Spyware Warrior
Help with Spyware, Hijacking & Other Internet Nuisances
Global Contact - another spamlist vendor

 
olliver
Posted: Thu Aug 06, 2009 2:14 am    Post subject: Global Contact - another spamlist vendor

These fellows seem to focus on the German market and claim to be based in the UK with an office in Berlin, Germany. Yet all of their connectivity is based in Poland...

Quote:
Delivered-To: <spamtrap>
Received: by 10.223.110.146 with SMTP id {snip};
Wed, 5 Aug 2009 66:66:66 -0700 (PDT)
Received: by 10.204.115.143 with SMTP id {snip};
Wed, 05 Aug 2009 66:66:66 -0700 (PDT)
Return-Path: <info@info.gb-data.info>
Received: from info.gb-data.info (aqw236.internetdsl.tpnet.pl [83.17.182.236])
by mx.google.com with ESMTP id {snip};
Wed, 05 Aug 2009 66:66:66 -0700 (PDT)

Received-SPF: neutral (google.com: 83.17.182.236 is neither permitted nor denied by best guess record for domain of info@info.gb-data.info) client-ip=83.17.182.236;
Authentication-Results: mx.google.com; spf=neutral (google.com: 83.17.182.236 is neither permitted nor denied by best guess record for domain of info@info.gb-data.info) smtp.mail=info@info.gb-data.info
To: <spamtrap>
From: info@info.gb-data.info
Subject: Nachricht
Date: Thu, 6 Aug 2009 66:66:66 +0200
Message-ID: <{snip}@info.gb-data.info>
X-Mailer: WebMail
Content-Transfer-Encoding: 8bit
Content-Type: text/plain; charset="iso-8859-1"
Mime-Version: 1.0

Guten Tag,

Wir bieten Ihnen eine neue Firmendatenbank an - Auflage 2009.

Dank der Kataloge der deutschen Firmen ist es möglich schnell neue Kunden zu gewinnen, was zu einer wesentlichen Erhöhung des Einkommens der Firma führt.

Die Datenbanken beinhalten die vollständige Firmenadresse, Kontaktinformationen, Ansprechpartner. Alle Adressen sind nach Branche/ Unterbranche und nach Region aufgeteilt.
Wir stellen Ihnen die Programme zur Verfügung, die notwendig sind um eine erfolgreiche Werbekampagne durchzuführen, sowohl per Email als auch Fax.

Nur jetzt haben Sie die Möglichkeit unser besonderes Sommerangebot zu nutzen, das bis zum 11. August 2009 gültig ist.

Alle wichtigen Informationen finden Sie auf unserer Website:

http://www.gb-data.net/

Mit freundlichem Gruß,

Global - Contact Team


The text does not seem to be written by a native German speaker ("Dank der Kataloge der deutschen Firmen [...]" is a giveaway -> a native speaker would write "Dank deutscher Firmenkataloge"), but still with a good command of that language. Anyway, here's a translation of the message body:

Quote:
Greetings,

We offer you a new company database - 2009 edition

Thanks to the catalogues of German companies it is possible to gain new customers quickly, which leads to an essential raise of the company's income [sic].

The databases contain complete company addresses, contacts, representatives. All addresses are sorted by industry/subindustry [sic] and region. We place the programmes at your disposal, which are necessary to perform a successful advertising campaign, both per email and per fax.

Only now have you got the chance to make use of our special summer offer, which is valid till August 11th, 2009

All important information you can find on our website:
http://www.gb-data.net/

Kind regards,
Global - Contact Team

Translation note: I tried to keep the translation as authentic as possible, including all the grammar and wording awkwardness of the original.

If we visit their website, we can find the following contacts:

Quote:
Impressum

Adresse:

GlobalContact

2nd Floor LPL
145-157 St John Street
London
EC1V 4PY
United Kingdom

E-mail: info@glob-contact.de
Internet: http://www.glob-contact.de

Korrespondenzanschrift:

GlobalContact

Joachimstaler Str. 4
10623 Berlin
Deutschland

source: http://www.gl-ct.net/?lang=eng&page=impressum

Other domains by this spam outfit (feed your spam filters with them, if you wish ;)):


83.17.182.232 is the sender, a static DSL address in Poland:
Quote:
inetnum: 83.17.182.232 - 83.17.182.239
netname: CUSTOMER-IDSL-049745
descr: static IP
descr: KOCK
descr: POLAND
country: PL
admin-c: TPHT
tech-c: TPHT
status: ASSIGNED PA
mnt-by: TPNET
source: RIPE # Filtered


Seen several times by Project Honey Pot already:
Quote:
83.17.182.236 [Spam Server]

The Project Honey Pot system has detected behavior from the IP address consistent with that of a mail server.

http://www.projecthoneypot.org/ip_83.17.182.236

I'm not sure whether 83.17.182.232/29 is under control of the spammer or just some clueless, heavily infested customer of TPnet (note that you can set A records to any IP address you wish, so this criterion is not really an indicator of ownership).

The locations of the other servers (where the ownership is undisputed):
Quote:
inetnum: 80.51.89.0 - 80.51.89.255
netname: ALFA-SYSTEM
descr: Alfa-System S.J.
descr: ul. Witosa 9
descr: 44-190 Knurow
descr: Poland
country: PL
admin-c: TW8917-RIPE
tech-c: TG849-RIPE
status: ASSIGNED PA
mnt-by: TPNET
source: RIPE # Filtered


Quote:
inetnum: 89.161.128.0 - 89.161.191.255
netname: HOMEPL
descr: home.pl webhosting farm - static allocation
country: PL
admin-c: hNA8-RIPE
tech-c: hNA8-RIPE
status: ASSIGNED PA
mnt-by: HOMENET-MNT
source: RIPE # Filtered

role: home.pl Network Administrators
address: home.pl sp.j.
address: Plac Rodla 9
address: 70-419 Szczecin
address: Poland
phone: +48 801 44 55 55
phone: +48 91 432 55 55
fax-no: +48 91 432 55 99
admin-c: SJ27-RIPE
tech-c: GB10591-RIPE
nic-hdl: hNA8-RIPE
mnt-by: HOMENET-MNT
source: RIPE # Filtered
abuse-mailbox: abuse {without edges} home.pl


Quote:
inetnum: 195.116.35.0 - 195.116.35.255
netname: ALFA-SYSTEM
descr: ALFA-SYSTEM M. Piwowarski, A. Widera spolka jawna
descr: ul. Lotnikow 6
descr: 44-196 Knurow
country: PL
admin-c: TW8917-RIPE
tech-c: TG849-RIPE
status: ASSIGNED PA
mnt-by: TPNET
source: RIPE # Filtered


Note that 195.116.35.25, apart from hosting a lot of spam domains, is also a known harvester:
Quote:
195.116.35.251 [Email Address Harvester] [Spam Server]

The Project Honey Pot system has detected behavior from the IP address consistent with that of a spam harvester and mail server.

http://www.projecthoneypot.org/ip_195.116.35.251

The spam domains exhibit the usual spammer signs (anonymised domains):

Quote:
Domain Name: glob-adressen.net
Registrar: CSMJBS Enterprises


Registrant Contact

Name: CSMJBS Enterprises - Private Registration
Address: 412 Lavender Ct.
N. Las Vegas, NV, 89031-0520
US

Email Address: webmaster@glob-adressen.net
Phone Number: (910) 321-1200


Administrative Contact

Name: CSMJBS Enterprises - Private Registration
Address: 412 Lavender Ct.
N. Las Vegas, NV, 89031-0520
US

Email Address: webmaster@glob-adressen.net
Phone Number: (910) 321-1200


Technical Contact

Name: CSMJBS Enterprises - Private Registration
Address: 412 Lavender Ct.
N. Las Vegas, NV, 89031-0520
US

Email Address: webmaster@glob-adressen.net
Phone Number: (910) 321-1200


Record Created on........ 2009-03-11 06:35:13.747
Expire on................ 2010-03-11 06:39:04.000

Domain servers in listed order:

dns.alfa-system.pl
dns2.alfa-system.pl


Quote:
Domain Name: gl-ct.net
Registrar: CSMJBS Enterprises


Registrant Contact

Name: CSMJBS Enterprises - Private Registration
Address: 412 Lavender Ct.
N. Las Vegas, NV, 89031-0520
US

Email Address: webmaster@gl-ct.net
Phone Number: (910) 321-1200


Administrative Contact

Name: CSMJBS Enterprises - Private Registration
Address: 412 Lavender Ct.
N. Las Vegas, NV, 89031-0520
US

Email Address: webmaster@gl-ct.net
Phone Number: (910) 321-1200


Technical Contact

Name: CSMJBS Enterprises - Private Registration
Address: 412 Lavender Ct.
N. Las Vegas, NV, 89031-0520
US

Email Address: webmaster@gl-ct.net
Phone Number: (910) 321-1200


Record Created on........ 2007-05-27 16:10:37.305
Record last updated on... 2009-06-19 05:03:20.210
Expire on................ 2010-05-27 05:03:19.808

Domain servers in listed order:

dns.alfa-system.pl
dns2.alfa-system.pl


And so on... Note that CSMJBS Enterprises is the anonymisation service, not the spammer.

Previous spams from this outfit that hit my traps:


Quote:
info

Aw: Anfrage.‎ - … Mit freundlichem Gruß, Global - Contact Team

===============

info

Nachricht von GlobData‎ - … db-kontakt.net/ -- Global Contact http://www.db-kontakt.net

===============

GC

Anfrage.‎ - … www.globaladressen.net/ -- Global Contact http://www.globaladressen.net

===============

Information

AW: Antwort.‎ - … gcom-adressen.net/ -- Global Contact http://www.gcom-adressen.net

===============

G-Contact

AW: Antwort.‎ - … und Herren, Firma Global Contact bietet Ihnen personalisierte Adresskataloge deutscher Firmen sowie Unternehmen an. Mit Hilfe unserer Datenbanken (opt-in) sowie …

===============

Global - Contact

Neue Angebot.‎ - … Grüßen - Ihr Glob-Contact - Team

===============

GC

AW: Anfrage.‎ - … www.gbadressen.net Global - Contact

===============

GC-Kontakt

Angebot.‎ - … db-firmenadressen.net Global - Contact

===============

G - Contact

Information‎ - … http://www.db-contact.net -- Global Contact http://www.db-contact.net


O.
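Added example, not part of olliver's post: a Python sketch of the header reading done above, which picks out the one `Received` hop written by the receiving MX and compares the sender-supplied HELO name with the reverse DNS name and IP that the MX observed. The function names `boundary_hop` and `in_allocation` are hypothetical, and the sample message is assembled from the header lines quoted in the post.

```python
import email
import ipaddress
import re

# Constructed sample built from the header lines quoted in the post
# ({snip} and the redacted times are kept exactly as posted).
RAW = (
    "Delivered-To: <spamtrap>\n"
    "Received: by 10.223.110.146 with SMTP id {snip};\n"
    " Wed, 5 Aug 2009 66:66:66 -0700 (PDT)\n"
    "Return-Path: <info@info.gb-data.info>\n"
    "Received: from info.gb-data.info (aqw236.internetdsl.tpnet.pl [83.17.182.236])\n"
    " by mx.google.com with ESMTP id {snip};\n"
    " Wed, 05 Aug 2009 66:66:66 -0700 (PDT)\n"
    "From: info@info.gb-data.info\n"
    "Subject: Nachricht\n\n"
)

# "from HELO (rDNS [IP]) by HOST"; the rDNS part is optional, as in "([80.55.32.179])".
HOP = re.compile(r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>[^\s\[\]]+)\s+)?"
                 r"\[(?P<ip>[0-9A-Fa-f.:]+)\]\)\s+by\s+(?P<by>\S+)")


def boundary_hop(raw, our_mx):
    """Return the hop recorded by our own MX, the only hop we can trust."""
    msg = email.message_from_string(raw)
    for value in msg.get_all("Received", []):
        m = HOP.search(value)
        if m and m.group("by").lower() == our_mx:
            hop = m.groupdict()
            hop["ip"] = ipaddress.ip_address(hop["ip"])
            # HELO is chosen by the sender; rDNS and IP are observed by our MX.
            hop["helo_matches_rdns"] = (hop["rdns"] is not None
                                        and hop["helo"].lower() == hop["rdns"].lower())
            return hop
    return None


def in_allocation(hop, cidr):
    """True if the connecting IP lies inside a whois allocation given as CIDR."""
    return hop["ip"] in ipaddress.ip_network(cidr)
```
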
olliver
Posted: Thu Aug 13, 2009 7:25 am    Post subject: Global Contact, take II

The lads from Poland returned with another smashing offer...

Quote:
Guten Tag,

wir bieten Ihnen ein vollkommen neues Produkt an, mit dem Sie schnell neue Kunden gewinnen werden.

Die Konkurrenz sucht täglich nach neuen Methoden der Kundengewinnung, unser produkt ermöglicht dies auf effektive Weise.

Schon in den ersten Tagen in denen Sie unsere neuen Lösungen ausprobieren, werden Sie den Unterschied sehen. Unsere Produkte sind die perfekte Lösung zur Gewinnung neuer Kunden und zur Überbietung der Konkurrenz.

Als Beweis der Wirksamkeit unserer Produkte steht die Liste der zufriedenen Kunden, die dank unserer Lösungen schnell und effektiv die entsprechende Zielgruppe, die ihre Dienstleistungen und Produkte gesucht hat, erreichten.

Selbstverständlich ist unser Angebot nicht bindend und man kann es ignorieren, jedoch wäre es nicht schade neue Kunden zu verlieren?

Alle wichtigen Informationen finden Sie auf unserer Website:

http://www.gn-data.net/

Mit freundlichem Gruß


Translation to illustrate the context:
Quote:
[...]
we offer you an entirely new product that will enable you to gain new customers quickly.

Competition is looking for new methods of gaining customers daily, our product makes this happen in an effective way.

Within the first days you try our new solutions you will spot the difference. Our products are the perfect solution to the extraction (sic!) [1] of new customers and overbidding (sic!) [2] of the competition.

As a proof of efficiency of our products stands the list of satisfied customers who, thanks to our solutions, reached the corresponding target audience, who was looking for their services and solutions.

As a matter of course, our offer is not binding and one can ignore it, but wouldn't it be a pity to lose new customers?

All important details you can find on our website
[...]

[1] "Gewinnung" is exclusively used in the sense of "extraction" or "production".
[2] "Überbietung" does not exist in German.


It is interesting to note that unlike previous instances, they avoid mentioning anything that resembles associations with spamlists for sale. Presumably they figured out that mentioning these makes quite good filter fodder and will decrease the likelihood of actually delivered messages.

The headers indicate some changes:
Quote:
Delivered-To: <spamtrap>
Received: by 10.216.29.196 with SMTP id {snip};
Wed, 12 Aug 2009 66:66:66 -0700 (PDT)
Received: by 10.204.7.75 with SMTP id {snip};
Wed, 12 Aug 2009 66:66:66 -0700 (PDT)
Return-Path: <info@info.gn-data.info>
Received: from info.gn-data.info ([80.55.32.179])
by mx.google.com with ESMTP id {snip};
Wed, 12 Aug 2009 66:66:66 -0700 (PDT)

Received-SPF: neutral (google.com: 80.55.32.179 is neither permitted nor denied by best guess record for domain of info@info.gn-data.info) client-ip=80.55.32.179;
Authentication-Results: mx.google.com; spf=neutral (google.com: 80.55.32.179 is neither permitted nor denied by best guess record for domain of info@info.gn-data.info) smtp.mail=info@info.gn-data.info
To: <spamtrap>
From: info@info.gn-data.info
Subject: Nachricht
Date: Thu, 13 Aug 2009 66:66:66 +0200
Message-ID: <{snip}@info.gn-data.info>
X-Mailer: WebMail
Content-Transfer-Encoding: 8bit
Content-Type: text/plain; charset="iso-8859-1"
Mime-Version: 1.0


The sender is, like the last spam, a static /29 courtesy of TPnet:
Quote:
inetnum: 80.55.32.176 - 80.55.32.183
netname: CUSTOMER-IDSL-000541
descr: static IP
descr: WARSZAWA
descr: POLAND
country: PL
admin-c: TPHT
tech-c: TPHT
status: ASSIGNED PA
mnt-by: TPNET
source: RIPE # Filtered


The domains involved:
info.gn-data.info -> 80.55.32.179

Listed by Project Honey Pot:
http://www.projecthoneypot.org/ip_80.55.32.179

Interestingly, gn-data.info leads to yet another static /29 range:

gn-data.info -> 79.190.105.68

Quote:
inetnum: 79.190.105.64 - 79.190.105.71
netname: CUSTOMER-IDSL-137449
descr: static IP
descr: SOLEC KUJAWSKI
descr: POLAND
country: PL
admin-c: TPHT
tech-c: TPHT
status: ASSIGNED PA
mnt-by: TPNET
source: RIPE # Filtered


Listed by Project Honey Pot:
http://www.projecthoneypot.org/ip_79.190.105.68

It seems our Polish friends have no shortage of disposable /29 ranges ;) The spamvertised domain gb-data.net is hosted on the already known 80.51.89.2 server.

If someone were to reply to this offer by writing back to the sender, he/she/it would notice that it doesn't work as expected:

Quote:
olliver@kaori:~$ host -t mx info.gn-data.info
info.gn-data.info has no MX record

As an explanation: Concerning mail delivery, subdomains are treated like actual domains. That is, they need to point to an extra MX in case they are part of an email address. If they don't, the subdomain (not the actual domain!) will be tried for delivery. Sadly, there is no SMTP service listening for that target:

Quote:
olliver@kaori:~$ host info.gn-data.info
info.gn-data.info has address 80.55.32.179
olliver@kaori:~$ telnet 80.55.32.179 25
Trying 80.55.32.179...

[time out after a while]


To all appearances, their spam is "read-only" and prospective customers need to visit the website in order to get in touch with "Global Contact".

O.
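Added example, not part of olliver's post: the MX lookup and fallback described above, modelled in Python over a small constructed zone so it runs offline. Only the A record of info.gn-data.info comes from the post's `host` output; the parent-domain MX, the `example` hosts, the listener set and the function names are assumptions made for the illustration.

```python
"""SMTP target selection for a reply address (RFC 5321 section 5.1)."""

# Constructed zone data. Only the A record of info.gn-data.info is taken from
# the post; the parent-domain MX is made up to show that a subdomain does not
# inherit it.
ZONE = {
    "gn-data.info": {"MX": [(10, "mx.example.net")]},                 # constructed
    "info.gn-data.info": {"A": ["80.55.32.179"]},                     # from the post
    "mx.example.net": {"A": ["192.0.2.25"]},                          # constructed
    "nomail.example.org": {"MX": [(0, ".")], "A": ["192.0.2.80"]},    # constructed
}
# Addresses that accept connections on port 25 in this model (constructed).
SMTP_LISTENERS = {"192.0.2.25"}


def delivery_targets(domain, zone=ZONE):
    """Return the ordered hosts a sending MTA would try for `domain`."""
    name = domain.lower().rstrip(".")
    records = zone.get(name, {})
    mx = sorted(records.get("MX", []))
    if mx:
        # RFC 7505 null MX: the domain declares that it accepts no mail.
        if len(mx) == 1 and mx[0][1] == ".":
            return []
        return [host for _pref, host in mx]
    # No MX at this exact name: the parent's MX is not consulted. The name
    # itself is used as an implicit MX if it has an address record.
    if records.get("A") or records.get("AAAA"):
        return [name]
    return []


def reply_path(address, zone=ZONE, listeners=SMTP_LISTENERS):
    """Classify whether a reply to `address` can be delivered in this model."""
    domain = address.rsplit("@", 1)[1]
    targets = delivery_targets(domain, zone)
    if not targets:
        return "undeliverable: no MX and no address record"
    for host in targets:
        for ip in zone.get(host, {}).get("A", []):
            if ip in listeners:
                return f"deliverable via {host} ({ip})"
    return f"undeliverable: no SMTP listener on {', '.join(targets)}"
```
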
sotet
Posted: Sun Sep 27, 2009 1:52 pm

Interesting finds, olliver, I am not familiar with that particular spam run.
All times are GMT - 8 Hours