsa.org


SOFT EDEN sample domains

  • hultrot.com (18 July 2007)
  • tyledav.com (1 Aug 2007)
  • wynomare.com (18 July 2007)

Samples of the spam

Sample 1

Downloadable Software (DS) is a fast-growing company with a high quality software. You've come to the
right place if you need professionally implemented programming solutions for your usage. Thousands of
contented customers have already benefited from our products and solutions. Hundreds are joining this
community every day. Ginsburg, the report's lead author and 
We deliver superior software products and services that empower our partners and customers to
dramatically improve their development, deployment, integration and management of quality applications
all over the world.and 3-year-old 

VIEW ALL PRODUCTS with get-smart 

Most popular products : videos or older children 

Microsoft Office 2007 Enterprise of Wilmette, Ill. 
Retail Price $899.00 drive to 
Our $79.95 the report says.

Microsoft Windows Vista Business in the shuffle, 
Retail Price $299.00 she says, she 
Our $79.95 children are plopped in 
. . .

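The italicized words (the out-of-context fragments such as "Ginsburg, the report's lead author and" and "the report says.") are printed white-on-white, so they are invisible to the human reader but not to spam filters. They are designed to get past Bayesian keyword spam filtering.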

Note the reference to Downloadable Software in the first line.
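A filter can detect the white-on-white trick described above by comparing each text run's colour with the page background. The following is an added example, not code from Spamwiki or any filter product; the sample HTML is constructed from the visible text of Sample 1, and the names `find_hidden_text`, `HiddenTextFinder` and the tolerance value are assumptions of this sketch.

```python
import re
from html.parser import HTMLParser
# Constructed sample modelled on Sample 1: filler text coloured to match the background.
SAMPLE_HTML = """<html><body bgcolor="#FFFFFF">
<p>Microsoft Office 2007 Enterprise <font color="#ffffff">of Wilmette, Ill.</font></p>
<p>Retail Price $899.00 <span style="color: white">drive to</span></p>
<p>Our $79.95 <font color="#FFFFFE">the report says.</font></p>
</body></html>"""
NAMED = {"white": (255, 255, 255), "black": (0, 0, 0)}  # minimal name table (assumption)

def parse_colour(value):
    """Return (r, g, b) for #rgb, #rrggbb or a known colour name, else None."""
    v = (value or "").strip().lower()
    m = re.fullmatch(r"#([0-9a-f]{3}|[0-9a-f]{6})", v)
    if not m:
        return NAMED.get(v)
    h = m.group(1) if len(m.group(1)) == 6 else "".join(c * 2 for c in m.group(1))
    return tuple(int(h[i:i + 2], 16) for i in (0, 2, 4))

class HiddenTextFinder(HTMLParser):
    def __init__(self, tolerance=8):
        super().__init__()
        self.tolerance = tolerance         # max per-channel difference still "invisible"
        self.background = (255, 255, 255)  # white unless <body bgcolor> says otherwise
        self.stack, self.hidden = [], []   # open (tag, text colour) pairs; hidden runs found

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "body":
            self.background = parse_colour(a.get("bgcolor")) or self.background
        # Match the CSS "color" property but not "background-color".
        style = re.search(r"(?<![-\w])color\s*:\s*([^;]+)", a.get("style") or "")
        self.stack.append((tag, parse_colour(style.group(1) if style else a.get("color"))))

    def handle_endtag(self, tag):
        for i in range(len(self.stack) - 1, -1, -1):  # close the nearest matching element
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break

    def handle_data(self, data):
        # The innermost open element that sets a colour decides the text colour.
        fg = next((c for _, c in reversed(self.stack) if c is not None), None)
        near = fg and all(abs(x - y) <= self.tolerance for x, y in zip(fg, self.background))
        if near and data.strip():
            self.hidden.append(data.strip())

def find_hidden_text(html):
    finder = HiddenTextFinder()
    finder.feed(html)
    return finder.hidden
```

Text recovered this way can be excluded from tokenisation, or its presence can itself be scored as a spam feature, so the filler no longer dilutes the Bayesian score.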


Sample 2

Q: What is OEM? Why your prices so low?
A: OEM (Original Equipment Manufacturer) means you will receive the installation distributives only
with Required Activation information without expensive retail BOX packing and without manual.
We do guarantee that all programs are the 100% full working retail versions - no demos or academic versions!

Microsoft Office 2007 Enterprise
retail price: $899.00
sale price: $79.95

Microsoft Windows Vista Business
retail price: $299.00
sale price: $79.95

Adobe Acrobat 8.0 Professional
retail price: $449.00
sale price: $79.95

Adobe Photoshop CS3 Extended
retail price: $999.00
sale price: $89.95 
. . .

History

First noticed in July 2007.

Microsoft's response to reports:

Several suspicious software operations around the globe are marketing their suspicious goods through spam email advertisements. Spam email is unsolicited commercial email otherwise known as junk mail. In an attempt to mask their location, these counterfeit organizations change their name and email sources daily. The basic contents of the email remain the same: "Microsoft Software Offered at Cheap Prices."

The advertisers use terms like "Original Equipment Manufacturer" ("OEM") software, as an attempt to explain why the offered software is so inexpensive. Spammers also include random dictionary words and paragraphs of text throughout their email to avoid anti-spam filtering technology.

Microsoft is working to educate partners and consumers about the risks of getting software from suspicious sources. We are investigating the sources of these operations and are doing everything in our power to stop this kind of activity.

Purchasing from known and trusted sources and avoiding "too-good-to-be-true deals" are the best ways to avoid suspicious software offers.

Here are some suspect signs to look for:

  • Beware of spam emails offering software prices that are too good to be true.
  • Beware of offers requesting the wiring of money to foreign banking institutions.
  • Beware of software shipping into the United States from overseas.

Domain names

Registration Service Provided By: CRISP NAMES, INC.

Domain Name: WYNOMARE.COM
 
Registrant:
   N/A
   Jeanne Sturtevant        (pamphlet@minister.com)
   820 Queens Park DR
   Owings Mills
   Maryland,21117
   US
   Tel. +4.4436909050
 
Creation Date: 18-Jul-2007
Expiration Date: 18-Jul-2008
 
Domain servers in listed order:
   ns0.chitionkdetunlionpsa.com
   ns0.piotiongandesunkdes.com
   ns0.gedsactunjerion.com
   ns0.fionkunjerunhedase.com


Observations about the website

False: Certificates

None of the certification logos are actual links; they are just images.

False: Payment security

The purchase page asks for your credit card details at http://wynomare.com/purchase.php, but this unencrypted HTTP page states:

*** This site supports 128-bit secure connection encryption for greater security.
*** Any information passed through 128-bit SSL connection is safe and protected.
*** All fraudulent transactions will be investigated and prosecuted in accordance 
    with applicable law.


E-mail contact information

The "Contact Us" e-mail address is support@oemcd.net.

How to Report this Spam

The Complainterator is configured to report OEM software piracy to the registrars.

Vendor addresses

piracy@apple.com, piracy@autodesk.com, reportpiracy@borland.com, nopiracy@corel.com, tip@macromedia.com, piracy@microsoft.com, piracy@symantec.com

Related Spammed sites


Related spam types

Soft Eden has been observed running on a fast-flux network. A sample snapshot of host addresses at one time


A similar snapshot of a Penis Enlarge Patch web site at the same time


This same fast-flux network is shared by the Anatrim Family, Canadian Pharmacy and Pharmsite
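Comparing the A-record sets that different spamvertised domains resolve to at the same moment is how shared fast-flux infrastructure like this is identified. The following is an added example, not part of the original page: it clusters domains by Jaccard overlap of their resolved addresses. The domain names are placeholders, the addresses are constructed from RFC 5737 documentation ranges, and the `min_records` and `threshold` values are assumptions.

```python
from itertools import combinations

# Constructed snapshots: domain -> A records resolved at one moment.
SNAPSHOTS = {
    "software-shop.example": {"192.0.2.10", "192.0.2.77", "198.51.100.4",
                              "198.51.100.91", "203.0.113.8", "203.0.113.200"},
    "pill-shop.example":     {"192.0.2.10", "192.0.2.77", "198.51.100.4",
                              "203.0.113.8", "203.0.113.200", "203.0.113.54"},
    "ordinary-site.example": {"198.51.100.150"},
}

def jaccard(a, b):
    """Size of the intersection divided by size of the union (0.0 for two empty sets)."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0

def flux_clusters(snapshots, min_records=5, threshold=0.5):
    """Group domains whose A-record sets overlap heavily.

    min_records: skip domains with few A records (typical of ordinary hosting).
    threshold:   minimum Jaccard similarity needed to link two domains.
    """
    candidates = {d: ips for d, ips in snapshots.items() if len(ips) >= min_records}
    parent = {d: d for d in candidates}  # union-find forest over candidate domains

    def find(d):
        while parent[d] != d:
            parent[d] = parent[parent[d]]  # path halving
            d = parent[d]
        return d

    for a, b in combinations(sorted(candidates), 2):
        if jaccard(candidates[a], candidates[b]) >= threshold:
            parent[find(a)] = find(b)

    groups = {}
    for d in candidates:
        groups.setdefault(find(d), set()).add(d)
    # Only clusters of two or more domains indicate shared infrastructure.
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)
```

Because fast-flux records rotate within minutes, snapshots should be taken at the same time for all domains being compared, as the page's observations were.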
