ROKSO Home  |  ROKSO FAQs & Policies  |  About Spamhaus  |  FAQs
The Register of Known Spam Operations
HerbalKing

Records Menu:

< Index


Country: India
State:
HerbalKing


HerbalKing SBL Listings History
Current SBL Listings
Archived SBL Listings

Main Info


HerbalKing is a massive affiliate style spam program for snakeoil Body Part Enhancement scams (penis enlargement). It has also done spam campaigns for replica luxury goods, pharma (counterfeit pills) and porn. Spam arrives via botnets with spamvertised sites on "bulletproof" hosting offshore, particularly in China. The group also uses fast-flux hosting, running sites on hacked botnet PCs.

HerbalKing, with connections to India (possibly due to pharmaceutical supplies), rivals the traditional Eastern European spam gangs for volume and criminal botnet methods of its spam. "Tulip Labs" appears to be the source of HerbalKing's herbal remedy products. The main operation is run out of New Zealand and Australia by long-time spamming brothers Lance & Shane Atkinson. (see: http://www.geekzone.co.nz/juha/2237 ) ROKSO listed spammer Jody Smith is also a gang leader. A Roland Smits is part of the gang too.

There are hundreds of SBL listings related to HerbalKing but some may not be linked to this ROKSO due to the tremendous number of identities and domains used by the program. Lists of domains should be considered examples of that abuse of domain name space, not comprehensive lists of their registrations.

_________________________________________________________

Lance Atkinson

New Pacific Resources
Inet Ventures Pty Ltd
MegaDik
ManSter

_________________________________________________________


spam sample:

Received: from 152197C0 (cpe-74-69-193-129.maine.res.rr.com [74.69.193.129])
by <redacted> (8.12.9/8.12.2) with SMTP id <redacted>
for <redacted>; Thu, 30 Nov 2006 22:08:50 -0800 (PST)
Received: from mx.maria.slivery.com.cl (HELO 60-138.F.dial.o-tel-o.net [64.15.205.224])
by mx.maria.bartholomew.com.cl (Estfix) with ESMTP <redacted>
for <Massive.Size@mecoengineering.com>; Thu, 30 Nov 2006 22:22:29 -0800
Date: Thu, 30 Nov 2006 22:22:29 -0800
From: "Massive.Club" <Massive.Size@mecoengineering.com>
Message-ID: <8D6A.A7EB.65.805@dg.net>
To: <redacted>
Subject: Tank.XL

Many gifts will excite you this year as they do every year.
But the best gift will probaby be the one you get yourself.
We're talking about feeling bigger, more confident, and in
charge when it comes to any women. MAKE A DIFFERENCE this
holiday season.
*Longer, Bigger
*More confidence, less stress
*Enjoy, play

http://fymx.net




[whois.joker.com]
domain: rx4you2.com
origin-c: CCOM-910162
owner: Ursula Nilsen
organization: Tufa Corporation
email: admin@tufacorp.com
address: 2146 Molly Ave
city: Duncan
state: BC
postal-code: V9L 4C8
country: CA
phone: +1.5127861188
admin-c: CCOM-497782 admin@tufacorp.com
tech-c: CCOM-497782 admin@tufacorp.com
billing-c: CCOM-497782 admin@tufacorp.com
nserver: ns1.bdns1.net 61.152.169.37
nserver: ns2.bdns1.net 61.152.169.37
status: lock
created: 2006-07-28 09:51:25 UTC
modified: 2006-08-21 08:57:14 UTC
expires: 2007-07-28 05:51:26 UTC

contact-hdl: CCOM-497782
person: Ursula Nilsen
organization: Tufa Corporation
email: admin@tufacorp.com
address: 2146 Molly Ave
city: Duncan
state: BC
postal-code: V9L 4C8
country: CA
phone: +1.5127861188




Tufa Corporation is a "shelf company" similar to those advertised on the Internet like this:

http://www.aaa-offshore-shelf-companies.com/offshore%20shelf%20company%20application.html
<quote>
Our Offshore Shelf Company Special price of $1,995 includes everything you need to be in business offshore at the time the company was formed:

* A Vanuatu International Company
* Assistance with Bank Account Application including Signatories
* Provision of Registered Agent/Office
* Provision of 1Director/Nominee Shareholder
* All government fees paid to 30 June 2008

Please note that this special price only applies to shelf companies formed after June 2006. Like fine wines, older vintages cost more.

Special add-ons If you would like your Company to be owned by a Discretionary Trust please add US$825.00 which includes the Trustee Fee to 30th June, 2008. Credit Card $550, Internet Access to Bank Account $100
</quote>



[whois.joker.com]
domain: tufacorp.com
origin-c: CCOM-908952
owner: Ursula Nilsen
organization: Tufa Corporation
email: admin@tufacorp.com
address: 2146 Molly Ave
city: Duncan
state: BC
postal-code: V9L 4C8
country: CA
phone: +1.5127861188
admin-c: CCOM-497782 admin@tufacorp.com
tech-c: CCOM-497782 admin@tufacorp.com
billing-c: CCOM-497782 admin@tufacorp.com
nserver: ns1.bdns1.net 61.152.169.37
nserver: ns2.bdns1.net 61.152.169.37
status: lock
created: 2006-07-23 19:51:40 UTC
modified: 2006-08-21 08:58:03 UTC
expires: 2007-07-23 15:51:41 UTC

contact-hdl: CCOM-497782
person: Ursula Nilsen
organization: Tufa Corporation
email: admin@tufacorp.com
address: 2146 Molly Ave
city: Duncan
state: BC
postal-code: V9L 4C8
country: CA
phone: +1.5127861188




[whois.joker.com]
domain: spruced.net
owner: Jose Hoyos
organization: Optin Media Inc
email: admin@optinmedia.net
address: Andre Peggion 110, Office 12
city: Sao Paulo
postal-code: 51020025
country: BR
phone: +55.8188365550
admin-c: CNET-370375 admin@optinmedia.net
tech-c: CNET-370375 admin@optinmedia.net
billing-c: CNET-370375 admin@optinmedia.net
nserver: ns1.briggsadnstratton.com
nserver: ns2.briggsadnstratton.com
status: lock
created: 2006-09-30 12:03:18 UTC
modified: 2006-10-05 10:34:20 UTC
expires: 2007-09-30 08:03:18 UTC

contact-hdl: CNET-370375
person: Jose Hoyos
organization: Optin Media Inc
email: admin@optinmedia.net
address: Andre Peggion 110, Office 12
city: Sao Paulo
postal-code: 51020025
country: BR
phone: +55.8188365550

source: joker.com live whois service
query-time: 0.018816
db-updated: 2006-11-20 02:21:29





[whois.afilias.info]
Domain ID:D19665358-LRMS
Domain Name:XTRASIZE-PLUS.INFO
Created On:27-Aug-2007 11:29:14 UTC
Last Updated On:27-Aug-2007 11:29:16 UTC
Expiration Date:27-Aug-2008 11:29:14 UTC
Sponsoring Registrar:CSL Computer Service Langenbach GmbH d/b/a joker.com (R161-LRMS)
Status:CLIENT DELETE PROHIBITED
Status:CLIENT RENEW PROHIBITED
Status:CLIENT TRANSFER PROHIBITED
Status:CLIENT UPDATE PROHIBITED
Status:TRANSFER PROHIBITED
Registrant ID:CAFI-272310
Registrant Name:Jose Hoyos
Registrant Organization:Optin Media Inc
Registrant Street1:Andre Peggion 110, Office 12
Registrant Street2:
Registrant Street3:
Registrant City:Sao Paulo
Registrant State/Province:--
Registrant Postal Code:51020025
Registrant Country:BR
Registrant Phone:+55.8188365550
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email:admin@optinmedia.net
Admin ID:CAFI-227075
Admin Name:Jose Hoyos
Admin Organization:Optin Media Inc
Admin Street1:Andre Peggion 110, Office 12
Admin Street2:
Admin Street3:
Admin City:Sao Paulo
Admin State/Province:--
Admin Postal Code:51020025
Admin Country:BR
Admin Phone:+55.8188365550
Admin Phone Ext.:
Admin FAX:
Admin FAX Ext.:
Admin Email:admin@optinmedia.net
Billing ID:CAFI-227075
Billing Name:Jose Hoyos
Billing Organization:Optin Media Inc
Billing Street1:Andre Peggion 110, Office 12
Billing Street2:
Billing Street3:
Billing City:Sao Paulo
Billing State/Province:--
Billing Postal Code:51020025
Billing Country:BR
Billing Phone:+55.8188365550
Billing Phone Ext.:
Billing FAX:
Billing FAX Ext.:
Billing Email:admin@optinmedia.net
Tech ID:CAFI-227075
Tech Name:Jose Hoyos
Tech Organization:Optin Media Inc
Tech Street1:Andre Peggion 110, Office 12
Tech Street2:
Tech Street3:
Tech City:Sao Paulo
Tech State/Province:--
Tech Postal Code:51020025
Tech Country:BR
Tech Phone:+55.8188365550
Tech Phone Ext.:
Tech FAX:
Tech FAX Ext.:
Tech Email:admin@optinmedia.net
Name Server:NS1.123456789DNS.INFO
Name Server:NS2.123456789DNS.INFO



[whois.joker.com]
domain: optinmedia.net
owner: Jose Hoyos
organization: Optin Media Inc
email: admin@optinmedia.net
address: Andre Peggion 110, Office 12
city: Sao Paulo
postal-code: 51020025
country: BR
phone: +55.8188365550
admin-c: CNET-370375 admin@optinmedia.net
tech-c: CNET-370375 admin@optinmedia.net
billing-c: CNET-370375 admin@optinmedia.net
nserver: not-renewed.joker.com
status: expired
created: 2006-08-27 08:38:17 UTC
modified: 2007-08-29 08:26:31 UTC
expires: 2007-08-27 08:38:16 UTC

contact-hdl: CNET-370375
person: Jose Hoyos
organization: Optin Media Inc
email: admin@optinmedia.net
address: Andre Peggion 110, Office 12
city: Sao Paulo
postal-code: 51020025
country: BR
phone: +55.8188365550

source: joker.com live whois service
query-time: 0.036209
db-updated: 2007-09-03 02:35:23




[whois.joker.com]
domain: ettyproductionslimited.com
owner: Gino Roberts
organization: Etty Productions Limited
email: admin@ettyproductionslimited.com
address: Rua Pedroso Alvarenga, 332
city: Sao Paulo
state: --
postal-code: 04531-001
country: BR
phone: +55.1183145121
admin-c: CCOM-933298 admin@ettyproductionslimited.com
tech-c: CCOM-933298 admin@ettyproductionslimited.com
billing-c: CCOM-933298 admin@ettyproductionslimited.com
nserver: ns1.chongdns99.com
nserver: ns2.chongdns99.com
status: lock
created: 2006-11-22 10:15:09 UTC
modified: 2007-09-06 04:02:57 UTC
expires: 2007-11-22 10:15:09 UTC

contact-hdl: CCOM-933298
person: Gino Roberts
organization: Etty Productions Limited
email: admin@ettyproductionslimited.com
address: Rua Pedroso Alvarenga, 332
city: Sao Paulo
state: --
postal-code: 04531-001
country: BR
phone: +55.1183145121

source: joker.com live whois service
query-time: 0.019499
db-updated: 2007-10-14 17:54:00




Here's a nice bit of trickery from spammy! He fakes a "registrar hold" on his domains as a bit of "playing possum" while a domain lies fallow by using another domain under his control which sounds like it could be a registrar'. But look up that tricky domain and it is really controlled by spammy.


[whois.dns.com.cn]

Domain Name.......... chongdns67.com
Creation Date........ 2007-08-15 11:42:21
Registration Date.... 2007-08-15 11:42:21
Expiry Date.......... 2008-08-15 11:42:21
Organisation Name.... Health Worldwide Inc
Organisation Address. 105/F ENTERPRISE SQUARE
Organisation Address.
Organisation Address. Hongkong
Organisation Address. 000000
Organisation Address. HK
Organisation Address. CN

Admin Name........... Danny Lee
Admin Address........ 105/F ENTERPRISE SQUARE
Admin Address........
Admin Address........ Hongkong
Admin Address........ 000000
Admin Address........ HK
Admin Address........ CN
Admin Email.......... admin@healthworldwideinc.com
Admin Phone.......... +852.945898445
Admin Fax............ +852.945898445

Tech Name............ Danny Lee
Tech Address......... 105/F ENTERPRISE SQUARE
Tech Address.........
Tech Address......... Hongkong
Tech Address......... 000000
Tech Address......... HK
Tech Address......... CN
Tech Email........... admin@healthworldwideinc.com
Tech Phone........... +852.945898445
Tech Fax............. +852.945898445

Bill Name............ Danny Lee
Bill Address......... 105/F ENTERPRISE SQUARE
Bill Address.........
Bill Address......... Hongkong
Bill Address......... 000000
Bill Address......... HK
Bill Address......... CN
Bill Email........... admin@healthworldwideinc.com
Bill Phone........... +852.945898445
Bill Fax............. +852.945898445
Name Server.......... ns2.dnsonhold.com
Name Server.......... ns1.dnsonhold.com



[whois.joker.com]
domain: dnsonhold.com
owner: Gino Roberts
organization: Etty Productions Limited
email: admin@ettyproductionslimited.com
address: Rua Pedroso Alvarenga, 332
city: Sao Paulo
state: --
postal-code: 04531-001
country: BR
phone: +55.1183145121
admin-c: CCOM-933298 admin@ettyproductionslimited.com
tech-c: CCOM-933298 admin@ettyproductionslimited.com
billing-c: CCOM-933298 admin@ettyproductionslimited.com
nserver: ns1.dnsonhold.com 121.1.2.3
nserver: ns2.dnsonhold.com 121.1.2.3
nserver: ns3.dnsonhold.com 121.1.2.3
status: hold,infringe-3rd-parties
created: 2006-11-22 10:29:35 UTC
modified: 2007-08-20 09:58:32 UTC
expires: 2007-11-22 10:29:35 UTC

contact-hdl: CCOM-933298
person: Gino Roberts
organization: Etty Productions Limited
email: admin@ettyproductionslimited.com
address: Rua Pedroso Alvarenga, 332
city: Sao Paulo
state: --
postal-code: 04531-001
country: BR
phone: +55.1183145121

source: joker.com live whois service
query-time: 0.044426
db-updated: 2007-09-17 06:43:05




Related URLs
Two blogs with extensive research into the HerbalKing-Tulip Labs connection:
http://www.spaminmyinbox.com/
http://ikillspammers.blogspot.com/
Partner In Spam: Jody Smith, ROKSO

The Register of Known Spam Operations (ROKSO) collates information and evidence on entities with a history of spamming or providing spam services, and entities affiliated or otherwise connected with them, for the purpose of assisting ISP Abuse Desks and Law Enforcement Agencies.
The address of this ROKSO record is: http://www.spamhaus.org/rokso/evidence.lasso?rokso_id=ROK7802

The above consists of information in the public domain. The Spamhaus Project makes every effort to avoid errors in information in the ROKSO database, and will correct any errors as soon as it is able to verify the correction, but accepts no responsibility or liability for any errors or omissions, or liability for any loss or damage, consequential or otherwise, incurred in reliance on the material in these pages. The Spamhaus Project makes no warranties or representations as to the accuracy of the Information in ROKSO records. The information in the ROKSO database is for information purposes only and is not intended as legal advice of any kind.

For information on contacting the ROKSO Team regarding any factual errors in this record, see the ROKSO FAQs.
© 1998-2010 The Spamhaus Project Ltd. All rights reserved.
Legal  |  Privacy