Norwegian spammer
January 4, 2005: He had to renew his visa, and was captured. He was wanted in connection with another matter. Hopefully he’ll be charged with the spamming as well, even if he did it from another country.
—————
December 20, 2005: The spammer came by this page today. Still on the same net connection that he spammed from.
————
He’s at it again, December 3rd, 2005. New post about that spamrun.
He’s still at it. I just received another one. This time he’s spamming straight from India:
Received: from Lars ([203.101.44.130]) by munged with mungedantispamsolution; Thu, 17 Nov 2005 19:49:01 +0100
————-
A Norwegian sent a few hundred thousand spams from India during the last few days (I assume he’s either in India or has a machine there). I got three of them to various defunct addresses (postmaster mailbox at work).
I’ve had e-mail before that I thought was Norwegian spam. What was unique about this one was that he sent it to personal e-mail addresses.
In Norway, it’s illegal to send spam to personal e-mail addresses. It’s unfortunately still legal to send to various “company” addresses, but not to specific employees or private citizens.
The first time I saw this particular spam, I wondered if it was sent to a company, as a legitimate sales mail (well, legitimate according to the law). But some checking of the mail logs soon disabused me of that notion.
Unfortunately, news about this joker isn’t easy to come by. I’ve only found one news story so far. He’s been thrown out of two web hotels. One of them is the one that got tagged in the headers below.
Here are some headers:
Return-Path:
Received: (qmail 3941 invoked from network); 16 Nov 2005 08:26:00 -0000
Received: from munged
    by 0 with SMTP; 16 Nov 2005 08:26:00 -0000
Received: from mx.webhuset.no ([81.27.32.102]) by munged with
    mungedspamfilter; Wed, 16 Nov 2005 09:31:01 +0100
Received: (qmail 22895 invoked by uid 502); 16 Nov 2005 08:34:31 -0000
Received: from dsl-chn-static-130.44.101.203.touchtelindia.net (HELO dnr2)
    (salg@nor-plast.no@203.101.44.130) by 0 with ESMTPA; 16 Nov 2005 08:34:31
    -0000
Reply-To:
From: "Norsk Plastimport"
To:
Subject: =?iso-8859-1?Q?Til_innkj=F8psansvarlig?=
Date: Wed, 16 Nov 2005 12:09:35 +0530
Organization: NPI
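An added example, not part of the original post: the last three Received lines of the sample above, parsed oldest-first to find the hop where the message entered the mail system. The function names and the regular expressions (written for the qmail and Exim header styles shown on this page) are this example's own assumptions; "munged" is the post's own redaction.

```python
import email
import ipaddress
import re

# Last three Received lines of the post's first sample (folding restored; Subject/body constructed).
SAMPLE = """\
Received: from mx.webhuset.no ([81.27.32.102]) by munged with
    mungedspamfilter; Wed, 16 Nov 2005 09:31:01 +0100
Received: (qmail 22895 invoked by uid 502); 16 Nov 2005 08:34:31 -0000
Received: from dsl-chn-static-130.44.101.203.touchtelindia.net (HELO dnr2)
    (salg@nor-plast.no@203.101.44.130) by 0 with ESMTPA; 16 Nov 2005 08:34:31
    -0000
Subject: constructed

constructed body
"""

IP_RE = re.compile(r"[\[@](\d{1,3}(?:\.\d{1,3}){3})[\])]")  # "[ip]" or "ident@ip)"

def hops(raw):
    """Network hops, oldest first. Local qmail hand-offs have no 'from' and are skipped."""
    out = []
    for value in reversed(email.message_from_string(raw).get_all("Received", [])):
        line = " ".join(value.split())  # unfold continuation lines
        sender = re.match(r"from\s+(\S+)", line)
        if not sender:
            continue
        ip = IP_RE.search(line)
        by = re.search(r"\sby\s+(\S+)", line)
        proto = re.search(r"\swith\s+([\w-]+)", line)
        out.append({"from": sender.group(1), "by": by.group(1) if by else None,
                    "ip": ip.group(1) if ip else None,
                    "with": proto.group(1).upper() if proto else None})
    return out

def is_public(ip):
    try:
        return ipaddress.ip_address(ip).is_global
    except ValueError:  # malformed or forged address literal
        return False

def entry_hop(raw):
    """Earliest hop naming a public client IP; ESMTPA/ESMTPSA means SMTP AUTH was used (RFC 3848)."""
    for hop in hops(raw):
        if hop["ip"] and is_public(hop["ip"]):
            return dict(hop, authenticated=hop["with"] in {"ESMTPA", "ESMTPSA"})
    return None

if __name__ == "__main__":
    print(entry_hop(SAMPLE))
```

Received lines below the first relay you trust are written by systems you do not control and can be forged, so treat the result as a lead to confirm with that relay's operator.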
Whois info:
Organization Name..........: EXCURIA NORGE
Organization Number........: 988485381
Post Address...............: Lilleakerveien 25
Postal Code................: N-0283
Postal Area................: OSLO
Country....................: Norway
Phone Number...............: +47 22 08 36 80
Fax Number.................: +47 22 08 36 81
Email Address..............: excurianorge@yahoo.no
This is a subsidiary of a company registered in the UK. He is under a quarantine in Norway against starting new companies, but this was a way he could get around that.
The domain no longer resolves, of course.
Ah, found a second news story, including a photo.
——–
December 5th, 2005 at 3:21 pm
[…] porting to Alestra Norwegian spammer at it again I wrote about a Norwegian spammer a while back. He’s at it again. And this time he says it’s no […]
February 8th, 2006 at 2:14 am
He’s back .. as of 8th of February 2005. I got his mail today … Here are some headers (my email has been censored to aaa@bbb.cc):
From - Wed Feb 08 08:38:39 2006
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
From salg@plastsekker.com Wed Feb 08 01:26:24 2006
Return-path:
Received: from [10.9.9.162] (helo=pepper.runbox.com)
    by fenris.runbox.com with esmtp (Exim 4.50)
    id 1F6dA8-0006Q1-1U
    for aaa@bbb.cc; Wed, 08 Feb 2006 01:26:24 +0100
Received: from exim by pepper.runbox.com with spamfilter (Exim 4.50)
    id 1F6dA6-0003l1-Pa
    for aaa@bbb.cc; Wed, 08 Feb 2006 01:26:23 +0100
Received: from [209.59.175.26] (helo=host2.domenepartner.com)
    by pepper.runbox.com with esmtps (TLS-1.0:DHE_RSA_AES_256_CBC_SHA:32)
    (Exim 4.50)
    id 1F6dA4-0003k9-S3
    for aaa@bbb.cc; Wed, 08 Feb 2006 01:26:22 +0100
Received: from 216-140-159.0101.adsl.tele2.no ([193.216.140.159]:4413 helo=PC09)
    by host2.domenepartner.com with esmtpa (Exim 4.52)
    id 1F6cpt-0003Ia-1i; Wed, 08 Feb 2006 01:05:37 +0100
Reply-To:
From: "Salg av avfallssekker"
To:
Subject: =?iso-8859-1?Q?Tilbud_p=E5_avfallssekker_-_kr_5=2C50_Pr._Rull_-_Kr_110=2C?=
    =?iso-8859-1?Q?-_Pr._Kartong._?=
Date: Wed, 8 Feb 2006 00:52:00 +0100
Message-ID:
MIME-Version: 1.0
Content-Type: multipart/related;
    boundary="----=_NextPart_000_0206_01C62C4B.F221F980"
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook, Build 10.0.4024
Importance: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
X-ClamAntiVirus-Scanner: This mail is clean
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - host2.domenepartner.com
X-AntiAbuse: Original Domain - runbox.no
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - plastsekker.com
X-Source:
X-Source-Args:
X-Source-Dir:
X-Spam-Checker-Version: SpamAssassin 3.0.3 (2005-04-27) on pepper.runbox.com
X-Spam-Level: ***
X-Spam-Status: No, score=3.6 required=5.0 tests=DCC_CHECK,HTML_90_100,
    HTML_EMBEDS,HTML_FONT_BIG,HTML_MESSAGE,HTML_TAG_EXIST_MARQUEE
    autolearn=disabled version=3.0.3
This is a multi-part message in MIME format.
February 8th, 2006 at 4:50 am
Now that you tell me, I had a few messages whiz by on my server as well. Not as many as last time.
The domain plastsekker.com was registered February 6 for one year, according to whois.sc. But the registrar claims it wasn’t registered with them. Chances are they’ve suspended or removed the domain already.
Here’s the output from whois.sc today:
PLASTSEKKER.COM
Alexa Trend/Rank: Not Ranked
Website Status: not active
Blacklist Status: Clear
Record Type: Domain Name
Name Server: NS1.DNS-WEB2.NET NS2.DNS-WEB2.NET
ICANN Registrar: DIRECT INFORMATION PVT LTD D/B/A PUBLICDOMAINREGISTRY.COM
Created: 06-feb-2006
Expires: 06-feb-2007
Status: ACTIVE
plastsekker.com is not registered by us.