ROKSO
The Register of Known Spam Operations
Vincent Chan gang



Country: Hong Kong
State:
Vincent Chan and his Chinese partners have been sending spam for years. They mainly do pharmacy spam and are able to send out huge amounts daily. They use vast numbers of compromised computers for sending, hosting and proxy hijacking. They now seem to be an "outsourced" server obtainer for other spam gangs.



Massive Geocities abuse


In August 2005 a lot of spam appeared with uk.geocities.com addresses. Someone had scripted the web forms to create Geocities accounts by the tens, possibly hundreds, of thousands. The Chan gang pioneered this abuse, presumably to avoid URL filtering (20-30 new domains per day didn't seem enough?). The Geocities pages hosted a simple redirector to the real site.

Sample Geocities URLs:

http://uk.geocities.com/Dana_Santana001/?q=Bh6dGt620
http://uk.geocities.com/Burl_Mesidor/?q=MKiwd8ef
http://uk.geocities.com/Parker_Castleberry/?q=N4MKidh82
http://uk.geocities.com/Quinn_Umlauf/?q=Jbnd5auP
http://uk.geocities.com/Quentin_Forgie/?p1e=cdhYJ
http://uk.geocities.com/Merrill_Strom/?dfefg9G5=fJ

Later on, in October 2005, they started using other subdomains too:

http://de.geocities.com/weston_lynaugh/?de=anh
http://mx.geocities.com/ismael_estep/?dew=lp
http://sg.geocities.com/michael_pardo1/?mn=mdeojd
http://mx.geocities.com/clint_reagan/?fv=ldflef
http://sg.geocities.com/arron_mazur/?rn=skdjfhd
http://it.geocities.com/claud_benischek/?wc=ksjhe
http://au.geocities.com/jonathon_jakupcak/?gfo=kdoe
http://uk.geocities.com/jere_webber/?efrg=wsuedk
http://au.geocities.com/emory_langer/?bm=cmpiwe

To evade Geocities scanning for certain patterns, they obfuscated the redirection JavaScript:

<SCRIPT LANGUAGE="JavaScript">
<!--
eval(unescape("\x76\x61\x72\x25\x32\x30\x55\x52\x49\x25\x33
\x42\x25\x30\x44\x25\x30\x41\x76\x61\x72\x25\x32\x30\x53\x43
--etc--

This decodes to something like the script below. The JavaScript randomly chooses one of the supplied domains.


"var t=window.top;
function ria(a) {
return Math.floor(Math.random() * a.length);
}
function xl(u){
t.location.href=u;
}
function homepage(){
xl(prefix + domain_to + folder);
}
function gounsub(){
xl(prefix + domain_to + "/r"+ "support/");
}
var prefix = 'http://replica-watch-store.';
var tds = new Array();
tds[tds.length]='cooperativerelationship.com';
tds[tds.length]='optionforthefinest.com';
tds[tds.length]='treasurewonderchance.com';
tds[tds.length]='superdealnumberone.com';
tds[tds.length]='unforgetablespace.com';
tds[tds.length]='timeofcybergroup.com';
tds[tds.length]='bestbuygenerator.com';
tds[tds.length]='easybiztime.com';
tds[tds.length]='alwayscybertime.com';
tds[tds.length]='smartclientsvisit.com';
tds[tds.length]='willofsavings.com';
tds[tds.length]='nicegrowthtime.com';
tds[tds.length]='forevercyber.com';
tds[tds.length]='masterofbestsale.com';
tds[tds.length]='alltogethersave.com';
tds[tds.length]='powertoboost.com';
tds[tds.length]='electrodealcircle.com';
tds[tds.length]='eworldmetro.com';
tds[tds.length]='visitourcbd.com';
tds[tds.length]='cybercbd.com';
tds[tds.length]='allthegoody.com';
tds[tds.length]='findyourgoody.com';
tds[tds.length]='delightfulmoment.com';
tds[tds.length]='momentofmitigation.com';
var d_i = ria(tds);
var domain_to = tds[d_i];
var fds = new Array();
fds[fds.length]="/6i0";
fds[fds.length]="/p2a";
fds[fds.length]="/a3g";
fds[fds.length]="/0o1";
var f_i = ria(fds);
var folder = fds[f_i];
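
The eval(unescape("...")) wrapper shown above hides the script behind two layers: \xNN string escapes that resolve to %NN sequences, which unescape() then turns into the script text. The following is an added example, not part of the ROKSO record or any Spamhaus tooling, that decodes both layers statically and lists the redirect targets; the function names and the sample page are constructed (hosts use the reserved .example TLD), and RECORD_FRAGMENT is the truncated escape run quoted in the record.

```javascript
// Static analysis only: the payload is decoded as text and never passed to eval().

// Layer 1 resolves \xNN string escapes; layer 2 resolves %NN / %uNNNN as unescape() would.
function decodeLayers(literal) {
  const layer1 = literal.replace(/\r?\n/g, "")               // undo line wrapping
    .replace(/\\x([0-9a-f]{2})/gi, (_, h) => String.fromCharCode(parseInt(h, 16)));
  return layer1.replace(/%u([0-9a-f]{4})|%([0-9a-f]{2})/gi,
    (_, u, h) => String.fromCharCode(parseInt(u || h, 16)));
}

// Pull every eval(unescape("...")) string literal out of a page and decode it.
function extractPayloads(html) {
  const re = /eval\s*\(\s*unescape\s*\(\s*"((?:[^"\\]|\\[\s\S])*)"/gi;
  return [...html.matchAll(re)].map(m => decodeLayers(m[1]));
}

// Report whether the decoded script redirects and which strings look like targets.
function summarize(script) {
  const strings = [...script.matchAll(/(['"])((?:(?!\1)[^\\\r\n])*)\1/g)].map(m => m[2]);
  return {
    redirects: /\blocation(\.href)?\s*=/.test(script),
    prefixes: strings.filter(s => /^https?:\/\//i.test(s)),
    domains: strings.filter(s => /^[a-z0-9-]+(\.[a-z0-9-]+)+$/i.test(s)),
    paths: strings.filter(s => /^\/[\w\/-]*$/.test(s)),
  };
}

// The truncated escape run quoted in the record, line break included.
const RECORD_FRAGMENT = "\\x76\\x61\\x72\\x25\\x32\\x30\\x55\\x52\\x49\\x25\\x33\n" +
  "\\x42\\x25\\x30\\x44\\x25\\x30\\x41\\x76\\x61\\x72\\x25\\x32\\x30\\x53\\x43";

// Constructed sample page (not from the record); hosts use the reserved .example TLD.
const SAMPLE_SCRIPT = "var t=window.top;var prefix='http://shop.';var tds=new Array();" +
  "tds[tds.length]='first-target.example';tds[tds.length]='second-target.example';" +
  "var fds=new Array();fds[fds.length]=\"/a1b\";t.location.href=prefix+tds[0]+fds[0];";
const toHex = (s, mark) => [...s].map(c => mark + c.charCodeAt(0).toString(16).padStart(2, "0")).join("");
const SAMPLE_PAGE = '<SCRIPT LANGUAGE="JavaScript">\n<!--\neval(unescape("' +
  toHex(toHex(SAMPLE_SCRIPT, "%"), "\\x") + '"));\n//-->\n</SCRIPT>';

function analyzePage(html) { return extractPayloads(html).map(summarize); }
console.log(JSON.stringify(decodeLayers(RECORD_FRAGMENT)));
console.log(analyzePage(SAMPLE_PAGE));
```

Because the decoder only rewrites text, it can be run over a mail or web-crawl corpus to collect the rotating target domains for blocklisting without loading any of the pages.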


Related URLs

A Usenet posting with samples and more info. Other archives available by request.


The Register of Known Spam Operations (ROKSO) collates information and evidence on entities with a history of spamming or providing spam services, and entities affiliated or otherwise connected with them, for the purpose of assisting ISP Abuse Desks and Law Enforcement Agencies.
The address of this ROKSO record is: https://www.spamhaus.org/rokso/evidence/ROK6930/

The above consists of information in the public domain. The Spamhaus Project makes every effort to avoid errors in information in the ROKSO database, and will correct any errors as soon as it is able to verify the correction, but accepts no responsibility or liability for any errors or omissions, or liability for any loss or damage, consequential or otherwise, incurred in reliance on the material in these pages. The Spamhaus Project makes no warranties or representations as to the accuracy of the Information in ROKSO records. The information in the ROKSO database is for information purposes only and is not intended as legal advice of any kind.

For information on contacting the ROKSO Team regarding any factual errors in this record, see the ROKSO FAQs.
© 1998-2016 The Spamhaus Project Ltd. All rights reserved.