Spamit

From Spamwiki


Description

Spamit is the alternate name for the Glavmed sponsorship, responsible for large volumes of illegal spam promoting Canadian Pharmacy and US Pharmacy websites.

Like SanCash and GenBucks, it follows the pattern of a public-facing, wide-open entity (i.e. GenBucks / Glavmed) that makes no mention of email spamming or hijacking of servers, coupled with a very secretive, underground affiliate program (i.e. SanCash / Spamit) that is invitation-only, password-protected, and never mentioned anywhere in public, via any means.

Spamit is known by law enforcement and several other entities to be closely related to the Russian Business Network, or "RBN", who are behind the Storm botnet and a variety of other bogus ecard-related exploits.

Spamit and Glavmed

Spamit is the actual sponsorship and affiliate program that is more directly tied to the email spam promotion of products such as Canadian Pharmacy and Downloadable Software, and that is responsible for propagating emails that attempt to infect users with the Storm Worm. Glavmed is the more public-facing entity, which never mentions email spam at all and focuses instead on website, SEO and banner advertising. We have noticed this pattern with Glavmed / Spamit (public / private programs) as well as GenBucks / SanCash (a competing public / private sponsorship, responsible for an array of different products).

The spam we have all been seeing for the above-mentioned products is sent on behalf of Spamit rather than Glavmed, which tends to focus on discussions related to website, SEO or banner advertising. Spamit and Glavmed are related companies; Spamit attempts to remain far more underground and harder to investigate.

Spamit announces closure, Oct 1 2010

In late September 2010 the front page of https://spamit.biz/ and https://spamit.com/ contained a bilingual announcement:

Уважаемые партнеры и коллеги,

В связи с длинной чередой негативных событий последнего года и обострившимся вниманием к деятельности нашей партнерской программы, мы приняли решение свернуть свою деятельность и прекратить прием трафика с 1 октября 2010 года.

Мы считаем, что в создавшейся ситуации такое решение является наиболее правильным, т.к. оно позволяет полностью избежать рисков внезапной, незапланированной остановки, которая обязательно повлекла бы за собой коллапс всей деятельности нашей программы и, скорее всего, привела бы к невыплате заработанных вами средств. В нашем же случае, все заработанные средства будут выплачены в обычном режиме. Кидков не будет.

Пожалуйста, используйте оставшееся время для своевременного перевода трафика на другие партнерские программы.

Спасибо что работали с нами, мы очень ценим ваше доверие!


Dear partners and colleagues!

Because of the numerous negative events happened last year and the risen attention to our affiliate program we’ve decided to stop accepting the traffic from 1.10.2010. We find the decision the most appropriate in this situation. It provides avoiding the sudden work stop which leads to the program collapse and not paying your profit.

In our case the whole profit will be paid normally. All possible frauds are excluded. Please transfer your traffic to other affiliate programs till 1.10.2010.

Thank you for your cooperation! We appreciate your trust very much!


Wholesale Infection of Public PCs

There is significant evidence that Spamit's websites are always hosted on Windows PCs that have been infected by the Storm, Waledac or Conficker worm. They are usually hosted on "fast flux" platforms, always supported by multiple such infected PCs.
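Fast-flux hosting of this kind shows up in DNS as a short TTL combined with a pool of addresses that keeps changing and is scattered across unrelated networks. The following is an added example, not part of the original page: it parses dig-style answer lines from repeated lookups and reports those indicators. The hostnames, addresses and thresholds are constructed assumptions.

```python
import ipaddress

# Assumed thresholds for this sketch; tune against your own resolver data.
MAX_TTL = 300        # seconds
MIN_ADDRESSES = 5    # distinct A records across all polls
MIN_NETWORKS = 3     # distinct /16 networks those addresses fall in

# Constructed input: dig-style answer lines from three polls of a hypothetical
# name, using documentation address ranges.
FLUXY = [
    ["pharma.example. 60 IN A 192.0.2.10", "pharma.example. 60 IN A 198.51.100.7"],
    ["pharma.example. 60 IN A 203.0.113.99", "pharma.example. 60 IN A 192.0.2.200"],
    ["pharma.example. 60 IN A 198.51.100.41", "pharma.example. 60 IN A 203.0.113.5"],
]
# Constructed input: low TTL but the same single address on every poll.
STATIC_LOW_TTL = [["static.example. 60 IN A 192.0.2.53"]] * 3


def parse_a_record(line):
    """Return (ttl, address) for an 'IN A' answer line, else None."""
    parts = line.split()
    if len(parts) != 5 or [p.upper() for p in parts[2:4]] != ["IN", "A"]:
        return None
    try:
        return int(parts[1]), ipaddress.IPv4Address(parts[4])
    except ValueError:  # non-numeric TTL or malformed address
        return None


def flux_indicators(polls):
    """Summarise address churn across repeated lookups of one name."""
    ttls, addresses = [], set()
    for answers in polls:
        for record in filter(None, map(parse_a_record, answers)):
            ttls.append(record[0])
            addresses.add(record[1])
    networks = {ipaddress.ip_network(f"{a}/16", strict=False) for a in addresses}
    summary = {
        "min_ttl": min(ttls) if ttls else None,
        "addresses": len(addresses),
        "networks": len(networks),
    }
    summary["suspect"] = bool(
        ttls
        and summary["min_ttl"] <= MAX_TTL
        and summary["addresses"] >= MIN_ADDRESSES
        and summary["networks"] >= MIN_NETWORKS
    )
    return summary
```

A short TTL on its own is not enough to flag a name: the static sample has a 60-second TTL but resolves to one address on every poll, so it is not marked suspect.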

Hacking of Public Websites

There have been several instances of spam campaigns promoting a legitimate domain that has been hacked in order to place a single HTML file that redirects users to the actual target URL. In many cases these hacked sites feature a file named either "1.html" or some series of random characters followed by the ".html" suffix.
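For a site owner, the planted file is easier to recognise by what it does than by its name. The following is an added example, not part of the original page: it scans the HTML files of a web root for a meta-refresh or script redirect that points off-site. The file names, contents and host names are constructed, and the two redirect forms matched are an assumption about how such a stub is written.

```python
import re
from urllib.parse import urlsplit

# Meta refresh with http-equiv before content (the common attribute order).
META_REFRESH = re.compile(
    r"""<meta[^>]+http-equiv\s*=\s*["']?refresh["']?[^>]*"""
    r"""content\s*=\s*["'][^"']*?url\s*=\s*([^"'>\s]+)""",
    re.I,
)
# Script assignment to location / location.href with a literal URL.
JS_LOCATION = re.compile(r"""\blocation(?:\.href)?\s*=\s*["']([^"']+)["']""", re.I)

# Constructed sample: file name -> contents, as read from a web root.
SAMPLE_FILES = {
    "1.html": '<html><head><meta http-equiv="refresh" '
              'content="0; url=http://pills.example/"></head></html>',
    "xkqzvb.html": '<script>window.location="http://pills.example/?a=1";</script>',
    "index.html": '<html><body><a href="http://partner.example/">Partner</a></body></html>',
    "old.html": '<meta http-equiv="refresh" content="0; url=/new.html">',
}


def redirect_target(html):
    """Return the URL a page redirects to automatically, or None."""
    for pattern in (META_REFRESH, JS_LOCATION):
        match = pattern.search(html)
        if match:
            return match.group(1)
    return None


def is_offsite(target, site_host):
    """True when target names a host other than site_host or its subdomains."""
    host = (urlsplit(target).hostname or "").lower()
    site_host = site_host.lower()
    return bool(host) and host != site_host and not host.endswith("." + site_host)


def find_planted_redirectors(site_host, files):
    """List (file name, target) for HTML files that bounce visitors off-site."""
    hits = []
    for name in sorted(files):
        if not name.lower().endswith(".html"):
            continue
        target = redirect_target(files[name])
        if target and is_offsite(target, site_host):
            hits.append((name, target))
    return hits
```

Relative redirects such as the one in `old.html` and ordinary outbound links such as the one in `index.html` are not reported; only automatic redirects to another host are.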

Potential Facebook Hacking

There is some recent evidence (April 2009) that several legitimate Facebook accounts have been hacked into, likely using some form of social engineering, and then used to send spam to all of their Facebook friends. It is unclear what method is used to execute this particular form of spam but the timing matches up with the recent appearance of numerous Facebook phishing websites. source

Sponsoring registrars

The registrars who persist in providing the domain name service to the world's largest illegal spamming operation are:

spamit.com Network Solutions

Domain Name: SPAMIT.COM
Registrar: NETWORK SOLUTIONS, LLC.
Name Server: NS1.SPAMIT.COM
Name Server: NS2.SPAMIT.COM
Status: clientTransferProhibited
Updated Date: 30-mar-2009
Creation Date: 22-jun-2004
Expiration Date: 22-jun-2015

Registrant:
Smernov, Andrej
  ATTN: SPAMIT.COM
  c/o Network Solutions
  P.O. Box 459
  Drums, PA.  18222
  570-708-8780

Record expires on 22-Jun-2015.
Record created on 11-Feb-2009.
Database last updated on 28-Nov-2009 21:25:58 EST.

spamit.biz Enom Inc

Domain Name:                                 SPAMIT.BIZ
Domain ID:                                   D16302005-BIZ
Sponsoring Registrar:                        ENOM, INC.
Sponsoring Registrar IANA ID:                48
Domain Status:                               ok
Registrant ID:                               IMG-832490
Registrant Name:                             Sergey Petrenko
Registrant Organization:                     MEDIA CAPITAL LTD
Registrant Address1:                         Suite B, 29 Harley street
Registrant City:                             London
Registrant State/Province:                   NA
Registrant Postal Code:                      W1G 9QR
Registrant Country:                          UNITED KINGDOM
Registrant Country Code:                     GB
Registrant Phone Number:                     +44.225330843
Registrant Email:                            mediacapitalltd@gmail.com
 
Name Server:                                 NS1.SPAMIT.BIZ
Name Server:                                 NS2.SPAMIT.BIZ
Created by Registrar:                        TIERRA NET INC. DBA DOMAIN DISCOVER
Last Updated by Registrar:                   ENOM, INC.
Last Transferred Date:                       Sun Feb 15 16:03:04 GMT 2009
Domain Registration Date:                    Mon Feb 05 07:08:15 GMT 2007
Domain Expiration Date:                      Fri Feb 04 23:59:59 GMT 2011
Domain Last Updated Date:                    Sun Feb 15 18:15:47 GMT 2009 

where the ICANN listed contact for Tierra Net Inc is given as

Pablo Velasco Tel: +1.858.560.8120
Email: pablo@tierra.net

Sponsoring ISPs

The spamit.com domain uses two name servers:

spamit.com.    60  IN      A       78.24.219.53
spamit.com.    60  IN      NS      ns2.spamit.com.
spamit.com.    60  IN      NS      ns1.spamit.com.

where

spamit.com     has address 78.24.219.53
ns1.spamit.com has address 78.24.219.53
ns2.spamit.com has address 82.146.49.44

These addresses are the responsibility of

Peter A Svistunov
ISPsystem, Raduzhny 34a
Irkutsk, 664017, Russian Federation
+7 3952 525789

Alexandr Brukhanov
PoBox30, 664017, Irkutsk, Russia
+7 495 727 38 79

