Fraud Reports Wiki


ED Express

ED Express 2011

ED Express was first noticed in October 2007. It displays a copyright statement for Canadian Pharmacy.

Copyright Canadian Pharmacy

However, there is sufficient evidence to attribute this spam brand to Vincent Chan - the author of the ED Choice brand.


ED Express sites have a variety of appearances. It also may be called "Pills for Men" or "United ED Meds." All variants load images from a common domain, such as, or a common IP address ( or They also share a common "monthly special" marketing device.

ED Express variant 1

ED Express variant 2

ED Express variant 3

ED Express variant 4

ED Express variant 5

ED Express variant 6

ED Express variant 7

ED Express variant 8

ED Express variant 9

False Pretenses[]

False: "Safe as Fort Knott" secure link claim[]

In a laughable display of ignorance, the spam site developer repeats the same error as seen in other scams including ED Choice. Once again he confuses the US gold repository with the Knott's Berry Farm family entertainment site near Disneyland in Los Angeles, in an attempt to impress people with the site's security.

False security: Fort Knott and MyPaySystems

To make it worse, he refers to "world wide known processor" which is unfortunately known for all the wrong reasons.

But it gets even worse than that. When you go to their checkout page you are expected to enter your identity details and your full credit card information on a page using non-secure http instead of secure https despite the previous assurances of security - another example of fraud.

False: Claim to be Canadian[]

The copyright notice would lead you to believe that this site is somehow related to Canada. But in the Frequently Asked Questions link there is some conflicting information:

FAQ geographical location claims - London and India

Spam Examples[]

Subject: "Re: ClALnlS - $ 1.45 (arrears superpose) VilAGRA - $ 1.29"


Subject: "RE: CltALlS : $ 2.53; VlAGRtA : $ 1.34 quest"


Spam emails include a footnote promoting a legitimate site. That URL may be picked up by and reported as a spammed URL if the reporter is not alert when confirming the report.



In February 2010, spammers began using redirection abuse on Microsoft's free hosting service The redirection target was registered on INTERNET.BS CORP by Registrant

   Ksenia Siniceva
   Kondrikova str. 6-219
   620143 Zavoljsk
   Tel: +7.3912488322

Storm Trojan[]

As at March 21, 2008, Storm Trojan infected machines were found to be redirecting to four different fake pharmacy sites using the format

For ED Express, the redirection sites detected were


Sponsoring Registrars[]

Name Servers[]

Spamvertized Sites[]

  • Site = Beijing Innovative Linkage Technology (Uses image server
  • Site = Registrar = 厦门华商盛世网络有限公司 = Bizcn
  • Site = Registrar = Beijing Innovative Linkage Technology (Uses image server

Some of the other multiple domains spammed within a three day period:


These examples from March 2009 use two name servers registered with Russian providers


Web site registrant details:

personname:     Aleksandr Belkov
street address: Molodezhnaya str. d.9 kv.1
postal code:    152061
city:           Sereda
country:        Russland
phone:          +74853161263
fax-no:         +74853161263

Image Servers[]

  • Site = Registrar = MELBOURNE IT, LTD. D/B/A INTERNET NAMES WORLDWIDE for has address,,,,, mail is handled by and
  • Site = Registrar = Digital Communications Inc.

Typical Fake WHOIS Contact Information[]

Domain Name..........
 Creation Date........ 2008-01-27 13:28:05
 Registration Date.... 2008-01-27 13:28:05
 Expiry Date.......... 2009-01-27 13:28:05
 Organisation Name.... Sevila FC
 Organisation Address. Spain City
 Organisation Address.
 Organisation Address. Bulgaria
 Organisation Address. 45214
 Organisation Address. WG
 Organisation Address. BG

How to report this spam[]

The Complainterator is configured to request removal of these fraudulent sites. Add a link to this page as evidence. Image servers should be reported directly to the responsible registrar.

Evidence to include:

  • Any violations of your country's anti-spam laws (such as forged "from" fields or lack of contact information/unsubscribe information in the U.S.)
  • Violations of terms of service of registrar (many of the image servers have been on Yahoo servers and are quickly taken down by that company for acceptable use violations)
  • Advertising counterfeit generic versions of drugs that are still under patent (patent law violation)
  • Use of the name/image of those drugs without authorization from the manufacturers (trademark violations)
  • False whois information, if you are able to contact the person listed in the whois info by phone or mail (not email)
  • If there is any evidence of botnet activity, as shown by sites with multiple/frequently changing IP addresses (although not observed for this site, it is a common occurrence with the site "Canadian Pharmacy")

Related spam operations[]

The "Fort Knott security" gaffe can be used as a "fingerprint" to locate other spam brands most likely from the same author.

  • Pills for Men
  • United ED Meds
  • ED Choice

ED Choice is the fore-runner to this spam brand. All of the above related spam operations are attributable to the same source, Vincent Chan.


Sharing the same IP Address

No known relation: ED Pill Store

Refer to the captured screen image. In 2011, spammer affiliates who registere with the Mailien spamming program were presented with pharmacy operations to select from. These included