Spam Alert
 
 Full Report: /VPXL_spam212153.html
 
 Consumed following related reports:

[212154] http://knj.cashfade.com/?lixbkz
Changed status to confirmed spam.

This is one of many, many websites of VPXL, also known as Elite Herbal, Express Herbals, Megadik, Megadick, Manster, Spur-M, MaxGain, MaxHerbal, HerbalKing, LNHSolutions, A-Plus Herbals, etc., which advertise products to cause penile enlargement. It is associated with the Sancash affiliate operation, which also operates Canadian Healthcare, King Replica, and others.

Sites continue to be registered and spammed despite police raids and seizure of the computers of someone believed to be highly placed in the Sancash operation. In any case, people purchasing these products should consider the possibility their purchase information will become publicly available during court proceedings in the near future.

Sancash has many affiliates, all spamming for the same brands and in essence competing with one another to refer orders to Sancash. This has resulted in their brands constituting an extremely high percentage of all the spam clogging inboxes.

The cashfade.com site claims:

>What you can expect
>60 Pills Of VPXL = 1 Months Supply
>
>First month you will notice an increase in
>penis size of up to 1/2 inch, you will also
>notice an increase in sexual desire, stronger
>erections and more enjoyable sex.
>
>Second month you will notice an increase in
>penis size of up to 1 inches, plus an
>increase in Girth (Width) of 5%, plus all
>the benefits of the first month.
>Third/Forth month you will notice an increase
>in penis size of up to 3 inches, plus an
>increase in Girth (Width) of 10%, plus all
>the benefits of the first month.
>Fifth/Sixth month you will notice an increase
>in penis size of up to 4 inches, plus a
>increase in Girth (Width) of 20%, plus all
>the benefits of the first month.

Those are pretty specific health claims for an herbal product. That would put them under the jurisdiction of the Food and Drug Adminstration in the U.S., requiring them to prove the safety of their product, to conduct well-designed studies to substantiate claims of efficacy, and to prove that all the ingredients and their quantities listed on the label are accurate. The site claims the pills are manufactured in an FDA-approved laboratory; obviously they aren't referring to the US FDA. Their site mentions research but does not cite any publications.

Simon Cox of the BBC investigated these brands and ended up speaking on the phone with someone who identified the company as Tulip Lab Pvt., India. The product they purchased during that investigation for $70 contained no active ingredients, and the bottle he received didn't even claim to effect penile enlargement.
http://news.bbc.co.uk/1/hi/magazine/7140449.stm

The author of the blog spaminmyinbox.com also traced Elite Herbal spammed sites to Tulip Lab via their ordering process. Tulip Lab is attempting to silence him via a court proceeding in India, although how that court has jurisdiction where he is located, in Denmark, is unclear.
http://www.spaminmyinbox.com/
http://ikillspammers.blogspot.com/2007/12/elite-herbal-genbucks-sancash-and-tulip.html

cashfade.com also claims

>FACT: In a recent survey by Durex Condoms,
>67% of all women admitted that they are
>unhappy with their partner's penis size.
>This proves that size really does matter.

Actually, the Durex Sexual Well-being Global Survey results are here (Turn off Javascripts to view text versions on single pages):
http://www.durex.com/cm/sexual_wellbeing_results.asp
http://www.durex.com/cm/sexual_wellbeing_results_part2.asp
http://www.durex.com/us/gss2005result.pdf

The FACT is that the survey doesn't mention anything about penis size being important to women.

These spam emails violate the US CAN-SPAM act by failing to label the email as advertising or as having adult content, by having forged "from" addresses, by failing to provide the physical address of the sender or a means of unsubscribing, by mailing through open proxies without that server's owner's permission, and by sending to email addresses harvested from websites by webcrawling bots, as evidenced by their being sent to spamtraps (email addresses posted on the internet but never used for real email communication).

IP Converted: 218.61.7.21

dword = 3661432597
hex1 = 0xda3d0715
hex2 = 0xda.0x3d.0x7.0x15
oct = 0332.075.07.025
View CIDR AS4837 Report: http://www.cidr-report.org/cgi-bin/as-report?as=4837

"4837 | CN | apnic | 2001-09-17 | CHINA169-BACKBONE CNCGROUP China169 Backbone"<br />
Extended information for AS4837:
State/Province:
Country: cn
Responsible Domain: cnc-noc.net
Abuse Email: abuse@cnc-noc.net
IP Converted: 77.38.216.168

dword = 1294391464
hex1 = 0x4d26d8a8
hex2 = 0x4d.0x26.0xd8.0xa8
oct = 0115.046.0330.0250


Spamhaus information on this IP address:
http://www.spamhaus.org/sbl/sbl.lasso?query=SBL65849
http://www.spamhaus.org/sbl/sbl.lasso?query=SBL66862
http://www.spamhaus.org/sbl/sbl.lasso?query=SBL67180View CIDR AS20910 Report: http://www.cidr-report.org/cgi-bin/as-report?as=20910

"20910 | LV | ripencc | 2001-07-04 | BALTKOM-AS BALTKOM Autonomous System"<br />
Extended information for AS20910:
State/Province:
Country: lv
Responsible Domain: parks.lv
Abuse Email: postmaster@parks.lv


The spam email submitted for this report originated at IP address 77.38.216.168, which is in Latvia. The forged "from" address was "Karin Hooker" <linmarstarmet[at]marstar.de> in Germany.

77.38.216.168 is listed with the Composite Block List (CBL) as being infected with malware:
http://cbl.abuseat.org/lookup.cgi?ip=77.38.216.168

>IP Address 77.38.216.168 is currently listed in the CBL.
>
>It was detected at 2008-08-23 15:00 GMT (+/- 30 minutes),
>approximately 2 hours ago.
>
>ATTENTION: At the time of detection, this IP was infected
>with, or NATting for a computer infected with a high volume
>spam sending trojan - it is participating or facilitating a botnet
>sending spam or spreading virus/spam trojans.
>
>ATTENTION: if you simply repeatedly remove this IP address
>from the CBL without correcting the problem, the CBL WILL
>stop letting you delist it.
>
>This is the Cutwail BOT
>
>You MUST patch your system and then fix/remove the trojan.
>Do this before delisting, or you're most likely to be listed again
>almost immediately.
>
>If this IP is a NAT firewall/gateway, you MUST configure the
>NAT to prevent outbound port 25 connections to the Internet
>except from your real mail servers.

Other domains (or their subdomains/nameservers) that have been observed on 218.61.7.21:

acefold.com
aceneed.com
adddollar.com
aikihtuisq.cn
apmjzac.com
archprice.com
avcifeilvd.cn
backrise.com
badecold.com
clipneed.com
clocksuperb.com
daycarry.com
dearyour.com
dollarmust.com
epicsuperb.com
facefold.com
fadegoal.com
fadepad.com
fameneed.com
finesuperb.com
flakewave.com
flickadd.com
foldneed.com
gemneed.com
goodsuperb.com
greatepic.com
handgood.com
highepic.com
highsuperb.com
hwbaepakgn.cn
kindneed.com
lightlit.com
mallneed.com
mustace.com
nearneed.com
omyawrowob.cn
packpad.com
priceepic.com
pricesuperb.com
pushlow.com
qrbiapundi.cn
qualityepic.com
qualitypaid.com
raisecarry.com
reachcarry.com
reachmake.com
renewpaid.com
riseback.com
riselift.com
sameadd.com
sandpaid.com
seenblue.com
shoppaid.com
storeafford.com
superbbest.com
superbepic.com
swiftcome.com
swiftturn.com
tallpaid.com
tapswift.com
tauheanen.com
tearpower.com
tearwill.com
ttueiaal.com
turnlead.com
ujsibziplq.cn
uxewxb.com
walltake.com
waveneed.com
xgcantaxfj.cn

Other domains sharing the nameserver, ns3.sdviqg.com:

badebase.com
badecold.com
bademove.com
camestay.com
casemere.com
caseneed.com
cashcame.com
cashfade.com
deuaohcen.com
famegem.com
galefame.com
galefive.com
gemhave.com
havegem.com
needcame.com
needgem.com
pillspaid.com
sdviqg.com
wavecame.com