
Top spammer Soloway goes on anti-Microsoft rampage


DavidT


I found 8 rather long messages in my SC Held Mail this weekend, all with the Subject line:

Spamming by Microsoft - Confidential Report [ 1 of 22 ]

They're from Robert Soloway, a top-10 ROKSO spammer:

http://www.spamhaus.org/rokso/listing.lass...net%20Marketing

His operation was recently targeted by Microsoft in their anti-spam legal efforts:

http://www.oreillynet.com/pub/a/network/20.../spamkings.html

Soloway is promising to send out billions of his anti-Microsoft messages, apparently in 22 installments (see Subject line above), and has been posting in the anti-spam Usenet group, NANAE:

http://groups-beta.google.com/group/news.a...747455587b195e8

DT

Link to comment
Share on other sites

I thought about posting a Tracking URL on one of them (I reported them manually), but they were all from hijacked/zombied machines all over the world, so the sources are pretty random. Here...I'll give you the rest of the headers on a sample (this one happened to come to me courtesy of Comcast's incompetence):

Return-Path: <contact[at]spamis.org>
(snip)
Received: from c-66-30-238-22.hsd1.ma.comcast.net (c-66-30-238-22.hsd1.ma.comcast.net [66.30.238.22])
    by x.com (8.11.6/8.11.6) with SMTP id j4LHlwU10728
    for <x[at]x.com>; Sat, 21 May 2005 13:47:58 -0400
Received: from 182.224.8.192 by 66.30.238.22; Sat, 21 May 2005 11:40:06 -0700
Message-ID: <FXIEVVJPLAQAKIWGGAYCRFJS[at]catcha.com >
From: "SPAMIS" <contact[at]spamis.org>
Reply-To: "SPAMIS" <contact[at]spamis.org>
To: x[at]x.com
Subject: Spamming by Microsoft - Confidential Report [ 1 of 22 ]
Date: Sat, 21 May 2005 17:48:06 -0100
X-Mailer: eGroups Message Poster
MIME-Version: 1.0
Content-Type: multipart/alternative;
    boundary="--6557527546179637839"
X-Priority: 3
X-MSMail-Priority: Normal

Link to comment
Share on other sites
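Added example (not part of the original post): a Python sketch that reads the Received chain quoted above, treats only the line stamped by the recipient's own server as trustworthy, and flags timestamps below it that are later than the hand-off. The input is a constructed subset of those headers; the trusted host name `x.com` is taken from the munged sample, and the function names and the five-minute skew allowance are assumptions.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed input: a subset of the headers quoted in the post above.
SAMPLE = (
    "Received: from c-66-30-238-22.hsd1.ma.comcast.net"
    " (c-66-30-238-22.hsd1.ma.comcast.net [66.30.238.22])\n"
    "\tby x.com (8.11.6/8.11.6) with SMTP id j4LHlwU10728\n"
    "\tfor <x[at]x.com>; Sat, 21 May 2005 13:47:58 -0400\n"
    "Received: from 182.224.8.192 by 66.30.238.22; Sat, 21 May 2005 11:40:06 -0700\n"
    "Date: Sat, 21 May 2005 17:48:06 -0100\n"
    "\n"
)

def parse_hop(value):
    """Pull the stamping host, bracketed peer IP and timestamp from one Received value."""
    by = re.search(r"\bby\s+([^\s;]+)", value)
    peer = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", value)
    return {
        "by": by.group(1) if by else None,
        "peer_ip": peer.group(1) if peer else None,
        "when": parsedate_to_datetime(value.rsplit(";", 1)[-1].strip()),
    }

def analyse(raw, trusted_hosts, max_skew=300):
    msg = message_from_string(raw)
    hops = [parse_hop(v) for v in msg.get_all("Received", [])]
    # Only the leading run of Received lines stamped by our own MTAs can be
    # trusted; everything below it was supplied by the sending side.
    n = 0
    while n < len(hops) and hops[n]["by"] in trusted_hosts:
        n += 1
    if n == 0:
        return None
    handoff = hops[n - 1]
    anomalies = []
    for hop in hops[n:]:
        late = int((hop["when"] - handoff["when"]).total_seconds())
        if late > max_skew:  # an "earlier" hop claims a time after delivery
            anomalies.append(("hop-after-handoff", hop["by"], late))
    if msg["Date"]:
        sent = parsedate_to_datetime(msg["Date"])
        late = int((sent - handoff["when"]).total_seconds())
        if late > max_skew:
            anomalies.append(("date-after-handoff", None, late))
    return {"handoff_ip": handoff["peer_ip"],
            "unverified_hops": len(hops) - n, "anomalies": anomalies}
```

On this sample the only address worth reporting is the bracketed one recorded by the receiving server; the lower Received line and the Date header both claim times after the message had already been delivered.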

  • 2 months later...

This guy has been pulling a "Joe Job" on me...

I am getting about 40 to 50 failed delivery messages every hour. All of them with random *usernames[at]mydomain.com.

Analyzing the headers, they are all from Open Proxies. 14 different ones so far. Not much I can do. Cannot seem to block IP addresses fast enough.

I turned off my catch all but it is still doing damage. They need to send this guy to jail. I know he is the one that is sending out the viagra and other drug spam, as well as selling his opt-in mailing list to whoever will pay for it.

I would sure like to see him get the full punishment of law.

Link to comment
Share on other sites

I am getting about 40 to 50 failed delivery messages every hour. All of them with random *usernames[at]mydomain.com.

Analyzing the headers, they are all from Open Proxies. 14 different ones so far. Not much I can do. Cannot seem to block IP addresses fast enough.

31568[/snapback]

Those are misdirected bounces, which should be avoided by using 500-series errors during the SMTP transaction. Such misdirected bounces are now considered abusive and reportable by SpamCop per the "Messages which may be reported" section of On what type of email should I (not) use SpamCop? and the Misdirected bounces section of Why are auto-responders (and delayed bounces) bad?.
Link to comment
Share on other sites
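Added example (not part of the original reply): a small Python model of the receiving side of an SMTP session, showing why a 500-series reply during the transaction produces no misdirected bounce while accept-then-bounce mails a failure notice to the forged sender. The domain, mailboxes, addresses and reply texts are constructed, and the DATA body transfer is collapsed into a single step.

```python
import re

LOCAL_DOMAIN = "example.org"          # constructed receiving domain
MAILBOXES = {"alice", "postmaster"}   # constructed valid local parts

# Constructed session: forged envelope sender, random local part as recipient.
SESSION = [
    "MAIL FROM:<victim@victim.example>",
    "RCPT TO:<qx7z@example.org>",
    "DATA",  # body transfer (354 ... ".") collapsed into this one step
]

def run_session(commands, reject_unknown):
    """Return (transcript, bounces); bounces are the DSNs the server would
    later mail to the envelope sender as (bounce_to, failed_recipient)."""
    transcript, bounces = [], []
    sender, accepted = None, []
    for line in commands:
        verb, _, arg = line.partition(":")
        addr = re.sub(r"[<>\s]", "", arg)
        verb = verb.upper()
        if verb == "MAIL FROM":
            sender, accepted = addr, []
            reply = "250 2.1.0 Sender ok"
        elif verb == "RCPT TO":
            local, _, domain = addr.partition("@")
            known = domain == LOCAL_DOMAIN and local in MAILBOXES
            if known or not reject_unknown:
                accepted.append((addr, known))
                reply = "250 2.1.5 Recipient ok"
            else:
                # Refusal stays inside the session: the connecting client
                # gets the error and nothing is mailed to the forged sender.
                reply = "550 5.1.1 User unknown"
        elif verb == "DATA":
            if not accepted:
                reply = "554 5.5.1 No valid recipients"
            else:
                reply = "250 2.0.0 Message accepted for delivery"
                # Accepted first, found undeliverable later: the failure
                # notice goes to whoever MAIL FROM named, forged or not.
                bounces += [(sender, rcpt) for rcpt, ok in accepted if not ok]
        else:
            reply = "500 5.5.1 Command unrecognized"
        transcript.append((line, reply))
    return transcript, bounces
```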

He's just throwing a tantrum due to Scott Richter getting crushed by M$ earlier this week. By tonight we (meaning the anti-spam movement, collectively) should have all of his new IPs blocked (this is kind of inevitable, especially with him posting on NANAE and thereby highlighting himself to everyone) and he's blocked on the "right-hand side" as well at RFCI:

http://www.rfc-ignorant.org/tools/lookup.p...ain=spamis.info

There might be a trickle of new IPs in use on every one of the 22 installments he plans to send but it shouldn't be too hard at all to keep up with.

Link to comment
Share on other sites

Here's a few I did:

http://www.spamcop.net/sc?id=z795364728z3e...e93d2a382add1cz

I've had about 10 in the past 4 days. Is there an addy [at] MS we can forward them to? The only one I know is 'piracy' and I doubt they care about this spammer.

I was thinking about calling the phone number in the email, since it's supposedly here in Seattle where I am...

Link to comment
Share on other sites

Well Soloway must have read this because he is hammering me with his stupid spamis junk and using my main e-mail address as the from... The bounces have stopped however. He seems to have changed the e-mail some. It is still stupid useless rambling. He does not even know how to use proper English.

Return-Path: <xxx>
Received: from host2.lifetimewebsites.com (root[at]localhost)
    by xxxxx.com (8.12.10/8.12.10) with ESMTP id j7H90Rv2000949
    for <xxxxxxxx>; Wed, 17 Aug 2005 05:00:27 -0400
X-ClientAddr: 130.94.132.69
Received: from whatsup.splitinfinity.net (whatsup.splitinfinity.net [130.94.132.69])
    by host2.lifetimewebsites.com (8.12.10/8.12.10) with SMTP id j7H90Cfc032733
    for <xxxxxxxx>; Wed, 17 Aug 2005 05:00:18 -0400
Date: Wed, 17 Aug 2005 05:00:12 -0400
Message-Id: <200508170900.j7H90Cfc032733[at]host2.lifetimewebsites.com>
From: xxxxxxxx
To: xxxxxxxxxx
Subject: Fw: interesting microsoft news article...
X-Lifetime-Websites-MailScanner-Information: Please contact Lifetime Websites for more information
X-Lifetime-Websites-MailScanner: Not scanned: Please contact Lifetime Websites for details
X-Lifetime-Websites-MailScanner-SpamScore: 4
X-MailScanner-From: ace
X-spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on
    host2.lifetimewebsites.com
X-spam-Level: *
X-spam-Status: No, hits=1.3 required=5.0 tests=LINES_OF_YELLING,
    MAILTO_TO_SPAM_ADDR,NO_REAL_NAME autolearn=no version=2.63

130.94.132.69 is an open proxy

REPORT

Link to comment
Share on other sites

Yea, I got 3 from him today, but what has me puzzled is how the FROM and TO were both my email address, but in the report, it's an "X"

31797[/snapback]

Go to your www.spamcop.net page, follow the Preferences link.

Under Report Handling Options, there's a checkbox for spam Munging with a bit of an explanation. Assumedly, your current setting is Obscure identifying information.

Link to comment
Share on other sites

That's the thing, I turned off munging over a year ago, because I didn't see the need. That's why I'm soooo confused. All three of the emails from this fool did the same thing and since I have my own domain name whitelisted, the email got into my inbox, but when I reported it, I saw only "X"s

Link to comment
Share on other sites

That's the thing, I turned off munging over a year ago, because I didn't see the need. That's why I'm soooo confused. All three of the emails from this fool did the same thing and since I have my own domain name whitelisted, the email got into my inbox, but when I reported it, I saw only "X"s

31801[/snapback]

For me, the parse has been showing me the "x" for a while now, but if you look at the reports, the email address is showing. I actually see this as a feature so that when you post a tracking URL, it will not show your email address in that link.

Link to comment
Share on other sites

I got about 8 of these SPAMIS rants last night. All of them have my email address as the from and to. I have read several other people on the internet are getting the same thing as well.

I would like to thank Soloway for service on my joe and for making me understand that spammers are truly pieces of dirt that do not respect any rules we have for conduct on the Internet. I get this picture of him in my mind, 400 pound geeky looking I.T. person that never showers. Probably never comes out of that apartment in Washington. BTW - That phone number on his registrar info is for some law firm. They have never heard of him. More reason to send him to jail.

Keep up your SPAMIS rant jerky boy. You are ticking off a pit bull that will bite back.

Link to comment
Share on other sites

HELP ME PLEASE !!!

I have been receiving large amounts of SPAMIS emails, as well as other spam that from Google searching apparently comes from the same spammer. Recently, using email DNS traces, I sent out a number of emails to suspect IP addresses criticising the people for sending the SPAMIS emails for being hypocrites.

Now I am receiving large amounts of SPAMIS spam emails to my 2 main email addresses on my domain name "chris[at]nurv.com.au" & "admin[at]nurv.com.au", and the sender address on all the emails now is my 2 email addresses as above, obviously spoofed. I presume that some of my emails got through to the people behind the spam and now I am being personally targeted.

Is there anything I can do to stop the now flood of spam I am receiving from the "SPAMIS" person? I am desperate as to what to do. Any advice or referrals welcome. I have done numerous Google searches looking for a solution and am posting this message to a number of sites in the hope someone can offer some advice to help me.

You can email me on "chris[at]nurv.com.au". Thank you for your time.

Chris Richards, Australia

Edit: Moderator munged posted email addresses to help avoid future spam to them.

Link to comment
Share on other sites

OR institute a 'verify' system in your email, so only people that reply a second time will get through.

31823[/snapback]

NOOOOOOOOOOOOOOOOOOOOOOOOOO!!!!!!!

This is called Challenge/Response and if you search on those 2 words, you will find plenty of problems, including getting blacklisted because the challenge you are sending out ends up going to a spamtrap somewhere.

Link to comment
Share on other sites

Create a filter that sends anything with the word SPAMIS in it to the trash or forward to your domain's blackhole. POOF - problem gone.

I did this myself. Don't see his crap anymore.

Link to comment
Share on other sites

institute a 'verify' system in your email, so only people that reply a second time will get through.

31823[/snapback]

SpamCop doesn't recommend such CR (Challenge/Response) systems - they are now considered abusive and reportable by SpamCop per the "Messages which may be reported" section of On what type of email should I (not) use SpamCop? and the Challenge/response spam filtering section of Why are auto-responders (and delayed bounces) bad?.
Link to comment
Share on other sites

  • 11 months later...

Archived

This topic is now archived and is closed to further replies.
