ROKSO
The Register of Known Spam Operations
Kobeni Solutions


Country: United States of America
State: Florida
High-volume snowshoe spam operation based in Florida. The manager or owner of the company seems to be Yair Shalev. (Former?) partner-in-spam of ROKSO spammer Darrin Wohl. Son-in-law of ROKSO-listed spammer Dan Abramovich. Sued for fraud by the US FTC in 2014.



Main Info


Yair Shalev is a high volume snowshoe spammer living in the Miami, Florida area. He also uses the names Yair Szlaifer, Yair Shalev-Szlaifer, Yair Szlaifer-Shalev, and many other aliases that are not related to his real name at all. Like many snowshoe spammers [1], Shalev has a number of partners and employees involved in his spam operation, some related to him. He's also strongly connected to ROKSO spammer Darrin Wohl, although recent evidence suggests that he is spamming independently of Wohl now. In the past, he has worked with ROKSO spammer Eddy Marin.

Shalev normally spams from small numbers of IPs, often a /28 or /29 allocation, sometimes an unaligned set of IPs that cross allocation boundaries. We rarely find SWIP or ARIN allocation information for his blocks, suggesting that he tries to avoid having his IPs SWIPed to him. He may also deliberately ask for unaligned IPs in the hope that nearby innocent bystanders will prevent or delay listings of his IPs on blocklists.

Shalev has a practice of sending high volumes of spam through one or two IPs within a snowshoe range for anywhere from a few hours to a couple of days, while leaving the other IPs quiet, even for months. When the emitting IPs are listed, he simply moves to other IPs in the range. He (or his partners) rarely sets rDNS for the netblocks. The HELO and sender domains used by his emitters usually follow a pattern like $RANDOM.$NONSENSEDOMAIN, within different TLDs but mostly .com.

A typical example could be the following:

que.yourinstantloansdirect.com
cua.backroundchecktoday.com
ptr.aaacreditreporthelp.com
api.yourappelbeesreward.com
zbd.rewardssurverycostco.com
par.loantodayrepaylater.com
bog.backroundreportsafety.com
trip.surverygroupinc.com
doub.simplesurvercostco.com
bird.creditsupportandfix.com
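
The behaviour described above (one or two loud IPs in a small block, no rDNS, HELO names of the form short label plus long nonsense domain) can be checked against mail-server connection records. The following is an added example, not Spamhaus code; the record layout, the /28 grouping, the regex length limits and the volume thresholds are all assumptions chosen for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Heuristic (assumed): 3-4 letter label, then one long registrable domain,
# e.g. "que.yourinstantloansdirect.com".
HELO_RE = re.compile(r"^[a-z]{3,4}\.[a-z0-9-]{12,}\.[a-z]{2,}$")

# Constructed sample records: (client IP, rDNS or None, HELO, message count).
# IPs are from the documentation range; HELO names reuse examples listed above.
SAMPLE = [
    ("192.0.2.17", None, "que.yourinstantloansdirect.com", 9400),
    ("192.0.2.18", None, "cua.backroundchecktoday.com", 8700),
    ("192.0.2.21", None, "ptr.aaacreditreporthelp.com", 3),
    ("192.0.2.130", "mail.example.org", "mail.example.org", 120),
    ("192.0.2.131", "mx2.example.org", "mx2.example.org", 95),
]

def snowshoe_candidates(records, prefix=28, min_msgs=1000, max_hot=2):
    """Return {block: [loud IPs]} for blocks matching the snowshoe pattern."""
    blocks = defaultdict(list)
    for ip, rdns, helo, count in records:
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        blocks[net].append((ip, rdns, helo, count))
    flagged = {}
    for net, rows in blocks.items():
        # Senders with no rDNS whose HELO fits the label.domain pattern.
        suspicious = [r for r in rows if r[1] is None and HELO_RE.match(r[2].lower())]
        hot = [r[0] for r in suspicious if r[3] >= min_msgs]
        # One or two loud emitters while every other seen IP in the block is quiet.
        if hot and len(hot) <= max_hot and len(suspicious) == len(rows):
            flagged[str(net)] = sorted(hot)
    return flagged

if __name__ == "__main__":
    print(snowshoe_candidates(SAMPLE))
```

Because allocations are sometimes unaligned, a fixed /28 grouping can split one operation across two blocks; running the check at more than one prefix length reduces that blind spot.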

Particularly when using .com, the preferred registrar seems to be ENOM, with rare excursions outside this habit.

His spamming domains are usually registered with a Whois cloaking service, most often Whois Privacy Protection Service. Some of those domains are also registered in other names but are used by him. The same applies to the SWIP data and the IDs provided to ISPs in order to purchase the machines he needs. These names include, but are not limited to:

Kobe Dash <accounting@joobla.com>
Charles Bingham <cb@marketgenesis.com>
Christian Gomez <info@kbadver.com> <miaventurecs@gmail.com>
Carlos Monastirsky <carlosmonas@live.com>
Gabriela Rascovsky <gabyrasc@hotmail.com>
Alex Reiter <accounting@joobla.com>
Avi Reiter <abuse@joobla.com>
Howard Ruthstein <hwruthstein@yahoo.com>
Lyssette Anaya <lyssetteanaya@yahoo.com>
Teresa Soris <tania@miamicapitalpartners.net>
Leandro Gomez <leo@leandrogomez.net>
Sorina Simeon <sorinasimeon@aol.com>
Rolando Villafana <rolando.villafana@yahoo.com>
Armando Soris <modernconcepts3@gmail.com>
Jonas Grabarnick <jonascfnmb@gmail.com>
Alejandro Vidal <alexvidal@hermangroup.net>
Jason Bourdeau <jason@tango-host.com>
Jose Alfonzo <info@miamisportsstudio.com>
Vicki Mendoza <vickimendoza4@gmail.com>
Arialis Gonzalez <ari@yourweddinggotogirl.com>
Mariano Szlaifer <mariano@beamsupporthealth.com>
Jenita Griffin <pepper@chiloutmusicbox.com>
Maurice Drai <maurice@mauricetrainer.com>

Many of these are verified to be owned by real persons. In several cases, the ID provided belonged to people with a history of minor crimes amongst the Latin community around Miami, suggesting that Shalev or his partners may pay the ID owners in order to use their names to purchase the resources they need in order to send spam.

Several of the identities provided, though, seem to be loosely related to Shalev, suggesting they belong to partners-in-spam or maybe affiliates providing him with technical resources.

Amongst these, recurring names are:

EMH Global Inc. - Edward Heys
Robust-Life.com - Orane Mangaroo
All-in-trading - Lance Taylor
Tech City Reviews - Mark Ward
Media World Tech - Stephanie Romero
Gigalink Hosting - Valerie Pollock
CeciTechStart - Cecilia Valdes
Tech Talk City - Rishi Moonilal
HE Develope Design - Hector Estrella
All3Triathlon - Mike Jacobs
Hakala Sports - Anthony Hakala
MidwestWebhost / RewardHosting / [...] - Mike Boehm (sometimes "Mike Boem" and "Mike Bohem") [This is a separate spammer with his own ROKSO.]
Bryan G Crossfit - Bryan Gonzalez
Dog Walking Tara - Tara Favors
Barderro Host - April Thomas
DCaryDesigns - David Cary
ND Landscape Design - Nestor Diaz
Colbert Water Excursion - Carlton Colbert
Riverview Car Sales - Michael Magnant
EatNaturalForLife.com / BestVeggieMeals.com / [...] - Edward Sidney (sometimes "Sidney Edwards")
VPLendingCo.com - Harry Jakobs
CoreTech Networks - Christina Quiroz
Dade County Pool - Anell Gonzalez
Patricia's Bakery Co - Patricia King
StanSoftware Design - Kenneth Stanford
CrossFire-Hosting, LLC - Kris Eicher
Repair Laptops Now - Henok Tekie
Aweke's WebDesing - Endalkachew Aweke
Brown File Productions - Dynita Brown

On the technical side, we've observed two main types of setup.
In the first, a machine (usually a VPS) downloads and mounts a TrueCrypt image containing all the programs, scripts, etc. needed for the spam campaign.
In the second, a machine (usually Linux) is configured to terminate a GRE tunnel with a "mothership" somewhere else; all the IPs except the one used to terminate the tunnel are then routed toward the other tunnel endpoint, allowing the remote system to use these addresses as spam sources, either pumping the spam out through the tunnel or sending it directly from the remote network provider using asymmetric routing.
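
From a hosting provider's side, the GRE setup described above leaves a recognisable flow profile: one allocation IP holds an IP protocol 47 session to an outside endpoint, while the other IPs either emit SMTP or receive SMTP replies with no matching outbound connection (the asymmetric case). The following is an added example, not Spamhaus code; the flow record layout and the function name are assumptions, and all addresses are constructed from documentation ranges.

```python
import ipaddress

GRE, TCP = 47, 6  # IP protocol numbers

# Constructed flow records seen at a provider edge:
# (src, dst, ip_proto, src_port, dst_port)
FLOWS = [
    ("192.0.2.18", "198.51.100.7", GRE, 0, 0),       # tunnel to the remote endpoint
    ("198.51.100.7", "192.0.2.18", GRE, 0, 0),
    ("192.0.2.20", "203.0.113.30", TCP, 41000, 25),  # mail pumped out via the tunnel
    ("203.0.113.30", "192.0.2.20", TCP, 25, 41000),
    ("203.0.113.44", "192.0.2.21", TCP, 25, 52000),  # replies only: asymmetric routing
]

def gre_relay_profile(flows, allocation):
    """Summarise GRE and SMTP behaviour for one customer allocation."""
    net = ipaddress.ip_network(allocation)

    def inside(ip):
        return ipaddress.ip_address(ip) in net

    tunnels, smtp_out, smtp_replies = set(), set(), set()
    for src, dst, proto, sport, dport in flows:
        if proto == GRE and inside(src):
            tunnels.add((src, dst))
        elif proto == TCP and dport == 25 and inside(src):
            smtp_out.add(src)
        elif proto == TCP and sport == 25 and inside(dst):
            smtp_replies.add(dst)
    tunnel_ips = {local for local, _ in tunnels}
    emitters = sorted(smtp_out - tunnel_ips)
    # Replies arriving for an IP that never opened an outbound SMTP connection.
    asymmetric = sorted(smtp_replies - smtp_out - tunnel_ips)
    return {
        "tunnels": sorted(tunnels),
        "emitters": emitters,
        "asymmetric": asymmetric,
        "suspect": bool(tunnels) and bool(emitters or asymmetric),
    }

if __name__ == "__main__":
    print(gre_relay_profile(FLOWS, "192.0.2.16/29"))
```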

Shalev is founder of or partner in a number of companies. Kobeni Solutions <http://www.kobeni.com/> appears most involved with his spam activities, as well as Mia Venture. These two appear to be the ones directly involved in running the snowshoe operation:

Kobeni Inc.
Phone: (877) 525-5644
2410 Hollywood Blvd., Hollywood, FL 33020
http://kobeni.com/

Mia Venture Corp.
Phone: (954) 926-5644
Fax: (305) 397-1155
1835 E Hallandale Beach Blvd # 312, Hallandale Beach, FL 33009-4619
http://www.miaventure.com

In both, Shalev appears with the role of president.

Shalev has personally used the email addresses <ron@kobeni.com> and <dan@kobeni.com> repeatedly, although both of these email addresses appear to belong to other individuals associated with him. Other company names, individual names, and affiliations are documented in the rest of this ROKSO record.
________________

Mike Jacobs (All3Triathlon)
20750 NE 30th Place
Aventura, Florida, 33180
United States
________________

Name: Mr Edward Heys
Address: 7291 Via Luria
City: Lake Worth
State: FL
Country: US
ZIP: 33467
Phone: 9545120633
Email: ed@emhglobalinc.com
____________

Domain Name: EMHGLOBALINC.COM
Registrar: MONIKER ONLINE SERVICES LLC
Whois Server: whois.moniker.com
Referral URL: http://www.moniker.com
Name Server: NS1453.HOSTGATOR.COM
Name Server: NS1454.HOSTGATOR.COM
Status: clientDeleteProhibited
Status: clientTransferProhibited
Status: clientUpdateProhibited
Updated Date: 15-aug-2013
Creation Date: 04-sep-2011
Expiration Date: 04-sep-2014


Domain Name: EMHGLOBALINC.COM
Registrar: MONIKER

Registrant [3682082]:
Edward Heys edwardheys@yahoo.com
7291 Via Luria
Lake Worth
FL
33467
US


Administrative Contact [3682082]:
Edward Heys edwardheys@yahoo.com
7291 Via Luria
Lake Worth
FL
33467
US
Phone: +1.7542143718


Billing Contact [3682082]:
Edward Heys edwardheys@yahoo.com
7291 Via Luria
Lake Worth
FL
33467
US
Phone: +1.7542143718


Technical Contact [3682082]:
Edward Heys edwardheys@yahoo.com
7291 Via Luria
Lake Worth
FL
33467
US
Phone: +1.7542143718


Domain servers in listed order:

NS1453.HOSTGATOR.COM
NS1454.HOSTGATOR.COM

Record created on: 2011-09-04 15:06:57.0
Database last updated on: 2013-08-15 06:47:28.34
Domain Expires on: 2014-09-04 15:06:58.0

Related URLs

Yair Shalev is son-in-law of another spammer, Dan Abramovich.

[1] Glossary: Snowshoe Spamming


The Register of Known Spam Operations (ROKSO) collates information and evidence on entities with a history of spamming or providing spam services, and entities affiliated or otherwise connected with them, for the purpose of assisting ISP Abuse Desks and Law Enforcement Agencies.
The address of this ROKSO record is: https://www.spamhaus.org/rokso/evidence/ROK8847/

The above consists of information in the public domain. The Spamhaus Project makes every effort to avoid errors in information in the ROKSO database, and will correct any errors as soon as it is able to verify the correction, but accepts no responsibility or liability for any errors or omissions, or liability for any loss or damage, consequential or otherwise, incurred in reliance on the material in these pages. The Spamhaus Project makes no warranties or representations as to the accuracy of the Information in ROKSO records. The information in the ROKSO database is for information purposes only and is not intended as legal advice of any kind.

For information on contacting the ROKSO Team regarding any factual errors in this record, see the ROKSO FAQs.
© 1998-2023 The Spamhaus Project SLU. All rights reserved.