Spamit is the alternate name for the Glavmed sponsorship, responsible for lots of illegal spamming of Canadian Pharmacy and US Pharmacy websites.

Following the same example as SanCash and GenBucks, this follows the pattern of having a public-facing, wide-open entity (ie: GenBucks / Glavmed) which makes no mention of email spamming, or hijacking of servers, coupled with a very secretive, underground Affiliate program (ie: SanCash / Spamit) which is invitation only, password protected, and never mentioned anywhere in public, via any means.

Spamit is known by law enforcement and several other entities to be closely related to the Russian Business Network, or “RBN”, who are behind the Storm botnet and a variety of other bogus ecard-related exploits.

Spamit and Glavmed

Spamit is the actual sponsorship and affiliate program which is more directly tied to the email spam promotion of products such as Canadian Pharmacy and Downloadable Software, and which is responsible for the propagation of emails attempting to infect users with the Storm Worm. Glavmed is the more public-facing entity which never mentions anything related to email spam whatsoever, focusing instead on website, SEO and banner advertising. This is a pattern we have noticed between Glavmed / Spamit (public / private programs) as well as Genbucks / SanCash (another competing public / private sponsorship, responsible for an array of different products.)

The spam we have all been seeing for these above-mentioned products is on behalf of Spamit as opposed to Glavmed, who tend to focus on discussions related to website, SEO or banner advertising. SPamit and Glavmed are related companies; Spamit attempts to remain far more underground and less easy to investigate.

Spamit announces closure, Oct 1 2010

In late September 2010 the front page of and contained a bilingual announcement:

Уважаемые партнеры и коллеги,

В связи с длинной чередой негативных событий последнего года и обострившимся вниманием к деятельности нашей партнерской программы, мы приняли решение свернуть свою деятельность и прекратить прием трафика с 1 октября 2010 года.

Мы считаем, что в создавшейся ситуации такое решение является наиболее правильным, т.к. оно позволяет полностью избежать рисков внезапной, незапланированной остановки, которая обязательно повлекла бы за собой коллапс всей деятельности нашей программы и, скорее всего, привела бы к невыплате заработанных вами средств. В нашем же случае, все заработанные средства будут выплачены в обычном режиме. Кидков не будет.

Пожалуйста, используйте оставшееся время для своевременного перевода трафика на другие партнерские программы.

Спасибо что работали с нами, мы очень ценим ваше доверие!

Dear partners and colleagues!

Because of the numerous negative events happened last year and the risen attention to our affiliate program we’ve decided to stop accepting the traffic from 1.10.2010. We find the decision the most appropriate in this situation. It provides avoiding the sudden work stop which leads to the program collapse and not paying your profit.

In our case the whole profit will be paid normally. All possible frauds are excluded. Please transfer your traffic to other affiliate programs till 1.10.2010.

Thank you for your cooperation! We appreciate your trust very much!

Wholesale Infection of Public PC’s

There is significant evidence that Spamit’s websites are always hosted using Windows PC’s whose systems have become infected by either the Storm, or Waledac, or Conficker worm. They are usually hosted on “fast flux” platforms, always supported by multiple such infected PC’s.

Hacking of Public Websites

There have been several instances of spam campaigns promoting a legitimate domain which has been hacked into to place a single html file to redirect users to the actual target URL. In many cases these hacked sites feature a file named either “1.html” or some series of random characters followed by the “.html” suffix.

Potential Facebook Hacking

There is some recent evidence (April 2009) that several legitimate Facebook accounts have been hacked into, likely using some form of social engineering, and then used to send spam to all of their Facebook friends. It is unclear what method is used to execute this particular form of spam but the timing matches up with the recent appearance of numerous Facebook phishing websites.