So who was behind this spam? Well, the easiest way to find out was to pretend to be interested. I filled in the contact form on the site and eventually got a reply from an outfit called Email Movers Ltd. Now, let's be clear - I don't know 100% that Email Movers were responsible for sending the original spam, but somehow my "lead" ended up with this UK-based marketing company.
The enquiry I made was about PPI leads, the mainstay of many sleazy marketing outfits. The response I got was as follows:
From: Jonathan Coleman [jonathan.coleman@emailmovers.com]
Date: 23 May 2013 11:06
Subject: RE - PPI Leads
Hi [redacted],
Thank you for your enquiry. We have excellent PPI data consisting of over 1 million contacts.
The database consists of UK consumers who have taken out a loan within the last 6 years with a payment protection policy attached to the loan. We have called each consumer from a 300 seat call centre in order to verify these details. The flat file we used in order to contact these consumers was originally one of the country’s largest loan packagers completion files.
Available:
Data Name
Home address
Postcode
Landline telephone number
Mobile telephone number
Selections:
Available 300+ selections available via our syndicated multiple overlay platform.
Example selections include:
Credit rating
Credit history
Credit ac
-----------------------------------------------------------------
The data doesn't get released, we will conduct the email broadcast for you. Min order value applies, no less than 50 000 records and it is £1650. Other volumes are priced as following:
50,000 at £1650 + VAT
100,000 at £1990 + VAT
250,000 at £2700 + VAT
500,000 at £4300 + VAT
1 Million at £8000 + VAT
What do you think?
Jonathan Coleman
Senior Account Manager
D: +44 (0)1723 800022
T: +44 (0)845 226 7181
Trusted email validation Try Email Inspector | Targeted Marketing at a click Try Countrunner
Emailmovers Ltd, Pindar House, Thornburgh Road, Scarborough, North Yorkshire, YO11 3UY UK
Registered in England No. 5046417. Registered office: Medina House, No 2 Station Avenue, Bridlington, YO16 4LZ. United Kingdom.
View email disclaimer
This email comes from an emailmovers.com address with a link to a website emvrs.co. The email originates from a Google IP, so no real clue as to its origin.
Emailmovers have been around for quite a while, but they had attracted quite a lot of adverse comments for spam [1] [2] [3] [4] [5] [6] [7] [8] [9]. They have quite a lot of websites too, in addition to emailmovers.com and emvrs.co, but one in particular caught my eye.. the domain emailinspector.co.uk which is an "email validation" service. Check out the last paragraph in particular:
Email databases decay at an alarming rate. It is imperative to keep your data as accurate and as clean as possible to maintain a good sender reputation and improve the deliverability of your email list.
Email Inspector is a revolutionary new way of updating and cleansing your email addresses without risking blacklisting your IP. This online service allows you to upload bulk lists of email addresses to check for bounces, wrong addresses and duplicates and leaves you with a clean and up-to-date list that is ready for use.
We can also take your database in-house for further analysis to strip out known complainers and run it against our master spam trap file in our full bureau service.
There's another word for this process.. ListWashing. Legitimate mailing lists should never contain spamtrap data, this is only of use if dealing with scraped or malware-harvested email addresses. Exactly what sort of customers is Emailmovers after with a service like this?
The company QuotesPlease Ltd appears to be largely the same operation, with the same personnel and at the same address.
They own several other domains, at least one of which (email-databases.com) has been hacked (see report), also bizibuy.com has been compromised and defaced. theemailexpert.com has also been defaced recently. I don't know if those server contained any personally identifiable data or not.
Perhaps Emailmovers contracted out the lead generation to another party and buy those leads in good faith. I'm sure you can make up your own mind as to how likely that is.
These following domains all appear to belong to Emailmovers Ltd or QuotesPlease Ltd, do with them what you want:
5mins.co.uk
5mins.info
5minsmail.com
5mins-mail.com
5minsmail.net
5mins-mail.net
5mins-mail.org
5mins-ppm.com
5mins-update.com
b2bcompanylist.com
b2bemaillistsuk.com
b2bmailinglistsuk.com
b2bmarketingcompanieslist.com
bestemailmarketinglists.com
bizibuy.biz
bizibuy.com
businessmailinglistsuk.com
callmovers.co.uk
coastline-gallery.com
companiesthatsellemaillists.com
consumeremaillistsuk.com
countrunner.com
dataseeder.com
dataseeder.net
dataseeder.org
emailappending-emailmovers.com
emailcleansing.com
email-databases.com
emailinspector.info
emailinspector.net
emailinspector.org
emailliststobuy.com
emailmarketingconsultancy.com
emailmarketingconsultation.com
emailmovers.com
emm-mail.org
emm-news.com
ems300live.com
emvrs.co
enudge.com
freewordpresstemplates.biz
grannymave.co.uk
likemovers.com
mailinglistuk.com
onlinebusinessecards.com
quotesplease.co.uk
seedalert.com
socialmediaslot.com
theemailexpert.com
ukconsumeremaildatabase.com
ukconsumeremaillist.com
ukemaildata.com
workmug.com
Added: these following domains are also in use for the inital spam, plus there are more details on the comments section:
parkconnect.net
simplequotes.net
Added (II): some more domains these spammers use can be found here.
4 comments:
But wait, there's more!
I DIGged the domains and came up with an astonishing number of IPs upon which they are hosted:
109.235.51.98
184.168.221.40
184.168.221.41
184.168.221.45
184.168.221.47
184.168.221.59
184.168.221.62
188.138.94.230
188.65.115.75
195.62.29.142
217.199.161.194
46.252.196.1
50.63.202.32
50.63.202.39
50.63.202.47
50.63.202.48
50.63.202.60
62.233.121.64
66.147.244.75
69.195.124.73
74.220.199.6
81.27.104.157
83.222.232.148
91.208.99.12
95.142.159.2
95.172.26.38
So then, i ran passive dns on them, for those that aren't shared hosting I found these:
prospectdirect.org d8s A 109.235.51.98
www.prospectdirect.org d8s A 109.235.51.98
smtp.prospectdirect.org d8s A 109.235.51.98
ems300live.com d8s A 188.138.94.230
www.ems300live.com d8s A 188.138.94.230
mail.ems300live.com d8s A 188.138.94.230
messengerdesk.com d8s A 188.138.94.230
smtp.messengerdesk.com d8s A 188.138.94.230
5mins.co.uk d8s A 195.62.29.142
faxmovers.co.uk d8s A 195.62.29.142
callmovers.co.uk d8s A 195.62.29.142
greenermail.co.uk d8s A 195.62.29.142
mabelserver.co.uk d8s A 195.62.29.142
quotesplease.co.uk d8s A 195.62.29.142
businessdownloads.co.uk d8s A 195.62.29.142
countrunner.com d8s A 195.62.29.142
www.countrunner.com d8s A 195.62.29.142
emm-mail.org d8s A 217.199.161.194
smtp.emm-mail.org d8s A 217.199.161.194
smtp.charlie5em.com d8s A 83.222.232.148
5mins-mail.net d8s A 83.222.232.148
smtp.5mins-mail.net d8s A 83.222.232.148
5mins.info d8s A 83.222.232.148
smtp.5mins.info d8s A 83.222.232.148
emm-news.com d8s A 95.172.26.38
smtp.emm-news.com d8s A 95.172.26.38
@Spamfighter. Nice work :) These two domains also seem to be part of the fake initial email:
parkconnect.net
simplequotes.net
Just to add another domain
emdsvr.com
Just received Spam from Volvo, caught by our Spam filter but probably worth adding to your list :)
Just checked companies house here http://wck2.companieshouse.gov.uk//compdetails
Post a Comment