Classic Spam: Doctor Spammer, RPh

Update, 15 June 2008: I see by my site statistics that this page has now ousted the page on stock spam from the top-five most popular pages served from this site. To mark the occasion, I’ve brought the page up to date (including some new statistics on the prevalence of drug spam).

The bottom line: Be warned that many prescription drug spams are no more than attempts to steal your money, or (worse) your personal info (including credit card info). Even if you do actually get merchandise from one of these outfits (which is by no means certain to happen), this merchandise may turn out to be something that you wouldn’t want to put in your mouth (or any other orifice).

Black-market pharmaceutical drugs and spam marketing are truly a match made in heaven — or, maybe in hell, if you’re among the tens or hundreds of millions of spam recipients who have to scrape this stuff out of their inboxes every day.

In earlier versions of this page, I cited an August, 2005 report from Sophos that indicated that drug spam accounted for a 41% plurality of all spam. We now have some more recent data: in June, 2008, Barracuda (a manufacturer of e-mail security products) estimated that drug spam accounted for about two-thirds of all spam sent; in other words, drug spam now greatly outnumbers all other spam put together, and this on a volume of spam mail that has increased severalfold since the earlier Sophos figure. Needless to say, the growth in drug spam has been meteoric. 

Surprisingly, perhaps, nearly all of this stuff can be traced back to a tiny handful of scammers (like this large outfit) who rely upon extensive technical resources all around the world (generally, stolen resources) to distribute the spam, host the website, and “process” the “orders.”

Spam pharmacies offer to sell you nearly any drug you need (or just think you need) with no questions asked (and no prescriptions required). These outfits tend to feature blockbuster “lifestyle” drugs (like the ever-popular Viagra and Cialis) in their spam mail, although they claim to offer a wide variety of other drugs, some not legal for sale in the U.S.

Often, they claim that their drugs are “generic,” but since many of these products are still under patent protection, the production of generic versions would have to be done without the authorization of the inventors and in violation of those inventors’ patent rights (and therefore quite probably illegal in most parts of the world).

Of course, drug spammers don’t release income statements, and it would be very difficult to get an accurate measurement of exactly how many people buy — or attempt to buy — their medicine from spammers (although some have tried), but it seems safe to say that this spam must work. Otherwise, I can’t see how it gets to constitute as much as two-thirds of our unwanted mail. Obviously, there are a sufficient number of stupid people who ignore sound advice not to do business with spammers that the fruit of their stupidity winds up clogging the inboxes of the rest of us.

Canada must be larger than I thought

According to the U.S. Food and Drug Administration, it is against federal law for U.S. citizens to import drugs from other countries (including Canada) except under very limited circumstances. This hasn’t stopped individual Americans, and even their state and county governments, from looking north of the border to buy pharmaceuticals at prices that often run far less than in the U.S. In fact, “Canadian Pharmacy” has become quite the catchphrase in the U.S. over the past few years, and many spammers have hopped right onto the bandwagon, even many who are no more Canadian than was Al Capone (who, in his day, also had a hand in conveying certain controlled substances across the St. Lawrence).

On this page, we’ll take a look at one such outfit from which I used to get spam mail, a group we’ll call (for want of an actual verifiable company name) “MyCanadianPharmacy.”

MyCanadianPharmacy has been at the game awhile, and (typically for this kind of operation) has developed an elaborate skein of phony credentials and certificates which they display on their website. I’d hate them less if they just sold the drugs and left off all the lying, because (as we will see) they aren’t very good at it. On the other hand, maybe their target customer base doesn’t require much effort in order to be hoodwinked. Here’s a bit of their website:

On this particular week, this peregrinating site was found at a web host named madock.net, which in turn was found at IP address (according to host), in a China Telecom net block located in Anhui Province in the People’s Republic of China (which, last time I checked, is not part of Canada). Here’s the DNS server info for this domain, from a dig ns lookup:

alu-g4pb:~ rconner$ dig ns madock.net

; <<>> DiG 9.2.2 <<>> ns madock.net
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59466
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 2

;madock.net. IN NS

madock.net. 600 IN NS ns1.madock.net.
madock.net. 600 IN NS ns2.madock.net.

ns1.madock.net. 600 IN A
ns2.madock.net. 600 IN A

From this, it appears that name service for the domain was provided by a single host within this same domain having two aliases (ns1.madock.net and ns2.madock.net) and at the same IP address as the website. This establishes that these guys are among the more sophisticated of today’s spammers; by combining their authoritative DNS and web service on the same host, they’re able to hop from one location on the net to another with great ease and frequency. Don’t expect the madock.net domain to be online by the time you get around to reading this; these guys will be moving along very shortly (probably to some other Chinese hosting service with yet another alphabet-soup domain name) so as to keep investigators guessing and hunting.
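The pattern just described (nameservers inside the zone they serve, both resolving to one address, and that address being the web host) can be checked mechanically. Here is an added example, not code from the original page, that parses dig-style answer lines and reports those indicators. The two sample outputs are constructed for the example: the first is modelled on the madock.net lookup above but uses the documentation address 192.0.2.10 in place of the real one, and the second is a hypothetical ordinary zone (shop.example, dns-provider.example, 198.51.100.x) for contrast. The TTL threshold is an assumption of the example, not something the page states.

```python
import re
from collections import namedtuple

# Constructed sample modelled on the page's `dig ns madock.net` output.
# 192.0.2.10 is a documentation placeholder, not the address the page observed.
SUSPICIOUS_DIG = """
;; ANSWER SECTION:
madock.net.          600  IN  NS  ns1.madock.net.
madock.net.          600  IN  NS  ns2.madock.net.

;; ADDITIONAL SECTION:
ns1.madock.net.      600  IN  A   192.0.2.10
ns2.madock.net.      600  IN  A   192.0.2.10
"""

# Constructed contrast case (hypothetical names): nameservers at a separate
# provider, on different addresses, with a long TTL.
ORDINARY_DIG = """
shop.example.              86400 IN NS ns1.dns-provider.example.
shop.example.              86400 IN NS ns2.dns-provider.example.
ns1.dns-provider.example.  86400 IN A  198.51.100.5
ns2.dns-provider.example.  86400 IN A  198.51.100.6
"""

Record = namedtuple("Record", "name ttl rtype rdata")
RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(NS|A)\s+(\S+)$")


def norm(name):
    """Lower-case a DNS name and drop the trailing dot dig prints."""
    return name.lower().rstrip(".")


def parse_dig(text):
    """Pull NS and A records out of dig output; comment (;) and blank lines are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = RR_RE.match(line)
        if m:
            name, ttl, rtype, rdata = m.groups()
            records.append(Record(norm(name), int(ttl), rtype, norm(rdata)))
    return records


def in_bailiwick(host, zone):
    """True if host is the zone apex or lies beneath it."""
    return host == zone or host.endswith("." + zone)


def assess(zone, records, web_ips, low_ttl=3600):
    """Report the self-hosted-nameserver indicators for one zone.

    web_ips: addresses the zone's website resolves to (supplied by the caller).
    low_ttl: assumed threshold below which an NS TTL counts as 'cheap to re-point'.
    """
    zone = norm(zone)
    ns_records = [r for r in records if r.name == zone and r.rtype == "NS"]
    ns_hosts = sorted(r.rdata for r in ns_records)
    a_map = {}
    for r in records:
        if r.rtype == "A":
            a_map.setdefault(r.name, set()).add(r.rdata)
    ns_ips = set()
    for host in ns_hosts:
        ns_ips |= a_map.get(host, set())

    findings = []
    if ns_hosts and all(in_bailiwick(h, zone) for h in ns_hosts):
        findings.append("every nameserver is inside the zone it serves")
    if len(ns_hosts) > 1 and len(ns_ips) == 1:
        findings.append("all nameservers resolve to a single address")
    if ns_ips and ns_ips <= set(web_ips):
        findings.append("nameserver address coincides with the web host")
    if ns_records and max(r.ttl for r in ns_records) <= low_ttl:
        findings.append("NS TTL is short (%ds), easy to re-point" % max(r.ttl for r in ns_records))
    return {"ns_hosts": ns_hosts, "ns_ips": sorted(ns_ips), "findings": findings}


if __name__ == "__main__":
    for zone, text, web in (("madock.net.", SUSPICIOUS_DIG, {"192.0.2.10"}),
                            ("shop.example", ORDINARY_DIG, {"203.0.113.40"})):
        result = assess(zone, parse_dig(text), web)
        print(zone, result["ns_hosts"], result["ns_ips"])
        for f in result["findings"] or ["no indicators"]:
            print("  -", f)
```

None of these indicators is proof on its own (small hosting shops do run their own nameservers on the web box), but the combination of all four on a domain that is also advertised by spam is exactly the profile the page describes, and the check is cheap enough to run over every domain seen in incoming mail.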

The domain madock.net shows up in domain-whois as being registered by one Alexander Sultanov at Benadicka 7 in Bratislava, Slovak Republic. This location, you will note, is not much closer to Ontario than was Anhui Province (although admittedly this registration data is likely to be every bit as bogus as the rest of this operation).

Further down the page, MyCanadianPharmacy claims to be associated with a number of legitimate organizations including PharmacyChecker, the Better Business Bureau (BBB), Verified by Visa, Verisign, and the Canadian International Pharmacy Association (CIPA); I suppose this might be reason to trust them if the claims were true, but in fact they are arrant horseshit. The links from the icons lead to “certificate” pages on the madock.net website, but these don’t include any links to these outside organizations to allow you to verify the status of this outfit for yourself. In fact, the business name listed on these “certificates” is simply “Pharmacy,” which is a bit too generic to stand much scrutiny.

This portion of the web page (bottom left in the picture) also offers a link to view the “licence file” for this outfit, which is by far the biggest lie on this lie-infested site. When you click it, you see this:

When they forged this certificate, MyCanadianPharmacy did use the proper Canadian spelling of “licence” a couple of times (it’s “license” here in the US), but in every other respect this “licence” is just so much additional rubbish. It is headed “State of Ontario,” although Ontario is a province in Canada (which does not have “states.”) The watermark, showing a guy with a bow and arrow, is inscribed “Ontario County;” there’s no such thing in Canada, although there is an Ontario County in western New York State, which has a county seal (at left) that, as you can see, is suspiciously similar to the bow-and-arrow guy seen in the watermark.

The address at “1592 Wilson Avenue, Toronto, Ontario, M3L 1A6” is undeniably Canadian, has a proper postal code, and does show up properly in Yahoo! Maps (albeit in the middle of a shopping mall). Unfortunately, however, a search of Canadian telephone listings (at www.canada411.ca) reveals nothing and no one at that precise address, nor could they return any other listings for “MyCanadianPharmacy” in this postal code.

So, we have a domain registered in the Slovak Republic operating from a net host in Mainland China, using a suspicious DNS setup, and providing forged credentials and a postal address that cannot be independently verified — I think you’ll agree that it would require quite a stretch to call this a “Canadian Pharmacy.” If these folks will lie about such a trivial and easily-verified matter, then how much more truthful can we expect them to be about any other part of their operation? My spam rules 1 and 1a are very much to be kept in mind here.

Morphology of drug spam

We have to divide the drug spam racket into two parts: the folks who set up the drug websites, and the others whom they employ to send out the mail. Because I frequently see the same sites advertised using different mail techniques, I conclude that these are usually two different sets of people.

The mails I receive on behalf of spam pharmacies are a mixed lot: some are simple plain text messages with “creative” spelling; some are in HTML with oddball tricks (like using HTML tables or CSS attributes to obfuscate text); still others use embedded images to deliver the pitch (in a fashion similar to what I describe for stock spams).

These messages come from all over the place; many of the originating hosts are at what look like broadband home-user addresses, and therefore are probably open proxies. These mailers are persistent, often mailing every day or several times per day, switching their network setup often, and surviving for many months or even years. This suggests that many of the folks who send this stuff are probably specialists in spam mailing, and function as affiliates of the sites they promote.

The drug websites themselves are generally very well coded and not terribly easy to snoop around in. These sites tend to “share” many of their images (particularly the bogus affiliation seals); they may all be produced by the same outfits, or these guys may simply steal clip art from each other. Many if not most of these sites offer affiliate programs (usually with — ha ha — no-spam policies), which offers further proof that the website operators aren’t the spammers. Sometimes, you can see where they “’fess up” to getting their product from factories in India or elsewhere in Asia (and not from Canada).

Excellent reasons not to buy drugs from spammers

Buying prescription drugs via the internet is not at all a bad thing; in fact, many insurance companies are now encouraging their customers to do just this (through the companies’ own favored operations, of course). It is important, however, to make sure that you are dealing only with legal and competent outfits, in which categories the spammers do not appear. Drug spam, in fact, is threatening to spoil the market for internet drug sales in general, which is one reason to hope that law enforcement will get around to taking more aggressive action against the crooks.

In the mean time, here are some good common-sense reasons (should you need them) not to refill your prescriptions with spammers:

  1. The drugs may be counterfeit (i.e., fake).
  2. The drugs may be contaminated.
  3. The drugs may be in versions or packaging not approved for sale in the U.S.
  4. The drugs may be past their “sell-by” date, and may have lost much of their potency.
  5. The drugs may not have been stored properly while awaiting sale (e.g., injectable insulin or HGH preparations not refrigerated).
  6. The drugs may be of the incorrect strength for your prescription (i.e., too weak or too strong).
  7. Maybe you won’t get the drugs at all, and who’re you going to complain to?
  8. Your name, address, medical data, and credit-card information could be used in identity theft.
  9. If the drugs come from outside the U.S. (as they probably always do in the case of spam “pharmacies”), then you are probably breaking U.S. federal law in buying them. The drugs may end up getting seized by federal officials when they arrive in-country.

