Blog for hpHosts, and whatever else I feel like writing about ....

Monday, 1 June 2009

VistaPrint spam - still happening after > 3 years!

I've never signed up for VistaPrint, never signed up for anything remotely related to them - so why have I been receiving spam from them for the last 3 odd years? I decided to find out.

The latest spam I received is below, and shows it's going through their marketing partners;

1. clicks.exclusivenetoffers.co.uk (67.213.94.242 - ns1.financetrackeronline.co.uk)
2. clickboothlnk.com (69.25.190.36)
3. publishers.clickbooth.com (67.216.238.10 - integraclick.wip.directresponsetech.com)
4. vistaprint.co.uk (69.17.223.12)

Actual headers

HTTP/1.1 302 Moved Temporarily
Connection: close
Date: Mon, 01 Jun 2009 15:46:27 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
location: http://www.clickboothlnk.com/e/?enc=bqyyvskfgsqyy&optionalinfo=_11645&deployid=0&land=0&pid=0
Content-Type: text/html; charset=UTF-8

HTTP/1.1 302 Found
Date: Mon, 01 Jun 2009 15:47:53 GMT
Server: Apache
X-Powered-By: PHP/5.2.4-2ubuntu5.3
Location: http://publishers.clickbooth.com/ez/bqyyvskfgsqyy/_11645&dp=0&l=0&p=0
Content-Length: 0
Connection: close
Content-Type: text/html

HTTP/1.1 301 Moved Permanently
Date: Mon, 01 Jun 2009 15:48:19 GMT
Server: Apache/1.3.41 (Unix) PHP/5.2.9 with Suhosin-Patch
Vary: Host
X-Server-Name: www@dc1dtweb142
X-Powered-By: PHP/5.2.9
Cache-Control: public, max-age=0, must-revalidate
P3P: policyref="/w3c/p3p.xml", CP="NOR NOI DSP COR ADM OUR PHY"
Set-Cookie: directtrack_click_integraclick=05ebc310a3b65ea15e3ecd02105bd4e6; expires=Tue, 02-Jun-2009 15:48:19 GMT; path=/
Set-Cookie: directtrack_lead_integraclick=05ebc310a3b65ea15e3ecd02105bd4e6; expires=Tue, 29-Sep-2009 15:48:19 GMT; path=/
Set-Cookie: directtrack_lead_integraclick=05ebc310a3b65ea15e3ecd02105bd4e6; expires=Tue, 29-Sep-2009 15:48:19 GMT; path=/; domain=.directtrack.com
Location: http://www.vistaprint.co.uk/vp/gateway.aspx?S=0494720417&affid=CD73818
Connection: close
Content-Type: text/html

HTTP/1.0 200 OK
Content-Type: text/html; charset=utf-8
Content-Encoding: gzip
Server: Microsoft-IIS/6.0
P3P: CP="VPRT "
X-AspNet-Version: 2.0.50727
X-Served-By: 33c2af3c1e6a66516efcaa19424c8ba4
Content-Length: 946
Vary: Accept-Encoding
Date: Mon, 01 Jun 2009 15:48:48 GMT
Connection: close
Set-Cookie: P=DF=0%3a&V=19.9&SID=0494720417&PID=346&TC=aAAS5AAAtACZRACZrACa4ACeYACf6ACg%2bAChGAChJAChSAChUAChuACh8ACh%2fACiXACilACisACivACi1ACi7ACi%2fACjPACjSACjYACjfACjkACjrACjvACj1ACj5ACj8ACj%2fACkHACkZACkbACkfACkjACk2ACk4AClFAClUAClbACljACmFACm4ACnJ; expires=Tue, 01-Jun-2010 15:48:48 GMT; domain=.vistaprint.co.uk; path=/
Set-Cookie: PSC=PDATE=6%2f1%2f2009+11%3a48%3a48+AM&SID=0494720417&TC=aAAS5AAAtACZRACZrACa4ACeYACf6ACg%2bAChGAChJAChSAChUAChuACh8ACh%2fACiXACilACisACivACi1ACi7ACi%2fACjPACjSACjYACjfACjkACjrACjvACj1ACj5ACj8ACj%2fACkHACkZACkbACkfACkjACk2ACk4AClFAClUAClbACljACmFACm4ACnJ&PSID=&pc=on&VID=936608645783&AFFID=CD73818&LANGID=2; expires=Tue, 01-Jun-2010 15:48:48 GMT; domain=.vistaprint.co.uk; path=/
Set-Cookie: SITE=sc=on&sps=0&ns=True&SPOTEXT=1&SUBSN=650745410&S=835508720; domain=.vistaprint.co.uk; path=/
Set-Cookie: tduid=; domain=.vistaprint.co.uk; path=/
Set-Cookie: v1st=E25D97E4B26DB6CF; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.vistaprint.co.uk
Expires: Sun, 31 May 2009 23:08:48 GMT
Cache-Control: private


From clickbooth.com, you're then taken to VistaPrint.co.uk.

Note for researchers: The links are Geo-location based, so you'll need to ensure you're using a UK proxy or you'll be given a "This offer is not available in your area" error

Exported by: Outlook Export v0.1.6


From: Vista
E-mail:ts@exclusivenetoffers.co.uk [ 67.213.94.242 - ns1.financetrackeronline.co.uk ]
Date: 01/06/2009 13:22:09
Subject: [SPAM] Congrats you've been selected to receive complementary products
**************************************************************************
Links
**************************************************************************

Link: http://clicks.exclusivenetoffers.co.uk/usertracking/ut/ot.asp?mid=11645&uid=244184
Domain: clicks.exclusivenetoffers.co.uk
IP: 67.213.94.242 [ ns1.financetrackeronline.co.uk ]
hpHosts Status: Listed
MDL Status: Not Listed
PhishTank Status: Unknown

Link: http://clicks.exclusivenetoffers.co.uk/usertracking/ut/cte.html?L=60137&mid=11645&UID=244184
Domain: clicks.exclusivenetoffers.co.uk
IP: 67.213.94.242 [ ns1.financetrackeronline.co.uk ]
hpHosts Status: Listed
MDL Status: Not Listed
PhishTank Status: Unknown

Link: http://www.eset.com
Domain: www.eset.com
IP: 72.3.254.86 [ www.eset.com ]
hpHosts Status: Not Listed
MDL Status: Not Listed
PhishTank Status: Unknown

Link: http://clicks.exclusivenetoffers.co.uk/usertracking/ut/cte.html?L=16544&mid=11645&UID=244184
Domain: clicks.exclusivenetoffers.co.uk
IP: 67.213.94.242 [ ns1.financetrackeronline.co.uk ]
hpHosts Status: Listed
MDL Status: Not Listed
PhishTank Status: Unknown

Link: http://clicks.exclusivenetoffers.co.uk/usertracking/ut/cte.html?L=16545&mid=11645&UID=244184
Domain: clicks.exclusivenetoffers.co.uk
IP: 67.213.94.242 [ ns1.financetrackeronline.co.uk ]
hpHosts Status: Listed
MDL Status: Not Listed
PhishTank Status: Unknown


**************************************************************************
Text Version
**************************************************************************
<http://clicks.exclusivenetoffers.co.uk/usertracking/ut/ot.asp?mid=11645&uid=244184>

If you can't read or see this email, Click Here <http://clicks.exclusivenetoffers.co.uk/usertracking/ut/cte.html?L=60137&mid=11645&UID=244184>

Get 250 FREE Business Cards Now! <http://clicks.exclusivenetoffers.co.uk/usertracking/ut/cte.html?L=60137&mid=11645&UID=244184>
<http://clicks.exclusivenetoffers.co.uk/usertracking/ut/cte.html?L=60137&mid=11645&UID=244184>
<http://clicks.exclusivenetoffers.co.uk/usertracking/ut/cte.html?L=60137&mid=11645&UID=244184> CONGRATULATIONS!
<http://clicks.exclusivenetoffers.co.uk/usertracking/ut/cte.html?L=60137&mid=11645&UID=244184> $FIRSTNAME$
You have been selected to receive
250 FREE business cards
+ a FREE business card holder!
Get 250 FREE Business Cards Now! <http://clicks.exclusivenetoffers.co.uk/usertracking/ut/cte.html?L=60137&mid=11645&UID=244184>
• Easy ordering in just minutes
• Choose from 42 designs
• Satisfaction guaranteed


Over 12,000,000 customers
can’t be wrong!

Order Now <http://clicks.exclusivenetoffers.co.uk/usertracking/ut/cte.html?L=60137&mid=11645&UID=244184>
<http://clicks.exclusivenetoffers.co.uk/usertracking/ut/cte.html?L=60137&mid=11645&UID=244184>
<http://clicks.exclusivenetoffers.co.uk/usertracking/ut/cte.html?L=60137&mid=11645&UID=244184>
Hurry! Exclusive limited time offer! <http://clicks.exclusivenetoffers.co.uk/usertracking/ut/cte.html?L=60137&mid=11645&UID=244184>

<http://clicks.exclusivenetoffers.co.uk/usertracking/ut/cte.html?L=60137&mid=11645&UID=244184>
Excludes VAT. Postage and pprocessing, product upgrades and photo/logo uploads not included unless otherwise specified. Not valid on previous purchases. See web site for details.
________________________________

VistaPrint provides the highest quality, full-colour graphic design and printing at the lowest prices!
VistaPrint has served more than 12,000,000 customers worldwide.
The products and services described in this e-mail are provided by VistaPrint Limited,
the international leader for webtop graphic design and printing.

<http://clicks.exclusivenetoffers.co.uk/usertracking/ut/cte.html?L=60137&mid=11645&UID=244184>

This email is intended for at the e-mail address CEO@IT-MATE.CO.UK. If you are not this person please click HERE <http://clicks.exclusivenetoffers.co.uk/usertracking/ut/cte.html?L=16544&mid=11645&UID=244184> to unsubscribe. You have been sent this e-mail because you opted in to receive e-mail on a website owned by one of our partners. This e-mail has been delivered to you by Trust Senders Inc., an independent marketing company. We are not directly affiliated with any of the companies advertised in our products, and any e-mail we deliver is brought to you solely by Trust Senders Inc., not the advertised company directly. If you would like to view our privacy policy click HERE <http://clicks.exclusivenetoffers.co.uk/usertracking/ut/cte.html?L=16545&mid=11645&UID=244184> . If you no longer desire to receive e-mail from Trust Senders Inc. then please use the appropriate Unsubscribe <http://clicks.exclusivenetoffers.co.uk/usertracking/ut/cte.html?L=16544&mid=11645&UID=244184> link, or write us at:

11-80 Mapleton Road | Suite 196 | Moncton, NB | E1C 7W8 | Canada


After a little scouring I came cross the UK freephone number, who gave me the number for their US corporate office;

VistaPrint Corporate: 001 781 652 6300
VistaPrint UK: 0800 028 8251

Calling their corporate office, I mentioned to the rep that I was receiving spam pointing to VistaPrint.co.uk for an offer for "250 free business cards", and since I've never registered for VistaPrint, wanted to know how they obtained my e-mail address (especially given the spam was coming to {random}@it-mate.co.uk), and further wanted the name and number of the marketing partner they used so I could speak to them concerning this issue.

Instead of answering my questions, the rep told me I had actually registered an account using the e-mail address owner@mydomin - something I've never done, then further told me that I had registered using a Compuserve address (again, something I've never done).

Since the latest e-mail came to ceo@mydomain, this was clearly balls as if I had registered for their companies rubbish, it would have come to owner@ since they advised that I'd registered using that e-mail address.

This begs the question, how did they get my address? Obviously someone registered with them using my address, that's a given, but does not answer the question of why their marketing partners, are sending spam for VP, to {random}@ .... Alas however, the VP rep I spoke to did not seem to want to give me the contact details for their partner, so I decided to go back to the e-mails themselves and see what I could digg up.

The first thing I started with was "Trust Senders Inc.", since that's who it claimed to come from (word of note, there have been thousands of these over the years, for varying sites, all claiming to come from a variety of companies - the company mentioned always changes after a few weeks). The Trust Senders Inc website gives the impression of it's being a legit professional marketing company - but alas nope, it's not. I decided first to try the phone number listed on their website and not surprisingly, it didn't work (number doesn't exist apparently), so I decided to see if the number was listed in the WhoIs;

http://hosts-file.net/?s=trustsenders.com&wn=1

Registration Service Provided By: Enom, Inc
Contact: CustomerSupport@enom.com
Visit: www.enom.com

Domain name: trustsenders.com

Administrative Contact:
Trust Senders Inc
Ian MacIsaac (domainadmin@trustsenders.com)
+1.6179340547
Fax: +1.
11-80 Mapleton Road
Suite 196
Moncton, NEW-BRUNSWICK E1C 7W8
CA

Technical Contact:
Trust Senders Inc
Ian MacIsaac (domainadmin@trustsenders.com)
+1.6179340547
Fax: +1.
11-80 Mapleton Road
Suite 196
Moncton, NEW-BRUNSWICK E1C 7W8
CA

Registrant Contact:
Trust Senders Inc
Ian MacIsaac ()

Fax:
11-80 Mapleton Road
Suite 196
Moncton, NEW-BRUNSWICK E1C 7W8
CA

Status: Locked

Name Servers:
NS1.TRUSTSENDERS.COM
NS2.TRUSTSENDERS.COM

Creation date: 01 Mar 2008 20:16:00
Expiration date: 01 Mar 2010 20:16:00


Alas, the number provided in the WhoIs doesn't work either - surprised? Me neither. I then decided to see if they had another website, and indeed they do (trustsendersflyers.com and trustsenderspartners.com), but alas the number is the same (at least they're consistent). But we're not done yet - looking at the IP netblock info, we see Trust Senders also owns the block they're using, under the name Trust Senders SPD - alas however, there's no contact details in the net-block info, so we'll have to go to SPD Networks instead, and see if we can get in touch with them (surely they've got a working phone number for them?).

SPD Networks however, also do not seem to have a telephone number, not on their contact page anyway;

http://www.spdnetwork.net/7209.html

Nor do they have a valid number in the WhoIs details;

http://hosts-file.net/?s=spdnetwork.net&wn=1

I'm not hopeful of an e-mail response, but I'll send them an e-mail anyway. In the meantime, some of the domains I've seen since this started include;

http://hosts-file.net/misc/VistaPrint_spam.html

pull.xmr3.com        137.236.223.2
www.xmr3.com        137.236.223.7
emailinform.co.uk        193.203.192.69
emailinform.com        193.203.192.69
www.emailinform.co.uk        193.203.192.69
myhomennow.com        204.92.139.147
content.myhomennow.com        204.92.139.148
ct.mykindofsound.co.uk        204.92.141.107
content.mykindofsound.co.uk        204.92.141.108
ct.mykindofsound.com        204.92.141.123
content.mykindofsound.com        204.92.141.124
ct.canwebetogether.com        204.92.141.155
content.canwebetogether.com        204.92.141.156
ct.myclubnow.co.uk        204.92.141.171
content.myclubnow.co.uk        204.92.141.172
ct.myclubnow.com        204.92.141.187
content.myclubnow.com        204.92.141.188
ct.traveltogethernow.com        204.92.141.219
content.traveltogethernow.com        204.92.141.220
ct.myhomennow.co.uk        204.92.141.235
content.myhomennow.co.uk        204.92.141.236
ht0.info        208.43.75.195
vistaprint.li        208.43.75.195
www.emc1.co.uk        212.50.164.133
mailing.getmeaticket.co.uk        217.8.250.48
informedstore.fagms.net        62.27.38.101
content.dynamicmessenger.com        64.40.98.15
clicks.exclusivenetoffers.co.uk        67.213.94.242
clicks.exclusivenetoffers.co.uk        67.213.94.242
clicks.financetrackeronline.co.uk        67.213.94.242
clicks.financetrackeronline.co.uk        67.213.94.242
theoasispath.com        69.64.155.119
ungrantcloth.com        69.64.155.123
za51.com        74.54.82.224
www.primafirst.com        85.232.41.133
www.superblyvisual.co.uk        85.232.41.133
images.getmeaticket.com        92.60.117.185
www.urfreesim.co.uk        92.60.120.226

*************************************
No longer resolve
*************************************
activesegsway.com        127.0.0.1
brainscoffer.com        127.0.0.1
demandcallback.com        127.0.0.1
violetpansy.com        127.0.0.1


I'll leave the research on the above domains as an excercise for the reader. In the meantime, should you receive any spam pointing to VistaPrint, and you did NOT register on their site to receive such - give them a call and make sure you give them a piece of your mind.

No comments: