Spamming Finns from “Panama”

These spams have been seen in addresses found in emaildump.txt, the Finnish equivalent of the Millions CD and the bestest address source around. Others have spotted it before me.

Spamming IP: Anything in SenderBase has notes on them, too. [Update Nov 28: The notes were “Poor” SBRS on a number of hosts at the time of writing that.]

The sending IPs are in Finland.

inetnum: -
netname:        FI-NBLNETWORKS-20040603
org:            ORG-NNO1-RIPE
descr:          Nebula Oy
country:        FI

The domain’s name is clearly Finnish (verkko = net, tarjous = offer), but it’s registered to something in Panama:


Date Registered: 2012-3-7
Date Modified: 2012-8-14
Expiry Date: 2013-3-7


    Efficient Internet Ltd.
    Fernando Gartner
    Ave Samuel Lewis y Calle 58
    Piso 5, Office 5-B
    0816-04373 Apartado
    Tel: +507.5013009970

The contents of the advertised web page were in perfect Finnish, as was their description of the personal data file. (Unfortunately I didn’t take a copy, and the Wayback Machine never archived this site either.) Now why would a Panaman entity feel compelled to try to observe the Personal Data Act of Finland? A Panaman business would certainly not be bound by the laws of Finland.

The advertised services are in the Netherlands,

$ host is an alias for has address
$ host has address
$ host is an alias for has address

as per RIPE,

inetnum: -
netname:        TILAA
descr:          Tilaa
country:        NL

inetnum: -
netname:        TILAA
descr:          Tilaa
country:        NL

except for the mail handling host,

mail is handled by 1

which is in Finland, in the same network as the spam sending IPs:

$ host has address
$ host domain name pointer

Apparently, the reverse DNS indication above (as with any rDNS indicating the same parties) is outdated.

DNS to and (in the same /25) is provided by

reg_created: 2012-04-12 20:39:42
expires: 2013-04-12 20:39:42
created: 2012-04-12 22:39:42
changed: 2012-06-05 20:31:30
transfer-prohibited: yes
  nic-hdl: JS7027-GANDI
  owner-name: Webvalue
  organisation: Webvalue
  person: Gena Zabalujev
  address: 'Novinsky bulv., 8, TC "Lotte Plaza", 9th floor'
  zipcode: 125445
  city: MOSCOW
  country: Russia
  phone: +7.4957802330
  fax: ~
  lastupdated: 2012-06-05 20:11:03

The bit in boldface just HAS to be coincidental. I mean, why wouldn’t a Russian business that doesn’t otherwise exist have an interest in providing DNS services to “Panaman” domains, operating in Finland, providing services targeted solely at Finns?

The DNS services are in the same owner’s network as the spam-advertised services themselves.

$ host has address
$ host has address


inetnum: -
netname:        TILAA
descr:          Tilaa
country:        NL
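
The comparison made above (spam sources and MX in one network, web site and DNS in another), as an added Python example that is not part of the original post: it parses RIPE-style inetnum records and groups each observed role by the network that holds its address. The netname, descr and country values are the ones quoted on this page; the address ranges and the role addresses are constructed placeholders from the documentation ranges, since the page does not show the real ones.

```python
import ipaddress
from collections import defaultdict

# Constructed RIPE-style records: names are from the page, ranges are placeholders.
WHOIS = """\
inetnum:        192.0.2.0 - 192.0.2.255
netname:        FI-NBLNETWORKS-20040603
descr:          Nebula Oy
country:        FI

inetnum:        198.51.100.0 - 198.51.100.255
netname:        TILAA
descr:          Tilaa
country:        NL
"""

# Constructed role -> address observations (placeholders, not the real hosts).
OBSERVED = {
    "spam source": "192.0.2.17",
    "MX": "192.0.2.40",
    "web site": "198.51.100.10",
    "DNS server": "198.51.100.77",
}

def parse_inetnums(text):
    """Split RPSL text into objects and return (first, last, attrs) tuples."""
    nets = []
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            attrs.setdefault(key.strip(), value.strip())
        try:
            bounds = attrs.get("inetnum", "").split("-")
            first, last = (ipaddress.ip_address(p.strip()) for p in bounds)
        except ValueError:
            continue  # redacted or malformed range, e.g. "inetnum: -"
        nets.append((first, last, attrs))
    return nets

def correlate(observed, nets):
    """Group observed roles by the (netname, country) whose range holds their IP."""
    groups = defaultdict(list)
    for role, addr in observed.items():
        ip = ipaddress.ip_address(addr)
        owner = next(((a["netname"], a["country"]) for f, l, a in nets
                      if f <= ip <= l), ("UNKNOWN", "??"))
        groups[owner].append(role)
    return dict(groups)

if __name__ == "__main__":
    print(correlate(OBSERVED, parse_inetnums(WHOIS)))
```
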

The coincidence is that there happens to be a recently bankrupt Finnish business of the same name, and there’s a connection between a person who recently made threats against me and the biz that went belly up. Coincidence, it’s all coincidence, of course.

One of the parties whose content was recently included in spams indicated that their content was included in a newsletter sent by the “publishers” (not quite… subcontractors, more like, but that’s the word they used) of EuroAds. A message from the Sales Director of EuroAds Finland that was forwarded by said party says (my translation from the original Finnish):

We, EuroAds Finland Oy, and [our customer, said party] do not send newsletters, but instead they are sent by our collaborators. They own email lists to which they send various kinds of advertisements. We demand of all our partners that the email addresses have to have been collected legally and that our partners observe the rules of email marketing. We strive to control to the best of our ability that the rules are observed.

Another blog post and its comments have that same somebody admitting to be an affiliate publisher of EuroAds content. Coincidence, it’s all coincidence, of course.

The use of non-existent “realnames” as senders by (as evidenced below) has been noticed by others, too.

Spam headers:

Return-path: <>
Received: from ( [])
        by x (Postfix) with ESMTP id x
        for <x>; Wed, 14 Nov 2012 hh:mm:ss +0200 (EET)
Date: Wed, 14 Nov 2012 hh:mm:ss +0200
From: Aino Ahmo <>
Subject: Valitse vapaasti painatus ilmaiseen T-paitaasi 
To: x
Message-id: <>
MIME-version: 1.0
Content-type: multipart/alternative;
DKIM-Signature: v=1; a=rsa-sha1; q=dns/txt; l=x; s=x; t=x;
 c=relaxed/simple; h=From:To:Subject;;
 z=From:=20Aino=20=20Ahmo=20<> |To:=20x
List-Unsubscribe: <>

Human-readable spam contents: Vistaprint
