EMAS (European Menopause and Andropause Society) and NATA (Network for the Advancement of Patient Blood Management, Haemostasis and Thrombosis) are somehow in cahoots. Or at least they both are spamming through the same facilities that are used by nobody else to our knowledge.
On January 3, “Stéphane” (suppose this is Stephane Talboom) claiming to represent salesbridges.com (a domain registered in a Lithuanian city, with the country set to Luxembourg, and a phone number in Germany…) attempted to leave a website comment on our HOW TO GET REMOVED page, which clearly states that one should write emails to the addresses mentioned (not leave public comments on the website). We did not publish the comment; we observe the DNSBL Best Practices, and in accordance with Section 2.2.2, “A Direct Non-Public Way to Request Removal SHOULD Be Available” and is. That is, write email to us. We don’t expect anybody to plead their case in public. But we note we haven’t blogged about their listing yet, so it is appropriate to do so now.
The comment mentioned the IP address 213.159.37.46, which we have been listing since 4 September 2014. We see that we have failed to add all of their domain names to the RHSBL ever since we launched that part of the list in late September, although quite a few more spams have been received ever since. The reason is that they have been careful not to mention their own domain names any more; they’ve been using disposable redirectors instead. That’s fixed now.
The comment asked to “[p]lease remove our ip from the blacklist since we do not send spam.” We replied with a request to describe the methods they have used to build the mailing list. Stephane has not seen it necessary to reply.
At the moment, we list the following IP addresses for having sent EMAS/NATA spam:
- 78.56.153.34
- 79.132.171.34
- 79.132.169.252
- 95.173.32.4
- 95.173.33.65
- 95.173.34.15
- 95.173.35.53
- 95.173.45.224
- 213.159.37.46
- 213.164.121.101
as well as the following domain names directly belonging to them:
- emas-online.org
- mktgm.com
- mktgstudio.com
- nataonline.com
as well as the following domain names they have abused:
- nata1.ddns.net
- redirectme.net
Most of the IPs we indicate above appear to be domestic cable TV internet connections in Lithuania which shouldn’t be sending any mail at all directly but using the ISP’s dedicated mail servers instead. They’re not listed by the Spamhaus PBL or the SORBS DUHL, but we wonder if they shouldn’t be.
- 34.153.56.78.in-addr.arpa domain name pointer 78-56-153-34.static.zebra.lt.
- 34.171.132.79.in-addr.arpa domain name pointer ctv-79-132-171-34.vinita.lt.
- 252.169.132.79.in-addr.arpa domain name pointer ctv-79-132-169-252.vinita.lt.
- 4.32.173.95.in-addr.arpa domain name pointer ctv-95-173-32-4.vinita.lt.
- 65.33.173.95.in-addr.arpa domain name pointer ctv-95-173-33-65.vinita.lt.
- 15.34.173.95.in-addr.arpa domain name pointer ctv-95-173-34-15.vinita.lt.
- 53.35.173.95.in-addr.arpa domain name pointer ctv-95-173-35-53.vinita.lt.
- 224.45.173.95.in-addr.arpa domain name pointer ctv-95-173-45-224.vinita.lt.
- 46.37.159.213.in-addr.arpa domain name pointer mktgm.com.
- 101.121.164.213.in-addr.arpa domain name pointer ctv-213-164-121-101.vinita.lt.
$ rblcheck -t 79.132.173.124
79.132.173.124 RBL filtered by dnsbl.sorbs.net: Dynamic IP Addresses See: http://www.sorbs.net/lookup.shtml?79.132.173.124
Now listed also by ScientificSpam as a spammer.
Around the end of February / beginning of March 2015 EMAS/NATA/mktgmailer.com have obtained services from
Cf.
We listed the /27 as a precautionary measure. The complete list of EMAS domains we list now is
As of late April EMAS have managed to obtain services from Mandrill, the transactional arm of MailChimp. Given that their opposition to the use of scraped, purchased and other types of non opt-in lists is rather well known and established for quite a long time (see references 1, 2, 3) we do not expect this association to last long.
Now also including Oxford Gene Tech (ogt.com, now listed).
Registrant Name: Brian Eddington
Registrant Organization: Oxford Gene Technology
Registrant Street: IAT Sandy Lane Yarnton
Registrant City: Yarnton
Registrant State/Province:
Registrant Postal Code: OX5 1PF
Registrant Country: GB
Registrant Phone: +44.18658568000
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: [email protected]
inetnum: 92.243.69.0 - 92.243.69.255
netname: INFOBOX
descr: Network for VPS
country: RU
Listed on February 16.
Complete list of domains listed for EMAS as of today:
blackswanfoundation.ch constantmktg.eu emas-online.org erare.eu ihw-conference.com issbd2016.com mktgm.com mktgmailer.com mktgstudio.com mktmserver.com nataonline.com net4healths.org ogt.co.uk ogt.com react-congress.org salesbridges.com vilnius-summit.eu
inetnum: 130.255.74.32 - 130.255.74.63
netname: B-N-K-BNK-DE-20160121
descr: IP Space for dedicated servers
country: DE
56.74.255.130.in-addr.arpa. 86400 IN PTR mktgm.com.
57.74.255.130.in-addr.arpa. 86400 IN PTR mta1.mktgm.com.
58.74.255.130.in-addr.arpa. 86400 IN PTR mta2.mktgm.com.
59.74.255.130.in-addr.arpa. 86400 IN PTR mta3.mktgm.com.
Listed the /24. AS29141 will be notified.
AS29141 appears to be providing spam support services to EMAS.
215.104.170.31.in-addr.arpa. 86400 IN PTR constantmktg.eu.
216.104.170.31.in-addr.arpa. 86400 IN PTR mta1.constantmktg.eu.
219.104.170.31.in-addr.arpa. 86400 IN PTR mta2.constantmktg.eu.
220.104.170.31.in-addr.arpa. 86400 IN PTR mta3.constantmktg.eu.
221.104.170.31.in-addr.arpa. 86400 IN PTR mta4.constantmktg.eu.
(Cf. earlier comment on same IPs.)
Since November 2016, EMAS have been partnering with K.I.T. Group GmbH. The spam is being sent with a from of
[email protected]
from hosts whose names match the regexmx\.newscpt[0-9]{1,2}\.de
in the Netways GmbH network range185.11.253.0/24
. All of these are now listed.K.I.T. Group GmbH is Stéphane Talboom in yet another role. Salesbridges have also formed an Estonian presence in the summer of 2016 (see screenshot from the Estonian companies house at the end of the main article).