Verkkotarjous.com: Spamming Finns from “Panama”
These spams have been seen in addresses found in emaildump.txt, the Finnish equivalent of the Millions CD and the bestest address source around. Others have spotted it before me.
Spamming IP: Anything in 217.149.59.128/28. SenderBase has notes on them, too. [Update Nov 28: The notes were “Poor” SBRS on a number of hosts at the time of writing that.]
130.59.149.217.in-addr.arpa. 14400 IN PTR c130.verkkotarjous.com.
131.59.149.217.in-addr.arpa. 14400 IN PTR c131.verkkotarjous.com.
132.59.149.217.in-addr.arpa. 14400 IN PTR c132.verkkotarjous.com.
133.59.149.217.in-addr.arpa. 14400 IN PTR c133.verkkotarjous.com.
134.59.149.217.in-addr.arpa. 14400 IN PTR c134.verkkotarjous.com.
135.59.149.217.in-addr.arpa. 14400 IN PTR c135.verkkotarjous.com.
136.59.149.217.in-addr.arpa. 14400 IN PTR c136.verkkotarjous.com.
137.59.149.217.in-addr.arpa. 14400 IN PTR c137.verkkotarjous.com.
138.59.149.217.in-addr.arpa. 14400 IN PTR c138.verkkotarjous.com.
139.59.149.217.in-addr.arpa. 14400 IN PTR c139.verkkotarjous.com.
140.59.149.217.in-addr.arpa. 14400 IN PTR c140.verkkotarjous.com.
141.59.149.217.in-addr.arpa. 14400 IN PTR c141.verkkotarjous.com.
142.59.149.217.in-addr.arpa. 14400 IN PTR c142.verkkotarjous.com.
143.59.149.217.in-addr.arpa. 14400 IN PTR customer14.verkkotarjous.com.
144.59.149.217.in-addr.arpa. 14400 IN PTR customer15.verkkotarjous.com.
The sending IPs are in Finland.
[whois.ripe.net]
inetnum: 217.149.48.0 - 217.149.63.255
netname: FI-NBLNETWORKS-20040603
org: ORG-NNO1-RIPE
descr: Nebula Oy
country: FI
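To turn a PTR listing like the one above into something a mail admin can act on, it helps to map the reverse names back to addresses and compare them against the stated sending range. The following is an added example written for this post, not tooling from the post's author: it embeds the PTR records quoted above as a constructed sample, converts each in-addr.arpa name to an address, sorts the records into those inside and outside 217.149.59.128/28, lists addresses in the range that have no PTR in the listing, and checks that the numeric suffix of each cNNN hostname agrees with the last octet. Only the Python standard library is used.

```python
import ipaddress
import re

# Constructed sample: the PTR records quoted in the post, one per line.
PTR_LISTING = """\
130.59.149.217.in-addr.arpa. 14400 IN PTR c130.verkkotarjous.com.
131.59.149.217.in-addr.arpa. 14400 IN PTR c131.verkkotarjous.com.
132.59.149.217.in-addr.arpa. 14400 IN PTR c132.verkkotarjous.com.
133.59.149.217.in-addr.arpa. 14400 IN PTR c133.verkkotarjous.com.
134.59.149.217.in-addr.arpa. 14400 IN PTR c134.verkkotarjous.com.
135.59.149.217.in-addr.arpa. 14400 IN PTR c135.verkkotarjous.com.
136.59.149.217.in-addr.arpa. 14400 IN PTR c136.verkkotarjous.com.
137.59.149.217.in-addr.arpa. 14400 IN PTR c137.verkkotarjous.com.
138.59.149.217.in-addr.arpa. 14400 IN PTR c138.verkkotarjous.com.
139.59.149.217.in-addr.arpa. 14400 IN PTR c139.verkkotarjous.com.
140.59.149.217.in-addr.arpa. 14400 IN PTR c140.verkkotarjous.com.
141.59.149.217.in-addr.arpa. 14400 IN PTR c141.verkkotarjous.com.
142.59.149.217.in-addr.arpa. 14400 IN PTR c142.verkkotarjous.com.
143.59.149.217.in-addr.arpa. 14400 IN PTR customer14.verkkotarjous.com.
144.59.149.217.in-addr.arpa. 14400 IN PTR customer15.verkkotarjous.com.
"""

# The sending range named in the post.
SPAM_RANGE = ipaddress.ip_network("217.149.59.128/28")

# Hostnames of the form cNNN.<domain>; NNN is compared with the last octet.
C_HOST_RE = re.compile(r"^c(\d+)\.")


def reverse_name_to_ip(name):
    """Turn '130.59.149.217.in-addr.arpa.' back into an IPv4Address."""
    labels = name.rstrip(".").split(".")
    if len(labels) != 6 or labels[4:] != ["in-addr", "arpa"]:
        raise ValueError("not an IPv4 reverse name: %r" % name)
    return ipaddress.ip_address(".".join(reversed(labels[:4])))


def parse_ptr_records(text):
    """Return (ip, ttl, target) for each 'name TTL IN PTR target' line."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[2:4] != ["IN", "PTR"]:
            continue  # skip anything that is not a PTR record
        records.append((reverse_name_to_ip(fields[0]), int(fields[1]),
                        fields[4].rstrip(".")))
    return records


def split_by_range(records, network=SPAM_RANGE):
    """Separate records whose address lies inside the network from the rest."""
    inside = [r for r in records if r[0] in network]
    outside = [r for r in records if r[0] not in network]
    return inside, outside


def addresses_without_ptr(records, network=SPAM_RANGE):
    """Addresses of the network (including first and last) absent from the listing."""
    seen = {r[0] for r in records}
    return [ip for ip in network if ip not in seen]


def octet_mismatches(records):
    """cNNN hostnames whose number disagrees with the address's last octet."""
    bad = []
    for ip, _ttl, target in records:
        m = C_HOST_RE.match(target)
        if m and int(m.group(1)) != int(str(ip).rsplit(".", 1)[1]):
            bad.append((str(ip), target))
    return bad


if __name__ == "__main__":
    recs = parse_ptr_records(PTR_LISTING)
    inside, outside = split_by_range(recs)
    print("inside %s: %d, outside: %s" % (SPAM_RANGE, len(inside),
                                          [str(r[0]) for r in outside]))
    print("no PTR listed:", [str(ip) for ip in addresses_without_ptr(recs)])
    print("name/octet mismatches:", octet_mismatches(recs))
```

Run against the listing above, this reports the two addresses at the bottom of the /28 that have no entry in the listing and the one record (customer15) that sits just outside it; the same functions work unchanged on a PTR dump of any other range once the network argument is changed.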
The domain’s name is clearly Finnish (verkko = net, tarjous = offer), but it’s registered to something in Panama:
[whois.internet.bs]
Domain verkkotarjous.com
Date Registered: 2012-3-7
Date Modified: 2012-8-14
Expiry Date: 2013-3-7
DNS1: ns1.dns09fi.com
DNS2: ns2.dns09fi.com
Registrant
Efficient Internet Ltd.
Fernando Gartner
Email: domain@verkkotarjous.com
Ave Samuel Lewis y Calle 58 Piso 5, Office 5-B
0816-04373 Apartado
Panama
Tel: +507.5013009970
The contents of the advertised web page were in perfect Finnish, as was their description of the personal data file. (Unfortunately I didn’t take a copy, and the Wayback Machine never archived this site either.) Now why would a Panaman entity feel compelled to try to observe the Personal Data Act of Finland? A Panaman business would certainly not be bound by the laws of Finland.
The advertised services are in the Netherlands,
$ host www.verkkotarjous.com
www.verkkotarjous.com is an alias for verkkotarjous.com.
verkkotarjous.com has address 46.19.35.27
$ host c.verkkotarjous.com
c.verkkotarjous.com has address 164.138.25.79
$ host pois.verkkotarjous.com
pois.verkkotarjous.com is an alias for verkkotarjous.com.
verkkotarjous.com has address 46.19.35.27
as per RIPE,
[whois.ripe.net]
inetnum: 46.19.35.0 - 46.19.35.255
netname: TILAA
descr: Tilaa
country: NL

[whois.ripe.net]
inetnum: 164.138.25.0 - 164.138.25.255
netname: TILAA
descr: Tilaa
country: NL
except for the mail handling host,
verkkotarjous.com mail is handled by 1 alpha.verkkotarjous.com.
which is in Finland, in the same network as the spam sending IPs:
$ host alpha.verkkotarjous.com
alpha.verkkotarjous.com has address 217.149.59.129
$ host 217.149.59.129
129.59.149.217.in-addr.arpa domain name pointer goodwill.kuucom.net.
Apparently, the reverse DNS indication above (as with any rDNS indicating the same parties) is outdated.
DNS to verkkotarjous.com and mbm-mail.com (in the same /25) is provided by dns09fi.com.
[whois.gandi.net]
domain: dns09fi.com
reg_created: 2012-04-12 20:39:42
expires: 2013-04-12 20:39:42
created: 2012-04-12 22:39:42
changed: 2012-06-05 20:31:30
transfer-prohibited: yes
ns0: a.dns.gandi.net
ns1: b.dns.gandi.net
ns2: c.dns.gandi.net
owner-c:
  nic-hdl: JS7027-GANDI
  owner-name: Webvalue
  organisation: Webvalue
  person: Gena Zabalujev
  address: 'Novinsky bulv., 8, TC "Lotte Plaza", 9th floor'
  zipcode: 125445
  city: MOSCOW
  country: Russia
  phone: +7.4957802330
  fax: ~
  email: 712ba85da51f2c1d03df33bf49aa459b-1480513@contact.gandi.net
  lastupdated: 2012-06-05 20:11:03
The bit in boldface just HAS to be coincidental. I mean, why wouldn’t a Russian business that doesn’t otherwise exist have an interest in providing DNS services to “Panaman” domains, operating in Finland, providing services targeted solely at Finns?
The DNS services are in the same owner’s network as the spam-advertised services themselves.
$ host ns1.dns09fi.com
ns1.dns09fi.com has address 164.138.26.6
$ host ns2.dns09fi.com
ns2.dns09fi.com has address 164.138.26.6

[whois.ripe.net]
inetnum: 164.138.26.0 - 164.138.26.255
netname: TILAA
descr: Tilaa
country: NL
The coincidence is that there happens to be a recently bankrupt Finnish business of the same name, and there’s a connection between a person who recently made threats against me and the biz that went belly up. Coincidence, it’s all coincidence, of course.
One of the parties whose content was recently included in verkkotarjous.com spams indicated that their content was included in a newsletter sent by the “publishers” (not quite… subcontractors, more like, but that’s the word they used) of EuroAds. A message from the Sales Director of EuroAds Finland that was forwarded by said party says (my translation from the original Finnish):
We, EuroAds Finland Oy, and [our customer, said party] do not send newsletters, but instead they are sent by our collaborators. They own email lists to which they send various kinds of advertisements. We demand of all our partners that the email addresses have to have been collected legally and that our partners observe the rules of email marketing. We strive to control to the best of our ability that the rules are observed.
Another blog post and its comments have that same somebody admitting to being an affiliate publisher of EuroAds content. Coincidence, it’s all coincidence, of course.
The use of non-existent “realnames” as senders by verkkotarjous.com (as evidenced below) has been noticed by others, too.
Spam headers:
Return-path: <b-x@verkkotarjous.com>
Received: from c132.verkkotarjous.com (c132.verkkotarjous.com [217.149.59.132]) by x (Postfix) with ESMTP id x for <x>; Wed, 14 Nov 2012 hh:mm:ss +0200 (EET)
Date: Wed, 14 Nov 2012 hh:mm:ss +0200
From: Aino Ahmo <info@verkkotarjous.com>
Subject: Valitse vapaasti painatus ilmaiseen T-paitaasi
To: x
Message-id: <timestamp.x@verkkotarjous.com>
MIME-version: 1.0
Content-type: multipart/alternative; boundary="=_x"
DKIM-Signature: v=1; a=rsa-sha1; q=dns/txt; l=x; s=x; t=x; c=relaxed/simple; h=From:To:Subject; d=verkkotarjous.com; z=From:=20Aino=20=20Ahmo=20<info@verkkotarjous.com> |To:=20x |Subject:=20=3D?UTF-8?B?VmFsaXRzZSB2YXBhYXN0aSBwYWluYXR1cyBpbG1haXNlZW4gVC1wYWl0YWFzaSA=3D?=3D; bh=eo+3eUJsK9aOPwn+HMZ6odUL8EE=; b=c5dJjaG+SIs2ccNKow8b0o2jq47P4JPgLa2IYwok3tZBL4GmSlreHBU0TQD27gQ+ZrmiayyAY/DbY1TAeJ0zShdcA8vscuBU4ILrDeh4oyPX/1Ib5Ht67KgabCfGMY+ld/nHy696Zp2rt0ymqoid1JDcpQnKgYX+YyEkYsvJNbE=
X-DKIM: php-dkim.sourceforge.net
List-Unsubscribe: <mailto:u-x@verkkotarjous.com>
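The header block above carries the facts a filter would key on: the connecting IP in the Received line, the HELO name versus the reverse name, and a DKIM signature whose d= domain is the sender's own. The following is an added example, not code from the post or from any of the parties named in it. It embeds a constructed copy of those headers (the post's own "x" and "hh:mm:ss" redactions are kept, the z= tag is left out and the b= value is cut short, since nothing here verifies the signature), parses them with Python's standard email module, and reports whether the connecting IP falls inside the 217.149.59.128/28 range from the post, whether the DKIM d= domain aligns with the From domain, and which headers the signature actually covers. The point for a defender is that an aligned, valid DKIM signature only identifies the signing domain; here that domain is exactly the one to blocklist.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# The sending range named in the post.
SPAM_RANGE = ipaddress.ip_network("217.149.59.128/28")

# Constructed sample modelled on the headers quoted in the post.
SAMPLE_HEADERS = """\
Return-path: <b-x@verkkotarjous.com>
Received: from c132.verkkotarjous.com (c132.verkkotarjous.com [217.149.59.132])
 by x (Postfix) with ESMTP id x
 for <x>; Wed, 14 Nov 2012 hh:mm:ss +0200 (EET)
Date: Wed, 14 Nov 2012 hh:mm:ss +0200
From: Aino Ahmo <info@verkkotarjous.com>
Subject: Valitse vapaasti painatus ilmaiseen T-paitaasi
To: x
Message-id: <timestamp.x@verkkotarjous.com>
MIME-version: 1.0
Content-type: multipart/alternative; boundary="=_x"
DKIM-Signature: v=1; a=rsa-sha1; q=dns/txt; l=x; s=x; t=x; c=relaxed/simple;
 h=From:To:Subject; d=verkkotarjous.com; bh=eo+3eUJsK9aOPwn+HMZ6odUL8EE=;
 b=c5dJjaG+SIs2ccNKow8b0o2jq47P4JPgLa2IYwok3tZBL4GmSlreHBU0TQD27gQ+
X-DKIM: php-dkim.sourceforge.net
List-Unsubscribe: <mailto:u-x@verkkotarjous.com>

"""

# Postfix-style "from HELO (rDNS [ip])" clause of a Received header.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[]+)?\s*\[(?P<ip>[0-9.]+)\]\)")


def parse_received(value):
    """Pull HELO name, reverse name and connecting IP out of one Received header."""
    m = RECEIVED_RE.search(" ".join(value.split()))  # unfold continuation lines
    if not m:
        return None
    return {"helo": m.group("helo"), "rdns": m.group("rdns"), "ip": m.group("ip")}


def parse_dkim_tags(value):
    """Split a DKIM-Signature value into its tag=value pairs (RFC 6376 tag list)."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")  # only the first '=' separates tag from value
        if sep:
            tags[name.strip()] = "".join(val.split())  # drop folding whitespace
    return tags


def assess(raw_headers, listed_range=SPAM_RANGE):
    """Summarise the sender-identity facts a filter would act on."""
    msg = message_from_string(raw_headers)
    hops = [h for h in (parse_received(v) for v in msg.get_all("Received", [])) if h]
    hop = hops[0] if hops else None  # first Received header = the one our own MTA added
    ip = ipaddress.ip_address(hop["ip"]) if hop else None
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    tags = parse_dkim_tags(msg.get("DKIM-Signature", ""))
    signed = [h.strip().lower() for h in tags.get("h", "").split(":") if h.strip()]
    return {
        "connecting_ip": str(ip) if ip else None,
        "in_listed_range": bool(ip is not None and ip in listed_range),
        "helo_matches_rdns": bool(hop and hop["helo"] == hop["rdns"]),
        "dkim_domain": tags.get("d", "").lower(),
        "dkim_aligned_with_from": bool(tags.get("d")) and tags["d"].lower() == from_domain,
        "signed_headers": signed,
        "list_unsubscribe_unsigned": "list-unsubscribe" not in signed,
        "signer_software": msg.get("X-DKIM", ""),
    }


if __name__ == "__main__":
    for key, val in assess(SAMPLE_HEADERS).items():
        print("%-25s %s" % (key, val))
```

Feeding a real message's headers to assess() (everything up to the first blank line) gives the same dictionary; the listed_range argument can be any network a local blocklist cares about. Note that the signature here covers only From, To and Subject, so the List-Unsubscribe address, which the post's other headers show is per-recipient, is not bound by it.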
Human-readable spam contents: Vistaprint…