We’ve been on the receiving end of spam from Origene since March 2015. At the time, we listed 124.127.105.206, a few domain names, and thought nothing more of it. We had the occasion to look at their spam a little more closely today. It’s all coming from a /15 (that’s 131,072 IP addresses) assigned to a research facility in China. The spamming domain name is smarttargetonline.net, registered to a person without an organization. Worth looking at a little more.
On paper, this appears to be a company based in Rockville, MD (Department ID F04352993 in Maryland DAT). However, there is a strong connection to China, which is evident from their spamming.
The IP address lookup for 124.127.105.206 at APNIC indicates the following:
% Information related to '124.126.0.0 - 124.127.255.255'
inetnum: 124.126.0.0 - 124.127.255.255
netname: RITELE
descr: Research Institution of Telecom
descr: No.1 Gaojiayuan,Xicheng District,Beijing,China
country: CN
admin-c: YZ1264-AP
tech-c: YZ1264-AP
mnt-by: MAINT-CNNIC-AP
mnt-lower: MAINT-CNNIC-AP
mnt-routes: MAINT-CNNIC-AP
status: ALLOCATED PORTABLE
changed: [email protected] 20070228
source: APNIC
person: Yiming Zheng
nic-hdl: YZ1264-AP
e-mail: [email protected]
address: No.1 Gaojiayuan,Xicheng District,Beijing,China
phone: +86-010-84588176
fax-no: +86-010-84588021
country: CN
changed: [email protected] 20070429
mnt-by: MAINT-CNNIC-AP
source: APNIC
% This query was served by the APNIC Whois Service version 1.69.1-APNICv1r0 (UNDEFINED)
A huge network assigned to a research institution of telecom in China, complete with a Hotmail contact address (for a name that suggests a Senior Market Research Analyst at Shanghai Research Institution of China Telecom, if you are to believe the LinkedIn profile of one Yiming Zheng). Lovely. Now what about the domain name?
Domain Name: SMARTTARGETONLINE.NET
Registry Domain ID:
Registrar WHOIS Server: whois.domain.com
Registrar URL: www.domain.com
Updated Date: 2015-09-15T23:55:44Z
Creation Date: 2010-03-12T06:20:23Z
Registrar Registration Expiration Date: 2020-03-12T05:20:23Z
Registrar: Domain.com, LLC
Registrar IANA ID: 886
Registrar Abuse Contact Email: [email protected]
Registrar Abuse Contact Phone: +1.6027165396
Reseller: Domain.com
Reseller: [email protected]
Reseller: +1.8004033568
Domain Status: ok
Registry Registrant ID:
Registrant Name: Xiaodong Zhou
Registrant Organization: Xiaodong Zhou
Registrant Street: 14 Chao Yang Men Nan Da Jie
Registrant City: Beijing
Registrant State/Province:
Registrant Postal Code: 100081
Registrant Country: CN
Registrant Phone: +86.13701005811
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: [email protected]
Registry Admin ID:
Admin Name: Xiaodong Zhou
Admin Organization: Xiaodong Zhou
Admin Street: 14 Chao Yang Men Nan Da Jie
Admin City: Beijing
Admin State/Province:
Admin Postal Code: 100081
Admin Country: CN
Admin Phone: +86.13701005811
Admin Phone Ext:
Admin Fax:
Admin Fax Ext:
Admin Email: [email protected]
Registry Tech ID:
Tech Name: Xiaodong Zhou
Tech Organization: Xiaodong Zhou
Tech Street: 14 Chao Yang Men Nan Da Jie
Tech City: Beijing
Tech State/Province:
Tech Postal Code: 100081
Tech Country: CN
Tech Phone: +86.13701005811
Tech Phone Ext:
Tech Fax:
Tech Fax Ext:
Tech Email: [email protected]
Name Server: NS2.DOMAIN.COM
Name Server: NS1.DOMAIN.COM
DNSSEC: unsigned
URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/
>>> Last update of WHOIS database: 2015-09-15T23:55:44Z <<<
Registration Service Provider: Domain.com, [email protected] +1.8004033568
This company may be contacted for domain login/passwords, DNS/Nameserver changes, and general domain support questions.
And the actual spam-advertised domain name?
Domain Name: ORIGENE.COM
Registry Domain ID: 442862_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.networksolutions.com
Registrar URL: http://networksolutions.com
Updated Date: 2015-01-28T23:40:58Z
Creation Date: 1996-12-17T05:00:00Z
Registrar Registration Expiration Date: 2019-12-16T05:00:00Z
Registrar: NETWORK SOLUTIONS, LLC.
Registrar IANA ID: 2
Registrar Abuse Contact Email: [email protected]
Registrar Abuse Contact Phone: +1.8003337680
Reseller:
Domain Status: clientTransferProhibited http://www.icann.org/epp#clientTransferProhibited
Registry Registrant ID:
Registrant Name: OriGene Technologies, Inc.
Registrant Organization: OriGene Technologies, Inc.
Registrant Street: 9620 Medical Center Drive
Registrant City: Rockville
Registrant State/Province: MD
Registrant Postal Code: 20850
Registrant Country: US
Registrant Phone: +1.2406200237
Registrant Phone Ext:
Registrant Fax: +1.9999999999
Registrant Fax Ext:
Registrant Email: [email protected]
Registry Admin ID:
Admin Name: Deng, James
Admin Organization: Origene Inc
Admin Street: 9620 Medical Center Drive suite 200
Admin City: Rockville
Admin State/Province: MD
Admin Postal Code: 20850
Admin Country: US
Admin Phone: +1.2406200253
Admin Phone Ext:
Admin Fax:
Admin Fax Ext:
Admin Email: [email protected]
Registry Tech ID:
Tech Name: Master, Host
Tech Organization:
Tech Street: 1950 Stemmons Frwy
Tech City: Dallas
Tech State/Province: TX
Tech Postal Code: 75207
Tech Country: US
Tech Phone: +1.8005531989
Tech Phone Ext:
Tech Fax: +1.2142617144
Tech Fax Ext:
Tech Email: [email protected]
Name Server: NS1.PAETEC.NET
Name Server: NS2.PAETEC.NET
DNSSEC: Unsigned
URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/
>>> Last update of whois database: Wed, 23 Sep 2015 10:23:21 GMT <<<
Looking at the LinkedIn list of people who have Origene Technologies somewhere on their profile returns a number of people all of Chinese origin. The first hit in the list that this author received is Xiaodong Zhou, Director of IT... who just so happens to be the owner of the spamming domain.
So, the 124.126.0.0/15 network of the Shanghai Research Institute for China Telecom is listed, along with all the domain names involved, and the IP address of their American website host on Lore Systems, Inc. (204.9.46.203; ARIN WHOIS indicates Lore RWHOIS, which is refusing connections in violation of ARIN Number Resource Policy #3.2).
Also spamming from
Received: from mail14.smarttargetonline.net (unknown [58.214.245.130])
which is in a CHINANET Jiangsu /12. This IP has been listed since 3/26.
Earlier in September 2015 they had also managed to obtain services from ExactTarget, a US ESP.
Received: from xtinmta02-30.exacttarget.com (xtinmta02-30.exacttarget.com
[207.67.38.30])
162.245.214.58.in-addr.arpa. 1800 IN PTR mail10.smarttargetonline.net.
163.245.214.58.in-addr.arpa. 1800 IN PTR mail11.smarttargetonline.net.
164.245.214.58.in-addr.arpa. 1800 IN PTR mail12.smarttargetonline.net.
165.245.214.58.in-addr.arpa. 1800 IN PTR mail13.smarttargetonline.net.
166.245.214.58.in-addr.arpa. 1800 IN PTR mail14.smarttargetonline.net.
All listed now.
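The evidence above carries a small inconsistency worth automating: the connecting host announced itself as mail14.smarttargetonline.net, the receiving server logged its address as "unknown" (no reverse DNS), yet the PTR record carrying the mail14 name belongs to a neighbouring address in the same /24. The following Python is an added example, not code from this post, that parses the Received headers and PTR records quoted here, converts in-addr.arpa names back to addresses, and reports each connecting IP against the listed blocks. The 58.208.0.0/12 prefix is an assumption derived from the post's statement that 58.214.245.130 sits in a CHINANET Jiangsu /12; the folded ExactTarget header has been joined onto one line.

```python
import ipaddress
import re

# Constructed sample input: the two Received headers and the five PTR records
# quoted in the post. The /12 is an assumption: the post names no prefix, and
# 58.208.0.0/12 is the /12 that contains 58.214.245.130.
RECEIVED_HEADERS = [
    "Received: from mail14.smarttargetonline.net (unknown [58.214.245.130])",
    "Received: from xtinmta02-30.exacttarget.com (xtinmta02-30.exacttarget.com [207.67.38.30])",
]

PTR_RECORDS = """\
162.245.214.58.in-addr.arpa. 1800 IN PTR mail10.smarttargetonline.net.
163.245.214.58.in-addr.arpa. 1800 IN PTR mail11.smarttargetonline.net.
164.245.214.58.in-addr.arpa. 1800 IN PTR mail12.smarttargetonline.net.
165.245.214.58.in-addr.arpa. 1800 IN PTR mail13.smarttargetonline.net.
166.245.214.58.in-addr.arpa. 1800 IN PTR mail14.smarttargetonline.net.
"""

LISTED_BLOCKS = [
    ipaddress.ip_network("124.126.0.0/15"),  # RITELE allocation from the APNIC record
    ipaddress.ip_network("58.208.0.0/12"),   # assumed CHINANET Jiangsu /12
]

# "from <helo-name> (<reverse-dns-or-unknown> [<ip>])" as written by the receiving MTA
RECEIVED_RE = re.compile(r"^Received: from (\S+) \((\S+) \[([0-9.]+)\]\)")


def parse_received(line):
    """Return (helo_name, rdns_name, ip); rdns_name is None when the MTA logged 'unknown'."""
    m = RECEIVED_RE.match(line)
    if not m:
        raise ValueError("unrecognised Received header: " + line)
    helo, rdns, ip = m.groups()
    return helo, (None if rdns == "unknown" else rdns), ip


def arpa_to_ip(name):
    """Convert 'd.c.b.a.in-addr.arpa.' back to the dotted address 'a.b.c.d'."""
    labels = name.rstrip(".").split(".")
    if len(labels) != 6 or labels[-2:] != ["in-addr", "arpa"]:
        raise ValueError("not an IPv4 in-addr.arpa name: " + name)
    return ".".join(reversed(labels[:4]))


def parse_ptr_zone(text):
    """Map IP -> PTR hostname (trailing dot stripped) from zone-style PTR lines."""
    table = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 5 and fields[2:4] == ["IN", "PTR"]:
            table[arpa_to_ip(fields[0])] = fields[4].rstrip(".")
    return table


def assess(line, ptr_table, listed_blocks):
    """Return a list of findings for one Received header; empty means nothing noteworthy."""
    helo, rdns, ip = parse_received(line)
    addr = ipaddress.ip_address(ip)
    findings = []
    for net in listed_blocks:
        if addr in net:
            findings.append(f"ip {ip} inside listed block {net}")
    if rdns is None:
        findings.append(f"no reverse DNS for {ip} (receiving MTA logged 'unknown')")
    ptr = ptr_table.get(ip)
    if ptr is None:
        # The HELO name may be the PTR of a *different* address in the same range.
        others = [a for a, h in ptr_table.items() if h == helo]
        if others:
            findings.append(f"HELO name {helo} is the PTR of {', '.join(others)}, not of {ip}")
    elif ptr != helo:
        findings.append(f"HELO name {helo} != PTR {ptr}")
    return findings


if __name__ == "__main__":
    table = parse_ptr_zone(PTR_RECORDS)
    for header in RECEIVED_HEADERS:
        print(header)
        for finding in assess(header, table, LISTED_BLOCKS) or ["no findings"]:
            print("  -", finding)
```

Run against the two headers, the smarttargetonline.net line yields three findings (listed block, missing reverse DNS, HELO name borrowed from 58.214.245.166) while the ExactTarget line yields none, which matches the post's point that the ESP-relayed mail only becomes attributable through its sender domain, not its source network.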
Still spamming from ExactTarget,
Subject: Video Protocol: Gene Knockout via CRISPR
Received: from xtinmta02-30.exacttarget.com (xtinmta02-30.exacttarget.com
[207.67.38.30])
From: OriGene Technologies Inc
Date: Mon, 19 Oct 2015 10:17:09 -0600
just in.
Partners in Europe with Acris Antibodies:
Received: from web03.acris-antibodies.com (web03.acris-antibodies.com
[178.63.70.136])
...
Subject: Take a 2-min survey on cDNA clone use and win a fit-bit wristband
Date: Fri, 5 Aug 2016 hh:mm:ss +0200
From: Acris Antibodies / OriGene Europe <[email protected]>
and
Received: from web03.acris-antibodies.com (web03.acris-antibodies.com
[178.63.70.136])
...
Subject: Live Webinar: All about Lenti-Virus
Date: Tue, 20 Sep 2016 hh:mm:ss +0200
From: Acris Antibodies / OriGene Europe <[email protected]>