Thursday, October 16, 2008

FTC stops AffKing and SanCash, so is Pill Spam Gone?

In yesterday's blog, we shared information about the FTC and New Zealand police's Takedown of AffKing and SanCash. As soon as I posted, people started asking, "Have you seen a decrease in pill spam?" So, this morning we went to Starbuck's and checked out the morning spam over a few espressos.

To make sure we were using fresh spam, we looked only at spam from midnight until 6 AM for October 16, 2008. To begin, we sorted our spam into two big buckets: Pill Spam, and Everything Else. Then, we did some simple checking of what was in the Everything Else bucket, to reveal this graph:

We then opened up the "Pill Spam" data and started digging into the clusters. The emails in this category contained 12,040 URLs, of which 1,231 were unique. The most common URL was for the website which occurred 1,118 times, followed by with 960 occurrences and which was present in 570 emails.

Twenty-Eight URLs accounted for 50% of the pill spam emails.

Eighty-seven URLs accounted for 75% of the pill spam emails.

179 URLs accounted for 90% of the pill spam emails.

The graphic below shows the top Sixty-five URLs in the Pill Spam category which each contained at least .25% of the volume of emails.

In each case, all of the domains from each provider were hosted on a single ISP. The domains were:

31% -

14% -

8% -

6% -

No Image Available - Site Offline

5% -

1% -

0.3% -

We'll revisit the topic of pill spam in two weeks time to see if there has been any significant change in the field. It may be that the implications of the recent decision have not yet set in, or it may be some of the spammers are so bold that they just switched affiliates and kept right on spamming!

For now, I'll leave you with the even worse truth about these spammers. They have dozens or even thousands of other domains already registered and ready to send spam. Each of these IP addresses above also hosts a plethora of other domain names which are sitting in reserve for future spam purposes. Some of these may be valid domains, I am not claiming they are all pill sites, but every one that I have checked so far was hosting a pill site:

VDHost of Latvia -

Hanaro Telecom in Korea on

Megaplan on

CNC Group on

ChinaNet on

The Planet on

No comments:

Post a Comment

Trying a new setting. After turning on comments, I got about 20-30 comments per day that were all link spam. Sorry to require login, but the spam was too much.