Something calling itself “ScienceDomain International Ltd”, apparently of Third Floor, 207 Regent Street, London, W1B 3HH, continues to turn up in spamtraps. They have existed as a UK company twice, but both registrations have been dissolved (Reg. No 07794635 – Dissolved on 14 January 2014; Reg. No 08988029 – Dissolved on 24 November 2015). Nonetheless, they process personal data without having ever registered with the Information Commissioner’s Office, which in itself is a criminal act in the United Kingdom.
A recent spam led us to perform a reverse DNS scan of the OVH netblock 37.59.222.0/24. The relevant part ranges from .160 to .191:
161.222.59.37.in-addr.arpa. 86400 IN PTR server.ijeart-publication.net.
162.222.59.37.in-addr.arpa. 86400 IN PTR server3.sciencedomainn.net.
168.222.59.37.in-addr.arpa. 86400 IN PTR server5.mark-riese.net.
169.222.59.37.in-addr.arpa. 86400 IN PTR server4.mark-riese.net.
170.222.59.37.in-addr.arpa. 86400 IN PTR server3.mark-riese.net.
171.222.59.37.in-addr.arpa. 86400 IN PTR server2.mark-riese.net.
172.222.59.37.in-addr.arpa. 86400 IN PTR server1.mark-riese.net.
173.222.59.37.in-addr.arpa. 86400 IN PTR server.irpublication.me.
174.222.59.37.in-addr.arpa. 86400 IN PTR server.woar-journals.net.
175.222.59.37.in-addr.arpa. 86400 IN PTR server1.sciencedomainn.net.
176.222.59.37.in-addr.arpa. 86400 IN PTR server.eclatpub.net.
177.222.59.37.in-addr.arpa. 86400 IN PTR server.sciencedomaines.net.
178.222.59.37.in-addr.arpa. 86400 IN PTR server.indore-infoline.net.
179.222.59.37.in-addr.arpa. 86400 IN PTR server.ijoear.website.
180.222.59.37.in-addr.arpa. 86400 IN PTR server.ijoer.org.
181.222.59.37.in-addr.arpa. 86400 IN PTR server2.sciencedomainn.net.
182.222.59.37.in-addr.arpa. 86400 IN PTR server1.ikpres.net.
183.222.59.37.in-addr.arpa. 86400 IN PTR server.ikpres.net.
184.222.59.37.in-addr.arpa. 86400 IN PTR server.mark-riese.net.
185.222.59.37.in-addr.arpa. 86400 IN PTR server.erpublication.net.
187.222.59.37.in-addr.arpa. 86400 IN PTR server.ijeas.biz.
188.222.59.37.in-addr.arpa. 86400 IN PTR server.ijntr.com.
189.222.59.37.in-addr.arpa. 86400 IN PTR server.astropublication.net.
190.222.59.37.in-addr.arpa. 86400 IN PTR server.actiondna.biz.
which gives us some identification and a few more IPs and domain names to list. Out of the above, ijeart-publication.net had already been listed on 20151218, sciencedomaines.net yesterday (20160101), ijoer.org on 20151208, ikpres.net 20151226, erpublication.net 20151110, ijeas.biz 20151029, ijntr.com as IKPRESS 20150826, and astropublication.net as enet-blaster on 20151128.
The /24 and all remaining domain names have now been listed. OVH will be alerted.
In February 2015, they were spamming through SendGrid, and were promptly terminated by the same.
In March 2015, they were spamming through Turbo-SMTP, and were promptly terminated by the same.
In April 2015, they were spamming through Mandrill, and (yes, you guessed it) were promptly terminated by the same.
X-Mandrill-User: md_30321211
Fresh spam in:
Let’s see about this netblock:
This WholesaleInternet /24 is now listed. The /27 is not suballocated in ARIN WHOIS or WholesaleInternet RWHOIS, which is a violation of ARIN policies.
Response just in from the ICO, as well.
Manisha Basumondal / Manisha Basu, DOB 4/1979, and Pinaki Mondal, DOB 12/1976, whatcha gonna do when dey come for you?
Last week, spamming from SparkPost. We expect this to be very short-lived indeed.
Now spamming from the German ISP Contabo.
Listed the /18.
Added 213.136.64.0/20, another Contabo range.
It seems we have failed to blog about the inclusion of all of Velianet’s ranges on our BL because of this. Here’s an example:
$ host -t txt 109.217.61.37.bl.scientificspam.net
109.217.61.37.bl.scientificspam.net descriptive text "[SCIENCEDOMAIN] /20 escalation - Velianet supporting ScienceDomain Intl Ltd spammers https://scientificspam.net/?p=256 [email protected] 20170324"
Velianet have been in touch.
85.195.64.0/18
146.0.224.0/19
37.61.208.0/20
134.119.176.0/20
are listed. Since they claim they are unable to use the Received: lines (indicating HELO, rDNS and IP) to figure out who the customer is, even though the data set consists of 150 unique entries in these networks that have been doing this since June 2016, they figured they’d get their way by threatening legal action. It so happens that Velianet is a Go Daddy subsidiary these days; the guys at Go Daddy will probably think otherwise.
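The name queried in the host -t txt example above is the sender's IPv4 address with its octets reversed, placed under the blocklist zone, which is the same convention the in-addr.arpa PTR names follow. The Python below is an added example, not code from this blog: it recovers IPs from PTR scan lines, builds the DNSBL query name, and checks an address offline against the ranges this post says are listed. The function names are hypothetical, and no DNS queries are made.

```python
import ipaddress

ZONE = "bl.scientificspam.net"  # DNSBL zone queried in the post
# Ranges the post says are listed; nothing here comes from a live lookup.
LISTED = [ipaddress.ip_network(n) for n in (
    "37.59.222.0/24", "213.136.64.0/20", "85.195.64.0/18",
    "146.0.224.0/19", "37.61.208.0/20", "134.119.176.0/20")]
# Two PTR records copied from the scan output in the post.
SAMPLE = """\
161.222.59.37.in-addr.arpa. 86400 IN PTR server.ijeart-publication.net.
180.222.59.37.in-addr.arpa. 86400 IN PTR server.ijoer.org.
"""

def ip_from_reverse_name(name, suffix):
    """Recover the IPv4 address from a reversed-octet name under suffix."""
    name, suffix = name.rstrip(".").lower(), suffix.rstrip(".").lower()
    if not name.endswith("." + suffix):
        raise ValueError(f"{name} is not under {suffix}")
    labels = name[:-len(suffix) - 1].split(".")
    if len(labels) != 4:
        raise ValueError(f"expected four octet labels in {name}")
    return ipaddress.IPv4Address(".".join(reversed(labels)))

def dnsbl_query_name(ip, zone=ZONE):
    """Build the name to query (TXT or A) for an IPv4 address in a DNSBL."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def covering_range(ip):
    """Return the most specific listed range containing ip, or None."""
    hits = [n for n in LISTED if ipaddress.IPv4Address(ip) in n]
    return max(hits, key=lambda n: n.prefixlen) if hits else None

def triage_ptr_lines(text):
    """Turn 'name TTL IN PTR target' lines into (ip, host, range) rows."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) == 5 and f[2:4] == ["IN", "PTR"]:
            ip = ip_from_reverse_name(f[0], "in-addr.arpa")
            net = covering_range(ip)
            rows.append((str(ip), f[4].rstrip("."), str(net) if net else None))
    return rows

if __name__ == "__main__":
    for row in triage_ptr_lines(SAMPLE):
        print(*row)
    print(dnsbl_query_name("37.61.217.109"), covering_range("37.61.217.109"))
```

The address 37.61.217.109 from the TXT example falls inside 37.61.208.0/20, which matches the "/20 escalation" wording in that record.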