As my regular readers will know, I run an antispam and antivirus email filtering service called antibodyMX. About two weeks ago, I started seeing some deeply weird junk traffic coming through. A lot of it. It was odder because it was going to an awful lot of different domains we filter. Statistically we filter a very very tiny set of domains and to see junk mail arriving for many of them all at the same time was very strange indeed.
The domain names the mails were being sent from were also strange. They were all .co.uk domains and all not-quite-words. Here are a few:
bagumbayansa.co.uk balabagansa.co.uk balambanred.co.uk balangasere.co.uk balangigada.co.uk balangkayansa.co.uk
All the domains are registered to an individual called Chris Hepworth, a company called Communicado, “World trading Partners BVI 1611097”, “Phil Neck”, or some combination thereof. I called them up and asked what was going on. I was asked to send an email explaining the problem; I did, and got no reply.
More mail from yet more domains kept arriving, the domain count got up to over 300.
Using the resources of a somewhat underground entity known to some as The Fish Tank, I spoke to someone who suggested I sign up to Nominet’s PRSS tool which would let me search for domains more easily. I did so and started domain hunting.
I fed the list of domains I had through a trigram analyser and used the results of that to tease more domains out of the search tool; “qua” was especially useful, finding more than 80 domains.
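To show what the trigram step looks like in practice, here is an added example (my code, not the author's analyser) that takes the six domains quoted above, counts which three-letter fragments are shared across them, and scores a candidate domain by how much of it is built from fragments already seen. It assumes .co.uk is the only suffix that matters; SAMPLE_DOMAINS is constructed from the list in the post.

```python
from collections import Counter

# Constructed sample: the six domains quoted in the post above.
SAMPLE_DOMAINS = [
    "bagumbayansa.co.uk", "balabagansa.co.uk", "balambanred.co.uk",
    "balangasere.co.uk", "balangigada.co.uk", "balangkayansa.co.uk",
]


def label_of(domain: str) -> str:
    """Return the registered label of a domain, dropping the public suffix.

    Only the suffixes relevant to the post are handled; anything else
    falls back to the first label (an assumption made for this example).
    """
    domain = domain.strip().lower().rstrip(".")
    for suffix in (".co.uk", ".org.uk", ".uk"):
        if domain.endswith(suffix):
            return domain[: -len(suffix)]
    return domain.split(".")[0]


def trigrams(label: str) -> set:
    """Distinct overlapping three-letter substrings of a label."""
    return {label[i:i + 3] for i in range(len(label) - 2)}


def trigram_counts(domains) -> Counter:
    """Count, for each trigram, how many domains in the corpus contain it.

    Counting per domain rather than per occurrence stops one long label
    from dominating the ranking.
    """
    counts = Counter()
    for domain in domains:
        counts.update(trigrams(label_of(domain)))
    return counts


def top_trigrams(counts: Counter, n: int = 5) -> list:
    """Most widely shared trigrams, ties broken alphabetically.

    These are the substrings worth feeding to a registry search tool
    to find siblings of the known domains.
    """
    ranked = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return [trigram for trigram, _ in ranked[:n]]


def score(domain: str, counts: Counter) -> float:
    """Fraction of a candidate's trigrams already seen in the corpus.

    Used to triage search results: a candidate scoring near 1.0 is built
    from the same fragments as the known set, one scoring near 0 is not.
    """
    candidate = trigrams(label_of(domain))
    if not candidate:
        return 0.0
    return sum(1 for t in candidate if t in counts) / len(candidate)


if __name__ == "__main__":
    counts = trigram_counts(SAMPLE_DOMAINS)
    print("search seeds:", top_trigrams(counts))
    for candidate in ("balangasere.co.uk", "example.co.uk"):
        print(f"{candidate}: {score(candidate, counts):.2f}")
```

On the six sample domains the seeds come out as "ala" and "bal" (five of six domains each), which is exactly the kind of fragment that a registry search turns into more hits; the score is a cheap way to sort those hits before reading them by hand.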
More mail from yet more domains kept arriving, the domain count got up to over 800.
Searching the web and talking to people, I found that an awful lot of people I knew were getting unwanted email from these people. I also found one lady who is taking them to court. I tried calling them again; my voicemail has not been returned.
Today I have spoken to the Information Commissioner’s Office who say they are very interested in the data I have collected. It will be interesting to see what, if anything, they choose to pursue here. On the face of it, Communicado do appear to be breaching the DPA.
I have been told there is no immediate reason why I cannot publish the list of domains I have collected. You can find it here; it currently contains 5249 domains (the count at earlier updates to this post: 1255, 3971, 4500, 4539, 5145). An example use might be an ACL on your mail server. If you run exim, you would add an ACL along the lines of:
deny message = http://blog.hinterlands.org/2013/10/unwanted-email-from-communicado-ltd/
     sender_domains = ${if exists{/etc/exim4/hepworth.txt}{/etc/exim4/hepworth.txt}}
The file will be updated as and when I have time. If you want to capture it via a cronjob, you’re welcome to but please:
- DO email me to tell me you’re doing so, and from which host(s). You have permission when you click send.
- DO tell relevant colleagues and friends about it.
- DO consider donating a little money to charity. Because of my nephew, I suggest here.
- DON’T cron it for an obvious time like “12am and 12pm”. Spread the load, please.
You do, of course, use this list entirely at your own risk.
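Before feeding a downloaded copy of the list into an ACL it is worth normalising it, because exim reads each line of a list file as a list item and gives a leading "!", "*", "^", "@" or "+" special meaning (negation, wildcard, regex, the local host, a named list). The following is an added example, not the author's script: it sanitises a constructed stand-in for the file (RAW_LIST, with deliberately odd lines), deduplicates it, writes it atomically under an assumed path, and returns a random delay a cron job can sleep for so fetches are spread out as asked above.

```python
import os
import random
import re
import tempfile

# Constructed stand-in for a freshly downloaded copy of the list. The
# odd lines show what an untrusted list could carry into an exim ACL.
RAW_LIST = """\
# a comment line
bagumbayansa.co.uk
Balabagansa.CO.UK   
balambanred.co.uk.
balabagansa.co.uk
!example.co.uk
*.co.uk
^bal.*\\.co\\.uk$
not a domain
"""

# Plain hostname syntax: dotted labels of letters, digits and hyphens.
HOSTNAME = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$"
)

# Leading characters exim gives special meaning to in a domain list:
# '!' negates, '*' is a wildcard, '^' starts a regex, '@' is this host,
# '+' references a named list. None of them belong in a plain blocklist.
SPECIAL_PREFIXES = "!*^@+"


def sanitise(text: str):
    """Return (accepted, rejected): accepted is a sorted, deduplicated list
    of plain domains; rejected holds the raw lines that were dropped."""
    accepted, rejected, seen = [], [], set()
    for raw in text.splitlines():
        line = raw.strip().lower().rstrip(".")
        if not line or line.startswith("#"):
            continue
        if line[0] in SPECIAL_PREFIXES or not HOSTNAME.match(line):
            rejected.append(raw)
            continue
        if line not in seen:
            seen.add(line)
            accepted.append(line)
    return sorted(accepted), rejected


def render(domains) -> str:
    """One domain per line, the format exim reads from a list file."""
    return "".join(f"{d}\n" for d in domains)


def install(domains, path: str) -> None:
    """Write the list atomically so exim never reads a half-written file."""
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".hepworth.")
    with os.fdopen(fd, "w") as fh:
        fh.write(render(domains))
    os.chmod(tmp, 0o644)
    os.replace(tmp, path)


def jitter_seconds(window: int = 3600) -> int:
    """Random delay for a cron job so fetches don't all land on the hour."""
    return random.randrange(window)


if __name__ == "__main__":
    accepted, rejected = sanitise(RAW_LIST)
    print(f"accepted {len(accepted)}, rejected {len(rejected)}: {rejected}")
    # Hypothetical destination; on a real server this would be the path
    # named in the ACL, e.g. /etc/exim4/hepworth.txt.
    install(accepted, os.path.join(tempfile.gettempdir(), "hepworth.txt"))
    print(f"sleep {jitter_seconds()} seconds before the next fetch")
```

Anything rejected is worth eyeballing: a legitimate entry that fails the hostname check is a bug in the list, and a line that starts with a special character should never be there at all.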
HELO names and IPs seen this month that sent mails from domains on your list, sorted by frequency:
24 enrilegita.co.uk H=(smtp2.enrilegita.co.uk) [109.202.103.61]
19 iguigteros.co.uk H=(smtp1.iguigteros.co.uk) [67.159.32.10]
19 hurvabne.co.uk H=(smtp9.hurvabne.co.uk) [76.73.91.117]
19 hinbangana.co.uk H=(smtp4.hinbangana.co.uk) [192.151.147.229]
19 hernandeza.co.uk H=(smtp1.hernandeza.co.uk) [212.7.198.60]
19 gleraquozys.co.uk H=(smtp1.gleraquozys.co.uk) [192.151.147.226]
19 galimuyoda.co.uk H=(smtp6.galimuyoda.co.uk) [177.85.96.169]
19 fortierasa.co.uk H=(smtp14.fortierasa.co.uk) [76.73.91.29]
19 forniernos.co.uk H=(smtp11.forniernos.co.uk) [76.73.91.26]
19 catanduane.co.uk H=(smtp7.catanduane.co.uk) [64.235.54.30]
19 carboquozu.co.uk H=(smtp4.carboquozu.co.uk) [188.240.33.117]
19 carboquovu.co.uk H=(smtp3.carboquovu.co.uk) [188.240.33.116]
19 calubians.co.uk H=(smtp1.calubians.co.uk) [188.240.33.114]
19 aparrianas.co.uk H=(smtp4.aparrianas.co.uk) [177.85.96.167]
19 alumihevente.co.uk H=(smtp5.alumihevente.co.uk) [177.85.96.168]
16 pennasle.co.uk H=(smtp12.pennasle.co.uk) [76.73.91.27]
16 nickequovo.co.uk H=(smtp14.nickequovo.co.uk) [76.73.91.29]
16 candijayla.co.uk H=(smtp1.candijayla.co.uk) [109.202.100.43]
16 bleryquorume.co.uk H=(smtp13.bleryquorume.co.uk) [76.73.91.28]
15 vurvasce.co.uk H=(smtp3.vurvasce.co.uk) [27.131.144.21]
15 klyraquorume.co.uk H=(smtp2.klyraquorume.co.uk) [109.202.100.53]
15 ilumiquoule.co.uk H=(smtp2.ilumiquoule.co.uk) [188.240.33.115]
15 ibaanbatas.co.uk H=(smtp7.ibaanbatas.co.uk) [91.213.11.239]
15 hingyonlos.co.uk H=(smtp13.hingyonlos.co.uk) [76.73.91.28]
15 hernanilia.co.uk H=(smtp2.hernanilia.co.uk) [212.7.198.245]
15 dumalagian.co.uk H=(smtp10.dumalagian.co.uk) [76.73.91.118]
15 carboheverlse.co.uk H=(smtp4.carboheverlse.co.uk) [109.202.103.63]
15 barirata.co.uk H=(smtp9.barirata.co.uk) [91.213.11.225]
15 apayaotesa.co.uk H=(smtp3.antiquarim.co.uk) [207.244.67.233]
14 tungaquovi.co.uk H=(smtp3.tungaquovi.co.uk) [207.244.67.233]
14 opalaquovo.co.uk H=(smtp14.opalaquovo.co.uk) [91.213.11.230]
14 klyraquovi.co.uk H=(smtp12.klyraquovi.co.uk) [91.213.11.228]
14 jetsoquove.co.uk H=(smtp11.jetsoquove.co.uk) [91.213.11.227]
14 guiposobio.co.uk H=(smtp1.guiposobio.co.uk) [64.235.54.86]
14 gleraquoule.co.uk H=(smtp10.gleraquoule.co.uk) [91.213.11.226]
14 catubigian.co.uk H=(smtp6.catubigian.co.uk) [91.213.11.222]
14 cabugaona.co.uk H=(smtp2.cabugaona.co.uk) [192.151.147.227]
13 wurvilke.co.uk H=(smtp13.wurvilke.co.uk) [91.213.11.229]
13 unclaquovo.co.uk H=(smtp6.unclaquovo.co.uk) [64.235.54.29]
13 sapharachap.co.uk H=(smtp2.sapharachap.co.uk) [64.235.54.87]
13 hurlaquoza.co.uk H=(smtp3.hurlaquoza.co.uk) [91.213.11.235]
13 hurlaquovy.co.uk H=(smtp2.hurlaquovy.co.uk) [109.202.100.57]
13 hungduanos.co.uk H=(smtp16.hungduanos.co.uk) [91.213.11.232]
13 glerahevente.co.uk H=(smtp1.glerahevente.co.uk) [91.213.11.233]
13 flinarachai.co.uk H=(smtp5.flinarachai.co.uk) [192.151.147.230]
13 dumalnegre.co.uk H=(smtp5.dumalnegre.co.uk) [162.210.197.15]
13 dichoharu.co.uk H=(smtp2.dichoharu.co.uk) [192.96.201.42]
13 davaonia.co.uk H=(smtp5.davaonia.co.uk) [207.244.67.235]
13 cuyochola.co.uk H=(smtp8.cuyochola.co.uk) [64.235.54.31]
13 cadiznile.co.uk H=(smtp1.cadiznile.co.uk) [109.202.100.52]
13 bacacayle.co.uk H=(smtp7.bacacayle.co.uk) [91.213.11.223]
12 ifugaobagi.co.uk H=(smtp1.ifugaobagi.co.uk) [91.213.11.248]
12 ibajayfern.co.uk H=(smtp8.ibajayfern.co.uk) [91.213.11.240]
12 hindangara.co.uk H=(smtp3.hindangara.co.uk) [192.151.147.228]
12 fortierasa.co.uk H=(smtp12.fortierasa.co.uk) [76.73.91.27]
12 emeraheverlyn.co.uk H=(smtp7.bacacayle.co.uk) [91.213.11.223]
12 caylabnere.co.uk H=(smtp5.caylabnere.co.uk) [192.151.145.46]
12 candontian.co.uk H=(smtp1.candontian.co.uk) [27.131.144.19]
12 bleryheverlyn.co.uk H=(smtp1.bleryheverlyn.co.uk) [192.151.147.226]
11 saphaquovi.co.uk H=(smtp2.saphaquovi.co.uk) [192.96.201.42]
11 granderlia.co.uk H=(smtp3.granderlia.co.uk) [207.244.67.233]
11 ganassilos.co.uk H=(smtp15.ganassilos.co.uk) [76.73.91.30]
11 alumirachad.co.uk H=(smtp1.alumirachad.co.uk) [109.202.103.60]
10 hinigarana.co.uk H=(smtp9.hinigarana.co.uk) [76.73.91.117]
10 bisligno.co.uk H=(smtp4.bisligno.co.uk) [192.151.145.45]
9 yurveche.co.uk H=(smtp5.yurveche.co.uk) [91.213.11.237]
9 vitriquovi.co.uk H=(smtp6.vitriquovi.co.uk) [64.235.54.91]
9 rencanle.co.uk H=(smtp3.rencanle.co.uk) [109.202.100.54]
9 precoquovi.co.uk H=(smtp6.precoquovi.co.uk) [91.213.11.238]
9 jetsorachap.co.uk H=(smtp6.jetsorachap.co.uk) [64.235.54.91]
9 ilumiquoze.co.uk H=(smtp6.ilumiquoze.co.uk) [64.235.54.29]
9 igbarasios.co.uk H=(smtp2.igbarasios.co.uk) [91.213.11.249]
9 hurlarachal.co.uk H=(smtp4.hurlarachal.co.uk) [91.213.11.236]
9 hondaguara.co.uk H=(smtp15.hondaguara.co.uk) [91.213.11.231]
9 guiuanlosa.co.uk H=(smtp2.guiuanlosa.co.uk) [188.240.33.115]
9 gleraquovo.co.uk H=(smtp2.gleraquovo.co.uk) [91.213.11.234]
9 glerahevinge.co.uk H=(smtp4.glerahevinge.co.uk) [64.235.54.89]
9 gleraheverlse.co.uk H=(smtp1.gleraheverlse.co.uk) [64.235.54.24]
9 eruvasno.co.uk H=(smtp3.eruvasno.co.uk) [192.151.147.228]
9 ecijanueva.co.uk H=(smtp5.ecijanueva.co.uk) [91.213.11.221]
9 dipacula.co.uk H=(smtp2.dipacula.co.uk) [64.235.54.87]
9 carborachai.co.uk H=(smtp5.carborachai.co.uk) [188.240.33.118]
9 calbigan.co.uk H=(smtp5.calbigan.co.uk) [64.235.54.90]
9 bruvnile.co.uk H=(smtp4.bruvnile.co.uk) [109.202.100.59]
9 bleryheverlse.co.uk H=(smtp4.bleryheverlse.co.uk) [192.151.145.45]
9 bilirano.co.uk H=(smtp3.bilirano.co.uk) [64.235.54.88]
7 canlaonter.co.uk H=(smtp5.canlaonter.co.uk) [162.210.197.15]
6 jetsoquottre.co.uk H=(smtp2.jetsoquottre.co.uk) [27.131.144.20]
5 klyraquoshe.co.uk H=(smtp3.klyraquoshe.co.uk) [109.202.100.58]
5 ilumirachal.co.uk H=(smtp8.ilumirachal.co.uk) [64.235.54.31]
5 iliganfant.co.uk H=(smtp1.iliganfant.co.uk) [64.235.54.24]
5 flinaquoza.co.uk H=(smtp4.flinaquoza.co.uk) [192.151.147.229]
4 senbarle.co.uk H=(smtp1.senbarle.co.uk) [64.235.54.24]
4 klyrarachan.co.uk H=(smtp8.klyrarachan.co.uk) [64.235.54.93]
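As an added example (not part of the comment above), this parses lines in the shape of that list, sums message counts per /24 so the handful of sending netblocks stands out behind the hundreds of domains, and flags two things the list already hints at: HELO names that do not belong to the sender domain, and single IPs sending for several domains. SAMPLE_LINES is a constructed excerpt of six of the lines above.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the same shape as the list above (six of its lines).
SAMPLE_LINES = """\
24 enrilegita.co.uk H=(smtp2.enrilegita.co.uk) [109.202.103.61]
19 fortierasa.co.uk H=(smtp14.fortierasa.co.uk) [76.73.91.29]
16 nickequovo.co.uk H=(smtp14.nickequovo.co.uk) [76.73.91.29]
15 apayaotesa.co.uk H=(smtp3.antiquarim.co.uk) [207.244.67.233]
13 bacacayle.co.uk H=(smtp7.bacacayle.co.uk) [91.213.11.223]
12 emeraheverlyn.co.uk H=(smtp7.bacacayle.co.uk) [91.213.11.223]
"""

# count, sender domain, HELO name in H=(...), IPv4 address in [...]
LINE = re.compile(r"^\s*(\d+)\s+(\S+)\s+H=\((\S+)\)\s+\[([0-9.]+)\]\s*$")


def parse(text: str) -> list:
    """Rows of (count, sender_domain, helo_name, ip); unparseable lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            rows.append((int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return rows


def slash24(ip: str) -> str:
    """Collapse an IPv4 address to its /24, e.g. 76.73.91.29 -> 76.73.91.0/24."""
    return ".".join(ip.split(".")[:3]) + ".0/24"


def volume_by_prefix(rows) -> Counter:
    """Message counts summed per /24: many domains, few netblocks."""
    totals = Counter()
    for count, _domain, _helo, ip in rows:
        totals[slash24(ip)] += count
    return totals


def helo_mismatches(rows) -> list:
    """Rows whose HELO name is not a host under the sender domain."""
    return [r for r in rows if r[2] != r[1] and not r[2].endswith("." + r[1])]


def shared_ips(rows) -> dict:
    """IPs that sent for more than one sender domain."""
    domains = defaultdict(set)
    for _count, domain, _helo, ip in rows:
        domains[ip].add(domain)
    return {ip: ds for ip, ds in domains.items() if len(ds) > 1}


if __name__ == "__main__":
    rows = parse(SAMPLE_LINES)
    for prefix, total in volume_by_prefix(rows).most_common():
        print(f"{total:4d}  {prefix}")
    for _count, domain, helo, ip in helo_mismatches(rows):
        print(f"HELO mismatch: {domain} announced as {helo} from {ip}")
    for ip, ds in shared_ips(rows).items():
        print(f"{ip} sent for {len(ds)} domains: {', '.join(sorted(ds))}")
```

The per-prefix totals are the useful output for a defender: a domain list needs updating every time a new name is registered, whereas the netblocks change far more slowly, so they make a more durable basis for scoring or rate-limiting.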
We’re using this within Spamassassin to give a couple of extra points, which is definitely helping to mark messages as spam. Thanks!
Dear Sir
Following on from a recent test case, may I suggest following my lead on this.
Send these idiots a letter telling them that you are levying a £10 charge to review each of their unsolicited messages, and then DO invoice them appropriately. If they do not pay (obviously) then issue proceedings in the County Court.
I’m sure then they will back down. I’ve just been warned by my ISP about the amount of bandwidth these numpties are hijacking with spam.
Apologies for my post; I didn’t realise someone else had already done this. But I would recommend everyone follow suit; at worst, court action will lose you £80 (unlikely costs would be awarded if you lost).