n0fx - delivers bp hosting and exploits

A young oldtimer. A digital gangsta (not my words). Found traces of him dating back a few years, probably back to the spamvault.net days.
Just out of his diapers back then.

Let's start with a one of his postings from bulkerforum.biz:

n0fx
Joined: 26 Mar 2007
Posts: 50
Posted: Tue Oct 02, 2007 4:44 pm Post subject: bp servers 4 sale - can use for ANYTHING but direct mailing
$250 Dedicated BP FAST China Servers

* 110% ANONYMOUS - your name and info not tied to them at all!

* Direct Mailing not allowed but pea mailing and any other applications running is fine -- social networks, chat bots, etc.

* IF for some reason the IP gets in trouble, your server will NEVER go down -- you will just be assigned new ip.

* WINDOWS OR FREEBSD O/S. No hosting on these servers.

***************

If you need FAST hosting BP, $500 a month. no adult or child porn *anything else is fine* - 25 Domains.

Contact me and I'll get you setup ASAP!

aim - batonRouge
skype - killpolice
icq - 216.587.192

Hm, hosting *anything* except adult and child porn. So malware and phish pages are just fine, me thinks.

Ties to Matt Leppala (Link to Leppalas ROKSO listing).
Has at least one site hosted at Leppalas (webnos) space on Staminus.
And some sites on phatservers.

A nice soul sent us a picture of three guys.
The problem is that we don't know which one is n0fx. And the source is silent.

Other nicks used around: skunx, PunkRockXXX, squatterpunx, Punk Rocks

Personally, I prefer to call him Steve.
No, I changed my mind. I prefer to call him Edmond. I wondered what that e@ in several domain registrations meant.
Now I know.
Ugly piece of shit according to a photo.

sanjay aka sancash

The Elite Herbal guy.

I originally included him in the "Snippets" posting, very briefly:

A quick note to self:
This guy is involved with Elite Herbal.
How high up he is in the food chain cannot be established accurately.
If not on top, he is very high up.

Definately to be continued.

There is a lot of buzz about Elite Herbal and genbucks going on now.
That is the only reason for this posting. I don't have that much new info on sanjay.

One tiny little detail is found in an old dig for the domain sancash.com (and this is sanjay's domain):

; <<>> DiG 9.2.4 <<>> sancash.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49188
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0

;; QUESTION SECTION:
;sancash.com.                   IN      A

;; ANSWER SECTION:
sancash.com.            130     IN      A       66.11.113.41

;; AUTHORITY SECTION:
sancash.com.            172800  IN      NS      ns2.sancash.com.
sancash.com.            172800  IN      NS      ns1.sancash.com.

;; Query time: 57 msec
;; SERVER: 
;; WHEN: Sat Sep 22 18:46:19 2007
;; MSG SIZE  rcvd: 81

Then we take a look at that IP, 66.11.113.41:

Suavemente, INC. SUAVEMENTE-SAN-DIEGO (NET-66-11-112-0-1)
                                  66.11.112.0 - 66.11.127.255
IzoWeb, Inc IZOWEB-SANDIEGO (NET-66-11-113-0-1)
                                  66.11.113.0 - 66.11.114.255

Who else has IzoWeb/WireSix as a favorite hoster?
You're right: GenBucks.
Another small piece in the Elite Herbal/Genbucks connection.

And regarding IzoWeb: By the number of hosted genbucks sites and their related sites, is this really an independent host?
Or is it GenBucks themselves?

I am wondering a bit about Suavemente too.

Let's jump back:

Post subject: Penis enlargement pills .. Big Commissions! Epassporte Pay!
We are looking for a few more affiliates who are intrested in marketing enlargement pills, great alternative to replica or RX, our pills are converting great with average order of 6 bottles!. Payments every week. fast BP hosting, private bp domains.

We have solid references for those that dont know us.. affiliates will also need references.

Thxs Sanjay

AIM: sancash44
MSN: sancash44@hotmail.com
ICQ: 654052
SKYPE: sancash1

That was back in October 2006.

And a bit earlier in October 2006:

Herbal sites, high converting penis pills and Cum pills, Hoodia... market these and get weekly epassporte payments or wire if needed.

If you dont have an epassporte account, get just 1 sale we can send you a free ATM card.. get paid and withdraw it every week!

- multiple servers
- lots of fresh domains
- private domains
- add your own domains!
- detailed stats
- lots of sites, herbal, RX, adult products
- fast servers
- high commissions

plus lots more nice features

We have been in the industry for over 4 yrs, program was made by mailiers 4 mailers!

get your account today..

ICQ - 654052
SKYPE - sancash1

We dont normally hang at boards but do have people that can vouch for us.

Thxs Sanjay

Note: program was made by mailiers 4 mailers!.
Yeah, right genbucks. We rephrase that one:
The program was made by spammers for spammers.

Ron Paul spam tied to bulkerforum.biz

This story on slashdot made a couple of bells start ringing.

... someone calling themselves nenastnyj was behind it and their botnet control server has been shut down

nenastnyj is a member of bulkerforum.biz. You will probably know him as "nena" over there.
Drug spammer apparently in charge of PharmaBucks. Here is his first posting on bulkerforum in January 2007:

Posted: Tue Jan 09, 2007 7:36 am
Post subject: New big money with PharmaBucks
Dear colleagues (we hope that we will be able to call you partners of our partnership program in future),

The partnership program "PharmaBucks" is more than happy to encourage you to cooperate with us.

For the time being, there is one shop and four medical preparations, that are the most needed, available in our partnership program.

We offer you sales with commissions from 30 to 50%. According to the promotion of our program everybody who registers before February 1st, 2007 will be registered in partnership plan " Silver " that offers you 40%.

Our conditions and benefits:

- Detailed and very honest statistics! You will feel it from the very first minute of our cooperation;
- Commissions up to 55%;
- Referral system of 5%
- Our own steady bulk-servers;
- Support is always ready to answer your questions comprehensively and correctly;
- Daily change of domains, personal domains for the big adverts;
- Regular professional text refreshments;
- Salaries webmoney, fethard, wire;
- Hold – 14 days;
- % commissions according to the following tariff description:

0-10 sales per day - 30% commission
11-20 sales per day - 40% commission
20-50 sales per day - 45% commission
50+ sales per day - 55% commission


Our cooperation and your time is of a great value for us, that’s why we made all the conditions of successful and lucrative cooperation with you so much easier.

Everybody, from the beginners to the professionals, is more than welcome to join our partnership program. Respectful and sophisticated Support is always ready to help you with any kind of problem.

Our working team consists of exceptional professionals that have invested all their experience acquired throughout many years into this program.
We are always looking with a perspective concentrating our attention and experience only on reaching the highest peaks, comprehensively analyzing and improving our accomplishments.

We hope that you will value our advantages starting from today.

To register and start working you can by connecting to this ICQ number: 303-435-751.
Back to top
View user's profile Send private message
ICQ Number <------- 304927900 304-927-900

A bit later he answers neuman's question:
what are the products?

now only 4, and 1 shop, soon ill be 4more products
now only Viagra Soft tabs Cialis soft tabs, cialis, and viagra pro

A small image from pharmabucks.biz when the page was still up:

We have not been following nena/PharmaBucks around, so we don't know the story after January.


Back to the Ron Paul spam:
More details in a report from Secureworks.
A bit shorter version on ars technica

And there is something else that is a bit interesting in that report.
The Ron Paul spam has been tied to "Reactor botnet". "spamit" on bulkerforum is being mentioned, but SecureWorks doubt he is the author. It is more likely that he is a customer of the author of the bot controlling software.
Interesting points anyway.

Now, I highly doubt that the Russians are especially interested in US politics.
Which leaves the question: Which american spammers (and probably with connections to bulkerforum.biz) are behind the spam for Ron Paul?

We know that the Digital Gangstas Matt Leppala, Pete Snoufax and ytcracker are close to an orgasm if Ron Paul is being mentioned. But we have no idea if they were behind the spam. n0fx on bulkerforum is an old buddy of them.

This blog back after DDoS

The criminals did not only attack spam-court.com, but also this blog.
I just discovered it was back, don't know when that happened.
It must be during the last two or three days.

spam-court had a short-lived reappearance too.
That was not intentional and it soon disappeared again.