Yair Shalev is a high volume snowshoe spammer living in the Miami, Florida area. He also uses the names Yair Szlaifer, Yair Shalev-Szlaifer, Yair Szlaifer-Shalev, and many other aliases that are not related to his real name at all. Like many snowshoe spammers [1], Shalev has a number of partners and employees involved in his spam operation, some related to him. He's also strongly connected to ROKSO spammer Darrin Wohl, although recent evidence suggests that he is spamming independently of Wohl now. In the past, he has worked with ROKSO spammer Eddy Marin.

Shalev normally spams from small numbers of IPs, often a /28 or /29 allocation, sometimes an unaligned set of IPs that cross allocation boundaries. We rarely find SWIP or ARIN allocation information for his blocks, suggesting that he tries to avoid having his IPs swipped to him. He may also deliberately ask for unaligned IPs in hopes that nearby innocent bystanders will prevent or delay listings of his IPs on blocklists.

Shalev has a practice of sending high volumes of spam through one or two IPs within a snowshoe range for anywhere from a few hours to a couple of days, while leaving the other IPs quiet, even for months. When the emitting IPs are listed, he simply moves to other IPs in the range. He (or his partners) rarely set rDNS for their netblocks.

The HELO and sender domains used by his emitters usually follow a pattern like $RANDOM.$NONSENSEDOMAIN, within different TLDs but mostly .com. A typical example could be the following:

- que.yourinstantloansdirect.com
- cua.backroundchecktoday.com
- ptr.aaacreditreporthelp.com
- api.yourappelbeesreward.com
- zbd.rewardssurverycostco.com
- par.loantodayrepaylater.com
- bog.backroundreportsafety.com
- trip.surverygroupinc.com
- doub.simplesurvercostco.com
- bird.creditsupportandfix.com

Particularly when using .com, the preferred registrar seems to be ENOM, with rare excursions outside this habit.
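The pattern above (a short random first label on a throwaway registered domain, many such domains from one small block, most traffic from one or two IPs in the block, and no rDNS on the emitters) is something a mail operator can score from their own SMTP logs. The script below is an added illustration of that scoring and is not part of the ROKSO record or of any Spamhaus tooling. It assumes a constructed, simplified log format (timestamp, source IP, HELO, sender domain, rDNS or "-"), uses TEST-NET-1 addresses (192.0.2.0/24) so no real host is named, takes the registered domain as the last two labels (a public-suffix list would be needed for ccTLD registries), and the thresholds (5 distinct domains, 80% pattern hits per /28) are illustrative, not tuned values.

```python
"""Score small IP blocks for the snowshoe HELO pattern described in the record:
short random label + throwaway registered domain, many domains per block,
emission concentrated on one or two IPs, no rDNS on the emitters.
Added example; the log format, IPs and thresholds are constructed assumptions."""
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample log, not real traffic. Columns: timestamp src_ip helo sender_domain rdns
# ("-" means the connecting IP had no reverse DNS). IPs come from the TEST-NET-1 range.
# The HELO values are the ones quoted in the record above.
SAMPLE_LOG = """\
2013-08-15T06:47:01 192.0.2.17 que.yourinstantloansdirect.com que.yourinstantloansdirect.com -
2013-08-15T06:47:03 192.0.2.17 cua.backroundchecktoday.com cua.backroundchecktoday.com -
2013-08-15T06:47:05 192.0.2.17 ptr.aaacreditreporthelp.com ptr.aaacreditreporthelp.com -
2013-08-15T06:47:09 192.0.2.17 api.yourappelbeesreward.com api.yourappelbeesreward.com -
2013-08-15T06:47:12 192.0.2.17 zbd.rewardssurverycostco.com zbd.rewardssurverycostco.com -
2013-08-15T06:47:15 192.0.2.17 par.loantodayrepaylater.com par.loantodayrepaylater.com -
2013-08-15T06:47:20 192.0.2.17 bog.backroundreportsafety.com bog.backroundreportsafety.com -
2013-08-15T06:47:22 192.0.2.17 trip.surverygroupinc.com trip.surverygroupinc.com -
2013-08-15T06:47:30 192.0.2.21 doub.simplesurvercostco.com doub.simplesurvercostco.com -
2013-08-15T06:47:33 192.0.2.21 bird.creditsupportandfix.com bird.creditsupportandfix.com -
2013-08-15T06:48:01 192.0.2.70 mail.example.org example.org mail.example.org
2013-08-15T06:48:40 192.0.2.70 mail.example.org example.org mail.example.org
2013-08-15T06:49:02 192.0.2.70 mail.example.org example.org mail.example.org
"""

# First labels a legitimate mail host commonly uses; excluded from the "random label" test.
CONVENTIONAL_LABELS = {"mail", "smtp", "mx", "mx1", "mx2", "out", "relay", "mta", "www"}
RANDOM_LABEL = re.compile(r"^[a-z]{2,4}$")


def parse_line(line):
    """Split one constructed log line into its fields."""
    ts, ip, helo, sender_domain, rdns = line.split()
    return {"ts": ts, "ip": ip, "helo": helo.lower(),
            "sender_domain": sender_domain.lower(),
            "rdns": None if rdns == "-" else rdns.lower()}


def registered_domain(host):
    """Naive registered domain: the last two labels. Adequate for .com; a
    public-suffix list is required for registries such as .co.uk (assumption)."""
    labels = host.rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def looks_like_random_label(host):
    """True when the hostname is $LABEL.$DOMAIN.$TLD with a 2-4 letter,
    non-conventional first label, i.e. the $RANDOM.$NONSENSEDOMAIN shape."""
    labels = host.split(".")
    if len(labels) < 3:
        return False
    first = labels[0]
    return first not in CONVENTIONAL_LABELS and RANDOM_LABEL.match(first) is not None


def block_stats(lines, prefix_len=28):
    """Aggregate per /prefix_len block: message count, distinct registered
    domains, pattern hit ratio, missing-rDNS ratio and emitter concentration."""
    per_block = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        net = ipaddress.ip_network(f"{rec['ip']}/{prefix_len}", strict=False)
        per_block[str(net)].append(rec)
    stats = {}
    for block, recs in per_block.items():
        n = len(recs)
        domains = {registered_domain(r["helo"]) for r in recs}
        pattern_hits = sum(looks_like_random_label(r["helo"]) for r in recs)
        no_rdns = sum(r["rdns"] is None for r in recs)
        emitters = Counter(r["ip"] for r in recs)
        top_ip, top_count = emitters.most_common(1)[0]
        stats[block] = {
            "messages": n,
            "distinct_domains": len(domains),
            "pattern_ratio": pattern_hits / n,
            "no_rdns_ratio": no_rdns / n,
            "active_ips": len(emitters),
            "top_emitter": top_ip,
            "top_emitter_share": top_count / n,
        }
    return stats


def flagged_blocks(lines, prefix_len=28, min_domains=5, min_pattern_ratio=0.8):
    """Blocks worth an analyst's attention under the illustrative thresholds."""
    return sorted(
        block for block, s in block_stats(lines, prefix_len).items()
        if s["distinct_domains"] >= min_domains and s["pattern_ratio"] >= min_pattern_ratio
    )


if __name__ == "__main__":
    for block, s in block_stats(SAMPLE_LOG.splitlines()).items():
        print(block, s)
    print("flagged:", flagged_blocks(SAMPLE_LOG.splitlines()))
```

On the constructed sample the 192.0.2.16/28 block is flagged (ten distinct throwaway domains, every HELO matching the pattern, no rDNS, 80% of the traffic from a single IP), while the block hosting mail.example.org is not. The per-block figures, rather than the flag alone, are what an abuse desk would attach to an escalation, since the quiet IPs in a flagged /28 are exactly the ones the record says will be used next.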
His spamming domains are usually registered with a Whois cloaking service, most often Whois Privacy Protection Service. Some of those domains are also registered in other names but are used by him. Same for SWIP data and IDs provided to ISPs in order to purchase the machines he needs. These names include, but are not limited to:

- Kobe Dash <accounting@joobla.com>
- Charles Bingham <cb@marketgenesis.com>
- Christian Gomez <info@kbadver.com> <miaventurecs@gmail.com>
- Carlos Monastirsky <carlosmonas@live.com>
- Gabriela Rascovsky <gabyrasc@hotmail.com>
- Alex Reiter <accounting@joobla.com>
- Avi Reiter <abuse@joobla.com>
- Howard Ruthstein <hwruthstein@yahoo.com>
- Lyssette Anaya <lyssetteanaya@yahoo.com>
- Teresa Soris <tania@miamicapitalpartners.net>
- Leandro Gomez <leo@leandrogomez.net>
- Sorina Simeon <sorinasimeon@aol.com>
- Rolando Villafana <rolando.villafana@yahoo.com>
- Armando Soris <modernconcepts3@gmail.com>
- Jonas Grabarnick <jonascfnmb@gmail.com>
- Alejandro Vidal <alexvidal@hermangroup.net>
- Jason Bourdeau <jason@tango-host.com>
- Jose Alfonzo <info@miamisportsstudio.com>
- Vicki Mendoza <vickimendoza4@gmail.com>
- Arialis Gonzalez <ari@yourweddinggotogirl.com>
- Mariano Szlaifer <mariano@beamsupporthealth.com>
- Jenita Griffin <pepper@chiloutmusicbox.com>
- Maurice Drai <maurice@mauricetrainer.com>

Many of these are verified to be owned by real persons. In several cases, the ID provided belonged to people with a history of minor crimes amongst the Latin community around Miami, suggesting that Shalev or his partners may pay the ID owners in order to use their names to purchase the resources they need in order to send spam. Several of the identities provided, though, seem to be loosely related with Shalev, suggesting they belong to partners-in-spam or maybe affiliates providing him with technical resources. Amongst these, recurring names are:

- EMH Global Inc. - Edward Heys
- Robust-Life.com - Orane Mangaroo
- All-in-trading - Lance Taylor
- Tech City Reviews - Mark Ward
- Media World Tech - Stephanie Romero
- Gigalink Hosting - Valerie Pollock
- CeciTechStart - Cecilia Valdes
- Tech Talk City - Rishi Moonilal
- HE Develope Design - Hector Estrella
- All3Triathlon - Mike Jacobs
- Hakala Sports - Anthony Hakala
- MidwestWebhost / RewardHosting / [...] - Mike Boehm (sometimes "Mike Boem" and "Mike Bohem") [This is a separate spammer with his own ROKSO.]
- Bryan G Crossfit - Bryan Gonzalez
- Dog Walking Tara - Tara Favors
- Barderro Host - April Thomas
- DCaryDesigns - David Cary
- ND Landscape Design - Nestor Diaz
- Colbert Water Excursion - Carlton Colbert
- Riverview Car Sales - Michael Magnant
- EatNaturalForLife.com / BestVeggieMeals.com / [...] - Edward Sidney (sometimes "Sidney Edwards")
- VPLendingCo.com - Harry Jakobs
- CoreTech Networks - Christina Quiroz
- Dade County Pool - Anell Gonzalez
- Patricia's Bakery Co - Patricia King
- StanSoftware Design - Kenneth Stanford
- CrossFire-Hosting, LLC - Kris Eicher
- Repair Laptops Now - Henok Tekie
- Aweke's WebDesing - Endalkachew Aweke
- Brown File Productions - Dynita Brown

On the technical side, we've observed two main types of setups. In the first one, a machine (usually a VPS) downloads and mounts a TrueCrypt image containing all the programs, scripts etc. needed for the spam campaign. In the other one, a machine (usually Linux) is configured to terminate a GRE tunnel with a "mothership" somewhere else; then all the IPs, except the one used to terminate the tunnel, are routed toward the other tunnel endpoint, allowing the remote system to use these addresses as spam source, either pumping it out through the tunnel or directly from the remote network provider using asymmetric routing.

Shalev is founder of or partner in a number of companies. Kobeni Solutions <http://www.kobeni.com/> appears most involved with his spam activities, as well as Mia Venture. These two appear to be the ones directly involved in running the snowshoe operation:

Kobeni Inc.
Phone: (877) 525-5644
2410 Hollywood Blvd., Hollywood, FL 33020
http://kobeni.com/

Mia Venture Corp.
Phone: (954) 926-5644
Fax: (305) 397-1155
1835 E Hallandale Beach Blvd # 312, Hallandale Beach, FL 33009-4619
http://www.miaventure.com

In both, Shalev appears with the role of president. Shalev has personally used the email addresses <ron@kobeni.com> and <dan@kobeni.com> repeatedly, although both of these email addresses appear to belong to other individuals associated with him. Other company names, individual names, and affiliations are documented in the rest of this ROKSO record.

________________

Mike Jacobs (All3Triathlon)
20750 NE 30th Place
Aventura, Florida, 33180
United States

________________

Name: Mr Edward Heys
Address: 7291 Via Luria
City: Lake Worth
State: FL
Country: US
ZIP: 33467
Phone: 9545120633
Email: ed@emhglobalinc.com

____________

Domain Name: EMHGLOBALINC.COM
Registrar: MONIKER ONLINE SERVICES LLC
Whois Server: whois.moniker.com
Referral URL: http://www.moniker.com
Name Server: NS1453.HOSTGATOR.COM
Name Server: NS1454.HOSTGATOR.COM
Status: clientDeleteProhibited
Status: clientTransferProhibited
Status: clientUpdateProhibited
Updated Date: 15-aug-2013
Creation Date: 04-sep-2011
Expiration Date: 04-sep-2014

Domain Name: EMHGLOBALINC.COM
Registrar: MONIKER
Registrant [3682082]: Edward Heys edwardheys@yahoo.com 7291 Via Luria Lake Worth FL 33467 US
Administrative Contact [3682082]: Edward Heys edwardheys@yahoo.com 7291 Via Luria Lake Worth FL 33467 US Phone: +1.7542143718
Billing Contact [3682082]: Edward Heys edwardheys@yahoo.com 7291 Via Luria Lake Worth FL 33467 US Phone: +1.7542143718
Technical Contact [3682082]: Edward Heys edwardheys@yahoo.com 7291 Via Luria Lake Worth FL 33467 US Phone: +1.7542143718
Domain servers in listed order: NS1453.HOSTGATOR.COM NS1454.HOSTGATOR.COM
Record created on: 2011-09-04 15:06:57.0
Database last updated on: 2013-08-15 06:47:28.34
Domain Expires on: 2014-09-04 15:06:58.0

Yair Shalev is son-in-law of another spammer, Dan Abramovich.
[1] Glossary: Snowshoe Spamming
The Register of Known Spam Operations (ROKSO) collates information and evidence on entities with a history of spamming or providing spam services, and entities affiliated or otherwise connected with them, for the purpose of assisting ISP Abuse Desks and Law Enforcement Agencies.