Last week the anti-spam community was abuzz with the news that Igor Gusev, the CEO of DespMedia, and the man behind GlavMed and SpamItDotBiz had been charged in absentia for running an unregulated internet company. The New York Times had an excellent story on the potential impact on spam.
At the end of this Russia Today article the author suggests "Glavmed partners are preparing to join a new pharmaceutical partnership program if the current one is shut down. Then it will be business as usual."
Where might they be going? Based on what we are seeing in the spam there are a few obvious choices. Most of the spam we have been receiving at the end of last week and through the weekend - more than 20% of our total spam volume - points us to domains that look like this:
Although "US Drugs" has had many look and feels, the thing that ties together this affiliate program is the phone number (800) 998-7978
This phone number is on many different pharma websites, some of which have harder narcotics, such as Vicodin, Percocet, and Hydrocodone such as "buy--viagra.net". These websites are often hosted on a Russian ASN belonging to Galant Ltd, but one of the spam campaigns is currently on Moldovan site AS49544, Complife, which we have seen hosting 1,783 distinct spammed pharmaceutical domains since October 19th on the IP 22.214.171.124 (click for list).
Another of the pharm sites that also uses the telephone (800) 998-7978 looks like this:
This group is currently hosted in Romania, on the IP address 126.96.36.199 (click for list) which has hosted 641 pharma domains since October 26th! prior to that, 2,271 times these domain names were hosted on 188.8.131.52 (click for list).
That leading group is followed by a close second, also almost 20% of our spam volume - for Pharmacy Express:
One of the main locations of this spam campaign's websites has been 184.108.40.206 (click for list) which has hosted 1,060 pharma domains since September 21st! Going back further, there were OEM Software sites and Casino spam sites hosted on the same IP.
Those two prominent spam affiliate programs are followed by a host of also-rans, including: