Tuesday, August 28, 2007

admin - bulker.biz

Coming!
The admin of bulkerforum.biz, where the criminals gather.
He is running bulker.biz, some may know him as e-bulker too.
mybulker.biz is his too.

From one of his "newsletter" postings on bulkerforum:

================ TOP Products ==============

- Viagra
- Cialis Soft
- Cialis + Viagra
- Viagra Soft
- Cialis
- Ambien
- Soma
- HGH

================ TOP Domains ============

- yahoo.com
- aol.com
- hotmail.com
- comcast.net
- sbcglobal.net
- cox.net
- earthlink.net
- bellsouth.net
- msn.com
- gmail.com

Best Regards, Bulker.Biz Team

Mailto: support@bulker.biz
ICQ: 333192431
Skype: BulkerSupport


So there you have the admin's "products" and the domains they are mailing to. Good luck in catching him.

He kind of revealed himself in a recent posting on bulkerforum.
I cannot remember seeing a post from admin where he gets directly involved (I am most likely wrong), but when someone complained about not getting payment from "bulker", "admin" could not shut up:

bulker never pay frauders. die looser

And Crypto licks the admin's ass:

agree


More coming later. (A pain in the ass to get something done when the site is under attack)

ddos on spam-court.com again

Scribbler is back to take care of things and that is good.
He just posted this on spam-court:


Not so strong, this one, and Dreamhost obviously has a few tricks up its sleeve this time.
The attackers said "Hello" from 216.32.84.92 this time, which is Layered.
The browser looked like this:
"Opera/9.02 (Windows NT 5.1; U; ru)" .
Hm, "ru" again. I am not surprised.

The forum at thecarpcstore.com is under attack too, and is down.

None of us will be surprised if this increases.

This calls for more work, more publishing.
Yesterday I wrote a little piece about "lhl".
I guess I have to ask Ducks nicely if his writings about ebulker are ready.


I am not quite ready, could post a few small things maybe. We'll see.

This is hardly a ddos btw, not so far.

Sunday, August 19, 2007

Bits and Pieces about This and That

Those DDoS attacks on spam-court.com kind of piss me off. Not that spam-court is that important. In the big picture, this site is hardly worth mentioning at all. You have probably never seen a site with so few hits, except when it's DDoS time.
Search engines and robots like spam-court.com though. That could explain why the spammers at bulkerforum.biz dislike the site. So much that they have initiated 4 attacks on the site (or is it 5, I have lost count).
The pure fact that this is criminal activity pisses me off.

I would like to see some of the members of bulkerforum go down. Hard.
Especially the moderators: Swank, Phantom and Crypto.

Rumors are going around that Swank is a bit more active than we at spam-court.com thought a few months ago.
He is an American and it should be possible to take him down. The authorities are a bit more interested in guys like him now than only a few years back. His identity is known. The rest should be relatively easy.

Phantom is from Australia. He is slippery and there are different opinions about who he is. His own bragging is probably what has led to his identification. By us. But we can't quite believe it ourselves; it seems a bit unlikely. Little pieces and fractions of info from here and there, put together, give a preliminary picture of a small corner of the puzzle. Others disagree and have their own opinion.
Time will tell. He is being watched and we think that in the long run the only way for him to avoid identification is going out of business. But he is not "ezy" to find and he "magically" disappears when you think you have got him. And we don't know how concerned the authorities in Australia are about this kind of criminal activity.

Crypto, the expert on copyright and hacking will probably live peacefully. I don't think the local authorities go after him.

Bulkerforum.biz also has an admin. In the beginning we thought it could be Crypto, but their writing styles are different.
Their mistreatment of the English language is different too. We have an idea about who he is, or more correctly, in what branch of the spamming business he operates. He is probably a Russian, living in Russia. Usually that means he can do what he wants.

A few of the other members of the forum are a bit interesting too. But the forum has turned into a comedy lately: scamming each other, paranoia spreading, talk about starting another forum, etc. Social engineering is out of the question, they are seeing ghosts in broad daylight. Our sources dried up too.

We never thought the spammers would resort to DDoS-ing spam-court.com. That was very naive and stupid. The site is hosted in a shared environment, which is not a good idea when you are the victim of an attack. A DDoS can affect other users on Dreamhost's servers. That is our main concern. Not spam-court going down, we can live with that. Dreamhost support has been fantastic during the attacks and we are wondering if there is any other host like that out there at all. But in the long run we don't think it can be hosted on a shared server. And a dedicated server is out of the question. So we are going for something in between, which means that spam-court may go down, but it will not affect the other users. Hopefully.

New content is possible from the middle of September.
If the site is still up.
If not, some of the old content and new stuff will be up at http://ducksintworows.blogspot.com/ , http://veruccawatcher.blogspot.com/ and a couple of other places.

Saturday, August 18, 2007

spam-court up, but ddosed again

spam-court.com went live again on August 14.
Sat there quietly, almost no hits.

Then another DDoS started a couple of hours ago (according to the log, at 18/Aug/2007:11:16:11 -0700).

As I said, almost no hits.
Just a few minutes before the attack started, there was a visitor from this IP, 83.174.246.78:

inetnum: 83.174.240.0 - 83.174.255.255
netname: DSL-POOL
descr: Bashinformsvyaz Company, RUMS, DSL POOL
country: RU
admin-c: IHK1-RIPE
tech-c: AAR21-RIPE
status: ASSIGNED PA
mnt-by: RUMS-MNT
source: RIPE # Filtered

person: Ilgiz H Kalmetev
address: Lenin street, 30, RUMS
address: RUSSIA, 450000, Ufa city
phone: +7 3472 001331
nic-hdl: IHK1-RIPE
e-mail: ilgiz@bashtelecom.ru
source: RIPE # Filtered

person: Alexei A. Roumyantsev
address: JSC Bashinformsvyaz
address: Lenin street, 30, RUMS
address: RUSSIA, 450000, Ufa city
phone: +7 3472 001198
nic-hdl: AAR21-RIPE
e-mail: lesha@ufamts.ru
source: RIPE # Filtered

% Information related to '83.174.240.0/20AS28812'

route: 83.174.240.0/20
descr: RU, Ufa, JSC Bashinformsvyaz, RUMS
origin: AS28812
mnt-by: RUMS-MNT
source: RIPE # Filtered


The log looked like this (only the first part of each line; the requested file and UA are omitted):

83.174.246.78 - - [18/Aug/2007:11:10:18 -0700]
83.174.246.78 - - [18/Aug/2007:11:10:19 -0700]
83.174.246.78 - - [18/Aug/2007:11:10:19 -0700]
83.174.246.78 - - [18/Aug/2007:11:10:19 -0700]
83.174.246.78 - - [18/Aug/2007:11:10:20 -0700]
83.174.246.78 - - [18/Aug/2007:11:10:20 -0700]
83.174.246.78 - - [18/Aug/2007:11:10:22 -0700]
83.174.246.78 - - [18/Aug/2007:11:10:25 -0700]
83.174.246.78 - - [18/Aug/2007:11:10:26 -0700]
83.174.246.78 - - [18/Aug/2007:11:10:26 -0700]
83.174.246.78 - - [18/Aug/2007:11:10:26 -0700]
83.174.246.78 - - [18/Aug/2007:11:10:27 -0700]
83.174.246.78 - - [18/Aug/2007:11:10:27 -0700]
83.174.246.78 - - [18/Aug/2007:11:10:27 -0700]
83.174.246.78 - - [18/Aug/2007:11:10:27 -0700]
83.174.246.78 - - [18/Aug/2007:11:10:28 -0700]
83.174.246.78 - - [18/Aug/2007:11:10:30 -0700]
83.174.246.78 - - [18/Aug/2007:11:10:29 -0700]
83.174.246.78 - - [18/Aug/2007:11:14:03 -0700]
83.174.246.78 - - [18/Aug/2007:11:15:27 -0700]
83.174.246.78 - - [18/Aug/2007:11:15:28 -0700]
83.174.246.78 - - [18/Aug/2007:11:16:06 -0700]
88.236.16.74 - - [18/Aug/2007:11:16:11 -0700]

For those interested in details, the User Agent was:
"Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.12) Gecko/20070531 Firefox/1.5.0.12 Flock/0.7.14"

So, he comes in at around 11:10, peeps a little a few minutes later, and then the attack starts.
Coincidence?
Project Honey Pot has seen that IP before.
It is in a "DSL-POOL", but I don't know whether that address is dynamic or static. A DSL pool is normally handed out dynamically, so anyone asking the provider about 83.174.246.78 needs the exact timestamps above, not just the address.

The last IP (88.236.16.74) is the first one in the attack.
Some of the others:
58.78.157.109
58.111.188.199
59.9.153.115
59.95.166.183
61.0.121.94
61.229.138.30
62.77.65.2
62.101.165.191
62.135.70.64
66.177.151.223
74.100.191.232
76.26.232.8
78.56.52.95
80.82.38.78
80.188.34.243
80.252.53.154
81.2.60.220
81.30.51.157
81.33.104.24
81.38.63.203
81.95.236.97
82.166.224.133
82.208.72.175
83.5.28.120
83.13.202.187
83.21.7.219
83.69.111.228
84.18.110.56
84.77.149.114
86.120.46.119
87.219.247.200
87.251.96.42
88.232.98.119
88.234.161.5
88.236.16.74
88.236.18.51
88.245.19.159
88.251.110.145
89.102.230.220
124.121.182.246
125.27.158.26
125.232.112.28
165.21.154.8
165.21.154.9
165.21.154.10
165.21.154.12
165.21.154.15
165.21.154.68
165.21.154.69
165.21.154.70
165.21.154.71
165.21.154.72
165.21.154.73
165.21.154.74
165.21.154.76
165.21.154.77
165.21.154.108
165.21.154.109
165.21.154.110
165.21.154.111
165.21.154.112
165.21.154.113
165.21.154.114
165.21.154.115
165.21.154.117
165.21.155.8
165.21.155.10
165.21.155.13
165.21.155.15
165.21.155.108
165.21.155.109
165.21.155.110
165.21.155.111
165.21.155.112
165.21.155.113
165.21.155.114
165.21.155.115
165.21.155.116
165.21.155.117
189.144.99.205
189.194.67.64
190.42.41.108
195.58.241.26
195.72.251.176
195.161.213.203
200.43.232.136
200.85.47.250
201.21.121.53
201.69.117.170
201.103.68.111
201.132.156.183
201.132.210.118
201.141.195.172
201.160.116.162
201.160.168.202
203.113.40.73
203.118.97.248
203.172.60.252
207.248.45.11
211.26.23.1
212.116.219.20
217.185.5.41
219.78.136.59
222.127.223.71
222.254.28.5

Another small detail:
Only a few seconds after the attack started, there were a few hits from alertra.com.
The IPs are partially consistent with those listed at their site.
One of their services: "Get Notified When Your Site Goes Down!".
They have a free 30 day trial.
I don't think anyone at spam-court has signed up for that trial.
It is likely that the ddoser himself or the guy(s) that hired him has signed up for a trial (I doubt they have a paid service).

It is not over yet, but they have succeeded in taking the site down.
spam-court.com is not reachable, but no one else on the server is suffering.

About 4 hours after the attack started, the site was up for a few minutes and then went down again.
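As an added example (not code from the original post), here is a small Python script that does by machine what this post does by hand over the access log: find the moment the flood begins, then list which addresses were poking at the site in the minutes before it, separating them from the flood by whether they were already known before the burst rather than by a cut at the onset timestamp. The log lines it runs on are constructed to mirror the pattern above (a single address polling from 11:10 to 11:16, then a flood starting at 11:16:11); the flood and crawler addresses are RFC 5737 documentation ranges, their user agents are made up, and the 10-second window, 20-source threshold and 10-minute lookback are assumed tuning values, not anything the post states.

```python
import re
from datetime import datetime, timedelta, timezone

# Apache "combined" format: ip ident user [time] "request" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """One combined-format line -> dict, or None if the line does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m.group("ip"), "ts": datetime.strptime(m.group("ts"), TS_FMT),
            "req": m.group("req"), "status": int(m.group("status")), "ua": m.group("ua")}


def find_onset(records, window=timedelta(seconds=10), min_sources=20):
    """Timestamp at which a trailing `window` first holds `min_sources` distinct
    client IPs. On a near-idle site a botnet flood shows up as a burst of many
    different sources, a sturdier signal than raw request count. None if never."""
    recs = sorted(records, key=lambda r: r["ts"])
    start = 0
    for end in range(len(recs)):
        while recs[end]["ts"] - recs[start]["ts"] > window:
            start += 1
        if len({r["ip"] for r in recs[start:end + 1]}) >= min_sources:
            return recs[end]["ts"]
    return None


def attack_sources(records, onset, window=timedelta(seconds=10)):
    """IPs whose *first* request falls in the onset window or later: the flood.
    An address that was already visiting before the burst is not counted."""
    seen = {}
    for r in sorted(records, key=lambda r: r["ts"]):
        seen.setdefault(r["ip"], r["ts"])
    return {ip for ip, ts in seen.items() if ts >= onset - window}


def pre_attack_visitors(records, onset, lookback=timedelta(minutes=10)):
    """Non-flood IPs with requests in the `lookback` before onset: the candidates
    for 'looked at the target, then pulled the trigger'."""
    flood = attack_sources(records, onset)
    out = {}
    for r in records:
        if r["ip"] in flood or not (onset - lookback <= r["ts"] < onset):
            continue
        d = out.setdefault(r["ip"], {"hits": 0, "first": r["ts"], "last": r["ts"], "ua": set()})
        d["hits"] += 1
        d["first"], d["last"] = min(d["first"], r["ts"]), max(d["last"], r["ts"])
        d["ua"].add(r["ua"])
    return out


def analyse(lines):
    records = [r for r in map(parse_line, lines) if r]
    onset = find_onset(records)
    if onset is None:
        return {"onset": None, "flood": set(), "suspects": {}}
    return {"onset": onset, "flood": attack_sources(records, onset),
            "suspects": pre_attack_visitors(records, onset)}


# Constructed sample log (not real traffic) mirroring the pattern in the post:
# one address polls the site for six minutes, then sixty never-before-seen
# sources start hammering it. Flood and crawler addresses are RFC 5737
# documentation ranges; the bot and crawler user agents are made up.
TZ = timezone(timedelta(hours=-7))
FLOCK_UA = ("Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.12) "
            "Gecko/20070531 Firefox/1.5.0.12 Flock/0.7.14")
BOT_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"


def sample_log():
    def t(h, m, s):
        return datetime(2007, 8, 18, h, m, s, tzinfo=TZ)
    ev = [("192.0.2.10", t(10, 55, 2), "ExampleCrawler/1.0", "/robots.txt")]
    for s in (18, 19, 19, 19, 20, 20, 22, 25, 26, 26, 27, 27, 28, 30):
        ev.append(("83.174.246.78", t(11, 10, s), FLOCK_UA, "/"))
    for m, s in ((14, 3), (15, 27), (16, 6)):
        ev.append(("83.174.246.78", t(11, m, s), FLOCK_UA, "/"))
    base = t(11, 16, 11)
    for i in range(60):
        ip = f"198.51.100.{i + 1}" if i < 30 else f"203.0.113.{i - 29}"
        for off in (0, 7, 15):  # three requests per bot, staggered
            ev.append((ip, base + timedelta(seconds=i // 4 + off), BOT_UA, "/"))
    ev.sort(key=lambda e: e[1])
    return [f'{ip} - - [{ts.strftime(TS_FMT)}] "GET {path} HTTP/1.1" 200 4321 "-" "{ua}"'
            for ip, ts, ua, path in ev]


if __name__ == "__main__":
    res = analyse(sample_log())
    print("onset:", res["onset"], "| flood sources:", len(res["flood"]))
    for ip, d in res["suspects"].items():
        print(f"{ip}: {d['hits']} hits {d['first'].time()}..{d['last'].time()}", sorted(d["ua"]))
```

Keying the flood on first-seen time rather than on "everything after 11:16:11" matters for exactly the case in this post: the Flock visitor's last hit at 11:16:06 sits inside a 10-second window of the first bot request, so a naive cut at the onset timestamp would either lose it or lump it in with the bots. The flip side is that a monitoring service which first shows up seconds after the onset, like the alertra.com hits mentioned above, lands in the flood set by this rule and has to be pulled out by address or user agent.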

Tuesday, August 14, 2007

72.199.153.138

Nice area, San Diego. Ramona is nice too.
Here is a little snippet from the spam-court logs, only three days before the first ddos.
What it shows is a wordlist-driven directory scan: in about fifteen seconds the client asks for generic names (/admin/, /cgi-bin/, /config/, /cpanel/), FrontPage extension directories (/_vti_bin/, /_vti_cnf/, /_vti_pvt/), IIS leftovers (/msadc/, /iissamples/), forum and CMS paths (/forum/, /phpBB/, /cutenews/) and a list of .txt file names, none of which exist here. The timestamps are not in order because Apache writes each error entry as that request is handled, which is what you see when a client keeps several requests in flight at once.
I am wondering if they first tried to hack the site and, when that did not succeed, resorted to the DDoS?
I am also wondering who this was. Veru says he has some kind of idea, but that has to wait until he is back.
But I am told to take some pics, if possible.

A quick Google search for 72.199.153.138 gets one hit, where the IP is tied to a harvester?
Who on bulkerforum.biz is selling harvested lists?

[Thu Jun 14 18:14:46 2007] [error] [client 72.199.153.138] File does not exist: /4dm1n/
[Thu Jun 14 18:14:45 2007] [error] [client 72.199.153.138] File does not exist: /Files/
[Thu Jun 14 18:14:45 2007] [error] [client 72.199.153.138] File does not exist: /file/
[Thu Jun 14 18:14:47 2007] [error] [client 72.199.153.138] File does not exist: /File/
[Thu Jun 14 18:14:47 2007] [error] [client 72.199.153.138] File does not exist: /Forums/
[Thu Jun 14 18:14:46 2007] [error] [client 72.199.153.138] File does not exist: /forum/
[Thu Jun 14 18:14:48 2007] [error] [client 72.199.153.138] File does not exist: /Forum/
[Thu Jun 14 18:14:48 2007] [error] [client 72.199.153.138] File does not exist: /Forumz/
[Thu Jun 14 18:14:48 2007] [error] [client 72.199.153.138] File does not exist: /forums/
[Thu Jun 14 18:14:48 2007] [error] [client 72.199.153.138] File does not exist: /Forums/
[Thu Jun 14 18:14:49 2007] [error] [client 72.199.153.138] Invalid URI in request GET .txt/ HTTP/1.1
[Thu Jun 14 18:14:49 2007] [error] [client 72.199.153.138] Invalid URI in request GET .txt/ HTTP/1.1
[Thu Jun 14 18:14:49 2007] [error] [client 72.199.153.138] Invalid URI in request GET txt/ HTTP/1.1
[Thu Jun 14 18:14:49 2007] [error] [client 72.199.153.138] Invalid URI in request GET txt/ HTTP/1.1
[Thu Jun 14 18:14:50 2007] [error] [client 72.199.153.138] File does not exist: /txt/
[Thu Jun 14 18:14:50 2007] [error] [client 72.199.153.138] File does not exist: /_private/
[Thu Jun 14 18:14:51 2007] [error] [client 72.199.153.138] File does not exist: /_vti_bin/
[Thu Jun 14 18:14:51 2007] [error] [client 72.199.153.138] File does not exist: /_vti_cnf/
[Thu Jun 14 18:14:50 2007] [error] [client 72.199.153.138] File does not exist: /_vti_pvt/
[Thu Jun 14 18:14:51 2007] [error] [client 72.199.153.138] File does not exist: /admin/
[Thu Jun 14 18:14:50 2007] [error] [client 72.199.153.138] File does not exist: /admin/
[Thu Jun 14 18:14:51 2007] [error] [client 72.199.153.138] File does not exist: /asp/
[Thu Jun 14 18:14:50 2007] [error] [client 72.199.153.138] File does not exist: /audio/
[Thu Jun 14 18:14:51 2007] [error] [client 72.199.153.138] File does not exist: /bin/
[Thu Jun 14 18:14:52 2007] [error] [client 72.199.153.138] File does not exist: /binary/
[Thu Jun 14 18:14:51 2007] [error] [client 72.199.153.138] File does not exist: /cfg/
[Thu Jun 14 18:14:52 2007] [error] [client 72.199.153.138] File does not exist: /cgi-bin/
[Thu Jun 14 18:14:52 2007] [error] [client 72.199.153.138] File does not exist: /conf/
[Thu Jun 14 18:14:51 2007] [error] [client 72.199.153.138] File does not exist: /config/
[Thu Jun 14 18:14:52 2007] [error] [client 72.199.153.138] File does not exist: /cgi-local/
[Thu Jun 14 18:14:51 2007] [error] [client 72.199.153.138] File does not exist: /cgi-bin/
[Thu Jun 14 18:14:52 2007] [error] [client 72.199.153.138] File does not exist: /cpanel/
[Thu Jun 14 18:14:51 2007] [error] [client 72.199.153.138] File does not exist: /cpp/
[Thu Jun 14 18:14:53 2007] [error] [client 72.199.153.138] File does not exist: /cutenews/
[Thu Jun 14 18:14:51 2007] [error] [client 72.199.153.138] File does not exist: /cute/
[Thu Jun 14 18:14:52 2007] [error] [client 72.199.153.138] File does not exist: /data/
[Thu Jun 14 18:14:52 2007] [error] [client 72.199.153.138] File does not exist: /database/
[Thu Jun 14 18:14:54 2007] [error] [client 72.199.153.138] File does not exist: /db/
[Thu Jun 14 18:14:52 2007] [error] [client 72.199.153.138] File does not exist: /forum/
[Thu Jun 14 18:14:52 2007] [error] [client 72.199.153.138] File does not exist: /home/
[Thu Jun 14 18:14:52 2007] [error] [client 72.199.153.138] File does not exist: /iissamples/
[Thu Jun 14 18:14:54 2007] [error] [client 72.199.153.138] File does not exist: /image/
[Thu Jun 14 18:14:53 2007] [error] [client 72.199.153.138] File does not exist: /images/
[Thu Jun 14 18:14:55 2007] [error] [client 72.199.153.138] File does not exist: /Image/
[Thu Jun 14 18:14:55 2007] [error] [client 72.199.153.138] File does not exist: /Images/
[Thu Jun 14 18:14:55 2007] [error] [client 72.199.153.138] File does not exist: /include/
[Thu Jun 14 18:14:54 2007] [error] [client 72.199.153.138] File does not exist: /log/
[Thu Jun 14 18:14:54 2007] [error] [client 72.199.153.138] File does not exist: /logs/
[Thu Jun 14 18:14:54 2007] [error] [client 72.199.153.138] File does not exist: /mp3s/
[Thu Jun 14 18:14:56 2007] [error] [client 72.199.153.138] File does not exist: /msadc/
[Thu Jun 14 18:14:56 2007] [error] [client 72.199.153.138] File does not exist: /news/
[Thu Jun 14 18:14:57 2007] [error] [client 72.199.153.138] File does not exist: /perl/
[Thu Jun 14 18:14:57 2007] [error] [client 72.199.153.138] File does not exist: /php-bin/
[Thu Jun 14 18:14:57 2007] [error] [client 72.199.153.138] File does not exist: /php/
[Thu Jun 14 18:14:56 2007] [error] [client 72.199.153.138] File does not exist: /private/
[Thu Jun 14 18:14:57 2007] [error] [client 72.199.153.138] File does not exist: /public/
[Thu Jun 14 18:14:56 2007] [error] [client 72.199.153.138] File does not exist: /pvt/
[Thu Jun 14 18:14:57 2007] [error] [client 72.199.153.138] File does not exist: /phpBB/
[Thu Jun 14 18:14:58 2007] [error] [client 72.199.153.138] File does not exist: /pwd/
[Thu Jun 14 18:14:58 2007] [error] [client 72.199.153.138] File does not exist: /software/
[Thu Jun 14 18:14:59 2007] [error] [client 72.199.153.138] File does not exist: /forbidden.html
[Thu Jun 14 18:14:57 2007] [error] [client 72.199.153.138] File does not exist: /sound/
[Thu Jun 14 18:14:59 2007] [error] [client 72.199.153.138] File does not exist: /src/
[Thu Jun 14 18:14:59 2007] [error] [client 72.199.153.138] File does not exist: /tar/
[Thu Jun 14 18:14:58 2007] [error] [client 72.199.153.138] File does not exist: /warez/
[Thu Jun 14 18:14:59 2007] [error] [client 72.199.153.138] File does not exist: /topics/
[Thu Jun 14 18:15:00 2007] [error] [client 72.199.153.138] File does not exist: /txt/
[Thu Jun 14 18:14:58 2007] [error] [client 72.199.153.138] File does not exist: /cmps/
[Thu Jun 14 18:14:58 2007] [error] [client 72.199.153.138] File does not exist: /programsandscripts/
[Thu Jun 14 18:15:00 2007] [error] [client 72.199.153.138] File does not exist: /programs/
[Thu Jun 14 18:15:01 2007] [error] [client 72.199.153.138] File does not exist: /jffk1.txt/
[Thu Jun 14 18:15:01 2007] [error] [client 72.199.153.138] File does not exist: /ohiockk.txt/
[Thu Jun 14 18:15:01 2007] [error] [client 72.199.153.138] File does not exist: /ohioguy.txt/
[Thu Jun 14 18:14:59 2007] [error] [client 72.199.153.138] File does not exist: /plcap.txt/
[Thu Jun 14 18:15:00 2007] [error] [client 72.199.153.138] File does not exist: /ravvz1.txt/
[Thu Jun 14 18:15:00 2007] [error] [client 72.199.153.138] File does not exist: /ravvz2.txt/
[Thu Jun 14 18:15:00 2007] [error] [client 72.199.153.138] File does not exist: /spppc2.txt/
[Thu Jun 14 18:15:02 2007] [error] [client 72.199.153.138] File does not exist: /wazt1.txt/
[Thu Jun 14 18:15:02 2007] [error] [client 72.199.153.138] File does not exist: /xx2.txt/
[Thu Jun 14 18:15:01 2007] [error] [client 72.199.153.138] File does not exist: /xxt23.txt/
[Thu Jun 14 18:15:03 2007] [error] [client 72.199.153.138] File does not exist: /xxtt23.txt/
[Thu Jun 14 18:15:01 2007] [error] [client 72.199.153.138] File does not exist: /peas.txt/
[Thu Jun 14 18:15:03 2007] [error] [client 72.199.153.138] File does not exist: /Proxies.txt/
[Thu Jun 14 18:15:01 2007] [error] [client 72.199.153.138] File does not exist: /txt/
[Thu Jun 14 18:15:02 2007] [error] [client 72.199.153.138] File does not exist: /sample/
[Thu Jun 14 18:15:04 2007] [error] [client 72.199.153.138] File does not exist: /s/
[Thu Jun 14 18:15:02 2007] [error] [client 72.199.153.138] File does not exist: /c/
[Thu Jun 14 18:15:04 2007] [error] [client 72.199.153.138] File does not exist: /b/
[Thu Jun 14 18:15:03 2007] [error] [client 72.199.153.138] Invalid URI in request GET t// HTTP/1.1
[Thu Jun 14 18:15:03 2007] [error] [client 72.199.153.138] Invalid URI in request GET t// HTTP/1.1
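As an added example (not from the original post), the following Python reads Apache error_log lines of the kind quoted above, sorts them per client, and flags any client that asks for many distinct non-existent paths inside a short window, tagging each probe with the family of path it belongs to. The probe families and their patterns, the 60-second window and the 15-path threshold are assumptions made for this example. The sample input is seventeen lines copied from the log above plus two constructed lines for a harmless client at 192.0.2.5 (a documentation address), so that an ordinary 404 and a non-404 error are shown not to trigger it.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Apache 2.x error_log line, as quoted in the post:
#   [Thu Jun 14 18:14:46 2007] [error] [client 72.199.153.138] File does not exist: /4dm1n/
ERR_RE = re.compile(
    r'^\[(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4})\] \[(?P<level>\w+)\] '
    r'\[client (?P<ip>[^\]]+)\] (?P<msg>.*)$'
)
TS_FMT = "%a %b %d %H:%M:%S %Y"
MISSING_RE = re.compile(r'^File does not exist: (?P<path>\S+)')
INVALID_RE = re.compile(r'^Invalid URI in request \S+ (?P<path>\S+)')

# Path families a wordlist-driven scanner walks through. The categories and the
# patterns are assumptions made for this example, not a published signature set.
PROBE_KINDS = [
    ("admin/credentials", re.compile(r'^/(admin|4dm1n|cpanel|pwd|_?private)/$', re.I)),
    ("FrontPage extensions", re.compile(r'^/_vti_\w+/$', re.I)),
    ("IIS samples/RDS", re.compile(r'^/(iissamples|msadc)/$', re.I)),
    ("forum/CMS", re.compile(r'^/(forums?|forumz|phpBB|cutenews|cute)/$', re.I)),
    ("dumped lists", re.compile(r'\.txt/?$', re.I)),
]

def parse_error_line(line):
    """One error_log line -> {ts, ip, path, kind}. None for lines that do not
    parse or are not a request for a missing/invalid path."""
    m = ERR_RE.match(line)
    if not m:
        return None
    msg = m.group("msg")
    p = MISSING_RE.match(msg)
    if p:
        path = p.group("path")
        kind = next((k for k, rx in PROBE_KINDS if rx.search(path)), "other")
    else:
        p = INVALID_RE.match(msg)
        if not p:
            return None
        path, kind = p.group("path"), "malformed request"
    return {"ts": datetime.strptime(m.group("ts"), TS_FMT), "ip": m.group("ip"),
            "path": path, "kind": kind}

def parse_error_log(text):
    return [r for r in map(parse_error_line, text.splitlines()) if r]

def detect_scanners(records, window=timedelta(seconds=60), min_paths=15):
    """Flag clients that ask for `min_paths` distinct non-existent paths inside
    any `window`. Entries are written as each request is handled, so a client
    with several requests in flight yields out-of-order timestamps (the quoted
    log has 18:14:48 after 18:14:49); sort per client before windowing."""
    by_ip = {}
    for r in records:
        by_ip.setdefault(r["ip"], []).append(r)
    found = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        burst = start = 0
        for end in range(len(recs)):
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            burst = max(burst, len({r["path"] for r in recs[start:end + 1]}))
        if burst >= min_paths:
            found[ip] = {"paths": len({r["path"] for r in recs}), "burst": burst,
                         "first": recs[0]["ts"], "last": recs[-1]["ts"],
                         "kinds": Counter(r["kind"] for r in recs)}
    return found

# Sample input: 17 lines copied from the log in the post, plus two constructed
# lines for a harmless client (192.0.2.5, a documentation address).
SAMPLE_LOG = """\
[Thu Jun 14 18:14:46 2007] [error] [client 72.199.153.138] File does not exist: /4dm1n/
[Thu Jun 14 18:14:47 2007] [error] [client 72.199.153.138] File does not exist: /Forums/
[Thu Jun 14 18:14:46 2007] [error] [client 72.199.153.138] File does not exist: /forum/
[Thu Jun 14 18:14:49 2007] [error] [client 72.199.153.138] Invalid URI in request GET .txt/ HTTP/1.1
[Thu Jun 14 18:14:50 2007] [error] [client 72.199.153.138] File does not exist: /_private/
[Thu Jun 14 18:14:51 2007] [error] [client 72.199.153.138] File does not exist: /_vti_bin/
[Thu Jun 14 18:14:51 2007] [error] [client 72.199.153.138] File does not exist: /_vti_cnf/
[Thu Jun 14 18:14:50 2007] [error] [client 72.199.153.138] File does not exist: /_vti_pvt/
[Thu Jun 14 18:14:51 2007] [error] [client 72.199.153.138] File does not exist: /admin/
[Thu Jun 14 18:14:52 2007] [error] [client 72.199.153.138] File does not exist: /cpanel/
[Thu Jun 14 18:14:53 2007] [error] [client 72.199.153.138] File does not exist: /cutenews/
[Thu Jun 14 18:14:52 2007] [error] [client 72.199.153.138] File does not exist: /iissamples/
[Thu Jun 14 18:14:56 2007] [error] [client 72.199.153.138] File does not exist: /msadc/
[Thu Jun 14 18:14:57 2007] [error] [client 72.199.153.138] File does not exist: /phpBB/
[Thu Jun 14 18:14:58 2007] [error] [client 72.199.153.138] File does not exist: /pwd/
[Thu Jun 14 18:15:03 2007] [error] [client 72.199.153.138] File does not exist: /Proxies.txt/
[Thu Jun 14 18:15:01 2007] [error] [client 72.199.153.138] File does not exist: /peas.txt/
[Thu Jun 14 18:20:12 2007] [error] [client 192.0.2.5] File does not exist: /favicon.ico
[Thu Jun 14 18:20:15 2007] [error] [client 192.0.2.5] client denied by server configuration: /var/www/.htaccess
"""

if __name__ == "__main__":
    for ip, s in detect_scanners(parse_error_log(SAMPLE_LOG)).items():
        print(f"{ip}: {s['paths']} missing paths, {s['burst']} within 60s,",
              f"{s['first'].time()}..{s['last'].time()}", dict(s["kinds"]))
```

Counting distinct paths per client inside a window, rather than raw 404s, is what keeps a browser that repeatedly misses /favicon.ico or a crawler following stale links out of the result; the per-family tally is what tells you afterwards which software the scanner's wordlist was written for, which is often more useful than the single source address.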

Saturday, August 4, 2007

The Poe-try of a snitching spammer

Chris Smith (Chris Rizler) sentenced to 30 years.
Interesting readings.

Alton Scott Poe, Smith's second-in-command at the pharmacy, came next. Engisch told Davis that Poe had been "one of the most significant and important cooperators in this matter." Poe pleaded guilty in February 2006 to conspiracy and unlawful distribution of a controlled substance. Davis sentenced him to 6 months in prison and 6 months of home detention, plus 3 years of supervised release.

Full story:
http://www.startribune.com/467/story/1337623.html

I wonder where Poe is hanging around nowadays.

8/4/07:
I think I have a pretty good idea about that.
More later. Maybe.

I don't know exactly where he is hanging around, but bulkerforum.biz used to be one of the places.

Some big ducks in San Diego

Some big ducks went down in San Diego.

WASHINGTON – A federal grand jury in San Diego has indicted 18 individuals on racketeering and related charges for allegedly operating an Internet business that generated more than $126 million in gross revenues from the illegal sale of prescription pharmaceuticals, Assistant Attorney General Alice S. Fisher of the Criminal Division and U.S. Attorney Karen P. Hewitt for the Southern District of California announced today.

I have a little clue about Affpower, but not enough.

However, the area around San Diego is nice and there are some interesting guys living there.
Vacation time soon, I think I will take a couple of days in CA.

Ramona is especially nice someone told me.
I recently bought a new camera, could come in handy.
I love pictures of small ducks.