Facediili.fi: Spamming Xmas present tips

Facediili Oy (www, biz reg) is spamming on behalf of happydealsday.com (see domain registration below; the two are owned by what amounts to the same entity). The spam has been sent to a combined list compiled from their own customer file, the Finnish Trade Register (aka the Biz Info System) and “other public registers”. This spam obviously has nothing to do with anybody’s job function.

Spamming IP: 174.132.43.149 (WebsiteWelcome, Softlayer/ThePlanet)

Spam headers:

Return-Path: <support@happydealsday.com>
Received: from hap.happydealsday.com (hap.happydealsday.com [174.132.43.149])
        by x (Postfix) with ESMTP id x
        for <x>; Tue, 11 Dec 2012 03:mm:ss +0200 (EET)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
        d=happydealsday.com; s=default;
        h=Message-ID:Content-Transfer-Encoding:Content-Type:MIME-Version:Date:From:Subject:To;
        bh=x;
        b=x;
Received: from sohan by hap.happydealsday.com with local (Exim 4.80)
        (envelope-from <support@happydealsday.com>)
        id x
        for x; Mon, 10 Dec 2012 19:mm:ss -0600
To: x
Subject: Parhaat joululahjat: Omenahotelli, König, Eirikuva ja paljon muuta
X-PHP-Script: happydealsday.com/admin/functions/send_app_eng.php for
        174.132.43.149
From: "facediili.fi" <noreply@facediili.fi>
Date: Mon, 10 Dec 2012 05:mm:ss -0600
X-LibVersion: 3.3.1_4
MIME-Version: 1.0
Content-Type: multipart/alternative;
        boundary="_=_swift-x.x=_"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-MimeOLE: Produced by SwiftMailer 3.3.1_4
X-mid: x
X-Mailer: AC Mailer
Message-ID: <20121211hhmmss.x.x.swift@happydealsday.com>
X-AntiAbuse: This header was added to track abuse, please include it with any
        abuse report
X-AntiAbuse: Primary Hostname - hap.happydealsday.com
X-AntiAbuse: Original Domain - x
X-AntiAbuse: Originator/Caller UID/GID - [500 500] / [47 12]
X-AntiAbuse: Sender Address Domain - happydealsday.com
X-Get-Message-Sender-Via: hap.happydealsday.com: authenticated_id:
        sohan/sender_address_domain
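
An added example (not part of the original post): a short Python script that pulls the attribution facts out of the headers above, namely the relay IP recorded by the receiving MTA, the visible From domain, and the envelope and DKIM signing domains. The function names and the `from_unaligned` flag are hypothetical, and the embedded sample is an abridged copy of the quoted headers.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Abridged copy of the headers quoted above; "x" values are the page's own redactions.
SAMPLE = """\
Return-Path: <support@happydealsday.com>
Received: from hap.happydealsday.com (hap.happydealsday.com [174.132.43.149])
        by x (Postfix) with ESMTP id x
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
        d=happydealsday.com; s=default;
        bh=x;
        b=x;
Received: from sohan by hap.happydealsday.com with local (Exim 4.80)
        (envelope-from <support@happydealsday.com>)
X-PHP-Script: happydealsday.com/admin/functions/send_app_eng.php for
        174.132.43.149
From: "facediili.fi" <noreply@facediili.fi>
"""

def unfold(value):
    """Collapse folded header whitespace into single spaces."""
    return " ".join((value or "").split())

def domain_of(header_value):
    """Lower-cased domain of the address in a From/Return-Path header."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def analyse(raw):
    msg = message_from_string(raw)
    # The topmost Received header is written by the receiving MTA, so the
    # bracketed IP in it is the connection source that MTA actually saw.
    top = unfold((msg.get_all("Received") or [""])[0])
    ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", top)
    d = re.search(r"(?:^|;)\s*d=([^;\s]+)", unfold(msg.get("DKIM-Signature")))
    from_dom = domain_of(msg.get("From"))
    env_dom = domain_of(msg.get("Return-Path"))
    dkim_dom = d.group(1).lower() if d else None
    script = unfold(msg.get("X-PHP-Script")).split(" for ")[0] or None
    return {
        "relay_ip": ip.group(1) if ip else None,
        "from_domain": from_dom,
        "envelope_domain": env_dom,
        "dkim_domain": dkim_dom,
        "php_script": script,
        # Exact-match comparison only (a simplification of DMARC alignment).
        "from_unaligned": from_dom not in (env_dom, dkim_dom),
    }
```

Calling `analyse(SAMPLE)` returns a dict whose `from_unaligned` entry is true here: the message is signed and bounced under happydealsday.com while the visible From address is at facediili.fi.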

Spam contents: Practically nothing in plaintext.

http://happydealsday.com/newsletters/december/10122012/facediili.html

To Unsubscribe, please click here :
http://www.happydealsday.com/box.php?funcml=unsub2&nl=x&mi=x&email=x


Domain registration:

   Registered through: GoDaddy.com, LLC (http://www.godaddy.com)
   Domain Name: HAPPYDEALSDAY.COM
      Created on: 28-Mar-11
      Expires on: 28-Mar-13
      Last Updated on: 29-Mar-12

   Registrant:
   Fernando Francisco
   Nuottakunnantie 7 D 17
   Espoo, Espoo 02230
   Finland

   Administrative Contact:
      Francisco, Fernando  fgfrancisco@yahoo.com
      Nuottakunnantie 7 D 17
      Espoo, Espoo 02230
      Finland
      +358.405664755

   Technical Contact:
      Francisco, Fernando  fgfrancisco@yahoo.com
      Nuottakunnantie 7 D 17
      Espoo, Espoo 02230
      Finland
      +358.405664755

   Domain servers in listed order:
      NS1.HAPPYDEALSDAY.COM
      NS2.HAPPYDEALSDAY.COM

The phone number in the domain registration has three matches in the online phone directory. One is to 360Amigo Oy, one is to Business Bakers, a private d/b/a, and one is to an individual, Gonçalves Francisco Fernando, at the address indicated in the domain registration. This individual has lots of hits in the Bisnode business register, and based on his present and past association with Malwarebytes, Lavasoft Ad-Aware and F-Secure, seems an unlikely candidate for a spammer. But the evidence speaks for itself.

3 Responses to Facediili.fi: Spamming Xmas present tips

  1. Hap.happydeals.com is spamming again, on behalf of Haaga-Helia, a business polytechnic. Between last time and today, Fernando Francisco has taken the precaution of anonymizing his spamming domain registration. Isn’t it good I kept notes.

  2. A while ago, Facediili Oy acquired Offerium from Sanoma News Oy. Predictably, spam appeared. During the last days of November, this spam was coming from 192.169.55.222,

    Received: from kivipost.arvixevps.com (kivipost.arvixevps.com [192.169.55.222])

    A few days later, they enlisted the services of MailChimp, one of our favourite ESPs (sending domains include mcdlv.net, mcsv.net and rsgsv.net). Attempting to partner with MailChimp appears to be a mistake for any spammer. Termination ensued on Dec 8.

    Now they are spamming through Koodiviidakko (sending domain pvmailer.net). Recent experience indicates that attempting to partner with Koodiviidakko is a mistake for spammers as well.
