ScienceDomain International and/or IK Press

Something calling itself “ScienceDomain International Ltd”, apparently of Third Floor, 207 Regent Street, London, W1B 3HH, continues to turn up in spamtraps. They have existed as a UK company twice, but both registrations have been dissolved (Reg. No 07794635 – Dissolved on 14 January 2014; Reg. No 08988029 – Dissolved on 24 November 2015). Nonetheless, they process personal data without ever having registered with the Information Commissioner’s Office, which in itself is a criminal act in the United Kingdom.


A recent spam led us to perform a reverse DNS scan of the OVH netblock 37.59.222.0/24. The relevant part ranges from .160 to .191:

161.222.59.37.in-addr.arpa. 86400 IN    PTR     server.ijeart-publication.net.
162.222.59.37.in-addr.arpa. 86400 IN    PTR     server3.sciencedomainn.net.
168.222.59.37.in-addr.arpa. 86400 IN    PTR     server5.mark-riese.net.
169.222.59.37.in-addr.arpa. 86400 IN    PTR     server4.mark-riese.net.
170.222.59.37.in-addr.arpa. 86400 IN    PTR     server3.mark-riese.net.
171.222.59.37.in-addr.arpa. 86400 IN    PTR     server2.mark-riese.net.
172.222.59.37.in-addr.arpa. 86400 IN    PTR     server1.mark-riese.net.
173.222.59.37.in-addr.arpa. 86400 IN    PTR     server.irpublication.me.
174.222.59.37.in-addr.arpa. 86400 IN    PTR     server.woar-journals.net.
175.222.59.37.in-addr.arpa. 86400 IN    PTR     server1.sciencedomainn.net.
176.222.59.37.in-addr.arpa. 86400 IN    PTR     server.eclatpub.net.
177.222.59.37.in-addr.arpa. 86400 IN    PTR     server.sciencedomaines.net.
178.222.59.37.in-addr.arpa. 86400 IN    PTR     server.indore-infoline.net.
179.222.59.37.in-addr.arpa. 86400 IN    PTR     server.ijoear.website.
180.222.59.37.in-addr.arpa. 86400 IN    PTR     server.ijoer.org.
181.222.59.37.in-addr.arpa. 86400 IN    PTR     server2.sciencedomainn.net.
182.222.59.37.in-addr.arpa. 86400 IN    PTR     server1.ikpres.net.
183.222.59.37.in-addr.arpa. 86400 IN    PTR     server.ikpres.net.
184.222.59.37.in-addr.arpa. 86400 IN    PTR     server.mark-riese.net.
185.222.59.37.in-addr.arpa. 86400 IN    PTR     server.erpublication.net.
187.222.59.37.in-addr.arpa. 86400 IN    PTR     server.ijeas.biz.
188.222.59.37.in-addr.arpa. 86400 IN    PTR     server.ijntr.com.
189.222.59.37.in-addr.arpa. 86400 IN    PTR     server.astropublication.net.
190.222.59.37.in-addr.arpa. 86400 IN    PTR     server.actiondna.biz.

which gives us some identification and a few more IPs and domain names to list. Out of the above, ijeart-publication.net had already been listed on 20151218, sciencedomaines.net yesterday (20160101), ijoer.org on 20151208, ikpres.net 20151226, erpublication.net 20151110, ijeas.biz 20151029, ijntr.com as IKPRESS 20150826, and astropublication.net as enet-blaster on 20151128.

The /24 and all remaining domain names have now been listed. OVH will be alerted.
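The scan output above can be turned back into addresses, grouped per domain and reduced to the smallest covering block before listing. This is an added example, not code from the original post: the function names are illustrative, the base-domain split is a naive last-two-labels assumption (no Public Suffix List), and the sample lines are a subset of the PTR records quoted above.

```python
import ipaddress
from collections import defaultdict

# Subset of the PTR lines quoted in the post (owner, TTL, class, type, target).
SAMPLE = """\
161.222.59.37.in-addr.arpa. 86400 IN    PTR     server.ijeart-publication.net.
162.222.59.37.in-addr.arpa. 86400 IN    PTR     server3.sciencedomainn.net.
172.222.59.37.in-addr.arpa. 86400 IN    PTR     server1.mark-riese.net.
175.222.59.37.in-addr.arpa. 86400 IN    PTR     server1.sciencedomainn.net.
184.222.59.37.in-addr.arpa. 86400 IN    PTR     server.mark-riese.net.
190.222.59.37.in-addr.arpa. 86400 IN    PTR     server.actiondna.biz.
"""

def parse_ptr(text):
    """Yield (IPv4Address, hostname) for each 'owner TTL IN PTR target' line."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[2:4] != ["IN", "PTR"]:
            continue  # blank lines, comments, other record types
        owner = fields[0].rstrip(".").lower()
        if not owner.endswith(".in-addr.arpa"):
            continue
        try:  # owner labels are the address octets in reverse order
            ip = ipaddress.IPv4Address(".".join(reversed(owner[:-13].split("."))))
        except ValueError:
            continue  # partial or classless (RFC 2317) owner names
        yield ip, fields[4].rstrip(".").lower()

def by_domain(records):
    """Group addresses by base domain (assumption: last two labels)."""
    groups = defaultdict(list)
    for ip, host in records:
        groups[".".join(host.split(".")[-2:])].append(ip)
    return dict(groups)

def covering_block(ips):
    """Smallest single CIDR block that contains every address in ips."""
    ips = sorted(ips)
    net = ipaddress.ip_network(f"{ips[0]}/32")
    while ips[-1] not in net:  # widen one bit at a time until the top fits
        net = net.supernet()
    return net

if __name__ == "__main__":
    recs = list(parse_ptr(SAMPLE))
    print(covering_block(ip for ip, _ in recs))
    print(by_domain(recs))
```

On these sample lines the covering block comes out as the .160 to .191 range the post identifies as the relevant part of the /24.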

10 thoughts on “ScienceDomain International and/or IK Press”

  1. RocketScientist Post author

    In February 2015, they were spamming through SendGrid, and were promptly terminated by the same.

    In March 2015, they were spamming through Turbo-SMTP, and were promptly terminated by the same.

    In April 2015, they were spamming through Mandrill, and (yes, you guessed it) were promptly terminated by the same. X-Mandrill-User: md_30321211

  2. RocketScientist Post author

    Fresh spam in:

    Received-SPF: pass (ikkprress.com: 69.197.144.195 is authorized to use          
            '[email protected]' in 'mfrom' identity (mechanism                      
            'ip4:69.197.144.192/27' matched)) receiver=x
            identity=mailfrom; envelope-from="[email protected]";                   
            helo=mta1.ikpreess.com; client-ip=69.197.144.195                        
    

    Let’s see about this netblock:

    195.144.197.69.in-addr.arpa. 38400 IN   PTR     mta1.ikpreess.com.
    196.144.197.69.in-addr.arpa. 38400 IN   PTR     mta2.ikpreess.com.
    204.144.197.69.in-addr.arpa. 29698 IN   PTR     mta1.sciiencedomaiins.com.
    205.144.197.69.in-addr.arpa. 38400 IN   PTR     mta2.sciiencedomaiins.com.
    206.144.197.69.in-addr.arpa. 38399 IN   PTR     mta3.sciiencedomaiins.com.
    207.144.197.69.in-addr.arpa. 38400 IN   PTR     mta4.sciiencedomaiins.com.
    208.144.197.69.in-addr.arpa. 38399 IN   PTR     mta5.sciiencedomaiins.com.
    209.144.197.69.in-addr.arpa. 38399 IN   PTR     mta6.sciiencedomaiins.com.
    210.144.197.69.in-addr.arpa. 33213 IN   PTR     mta3.ikpreess.com.
    211.144.197.69.in-addr.arpa. 38399 IN   PTR     mta4.ikpreess.com.
    

    This WholesaleInternet /24 is now listed. The /27 is not suballocated in ARIN WHOIS or WholesaleInternet RWHOIS, which is a violation of ARIN policies.

  3. RocketScientist Post author

    Response just in from the ICO, as well.

    I understand that you are concerned that Science Domain is not registered with the ICO for processing personal data and does not appear to have valid and up to date records on Companies House.

    After searching our register for data controllers, it appears to be the case that Science Domain is not registered with the ICO as you have outlined. I have therefore referred this matter to our Notifications department who will carry out the relevant steps in relation to Science Domain’s registration with us.

    Manisha Basumondal / Manisha Basu, DOB 4/1979, and Pinaki Mondal, DOB 12/1976, whatcha gonna do when dey come for you?

  4. RocketScientist Post author

    Now spamming from the German ISP Contabo.

    237.236.212.173.in-addr.arpa. 86400 IN  PTR     mta3.ikkppress.org.
    238.236.212.173.in-addr.arpa. 86400 IN  PTR     mta3.ikkppress.org.
    239.236.212.173.in-addr.arpa. 86400 IN  PTR     mta1.yourjournal4u.org.
    240.236.212.173.in-addr.arpa. 86400 IN  PTR     mta2.yourjournal4u.org.
    241.236.212.173.in-addr.arpa. 86400 IN  PTR     mta3.yourjournal4u.org.
    242.236.212.173.in-addr.arpa. 86400 IN  PTR     mta4.yourjournal4u.org.
    243.236.212.173.in-addr.arpa. 86400 IN  PTR     mta1.ikkpress.org.
    244.236.212.173.in-addr.arpa. 86400 IN  PTR     mta2.ikkpress.org.
    245.236.212.173.in-addr.arpa. 86400 IN  PTR     mta3.ikkpress.org.
    246.236.212.173.in-addr.arpa. 86400 IN  PTR     mta4.ikkpress.org.
    248.236.212.173.in-addr.arpa. 86400 IN  PTR     server1.mqsend.org.
    249.236.212.173.in-addr.arpa. 86400 IN  PTR     server2.mqsend.org.
    250.236.212.173.in-addr.arpa. 86400 IN  PTR     server3.mqsend.org.
    251.236.212.173.in-addr.arpa. 86400 IN  PTR     server4.mqsend.org.
    

    Listed the /18.

  5. RocketScientist Post author

    Added 213.136.64.0/20, another Contabo range.

    96.76.136.213.in-addr.arpa. 3600 IN     PTR     mta1.yourjournal4.org.
    97.76.136.213.in-addr.arpa. 3600 IN     PTR     mta2.yourjournal4.org.
    98.76.136.213.in-addr.arpa. 3600 IN     PTR     mta3.yourjournal4.org.
    99.76.136.213.in-addr.arpa. 3600 IN     PTR     mta4.yourjournal4.org.
    101.76.136.213.in-addr.arpa. 3600 IN    PTR     mta1.mqsends.org.
    102.76.136.213.in-addr.arpa. 3600 IN    PTR     mta2.mqsends.org.
    103.76.136.213.in-addr.arpa. 3600 IN    PTR     mta3.mqsends.org.
    104.76.136.213.in-addr.arpa. 3600 IN    PTR     mta4.mqsends.org.
    
  6. RocketScientist Post author
    26.205.212.173.in-addr.arpa. 86400 IN   PTR     mta1.ikkppress.org.
    27.205.212.173.in-addr.arpa. 86400 IN   PTR     mta2.ikkppress.org.
    
  7. RocketScientist Post author

    It seems we have failed to blog about the inclusion of all of Velianet’s ranges on our BL because of this. Here’s an example:


    $ host -t txt 109.217.61.37.bl.scientificspam.net
    109.217.61.37.bl.scientificspam.net descriptive text "[SCIENCEDOMAIN] /20 escalation - Velianet supporting ScienceDomain Intl Ltd spammers https://scientificspam.net/?p=256 [email protected] 20170324"

  8. RocketScientist Post author

    Velianet have been in touch.

    85.195.64.0/18
    146.0.224.0/19
    37.61.208.0/20
    134.119.176.0/20

    are listed. Since they claim they are unable to use the Received: lines (indicating HELO, rDNS and IP) to figure out who the customer is, even though the data set consists of 150 unique entries in these networks that have been doing this since June 2016, they figured they’d get their way by threatening legal action. It so happens that Velianet is a Go Daddy subsidiary these days; the guys at Go Daddy will probably think otherwise.

  9. Pingback: CARTOONEY: Velianet, a subsidiary of Go Daddy Software | Scientific Spam
