Isteer.net: No bounce processing, no RFC2142/5321 required role addresses, no respect for opt-out

Isteer.net, a domain name registered to IPSS-Intelligent Precision Solutions and Services Oy, a Finnish limited company, is an ESP to various Finnish advertisers. They don’t process bounces, they deliberately refuse mail to abuse and postmaster, and they don’t respect opt-out.

This is not related to Intellectual Property Software Solutions of Wirral, UK, in any way.

Spamming IP: 77.73.6.98 (Memset Hosting, UK)

One of the slightly interesting bits here is that isteer.net was registered only in December 2010. (As per the Finnish Business Information System search above, the company itself is of course about 12 years old.) Anyway, isteer.net didn’t exist, and consequently couldn’t have started providing ESP services to anybody, until well after Savon Voima plc had abandoned atro.fi at the end of August 2009. IPSS were using ipss.fi for the same purpose earlier, and to a degree, were and still are using (UK) Memset Ltd’s miniserver.com.

I keep mail logs for a year, so I currently have data starting from October 24, 2010. The first occurrence of mail sent by isteer.net is from the end of February 2011 (cue Postfix log snippet):

Feb 23 06:41:08 myhostname postfix/qmgr[13605]: 69D4C794D24: from=<bounce_a_b_c_d@bounce.isteer.net>, size=19453, nrcpt=1 (queue active)
Feb 23 06:41:08 myhostname postfix/local[14496]: 69D4C794D24: to=<spam@myhostname>, orig_to=<some.address@atro.fi>, relay=local, delay=0.36, delays=0.29/0.01/0/0.05, dsn=2.0.0, status=sent (delivered to command: /usr/bin/procmail)

The first occurrence of ipss.fi and miniserver.com is from February 1, 2011 (cue Postfix log snippet):

Feb  1 10:54:48 myhostname postfix/smtpd[3857]: connect from ipssoaa5.miniserver.com[77.73.6.98]
Feb  1 10:54:48 myhostname postfix/smtpd[3857]: B5D80794CE4: client=ipssoaa5.miniserver.com[77.73.6.98]
Feb  1 10:54:48 myhostname postfix/cleanup[3861]: B5D80794CE4: message-id=<1460312650.1173108.1296550436345.JavaMail.tomcat@ipssoaa5.miniserver.com>
Feb  1 10:54:48 myhostname postfix/qmgr[13605]: B5D80794CE4: from=<bounce_a_b_c_d@bounce.ipss.fi>, size=10441, nrcpt=1 (queue active)
Feb  1 10:54:48 myhostname postfix/smtpd[3857]: disconnect from ipssoaa5.miniserver.com[77.73.6.98]
Feb  1 10:54:48 myhostname postfix/local[3862]: B5D80794CE4: to=<spam@myhostname>, orig_to=<some.address@atro.fi>, relay=local, delay=0.27, delays=0.21/0.01/0/0.05, dsn=2.0.0, status=sent (delivered to command: /usr/bin/procmail)

Postmaster and abuse at {memset.com, miniserver.com, ipss.fi} were informed on February 8, 2011, that atro.fi had changed owners and needed to be removed from all lists. Abuse at ipss.fi bounced as “no such user”. All the rest were eventually delivered (I have mail logs to prove it). No answer, no reaction.

On June 1, 2011, isteer.net sent UBE on behalf of huuto.net, a Finnish online auction site. This led to the mail to abuse and postmaster that failed on June 2. The failure note has been forwarded to the CEO’s personal address, to postmaster, and abuse at ipss.fi. As in February, postmaster was accepted, abuse rejected. The CEO’s address accepted the mail, too.

Sometime after that, I seem to have set up a policy rule to reject their messages at HELO level. Cue Postfix log snippet:

Jul  5 09:29:16 myhostname postfix/smtpd[28222]: connect from bounce.isteer.net[77.73.6.98]
Jul  5 09:29:16 myhostname postfix/smtpd[28222]: NOQUEUE: reject: RCPT from bounce.isteer.net[77.73.6.98]: 554 5.7.1 <bounce.isteer.net>: Helo command rejected: See http://www.rfc-ignorant.org/; from=<bounce_a_b_c_d@bounce.isteer.net> to=<some.address@atro.fi> proto=ESMTP helo=<bounce.isteer.net>
Jul  5 09:29:16 myhostname postfix/smtpd[28222]: disconnect from bounce.isteer.net[77.73.6.98]

This is obviously a non-issue to them:

Aug 19 11:00:28 myhostname postfix/smtpd[22477]: NOQUEUE: reject: RCPT from bounce.isteer.net[77.73.6.98]: 554 5.7.1 <bounce.isteer.net>: Helo command rejected: See http://www.rfc-ignorant.org/; from=<bounce_a_b_c_d@bounce.isteer.net> to=<some.address@atro.fi> proto=ESMTP helo=<bounce.isteer.net>

Aug 29 18:18:03 myhostname postfix/smtpd[25169]: NOQUEUE: reject: RCPT from bounce.isteer.net[77.73.6.98]: 554 5.7.1 <bounce.isteer.net>: Helo command rejected: See http://www.rfc-ignorant.org/; from=<bounce_a_b_c_d@bounce.isteer.net> to=<some.address@atro.fi> proto=ESMTP helo=<bounce.isteer.net>

Sep 16 16:27:09 myhostname postfix/smtpd[18989]: NOQUEUE: reject: RCPT from bounce.isteer.net[77.73.6.98]: 554 5.7.1 <bounce.isteer.net>: Helo command rejected: See http://www.rfc-ignorant.org/; from=<bounce_a_b_c_d@bounce.isteer.net> to=<some.address@atro.fi> proto=ESMTP helo=<bounce.isteer.net>

Sep 30 09:54:00 myhostname postfix/smtpd[364]: NOQUEUE: reject: RCPT from bounce.isteer.net[77.73.6.98]: 554 5.7.1 <bounce.isteer.net>: Helo command rejected: See http://www.rfc-ignorant.org/; from=<bounce_a_b_c_d@bounce.isteer.net> to=<some.address@atro.fi> proto=ESMTP helo=<bounce.isteer.net>

Oct 13 10:30:14 myhostname postfix/smtpd[5859]: NOQUEUE: reject: RCPT from bounce.isteer.net[77.73.6.98]: 554 5.7.1 <bounce.isteer.net>: Helo command rejected: See http://www.rfc-ignorant.org/; from=<bounce_a_b_c_d@bounce.isteer.net> to=<some.address@atro.fi> proto=ESMTP helo=<bounce.isteer.net>

Earlier this week, I had a glitch on my main mail server and a secondary was accepting mail, without all of the usual rules in place. Hence, some mail was delivered:

Oct 21 20:45:59 otherhost postfix/smtpd[25179]: connect from bounce.isteer.net[77.73.6.98]
Oct 21 20:45:59 otherhost postfix/smtpd[25179]: D94D815FAC8: client=bounce.isteer.net[77.73.6.98]
Oct 21 20:45:59 otherhost postfix/cleanup[25183]: D94D815FAC8: message-id=<361998890.577489.1319218855230.JavaMail.tomcat@ipssoaa5.miniserver.com>
Oct 21 20:46:00 otherhost postfix/qmgr[23110]: D94D815FAC8: from=<bounce_a_b_c_d@bounce.isteer.net>, size=12223, nrcpt=1 (queue active)
Oct 21 20:46:00 otherhost postfix/smtpd[25179]: disconnect from bounce.isteer.net[77.73.6.98]
Oct 21 20:46:00 otherhost postfix/local[25184]: D94D815FAC8: to=<spam@mydomain>, orig_to=<some.address@atro.fi>, relay=local, delay=0.27, delays=0.22/0.01/0/0.04, dsn=2.0.0, status=sent (delivered to mailbox)
Oct 21 20:46:00 otherhost postfix/cleanup[25183]: 1700D15FAC9: message-id=<361998890.577489.1319218855230.JavaMail.tomcat@ipssoaa5.miniserver.com>
Oct 21 20:46:00 otherhost postfix/qmgr[23110]: 1700D15FAC9: from=<bounce_a_b_c_d@bounce.isteer.net>, size=12367, nrcpt=1 (queue active)
Oct 21 20:46:00 otherhost postfix/local[25184]: D94D815FAC8: to=<some.address@atro.fi>, relay=local, delay=0.3, delays=0.22/0.01/0/0.07, dsn=2.0.0, status=sent (forwarded as 1700D15FAC9)
Oct 21 20:46:00 otherhost postfix/qmgr[23110]: D94D815FAC8: removed
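
The gap described above (one MX rejecting a client while a secondary delivers its mail) can be found by correlating Postfix logs from all MX hosts. This is an added example, not part of the original post; the names `policy_gaps` and `SAMPLE` are made up for illustration, and the sample lines are abridged from the snippets on this page.

```python
import re
from collections import defaultdict

# Sample lines in Postfix syslog format, abridged from the snippets on this page.
SAMPLE = """\
Oct 13 10:30:14 myhostname postfix/smtpd[5859]: NOQUEUE: reject: RCPT from bounce.isteer.net[77.73.6.98]: 554 5.7.1 <bounce.isteer.net>: Helo command rejected: See http://www.rfc-ignorant.org/; from=<bounce_a_b_c_d@bounce.isteer.net> to=<some.address@atro.fi> proto=ESMTP helo=<bounce.isteer.net>
Oct 21 20:45:59 otherhost postfix/smtpd[25179]: connect from bounce.isteer.net[77.73.6.98]
Oct 21 20:45:59 otherhost postfix/smtpd[25179]: D94D815FAC8: client=bounce.isteer.net[77.73.6.98]
Oct 21 20:46:00 otherhost postfix/qmgr[23110]: D94D815FAC8: from=<bounce_a_b_c_d@bounce.isteer.net>, size=12223, nrcpt=1 (queue active)
Oct 21 20:46:00 otherhost postfix/local[25184]: D94D815FAC8: to=<spam@mydomain>, orig_to=<some.address@atro.fi>, relay=local, delay=0.27, dsn=2.0.0, status=sent (delivered to mailbox)
Oct 21 20:46:00 otherhost postfix/qmgr[23110]: D94D815FAC8: removed
""".splitlines()

LINE = re.compile(r"^\w{3}\s+\d+ [\d:]{8} (?P<host>\S+) postfix/(?P<svc>\w+)\[\d+\]: (?P<msg>.*)$")
REJECT = re.compile(r"^NOQUEUE: reject: RCPT from \S+?\[(?P<ip>[^\]]+)\]")
CLIENT = re.compile(r"^(?P<qid>[0-9A-F]+): client=\S+?\[(?P<ip>[^\]]+)\]")
SENT = re.compile(r"^(?P<qid>[0-9A-F]+): to=<[^>]*>.*\bstatus=sent\b")


def policy_gaps(lines):
    """Return {client_ip: (rejecting_hosts, delivering_hosts)} for clients that
    one MX rejects while another MX accepts and delivers their mail."""
    rejected = defaultdict(set)   # client ip -> log hosts that rejected it
    delivered = defaultdict(set)  # client ip -> log hosts that delivered its mail
    qid_ip = {}                   # (log host, queue id) -> client ip
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        host, msg = m["host"], m["msg"]
        if (r := REJECT.match(msg)):
            rejected[r["ip"]].add(host)
        elif (c := CLIENT.match(msg)):
            qid_ip[(host, c["qid"])] = c["ip"]
        elif (s := SENT.match(msg)) and (host, s["qid"]) in qid_ip:
            # Queue IDs are only unique per host, so key on (host, qid).
            delivered[qid_ip[(host, s["qid"])]].add(host)
    return {ip: (sorted(rejected[ip]), sorted(delivered[ip] - rejected[ip]))
            for ip in rejected if delivered[ip] - rejected[ip]}


if __name__ == "__main__":
    for ip, (rej, acc) in policy_gaps(SAMPLE).items():
        print(f"{ip}: rejected on {rej}, delivered on {acc}")
```

Any IP this reports points to an MX whose restrictions have drifted from the primary's; keeping the access maps identical on every MX closes the gap.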

And here, finally, are the spam headers for the most recent entry:

From bounce_a_b_c_d@bounce.isteer.net  Fri Oct 21 20:46:00 2011
Return-Path: <bounce_a_b_c_d@bounce.isteer.net>
Received: from bounce.isteer.net (bounce.isteer.net [77.73.6.98])
    by mail.atrotossavainen.fi (Postfix) with ESMTP id D94D815FAC8
    for <some.address@atro.fi>; Fri, 21 Oct 2011 20:45:59 +0300 (EEST)
Received: from ipssoaa5.miniserver.com (localhost [127.0.0.1])
    by bounce.isteer.net (Postfix) with ESMTP id 3905D53CE3E
    for <some.address@atro.fi>; Fri, 21 Oct 2011 20:40:55 +0300 (EEST)
Date: Fri, 21 Oct 2011 20:40:55 +0300 (EEST)
From: "Keltainen pörssi" <kepo.palaute@sanoma.fi>
To: some.address@atro.fi
Message-ID: <361998890.577489.1319218855230.JavaMail.tomcat@ipssoaa5.miniserver.com>
Subject: Kodinkonepaketti tonnilla!
MIME-Version: 1.0
Content-Type: multipart/alternative;
    boundary="----=_Part_577488_190403560.1319218855228"
Status: RO
Content-Length: 11263
Lines: 178

Keltainen Pörssi is a “submit your ad for free” kind of paper. Sanoma.fi is Sanoma News Oy, Finland’s largest newspaper publisher.
