LISTED: EMAS and NATA

EMAS (European Menopause and Andropause Society) and NATA (Network for the Advancement of Patient Blood Management, Haemostasis and Thrombosis) are somehow in cahoots. Or at least both are spamming through the same facilities, which to our knowledge are used by nobody else.

On January 3, “Stéphane” (we suppose this is Stephane Talboom), claiming to represent salesbridges.com (a domain registered in a Lithuanian city, with the country set to Luxembourg, and a phone number in Germany…), attempted to leave a website comment on our HOW TO GET REMOVED page, which clearly states that one should write emails to the addresses mentioned (not leave public comments on the website). We did not publish the comment. We observe the DNSBL Best Practices, whose Section 2.2.2 says “A Direct Non-Public Way to Request Removal SHOULD Be Available”, and one is available: write email to us. We don’t expect anybody to plead their case in public. But we note we haven’t blogged about their listing yet, so it is appropriate to do so now.

The comment mentioned the IP address 213.159.37.46, which we have been listing since 4 September 2014. We see that we have failed to add all of their domain names to the RHSBL since we launched that part of the list in late September, although quite a few more spams have been received since then. The reason is that they have been careful not to mention their own domain names any more; they’ve been using disposable redirectors instead. That’s fixed now.

The comment asked to “[p]lease remove our ip from the blacklist since we do not send spam.” We replied with a request to describe the methods they have used to build the mailing list. Stephane has not seen it necessary to reply.

At the moment, we list the following IP addresses for having sent EMAS/NATA spam:


as well as the following domain names directly belonging to them:

  • emas-online.org
  • mktgm.com
  • mktgstudio.com
  • nataonline.com

as well as the following domain names they have abused:

  • nata1.ddns.net
  • redirectme.net

Most of the IPs we list appear to be domestic cable TV internet connections in Lithuania, which shouldn’t be sending any mail directly at all but should be using the ISP’s dedicated mail servers instead. They’re not listed by the Spamhaus PBL or the SORBS DUHL, but we wonder if they shouldn’t be.

  • 34.153.56.78.in-addr.arpa domain name pointer 78-56-153-34.static.zebra.lt.
  • 34.171.132.79.in-addr.arpa domain name pointer ctv-79-132-171-34.vinita.lt.
  • 252.169.132.79.in-addr.arpa domain name pointer ctv-79-132-169-252.vinita.lt.
  • 4.32.173.95.in-addr.arpa domain name pointer ctv-95-173-32-4.vinita.lt.
  • 65.33.173.95.in-addr.arpa domain name pointer ctv-95-173-33-65.vinita.lt.
  • 15.34.173.95.in-addr.arpa domain name pointer ctv-95-173-34-15.vinita.lt.
  • 53.35.173.95.in-addr.arpa domain name pointer ctv-95-173-35-53.vinita.lt.
  • 224.45.173.95.in-addr.arpa domain name pointer ctv-95-173-45-224.vinita.lt.
  • 46.37.159.213.in-addr.arpa domain name pointer mktgm.com.
  • 101.121.164.213.in-addr.arpa domain name pointer ctv-213-164-121-101.vinita.lt.
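
The observation above rests on the shape of the PTR names: an access-network address usually carries an ISP-generated name that spells out its own octets, while a deliberately configured mail host does not. The following is an added example, not the blog's own tooling, that parses PTR lines in both notations used on this page and labels each name; the function names are hypothetical.

```python
import ipaddress
import re

# Accepts `host` output ("domain name pointer") and zone/dig format ("IN PTR").
PTR_LINE = re.compile(
    r"(?<![\d.])((?:\d{1,3}\.){4})in-addr\.arpa\.?\s+"
    r"(?:domain name pointer|\d+\s+IN\s+PTR)\s+(\S+?)\.?\s*$"
)

def parse_ptr(line):
    """Return (IPv4Address, hostname) for one PTR line, or None if malformed."""
    m = PTR_LINE.search(line)
    if not m:
        return None
    reversed_octets = m.group(1).rstrip(".").split(".")
    try:
        ip = ipaddress.IPv4Address(".".join(reversed(reversed_octets)))
    except ipaddress.AddressValueError:
        return None
    return ip, m.group(2).lower()

def embeds_ip(ip, host):
    """True if the hostname spells out all four octets, forward or reversed."""
    octets = [int(o) for o in str(ip).split(".")]
    runs = [int(r) for r in re.findall(r"\d+", host)]
    windows = [runs[i:i + 4] for i in range(len(runs) - 3)]
    return octets in windows or octets[::-1] in windows

def classify(text):
    """Label each parsable PTR line 'generic' (IP-derived name) or 'custom'."""
    results = []
    for line in text.splitlines():
        parsed = parse_ptr(line)
        if parsed:
            ip, host = parsed
            results.append((str(ip), host, "generic" if embeds_ip(ip, host) else "custom"))
    return results

# Records 1-3 are from the list above; record 4 is from the comments below.
SAMPLE = """\
  • 34.171.132.79.in-addr.arpa domain name pointer ctv-79-132-171-34.vinita.lt.
  • 34.153.56.78.in-addr.arpa domain name pointer 78-56-153-34.static.zebra.lt.
  • 46.37.159.213.in-addr.arpa domain name pointer mktgm.com.
216.104.170.31.in-addr.arpa. 86400 IN PTR mta1.mktgmailer.com.
"""

if __name__ == "__main__":
    for ip, host, label in classify(SAMPLE):
        print(f"{ip:<16}{label:<9}{host}")
```

A "generic" label only says the name is derived from the address; whether such a range should be treated as a dynamic or end-user pool remains a policy decision.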

Registration information of Salesbridges OÜ, a new company formed by the EMAS/NATA spammers in Estonia in July 2016

9 thoughts on “LISTED: EMAS and NATA”

  1. RocketScientist Post author


    $ rblcheck -t 79.132.173.124
    79.132.173.124 RBL filtered by dnsbl.sorbs.net: Dynamic IP Addresses See: http://www.sorbs.net/lookup.shtml?79.132.173.124

    Now listed also by ScientificSpam as a spammer.

  2. RocketScientist Post author

    Around the end of February / beginning of March 2015 EMAS/NATA/mktgmailer.com have obtained services from

    inetnum:        31.170.104.192 - 31.170.104.223
    netname:        BNK-DE-20141007
    descr:          VPS Hosting
    country:        DE
    
    address:        B & K Verwaltungs GmbH
    address:        Kurt-Schumacher-Platz 8
    address:        44787 Bochum
    address:        Germany
    

    Cf.

    • 215.104.170.31.in-addr.arpa. 86400 IN PTR mktgmailer.com.
    • 216.104.170.31.in-addr.arpa. 86400 IN PTR mta1.mktgmailer.com.
    • 219.104.170.31.in-addr.arpa. 86400 IN PTR mta2.mktgmailer.com.
    • 220.104.170.31.in-addr.arpa. 86400 IN PTR mta3.mktgmailer.com.
    • 221.104.170.31.in-addr.arpa. 86400 IN PTR mta4.mktgmailer.com.

    We listed the /27 as a precautionary measure. The complete list of EMAS domains we list now is

  3. RocketScientist Post author

    As of late April EMAS have managed to obtain services from Mandrill, the transactional arm of MailChimp. Given that their opposition to the use of scraped, purchased and other types of non opt-in lists is rather well known and established for quite a long time (see references 1, 2, 3) we do not expect this association to last long.

  4. RocketScientist Post author

    Now also including Oxford Gene Tech (ogt.com, now listed).

    Registrant Name: Brian Eddington
    Registrant Organization: Oxford Gene Technology
    Registrant Street: IAT Sandy Lane Yarnton
    Registrant City: Yarnton
    Registrant State/Province:
    Registrant Postal Code: OX5 1PF
    Registrant Country: GB
    Registrant Phone: +44.18658568000
    Registrant Phone Ext:
    Registrant Fax:
    Registrant Fax Ext:
    Registrant Email: [email protected]

  5. RocketScientist Post author


    inetnum: 92.243.69.0 - 92.243.69.255
    netname: INFOBOX
    descr: Network for VPS
    country: RU

    Listed on February 16.

    Complete list of domains listed for EMAS as of today:
    blackswanfoundation.ch constantmktg.eu emas-online.org erare.eu ihw-conference.com issbd2016.com mktgm.com mktgmailer.com mktgstudio.com mktmserver.com nataonline.com net4healths.org ogt.co.uk ogt.com react-congress.org salesbridges.com vilnius-summit.eu

  6. RocketScientist Post author


    inetnum: 130.255.74.32 - 130.255.74.63
    netname: B-N-K-BNK-DE-20160121
    descr: IP Space for dedicated servers
    country: DE

    56.74.255.130.in-addr.arpa. 86400 IN PTR mktgm.com.
    57.74.255.130.in-addr.arpa. 86400 IN PTR mta1.mktgm.com.
    58.74.255.130.in-addr.arpa. 86400 IN PTR mta2.mktgm.com.
    59.74.255.130.in-addr.arpa. 86400 IN PTR mta3.mktgm.com.

    Listed the /24. AS29141 will be notified.

  7. RocketScientist Post author

    AS29141 appears to be providing spam support services to EMAS.


    215.104.170.31.in-addr.arpa. 86400 IN PTR constantmktg.eu.
    216.104.170.31.in-addr.arpa. 86400 IN PTR mta1.constantmktg.eu.
    219.104.170.31.in-addr.arpa. 86400 IN PTR mta2.constantmktg.eu.
    220.104.170.31.in-addr.arpa. 86400 IN PTR mta3.constantmktg.eu.
    221.104.170.31.in-addr.arpa. 86400 IN PTR mta4.constantmktg.eu.

    (Cf. earlier comment on same IPs.)

  8. RocketScientist Post author

    Since November 2016, EMAS have been partnering with K.I.T. Group GmbH. The spam is being sent with a from of [email protected] from hosts whose names match the regex mx\.newscpt[0-9]{1,2}\.de in the Netways GmbH network range 185.11.253.0/24. All of these are now listed.

    Reply
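
The criteria in the comment above (host name pattern plus network range) can be applied to the relay recorded in a Received header. This is an added example, not part of the original post or the list's own software; the Postfix-style header layout, the function name and the sample headers are assumptions, and the host octets in the samples are constructed.

```python
import ipaddress
import re

# Hostname pattern and network range as quoted in the comment above.
HOST_RE = re.compile(r"mx\.newscpt[0-9]{1,2}\.de", re.IGNORECASE)
NETWORK = ipaddress.ip_network("185.11.253.0/24")

# Assumed header layout (Postfix style): "from HELO (RDNS [IP]) by ...".
RECEIVED_RE = re.compile(r"from\s+(\S+)\s+\((\S+)\s+\[([0-9.]+)\]\)")

def check_relay(received):
    """Return 'both', 'network-only', 'name-only' or 'none'; None if unparsable."""
    m = RECEIVED_RE.search(received)
    if not m:
        return None
    _helo, rdns, ip_text = m.groups()
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return None
    # HELO is chosen by the sender, so only the rDNS name the receiving MTA
    # resolved is tested. fullmatch() rejects "mx.newscpt1.de.example.net".
    name_hit = HOST_RE.fullmatch(rdns.rstrip(".")) is not None
    net_hit = ip in NETWORK
    if name_hit and net_hit:
        return "both"
    if net_hit:
        return "network-only"
    return "name-only" if name_hit else "none"

# Constructed Received headers; host octets and mx.example.org are made up.
SAMPLES = [
    "Received: from mx.newscpt7.de (mx.newscpt7.de [185.11.253.17]) by mx.example.org",
    "Received: from mail.example.net (unknown [185.11.253.40]) by mx.example.org",
    "Received: from mx.newscpt1.de (mx.newscpt1.de.example.net [198.51.100.9]) by mx.example.org",
    "Received: from mx.newscpt12.de (mx.newscpt12.de [192.0.2.8]) by mx.example.org",
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(check_relay(header), "<-", header)
```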
  9. RocketScientist Post author

    K.I.T. Group GmbH is Stéphane Talboom in yet another role. Salesbridges have also formed an Estonian presence in the summer of 2016 (see screenshot from the Estonian companies house at the end of the main article).
