Herbal King

From Spamwiki

Description

Also known as V.E.P. Virility Enlarge Pills, Power Gain+, MaxGain+, MaxGain, VPXL, Express Herbals, Elite Herbal, MaxHerbal, MaxGentleman and Dr.MaXman, among others, Herbal King is a highly spammed website. Its product was analyzed by the BBC's Simon Cox in a report on his radio show "The Investigation" (bbc.co.uk: Super scam me, Dec. 13, 2007). The tablets Cox had analyzed as part of his investigation contained no active ingredients. (Since there is no product known to increase penis size in males who have reached sexual maturity, it hardly matters.)

Often the spam emails only contain domain names that redirect to a destination site, such as ebaygods.com, where victims are defrauded through sale and delivery (or sometimes nondelivery) of fake drugs, and appropriation of their personal details for use in future fraud.

MaxGain+ exploits many different methods of redirections to try to escape detection.

Geographical locations are India and Hong Kong.

V.E.P. Virility Enlarge Pills
Power Gain+
Max Gain+
Express Herbals / VPXL
Express Herbals / Manster
Elite Herbal
Herbal Growth
Max Herbal
Herbal King
MaxGentleman
Dr.MaxMan
MaxGain 2011

Samples of the spam

ManXL

subject: Is yours Below 5 Innches Long?

Here's latest "ManXL" formula has been proven
to add inches to the sizes while multiplying
orgasms like never had before. 
Our products is light years ahead of our competitors
which has millions of happy users.

Check us out..You won't regret. 

http:(domain deleted by Spamwiki admin)

MegaDik

subject: To get the best possible results we recommend using the program for at least four months.

No, MegaDik Pills do not cause any known adverse side effects.
http://ealyon.com [links to Elite Herbal]

Manster

subject: 60 Pills Of Manster = 1 Months Supply

When should you stop taking Manster Pills?
http://dizimos.com [links to Elite Herbal]

Combination spam

This sample shows multiple different spam operations linked together in a single spam message.

Add some inches fast, safe and effective as seen on
NBC and prooven to work 100% ... http://csmo.net [links to Herbal King]

Have you ever wished you ejaculate like a porn star?
Now you can... http://chrk.net [links to Wondercum]

Wish you could rock her world all night long? Now you
can.. http://cdjw.net [links to Vigramax]

Sounds like a dream? Turn that dream to reality
with this personal device.. http://ctmay.com [links to Personal Pussy]

If a relaxing moment turns into the right moment,
will you be ready? http://minjkirrreat.com/  [links to ED Pill Store]

Lose weight Fast! Certified 100% Pure South African
Hoodia.. http://uacor.com (Hoodia Gordonii)

Get $500 Free.. http://staunbrad.com/micro/7 [links to Mint Las Vegas]
Have you ever wished you ejaculate like a porn star?
Now you can.. http://thonr.com [links to WonderCum]

Add some inches fast, safe and effective as prooven
on NBC Dateline to work 100% ... http://csmo.net [links to Herbal King] 

Did you ejaculate before or within a few minutes of 
penetration? Help is here... http://buoon.com [links to Extra Time]

Wish you could rock her world all night long? Now you
can.. http://cgide.com [links to Vigramax]

If a relaxing moment turns into the right moment, 
will you be ready? http://ezurozven.com [links to ED Pill Store]
Subject: MegaDik.. do you have 10 inches? Maybe You want enlarge him   
 tracking code munged

This example contains both MegaDik and Manster references.

Dear victim@example.com

http://kazmway.com/w.php

Do  you want Enlarge your Penis? 
t Gain 3+ Inches In Length.
100% Money Back Guarantee.
t *3 FREE Bottles Of ManSter !!

http://kazmway.com/w.php

Thanks
Mary Anniston


victim@example.com wrote:
> > MegaDik.. do you have 10 inches? Maybe You want enlarge him
 tracking code munged-
out me now
http://kazmway.com/w.php

History

The following announcement was published on an online forum to recruit new spammers:

Post Posted: Sun Apr 22, 2007 8:54 am   
Post subject: New RX pharmacy  	
 
WE NOW have online pharmacy take a look ......ablepharmacy.com

Payments are every Thursday like clockwork, no delays or arrays

Our "Low Price Pharmacy Store" design sports a professional array of pharmaceuticals.
This is definatly (sic) our top converting website.

Other product:
herbal
fleshlight
enlargement pills
very popular sextoy
hoodia
cum pills

msg me with a valid email for an account

The sample site quoted, ablepharmacy.com was registered by

person:       Eduardo Macias
organization: TOLMEN STAR ENTERPRISES LTD
email:        admin@querendamx.com
address:      Querenda No. 353, Fracc. Bosque Camelinas
city:         Michoacan
postal-code:  58290
country:      MX
phone:        +52.443655187

The registrar who accepted this criminal spammer's contract for domain name registration was

Domain Name: ABLEPHARMACY.COM
Registrar: COMPUTER SERVICES LANGENBACH GMBH DBA JOKER.COM

To this day, this criminal spammer still uses many registered domains which are widely spammed. The registrar who is still accepting his contracts for registrations under the same registrant details is COMPUTER SERVICES LANGENBACH GMBH DBA JOKER.COM

Other fake company names that are a "fingerprint" for these registrations include

  • Chang Limited
  • Black Network Inc
  • Etty Productions Limited
  • Gutierrez Ventures
  • Liquid Ventures Inc
  • Miura Promotions LLC
  • Mohamed Ventures Limited
  • Optin Media Inc
  • Pump It Productions
  • Tolmen Star Enterprises Ltd
  • Tufa Corporation
  • Xinyu Inc
  • Zhou Ventures Ltd

Any registration from these false companies constitutes sufficient evidence for any law abiding registrar to suspend the domain.


  • The registered domains may have a redirect to a central site, such as herbal-kings.net or aplusherbals.com or elite-herbals.com or ezherbals.com
  • Typically the spammed domains are registered with CSL Computer Service LANGENBACH GMBH (www.joker.com)
  • The name servers (eg ns1.b12dns.com ns2.b12dns.com ns3.b12dns.com ns1.sacodns.com ns2.sacodns.com ns1.centdns1.com ns2.centdns1.com ns1.maindns4.com ns2.maindns4.com ns1.gzrealm.com ns2.gzrealm.com) are registered with CSL (www.joker.com)
  • The redirected domains herbal-kings.net aplusherbals.com elite-herbals.com ezherbals.com ezherbals.net are registered with CSL (www.joker.com)

MaxGain+

Domain Name: HINTEIRA.COM
Registrar: XIN NET TECHNOLOGY CORPORATION
Whois Server: whois.paycenter.com.cn
Referral URL: http://www.xinnet.com
Name Server: NS1.NS-EARTHLING.COM
Name Server: NS2.NS-EARTHLING.COM
Billing Contact:
       Li Ming
       NO.38,YongFeng street,Tianchange City,Anhui Province
       Tianchange Anhui 239355
       CN
       tel:   2400568
       fax:   2400568
       yayun22@163.com

Domain Name: ELITE-HERBALS.COM
Registrar: COMPUTER SERVICES LANGENBACH GMBH DBA JOKER.COM
Whois Server: whois.joker.com
Referral URL: http://www.joker.com
Name Server: NS1.CENTDNS1.COM
Name Server: NS2.CENTDNS1.COM
Status: clientDeleteProhibited
Status: clientRenewProhibited
Status: clientTransferProhibited
Status: clientUpdateProhibited
owner:        Jason Poon
organization: Black Network INC

Domain Name: HERBAL-KINGS.NET
Registrar: COMPUTER SERVICES LANGENBACH GMBH DBA JOKER.COM
Whois Server: whois.joker.com
Referral URL: http://www.joker.com
Name Server: NS1.MAIN-DNS3.COM
Name Server: NS2.MAIN-DNS3.COM
Name Server: NS3.MAIN-DNS3.COM
Status: clientDeleteProhibited
Status: clientRenewProhibited
Status: clientTransferProhibited
Status: clientUpdateProhibited
owner:        Eduardo Macias
organization: TOLMEN STAR ENTERPRISES LTD

Domain Name: APLUSHERBALS.COM
Registrar: COMPUTER SERVICES LANGENBACH GMBH DBA JOKER.COM
Whois Server: whois.joker.com
Referral URL: http://www.joker.com
Name Server: NS1.MAINDNS4.COM
Name Server: NS2.MAINDNS4.COM
Name Server: NS3.MAINDNS4.COM
Status: clientDeleteProhibited
Status: clientRenewProhibited
Status: clientTransferProhibited
Status: clientUpdateProhibited
owner:        Eduardo Macias
organization: TOLMEN STAR ENTERPRISES LTD

Domain Name: EZHERBALS.COM
Registrar: COMPUTER SERVICES LANGENBACH GMBH DBA JOKER.COM
Whois Server: whois.joker.com
Referral URL: http://www.joker.com
Name Server: NS1.GZREALM.COM
Name Server: NS2.GZREALM.COM
Status: clientDeleteProhibited
Status: clientRenewProhibited
Status: clientTransferProhibited
Status: clientUpdateProhibited
owner:        Jason Poon
organization: Black Network INC

Domain Name: ACTIONHERBALS.COM
Registrar: COMPUTER SERVICES LANGENBACH GMBH DBA JOKER.COM
Whois Server: whois.joker.com
Referral URL: http://www.joker.com
Name Server: NS1.GZREALM.COM
Name Server: NS2.GZREALM.COM
Status: clientDeleteProhibited
Status: clientRenewProhibited
Status: clientTransferProhibited
Status: clientUpdateProhibited
owner:        Jason Poon
organization: Black Network INC

Domain Name: TEXENMET.COM
Registrar: COMPUTER SERVICES LANGENBACH GMBH DBA JOKER.COM
Whois Server: whois.joker.com
Referral URL: http://www.joker.com
Name Server: NS1.JDNS2008.COM
Name Server: NS2.JDNS2008.COM
Status: clientDeleteProhibited
Status: clientRenewProhibited
Status: clientTransferProhibited
Status: clientUpdateProhibited


Before and After Photos

Most of these sites attempt to convince visitors their products are effective by showing "before" and "after" photos of male genitalia.

Anyone with photo manipulation software can create realistic-looking photos of unrealistically large anatomy. That type of photo manipulation is commonly done for porn images. Men should not accept photographs as evidence that anyone with genitalia that size exists, let alone that they got that way from using one of these products.

An example based on a real image from one of these spamvertised sites is at

http://spamtrackers.eu/wiki/index.php/Image:Beforeafter.jpg

(image alert: this is an image of nude male genitalia)

How to Report this Spam

Generally, the most effective way to demand that registrars cancel their illegal contracts with criminals is to use the tool provided for Windows users at Complainterator.

If the registrar is CSL, however, be aware that they refuse to act on email complaints, so you can ignore the mandatory ICANN registered email address at info@nrw.net.

At www.joker.com click on Register. Become a registered client. Once registered, you can log in and fill out a complaint form.

  • Register at www.joker.com
  • Login as a registered user
  • Select "Support/Contact"
  • Select "Report spammers/phishing"
  • Fill in the relevant CSL registered spammed domain or its name server
  • Fill in the complaint with links to evidence

Note that you can generate the text of the complaint using Complainterator and copy/paste it into the web page.

Related Spams

See also PowerEnlarge, LNHSolutions, King Replicas relationships

  • Herbal King
  • Express Herbals
  • Vigramax (vigramax.net)
  • Hoodia Gordonii (leanwithhoodia.com)
  • MaxHerbal
  • VPXL see Canadian Healthcare
  • MaxGain+

These

  1. use the same name servers
  2. are registered at the same time
  3. use the same registrar
  4. use the same redirection
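
The name-server and registrar checks in this list can be run mechanically over WHOIS output. The following Python is an added example, not code from Spamwiki: it parses an excerpt of the WHOIS records quoted earlier on this page and reports every registrar, name-server zone or registrant organization shared by two or more domains. The function and field names are this example's own.

```python
from collections import defaultdict

# Excerpt of the WHOIS records quoted on this page (status and contact lines omitted).
WHOIS_TEXT = """\
Domain Name: HERBAL-KINGS.NET
Registrar: COMPUTER SERVICES LANGENBACH GMBH DBA JOKER.COM
Name Server: NS1.MAIN-DNS3.COM
organization: TOLMEN STAR ENTERPRISES LTD
Domain Name: APLUSHERBALS.COM
Registrar: COMPUTER SERVICES LANGENBACH GMBH DBA JOKER.COM
Name Server: NS1.MAINDNS4.COM
organization: TOLMEN STAR ENTERPRISES LTD
Domain Name: EZHERBALS.COM
Registrar: COMPUTER SERVICES LANGENBACH GMBH DBA JOKER.COM
Name Server: NS1.GZREALM.COM
organization: Black Network INC
Domain Name: ACTIONHERBALS.COM
Registrar: COMPUTER SERVICES LANGENBACH GMBH DBA JOKER.COM
Name Server: NS2.GZREALM.COM
organization: Black Network INC
Domain Name: HINTEIRA.COM
Registrar: XIN NET TECHNOLOGY CORPORATION
Name Server: NS1.NS-EARTHLING.COM
"""

FIELDS = {"registrar": "registrar", "name server": "ns", "organization": "org"}

def parse_records(text):
    """Split run-together WHOIS output into one dict per 'Domain Name:' line."""
    records = []
    for line in text.splitlines():
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip().lower()
        if key == "domain name" and value:
            records.append({"domain": value})
        elif key in FIELDS and records and value:
            if key == "name server":  # ns1.gzrealm.com -> gzrealm.com: NS1/NS2 are one zone
                value = value.split(".", 1)[-1]
            records[-1].setdefault(FIELDS[key], set()).add(value)
    return records

def linked_clusters(records):
    """Map (field, value) -> sorted domains, keeping values shared by 2+ domains."""
    index = defaultdict(set)
    for rec in records:
        for field in FIELDS.values():
            for value in rec.get(field, ()):
                index[(field, value)].add(rec["domain"])
    return {key: sorted(doms) for key, doms in index.items() if len(doms) > 1}
```

On this excerpt the registrant organization links herbal-kings.net and aplusherbals.com even though their name-server zones differ, while hinteira.com shares no attribute with the others.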

Evidence

Registrations of all three types under same name servers, extracted from http://rss.uribl.com/ns/b12dns_com.html

Also registered with CSL Computer Service Langenbach GmbH (aka joker.com) by TOLMEN STAR ENTERPRISES LTD, using name servers on bdns1.net or maindns4.com:
  • ablepharmacy.com (Online Pharmacy Store) [not using securepay]
  • vigramax.net
  • leanwithhoodia.com (Hoodia Gordonii) [**]
  • wonderspurm.net
  • aplusherbals.com [**]
  • exxtratime.com [**]
  • personalpussy.net [**]
  • herbal-kings.net [**]
  • megadik.com
  • herbal-land.com [**]
  • elitereplicawatches.com (King Replica) [no]
  • mansterone.com [**]
  • mysecurepay.net
Online Pharmacy Store
[**] mysecurepay.net is used at check-out time to request the identity and credit card details. When you are on one of these pages and go to checkout, you find yourself on a mysecurepay.net page using https. But when you look down at the bottom of the page, guess what you see?
Copyright © 2001-2007, Herbal King Inc. 	

Another example of linkages between different families of spammed sites: name servers ns1.gzrealm.com and ns2.gzrealm.com registered with CSL Computer Service Langenbach GmbH control access to

  • herbalextratime.com
  • fastedstore.com ED Pill Store
  • vigramaxpill.com
  • ewondercum.com
  • fastsizeup.com
  • actionherbals.com (Herbal King)
  • elitereplicas.net
  • actionherbals.net (Herbal King)

That ties them all together. Spamhaus has similar details with the same findings.

Fake links

Other name servers used by the same family include

  • ns1.masterkeydns1.com ns2.masterkeydns1.com [ClientHold]
  • ns1.master22.com ns2.master22.com [on hold]
  • ns1.master67.com ns2.master67.com
  • ns1.ceechongsu.com ns2.ceechongsu.com
  • ns1.chechiewaz.com ns2.chechiewaz.com
  • ns1.chechiewaz2.com ns2.chechiewaz2.com
  • ns1.chechiewaz67.com ns2.chechiewaz67.com Beijing Innovative Linkage Technology

Redirection web sites belonging to this family and resolved by those name servers include


The same name servers resolve domains that land on

Redirections

As at February 2008

These are the target sites of many spammed-site redirections. The current formula is a redirection based on the first character of the subdomain name:


  • a*.domain.tld: pdandotherb.com (shut down)
  • b*.domain.tld: ageshell.com (Canadian Pharmacy)
  • c*.domain.tld: wehelpyounow.com/clothes/ (shut down)
  • d*.domain.tld: wehelpyounow.com/freepenispill/ (shut down)
  • g*.domain.tld: fqa34s2.com (US Pharmacy)
  • h*.domain.tld: diet350.info (100% Pure Hoodia Gordonii Pills)
  • i*.domain.tld: iakospro.com (VPXL) affiliate ID 2515592000
  • k*.domain.tld: ideaexciting.com (US Pharmacy)
  • p*.domain.tld: iakospro.com (VPXL) affiliate ID 2515592000
  • r*.domain.tld: keogbw.net (SwissWatchesDirect)
  • s*.domain.tld: parpower.com (VPXL) affiliate ID 2515592000
  • t*.domain.tld: flutteoi.com (Replica Store) affiliate ID 3508239664
  • v*.domain.tld: wehelpyounow.com/vm/ (shut down)

Before February 2008

Spammed sites:

  • bbdw.knshallwe.com
  • bzvun.knshallwe.com
  • bhcisf.knshallwe.com
  • dqpl.knshallwe.com
  • djtwd.knshallwe.com
  • kpwi.knshallwe.com
  • kmfvnu.knshallwe.com
  • kkjsp.knshallwe.com
  • rhlybg.knshallwe.com
  • rxtm.knshallwe.com
  • rutdkl.knshallwe.com

This one domain redirects to multiple different scams.

  1. Prefix letter A = Elite Herbals on saverxp.org which was not operational from Sept 2007. In December it redirected to samolsen.com
  2. Prefix letter B = Reliable Pharmacy redirected to onlinequalitypills.com [Beijing dns.com.cn], subsequently to jumewa.com - Global Pharmacy
  3. Prefix letter C = redirected to hoodiastoresale.com - Naturaslim Hoodia - 100% Pure Hoodia Gordonii Diet Pills, subsequently to Dolce & Gabbana .. Designer Fashion Clothing
  4. Prefix letter D = Herbal King redirected to samsege.com [CSL / Joker], subsequently to wehelpyounow.com/freepenispill/ - ManXL
  5. Prefix letter K = Pharma Shop redirected to r2.rx-shop.biz subsequently to r2.pharm-shop.biz [GMO INTERNET]
  6. Prefix letter R = SwissWatchesDirect redirected to einison.net or pornogh.net or azfuek.net [INTERNET.BS CORP]
  7. Prefix letter S = Wondercum redirected to fozip.com subsequently to parpower.com
  8. Prefix letter T = redirected to getthasteppin.com which was not operational as at Sept 2007, subsequently in December to wehelpyounow.com/su/ SizeUp.
  9. Prefix letter V = redirected to wehelpyounow.com/vm/ Vigramax

The switching is achieved on a redirector that announces itself upon connection thus

HTTP/1.1 302 Found
Date: Tue, 03 Dec 2007 20:17:21 GMT
Server: Apache/2.0.59 (FreeBSD) PHP/4.4.7 with Suhosin-Patch
X-Powered-By: PHP/4.4.7

and a redirection in the form

Location: http://wehelpyounow.com/su/
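
An analyst who has saved the redirector's responses for several spammed hostnames can confirm the prefix-letter switching from the 302 headers alone. The following Python is an added example, not code from Spamwiki: the hostnames come from the "Spammed sites" list above and the targets from the prefix-letter list, but the response text itself is constructed, and the function names are this example's own.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed responses in the shape of the header shown above; not real captures.
RESP = "HTTP/1.1 302 Found\r\nServer: Apache/2.0.59 (FreeBSD)\r\nLocation: http://%s\r\n\r\n"
CAPTURES = [
    ("bbdw.knshallwe.com", RESP % "jumewa.com/"),
    ("bzvun.knshallwe.com", RESP % "jumewa.com/"),
    ("dqpl.knshallwe.com", RESP % "wehelpyounow.com/freepenispill/"),
    ("djtwd.knshallwe.com", RESP % "wehelpyounow.com/freepenispill/"),
    ("kpwi.knshallwe.com", RESP % "r2.pharm-shop.biz/"),
]

def parse_redirect(raw):
    """Return (status code, Location value or None) from a raw HTTP response head."""
    head = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    status = int(head[0].split()[1])
    headers = {}
    for line in head[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return status, headers.get("location")

def prefix_map(captures):
    """Map (parent domain, first letter of subdomain) -> set of landing host+path."""
    seen = defaultdict(set)
    for host, raw in captures:
        status, location = parse_redirect(raw)
        if status not in (301, 302, 303, 307, 308) or not location:
            continue
        label, _, parent = host.lower().partition(".")
        target = urlsplit(location)
        seen[(parent, label[0])].add(target.netloc.lower() + target.path)
    return seen

def is_prefix_switched(captures, parent):
    """Heuristic: 2+ prefix letters seen and no landing target shared between letters."""
    by_letter = [v for (dom, _), v in prefix_map(captures).items() if dom == parent]
    distinct = set().union(*by_letter) if by_letter else set()
    return len(by_letter) > 1 and len(distinct) == sum(len(v) for v in by_letter)
```

Allowing several targets per letter keeps the check valid for cases such as prefix R, which the list above records as landing on any of three domains.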

SanCash (in early 2008 known as "Etranzmu", the underground sponsor affiliate program related to GenBucks) is the sponsor organization behind this type of site. They pay spammers to promote it, and they don't shut down illegal spammers.