Schmutz Affidavit

This is the Schmutz Affidavit.

STATE OF WASHINGTON

KENNETH A. SCHMUTZ, being first duly sworn on oath, deposes and says:

I. INTRODUCTION and BACKGROUND

A. Warrants Requested

1. I make this affidavit in support of an application for a search warrant for:

a) the property located at and in a residential apartment located at: 1200 Western Avenue, Apartment 17E

As explained more fully below, this apartment is both the residence of Robert Alan Soloway, and the base of operations for "Newport Internet Marketing," a company that is solely owned by Robert Alan Soloway. As is also explained more fully below, there is probable cause to believe that evidence, fruits, and instrumentalities of violations of federal laws exist, and are present at the premises, and/or in computers located on the premises at 1200 Western Avenue, Apartment 17E, Seattle, Washington 98101.

b) a storage unit, more specifically,

As explained more fully below, this storage unit is rented by Robert Alan Soloway, and according to Soloway's own sworn statements, is used for the storage of business records for Soloway's business. As is further explained below, there is thus probable cause to believe that evidence, fruits, and instrumentalities of violations of federal laws exist, and are present at this storage unit.

B. Agent Background

2. I am a Special Agent of the Federal Bureau of Investigation (FBI), and have been so employed since January 2004. I am currently assigned to the Seattle Office's Cyber Crime Squad, which investigates various computer-related crimes, including computer intrusions and Internet-related frauds.

3. I have both a Bachelor of Science and a Master of Science degree in Business Information Systems from Utah State University. Those degree programs involved, among other things, human computer interface, programming in three languages (C++, COBOL, Pascal), and designing and creating Internet web pages.
Prior to my work as a Special Agent, I worked for thirteen years in a variety of capacities in the computer technology field; holding positions, for example, in which I designed, implemented, and supported computer systems for credit unions, performed quality assurance testing for a leading network operating system company, and managed a group of software engineers in a high-paced technology company. I have also taught computer classes at the community college level, including courses on Windows NT Server, Networking Essentials, and Introduction to Programming. I recently obtained industry certification in CompTIA's Net+ program.

4. As an FBI agent, I have received specialized training, and gained experience in interviewing and interrogation techniques, arrest procedures, search warrant applications, the execution of searches and seizures, federal computer crimes, computer evidence identification, computer evidence seizure and processing, and various other federal criminal laws and procedures. I have investigated dozens of cases involving the use of computers and the Internet to commit federal crimes, and have personally participated in the execution of multiple search warrants involving the search and seizure of computers and related equipment.

C. Sources of Information

D. Relevant Statutes

18 U.S.C. § 1028A (Aggravated Identity Theft)

"Means of identification" is defined at 18 U.S.C. § 1028(d)(7), for purposes of §§ 1028 and 1028A, as follows:

18 U.S.C. § 1037 (Fraud and Related Activity in Connection with Electronic Mail)

(b)(1) . . . [shall be punished with a fine, and imprisonment] for not more than 5 years, or both, - if

18 U.S.C. § 1341 (Mail Fraud)

18 U.S.C. § 1343 (Wire Fraud)

18 U.S.C. § 1956(a)(1) (Money Laundering)

E. Location, and Items to Be Searched and Seized

b) a storage unit leased by Soloway, located at Storage Unit A145, Public Storage Inc, 12465 Northrup Way, Bellevue, WA 98005, as well as any computers or other electronic storage media found therein. The storage locker is additionally described in Attachment A, attached hereto and incorporated by reference herein.

8. Based on the information set forth below, there is probable cause to believe that Soloway is engaged in criminal activities in violation of the statutes referenced above, and that he has done so, and continues to do so, using one or more computers located at the residential premises identified above (or stored at the above referenced storage unit). The United States seeks authority to search and to seize, from those premises and/or those computers, items that constitute evidence, fruits and instrumentalities of violations of Title 18, United States Code, Sections 1028A(a)(1), 1037(a)(2) and (a)(3), further specified in Attachment B, attached hereto and incorporated by reference herein.

F. Background on Computer and Internet Technologies

10. Internet Protocol Address ("IP address"): An Internet Protocol (IP) address is a unique, 32 bit numeric address used to identify computers on the Internet. An IP address consists of four numbers, each from 0 to 255, separated by periods. Every computer connected to the Internet (or group of computers using the same account to access the Internet) must be assigned an IP address so that Internet traffic sent from and directed to that computer is directed properly from its source and to its destination. IP addresses are typically assigned by Internet service providers ("ISPs"), such as AOL, Earthlink, or Comcast.
An ISP might assign a different IP address to a customer each time the customer makes an internet connection (so-called "dynamic IP addressing"), or it might assign an IP address to a customer permanently or for a fixed period of time (so-called "static IP addressing"). Even if an IP address is dynamically assigned, the computer will retain the originally assigned IP address if the computer never disconnects from the network after the initial IP address assignment or the user does not manually reset it. Regardless of whether it is dynamically assigned or static, the IP address used by a computer attached to the Internet must be unique for the duration of a particular session; that is, from connection to disconnection. ISPs typically log their customers' connections, including IP addresses. The ISP can thus identify which of their customers was assigned a specific IP address during a particular session.

11. Domain Name: In the context of the Internet, a domain name is the logical, text-based equivalent of the numeric IP address. Because it is "logical" and text-based, a domain name - for example, "www.testname.com" - is more easily remembered by humans than is an exclusively numeric IP address, such as "23.45.35.100." Like an IP address, a domain name consists of a sequence of characters, separated by periods. Domain names are organized hierarchically and read from right to left. The right-most component is the "top level domain." This includes the ".com," ".gov," and ".edu" domains, as well as many others. Top level domains are owned and managed by the Internet sanctioning organizations. The second part of the domain name is owned by the registrant who first registered the name with the sanctioning organizations. Domain name owners can then create sub-domains to provide access to resources they own and/or control. Numerous Internet companies offer free sub-domains to their customers. These companies typically have a collection of domain names that they have registered, and allow their customers to create sub-domains of the domain names and control the IP addresses to which those sub-domains resolve.

12. Domain Name Service ("DNS"): DNS is the Internet resource for converting the text-based domain names into IP addresses. DNS server computers maintain a database for resolving domain host names and IP addresses, allowing users of computers configured to query the DNS to specify remote computers by the easier-to-remember domain host names (in words), rather than by the difficult-to-remember numerical IP addresses. DNS also thus makes it possible to "move" a host on the Internet (which would entail a change in the underlying IP address), while still preserving the availability of the resource based on its text-based domain name. Users would still request the resource by its (text-based) domain name, and DNS would resolve the name to the new IP address.

13. Server: A computer that provides a service - such as e-mail or Web data - to other computers (known as "clients") via a network or the Internet. When a user accesses e-mail or Internet web pages, or accesses files stored on the network itself, those files are pulled electronically from the server where they are stored and are sent to the client's computer via the network or Internet. Notably, server computers can be physically located in any location; for example, it is not uncommon for a network's server to be located hundreds (or even thousands) of miles away from the client computers.

14. Proxy Server: A proxy server is a computer that offers a computer network service to allow clients to make indirect network connections to other computers or network services. An open proxy is a computer that will accept client connections from any IP address and make connections to any Internet resource.
A proxy server can be used to camouflage the originating source IP address of an e-mail communication, as the IP address of the originating source of the communication will be replaced in the header by the IP address of the proxy server. Use of multiple proxy servers adds to the difficulty of tracing a communication back to its true original IP address source.

15. Internet Service Provider ("ISP"): A business that provides connectivity to the Internet. ISPs typically provide the ability to send and receive e-mail, browse the World Wide Web and download (copy) files from Internet servers. Internet Service Providers often offer other Internet-related services such as hosting an Internet site on a web server.

16. Website: A location on the Internet at which an individual or organization provides information to others about itself. It may also provide links to other Internet sites with common interests or goals.

17. E-mail header: The beginning of an e-mail message, that contains detailed information (IP address and domain names) of the origin of the e-mail ("From" designation); the destination of the e-mail ("To" designation); as well as date, routing, and possibly subject matter information.

18. Forged e-mail header: A tactic used to hide the source address of an e-mail by placing false information in the "From:" field of the e-mail header.

19. Bounce back e-mail: Errors can occur at multiple places in e-mail delivery. A user may sometimes receive a bounce back message from their own e-mail server, and sometimes from a recipient's e-mail server. For example, imagine that Jack (jack@example.com) sends a message to Jill (jill@example.org) at a different site. Once Jack's e-mail server has accepted the message, it must either pass it along to Jill's e-mail server, or else deposit a bounce message in Jack's mailbox. However, problems arise if Jill's e-mail server receives a message with a forged From: field, e.g., if spammer@example.net sends an unsolicited bulk message claiming to be from jack@example.com. In this case, Jill's mail server would send the bounce message to Jack even though Jack never sent the original message to Jill. This is called a bounce back e-mail or backscatter.

20. Spam: bulk ("multiple"[1]) commercial e-mail messages. "Spamming" is the abuse of electronic messaging systems by sending multiple commercial e-mail messages.

[1] As noted, infra, the term "multiple" is defined within 18 U.S.C. § 1037 as "more than 100 electronic mail messages during a 24-hour period, more than 1,000 electronic mail messages during a 30-day period, or more than 10,000 electronic messages during a 1-year period."

21. "Opt-in e-mail address": the e-mail address of an Internet user who has signaled his/her consent to receive commercial e-mail communications.

22. "WHOIS" Lookup: A query/response protocol that is widely used for querying a database in order to determine the owner of a domain name, an IP address, or an autonomous system number on the Internet.

II. THE INVESTIGATION

A. Complaints Filed with FTC, BBB and Washington Attorney General's Office, and Statements of Victims of Spamming, Wire Fraud, Mail Fraud, and Identity Theft

23. On October 16, 2006, an investigator with the Federal Trade Commission (FTC) contacted the FBI in Seattle regarding a local resident who has been the subject of approximately 100 complaints of spamming, dating back to as early as 1999. I subsequently discussed the complaints with a representative of the FTC, reviewed many of the complaints, and also reviewed some of the summary data that had been gathered by the FTC with regard to the same.
As a result, I learned that these 100 different complainants related very similar experiences, that typically included the following:

a) The complainants reported that they had received multiple commercial e-mail messages (spam) that essentially consisted of an advertisement for a "bulk" or "broadcast" "e-mail service" business. In the body of the spammed message, recipients could "click" on a domain name contained in the message, in order to link to the website of the company that was making the e-mail advertisement. If they proceeded to the website, the visitor would see statements, including purported "quotes" from various sources, regarding the ability of the company to reach tens of millions of potential new customers with "broadcast e-mail," the relatively low cost of "broadcast e-mail" advertisement in relation to its "effectiveness," and the large sales benefits to be reaped from "broadcast e-mail" advertising. The company represented, on the website, that customers could achieve these positive sales results (e.g., a "500% increase in sales"), either through hiring the company to do broadcast e-mailing on their behalf (to "geographically targeted," "interest targeted," and "permission-based opt-in e-mail" addresses available to the company), or, that they could purchase a "software kit" from the company that would enable the customer to send out their own "broadcast" e-mail advertisements. The website reportedly typically offered "lifetime 24/7 customer & technical support" to potential purchasers of either the e-mail "service" or the "software kit," as well as "money-back guarantees" if the promised sales gains did not materialize within 90 days.

b) The complainants identified the name of the bulk e-mail business variously as Newport IM Corporation, NIM, Newport Internet Marketing, Newport Corp, NPR, or Broadcast Email Services. They also reported that a variety of domain names were used in the initial spammed advertisements. Although the name of the business and the domain names contained in the advertisements varied, each had some common connections, based on the content of the spam message and the content of the website reached through the domain name. Many of the complainants also reported the name "Robert Soloway" as having a connection to the company, and/or often reported one or the other of two common physical addresses: PO Box 1259, Seattle, WA 98111, or 1200 Western Avenue, 17E, Seattle, Washington. These addresses were seen by the complainants, for example, as an address to which they could send payments to purchase the "broadcast e-mail" service or software. The addresses were also reportedly seen by some complainants after doing additional on-line research, including WHOIS lookups, in an attempt to identify who was responsible for the initial spam they had received, and in their attempts to contact the sender and request that the spamming to them be stopped.

c) The complainants generally reported that they had difficulty in identifying the source of the initial spammed messages, because they uniformly contained false "From:" headers. The "From:" headers were either blank, contained the same e-mail address as the "To:" header, or contained an invalid e-mail address. Many of the complainants reported that they had attempted to contact the originator of the e-mail by clicking on the domain name listed in the body of the unsolicited e-mail, and then making a request, through the website, that their e-mail address be removed. Despite their attempts and requests to have their e-mail addresses removed from the list of recipients, however, none of the complainants was successful in doing so. Instead, the volume of spam to them from the company typically increased after they had communicated their request that it be stopped.

d) Some of the complainants reported that they had paid for broadcast e-mail services from the company, or had purchased the broadcast e-mail software (typically at a cost of $149.00). These complainants commonly reported that neither the "broadcast service" nor the software was what it was represented to be; that it resulted in spam to addresses that were neither targeted nor "opt-in," and as a result of which they had received numerous complaints or been "black-listed" for spamming activity. The purchasers of the software often reported that the product simply did not work, at all. Purchasers of both the "service" and the software reported that the company refused to provide either support, responses to complaints, or the "guaranteed" refund. Many reported that after they had complained or reversed payment charges, they were threatened with additional fees and referral to collection.

e) Other of the complainants reported that the company had spammed, fraudulently using e-mail addresses or domain names that belonged to them in the "From:" field in a forged header. These complainants reported that they, in turn, had been the target of complaints and adverse actions because they were falsely being blamed as the originators of spam.

24. After receiving the above referenced information from the FTC, I performed a search of business records for the State of Washington, and learned that Newport Internet Marketing Corporation, doing business as NIM Corporation, had been incorporated in California in 1998, and registered with the Washington State Secretary of State as a foreign corporation in December of 2004. The address of record for the corporation, in Washington, was 1200 Western Avenue, Suite 17E, Seattle, Washington, 98101. I next contacted an inspector from the United States Postal Service, who reported that the recipient of record for mail at 1200 Western Avenue, Suite 17E, Seattle, Washington, 98101 was Robert Soloway.
The postal inspector also reported that the address of "PO Box 1259, Seattle, WA 98111" was the address for a rented U.S. Postal mail box, at the downtown Seattle Post Office location (301 Union St., Seattle, WA). Postal records revealed that PO Box 1259 had been rented by "Robert Soloway/NIM Corporation" on March 26, 2004. Soloway also indicated, on that form, that the address for "NIM Corporation" was 1200 Western Ave., Ell, Seattle, Washington 98101.

25. On December 1, 2006, I interviewed AG, who was one of the victims who had complained to the FTC about spamming by Robert Soloway and NIM. AG reported to me, as follows:

a) AG has owned a web-hosting business, in Minnesota, since 1996. As part of that business, he owns, designs, and maintains domains and websites for himself and other clients. Since 2003, he has owned his own servers that he has leased and managed for website hosting. In connection with his web-hosting business, AG owns over 400 domains, some of which are used by his clients. Because spam places a burden on the servers that he uses for web-hosting, AG has learned as much as possible about spam, including how to identify fraudulent "From:" information in e-mail headers, and how to track the actual locations of servers hosting websites. He has also worked with the Internet Corporation for Assigned Names and Numbers ("ICANN") as well as other registrars and hosting companies to report forged domain registration and improper use of websites, as well as other online security violations.

b) AG stated that he began receiving spam from Newport Internet Marketing in August, 2005; first in his own business and personal e-mail accounts, and then, increasingly, in e-mail accounts that were created when he established new domain names for his clients. AG was able to link the spam to a Robert Soloway through the use of a WHOIS lookup on the domain name that was included in the body of the spam messages. AG also clicked on the domain name listed in the body of the e-mail and was taken to a website that marketed mass e-mail services and products using the name "Broadcast Email Services" and "Newport Internet Marketing" ("NIM").

c) AG reported that he had never opted-in to any program offered by Robert Soloway or NIM. AG reported that he had attempted to contact Soloway over 2100 times by phone, e-mail, fax, and third party complaints, to request that Soloway discontinue sending spam to AG's domains. Soloway would not respond to AG's attempts to communicate, and had never stopped sending spam to domains used by AG or that AG had set up for his clients. In fact, Soloway was continuing to spam AG's domains in December of 2006, when I spoke with him. Often, after AG entered an e-mail address into the "removal" list on Soloway's websites, the account would begin receiving even more spam than before, including spam for generic Viagra, "sexual desire patches," prescription drugs, penis enlargement, pornographic material, stock market "pump and dump" schemes, online casinos, and diploma mill schemes. AG reported to me that he has [illegible] compelled to shut down e-mail addresses that he had established for his clients due to Soloway's unrelenting spam to them.

d) Based on his own professional experience in the web-hosting field, AG was able to make some analysis of the spam he received from NIM Corporation/Broadcast Email Services. This included his assessment that the spam communications from these companies contained headers that were forged. Some of the "From:" fields were blank, some had the same name in both the "From:" and the "To:" header field, and others had fake domain names in the "From" field.

e) AG reported that on April 17, 2006, at around 11:00 pm, he received approximately 20 spam e-mails from e-mail addresses with the domain name "i-frane.com." AG did a look up on the domain name "i-frane.com" and found that it was not a registered domain, had not been registered in the previous six months, and was available for sale. AG then immediately purchased and registered the domain name "i-frane.com" and set up an e-mail server to capture e-mail that was bounced back to that server. AG did this to catch all the e-mails sent with the "From" address of i-frane.com that bounced back because they were not sent to a valid e-mail address. This information would, in turn, give an indication of how many spam messages were being sent out using "i-frane.com" as the "From:" address. On April 24, 2006, one week after AG had purchased the i-frane.com domain, the e-mail server had received 234,784 bounce back spam messages that had been sent out with a forged "i-frane.com" "From:" header. The number of bounce backs subsequently increased to 174,549 - 99% of which AG found to contain links to Soloway's web sites in the message body.

f) From further analysis of the recorded bounce backs and other information provided to me by AG, it was determined that the spam that had been sent by NIM Corporation/Broadcast Email Services had been sent to thousands of domains using the standard prefixes of advertising@, billing@, feedback@, home@, help@, accounts@, contact@, admin@, guest@, administrator@, orders@, postmaster@, mail@, root@, support@, webmaster@, service@, test@, uucp@, info@, and sales@. (When an e-mail server is set up for the first time, the process used for that set-up automatically and by default creates a group of accounts with standard prefixes.) These default accounts appear to be among the ones that Soloway is routinely using for spamming activities.

g) AG reported to me that the spam sent by Soloway has created substantial harm and loss to him both personally and professionally.
Included in the costs to him are the need to devote from two to three hours, daily, to efforts to remove spam from his clients' accounts, or to take special precautions in establishing accounts in order to protect them from Soloway's spamming activity.

a) GN stated that in September 2006 he had registered two domain names for his businesses. A few weeks later, GN began to receive spam with forged headers. The "From:" field in the header was either blank, or contained the same information as the "To:" field. That address was GN's e-mail address. The spammed message advertised the ability to mass e-mail "8,000,000 people". The domain contained in the body of the e-mail from which to find out more about the mass mailing system was "www.emailadvertisinginc.com."

b) When GN visited the website at the address of www.emailadvertisinginc.com it appeared to be a website for NPR Corporation, purportedly with an address of 1001 4th Ave - #1259, Seattle, WA, 98111. A second address, however, of NIM, Box 1259, Seattle, WA 98111 was provided in the section of the website for placing software orders by mail. The website also contained a "Charity" section, (in which representations were made about charitable donations purportedly made by the company), that displayed a signature of "Rob Soloway."

c) Over the following two months, GN received similar spam messages identifying either "www.emailadvertisinginc.com", "www.newportcorp.cn", or "www.colidsilver.com" as the pertinent domain, in the body of the spam message. Although active at different periods of time, GN found that all three domain names appeared to link to what was essentially - or even exactly - the same website, in terms of its content.

d) GN requested to be removed from Soloway's mailing list by using the removal option under the "Contact Us" tab on the website. After GN requested to be removed, however, GN received an increased amount of spam from Soloway.

27. The address of 1001 4th Ave - #1259, Seattle, WA, 98111, which was noted by GN to have been published as the purported address for NPR, was likewise reported by a number of other recipients of the common spam as the spamming company's address. As part of my investigation I researched that address, and learned that it had been an office space for a local bank in past years, but that it had not been occupied by any tenant in recent years.

28. On December 12, 2006, an FBI agent interviewed DM. In October, 2006, DM began receiving spam on the twelve domain names that he owned. The spam marketed advertisement of a way to mass e-mail "8,000,000 people." The domain listed in the body of the e-mail to take advantage of the offer was "www.emailadvertisinginc.com." DM realized the email was fraudulent because the header of the e-mail was forged. The "To:" field and the "From:" field were the same. One of the e-mails, for example, contained DM's own address of "sales@d...m....com" in both the "From" field and the "To:" field in the header, and he knew he did not send the e-mail to himself. Nor had DM opted-in to any offers to receive unsolicited e-mail. DM did a WHOIS lookup on the Internet to see who was the owner of the domain emailadvertisinginc.com, and learned that it was registered to a Chinese name.

29. As part of my investigation in this case, I have learned from the Postal Inspection Service that they have received and reviewed approximately 100 complaints that have been filed with the Better Business Bureau (BBB), against Robert Soloway doing business as Newport Internet Marketing Corporation, also known as Newport IM Corporation (NIM). These complaints were dated between October 2003 and April 2007.
Like the complaints to the FTC, these included complaints from individuals who had received spam e-mails from NIM; people who had purchased "broadcast email" software from NIM that failed to function as advertised, and who were unable to receive a full refund as promised; people who had purchased a broadcast e-mail service from NIM to advertise their companies' services to "select, quality, opt-in e-mail addresses," only to discover that NIM had sent their information out as spam; and people whose e-mail addresses or domain names had been used without their permission and fraudulently inserted into forged "From:" headers in spammed e-mail messages. I have personally reviewed a number of these complaints, including the following:

30. I have reviewed the complaint of EO, residing in Floresville, TX. On July 6, 2004, EO received an unsolicited e-mail from NIM advertising a broadcast e-mail software package for $149.00. The advertisement represented that use of the software to send out e-mail advertisements would result in a minimum 400% increase in sales, and that the user would receive a minimum of 750,000 website hits within 90 days or receive a full 100% refund. The advertisement further represented that the broadcast e-mail software would automatically create 10 super-fast mail servers on the user's computer that would provide the ability to send out unlimited, personalized and targeted broadcast e-mail advertisements to over 500,000,000 people on the internet at the rate of up to 1,000,000 daily, automatically and for free. The advertisement further represented that the software would provide millions of the newest and freshest general interest and regionally targeted e-mail addresses; that a purchaser would be guided through the entire process of installing and utilizing the entire broadcast e-mail package; and that a purchaser would receive unlimited lifetime customer and technical support.

31. EO has provided copies of credit card statements showing he purchased the broadcast e-mail software from NIM on July 6, 2004; EO has provided a copy of a FedEx label that shows the broadcast e-mail package was shipped to him in Floresville, Texas on July 6, 2004. EO has provided copies of e-mails to NIM requesting information and assistance on the use of the software and complaining that the software

32. I have reviewed the complaint of A.H. residing in Cedarburg, WI. A.H. reported that she ordered the broadcast e-mail software from NIM on August 29, 2005, and received the shipped package on August 31, 2005. A.H. reports that she was immediately dissatisfied with the software due to the difficult process that NIM required to register and activate the product. From that point forward A.H. was concerned about the quality of the product and wanted to return it, but NIM required they evaluate the product for 90 days before returning it.

33. A.H. sent an e-mail requesting instructions to return the software and referencing a charge back to their credit card for the purchase price. A.H. received the following response from NIM via e-mail explaining their guarantee, "If You Do Not Receive At Least a 400% Increase in Sales After Using Our Broadcast Email Package for 90 Days, Simply Return it to us for a Full 100% Refund, No Questions Asked. Any Dispute of this Charge with Your CC Will Automatically be Forwarded to Our Collection Agency With Their Additional $250 Service Charge for a Total of $399 to be Owed." A.H. received another e-mail stating "If you dispute the charge your debt will be forwarded to our collection agency with an additional $250 service charge by them, which if not paid will be forwarded to the 3 US Credit Agencies, in turn negatively affecting your credit rating for the next 7 years not paying said debt owed, and will appear on your credit report indicating you refused to pay a $399 debt that you own. We do not stand for theft at our corporation."
34. A.H. reported that after waiting the required 90 days she sent daily e-mails to NIM over a two week period trying to obtain an address for use in returning the broadcast e-mail software. It was only after posing as a new customer, and using a new e-mail address, that A.H. was able to obtain the address of PO Box 1259, Seattle, Washington 98111 as an address for NIM Corporation. The BBB records associated with A.H.'s complaint indicate that NIM advised BBB that it was refusing to refund the purchase price because, "[t]his customer is not entitled to a refund for opened software. We have over 10,000 customers currently using our software and it works PERFECTLY. This is customer to email customer service at nim@cyberservices.com and we will assist them with any questions or concerns they may have."

35. A.H. stated that NIM told her that they refused to pay the refund because A.H. did not return the broadcast e-mail software. A.H., however, reported that she did return the product and that she had a PS Form 3811, Domestic Return Receipt, signed by what appears to be Robin or Robert Soloway, indicating receipt.

36. As part of my investigation in this case, I learned that the Washington State Attorney General's Office has also received dozens of complaints about spamming and fraudulent activities related to Robert Soloway, Newport Internet Marketing Corporation, and/or Newport IM Corporation during the period from 2004 through and until the present. Like the complaints to the FTC and BBB, these included complaints from individuals who had received spam e-mails from NIM; people who had purchased internet mailing software from NIM that failed to function as advertised but who were nevertheless denied a full refund as promised; and people whose e-mail addresses or domain names had been used without their permission and fraudulently inserted into forged "From:" headers in spammed e-mail messages.

37.
The complaints made to the Washington Attorney General's Office included a complaint made by J.N., who is a Senior Computer Systems Specialist with the Santa Barbara Department of Social Services, in Santa Maria, California. On April 9, 2007, I contacted J.N. by telephone, and he reported the following to me:

a) Employees of the Santa Barbara Department of Social Services (DSS) began receiving unsolicited e-mail addressed to their individual work e-mail addresses in around February of 2007. The e-mail was fraudulent because it listed the same e-mail address in both the "To:" and "From:" fields in the header. The e-mail address that was used included the name of an individual DSS employee, and the domain name of DSS ("ktc@sdcsocialserv.org"). The employee had not sent this e-mail to himself. J.N. reported that four other employees were receiving the same e-mails, also with forged "From" headers that contained their own names in both the "From:" and "To:" fields.

b) The message sent with the forged headers stated that: "we email advertise your charity web site to 7,500,000 people. free", and contained a link to a website at domain: "emailmarketingassociates.com". J.N. researched the website on the Internet and discovered that the mass e-mail marketing business belonged to Robert Soloway, and was purportedly located at 1001 4th Ave., #1259, Seattle, Washington, 98111. (As noted above, I have investigated that address, which has repeatedly been identified on Soloway's websites as the address for his company, and have determined that it is not a valid address.)

c) J.N. further reported that the spamming of DSS employees had continued for about eight weeks at the time I spoke with him, and that the cost to Santa Barbara County DSS to deal with this spam that contained forged e-mail addresses of DSS employees was about $1,000.00 per week, based on the hours of IT employees that had been spent trying to put a stop to it.

38.
Other complaints filed with the Washington Attorney General's Office from individuals who have had their own, or their company's, e-mail address or domain name effectively stolen, and used fraudulently in a forged "From" header in spam include H.D., from Minnesota, J.A. from California, and M.H. of California. These complainants note that because their own e-mail addresses are being forged and inserted fraudulently into the "From" headers of spam, they are unable to stop the spam by any filter. M.H. reported that his company is losing revenue due to complaints that it is sending spam, because Broadcast Email Services is sending spam with his company's e-mail addresses and domain name in forged "From" headers.

B. Technical and Other Evidence Corroborating Victim Claims

39. In January, 2007, an Internet Service Provider (ISP) provided three servers to the FBI. The ISP turned the servers over to the FBI because the customer who had leased them had violated the ISP's terms of service agreement by using them to transmit spam. An Agent from the Seattle FBI Cyber Squad, as well as an Agent from the FBI's Computer Analysis Response Team (CART), forensically examined the three servers. Based on that examination, they made the following findings:

a) A software program called Dark Mailer had been installed on all three servers. Dark Mailer (as defined by the online encyclopedia Wikipedia) is a software program that has been under attack from anti-spam groups since its inception. The software taps into a network of zombie proxy computers and is able to send 50,000 pieces of e-mail per hour, from a regular cable modem connection. It affords near-total anonymity because of the zombie proxy network feature. Dark Mailer proponents claim it can be used for legitimate "bulk-emailing" to opt-in subscribers, but the fact that it relies on zombie proxy computers to transmit the "bulk e-mails" is inconsistent with claims of legitimacy.
It is widely believed within the Internet security industry that Dark Mailer is often used by spammers, who are able to conceal their connection to spamming activity because of the anonymity provided by Dark Mailer's zombie proxy network system. Dark Mailer does not currently have an official website for downloading; copies, however, can still be found.

b) The Dark Mailer program installed on the three servers was configured to copy e-mail addresses from text files to a template, send the e-mail out using the template, and record the e-mail address of the sent e-mail in a file called C:\SENT\SENT.TXT. A review of the SENT.TXT files on two of the servers revealed that e-mail had been sent from server1 to 57 million e-mail addresses, and sent from server2 to 37 million e-mail addresses, in a three month period. The Dark Mailer software was also configured on all three servers to use a list of 2,023 proxy computers to resend the e-mail. This configuration, as noted above, would effectively disguise the originating source of the e-mail.

c) The body of the e-mail template configured on the Dark Mailer software included the following text: "email advertise like this to 8,000,000 people... free.."

d) A copy of the website that had been viewed by one of the spam complainants at "http://www.advertisingemailecorporation.com" was available, and was compared to the content of websites that had been copied from "www.emailadvertisinginc.com", "www.newportcorp.cn", and "www.colidsilver.com". All of these websites had identical content, and all listed PO Box 1259, Seattle, WA (the PO Box registered by Soloway), as an address for receipt of orders and payments for the "broadcast e-mail" services and software that were offered for sale on each website.

40. The ISP that turned over the servers to the FBI identified the person who had leased them as "Rob Solowa," 1200 Western Avenue, Seattle, WA, 98101, telephone number 206-226-9558.
The servers were leased by "Solowa" beginning in September, 2006 until the ISP took them offline on approximately December 15, 2006.

41. In April of 2007 I learned that spam potentially connected to Soloway was being transmitted from IP addresses 209.160.33.45, 209.160.41.77, and 209.160.41.78. Through WHOIS lookups, I learned that these IP addresses belonged to an ISP named Hopone Internet Corporation. On April 19, 2007, I contacted Hopone, and was referred to the abuse department. The head of the department reported that the servers with those IP addresses had been taken offline due to a violation of Hopone's terms of use policy. He stated that Hopone had learned about this when it was contacted by another ISP, which had informed Hopone that the three IP addresses were sending out spam. He further advised that the three servers containing the hard drives using the above IP addresses had not been touched after they were powered off. Because the contract had been violated by the customer, the abuse manager for Hopone Internet Corporation agreed to provide the hard drives to the FBI. After a "Consent to Search" document was signed by management officials at Hopone Internet Corporation, I took possession of the hard drives on April 20, 2007.

42. An Agent from the Seattle FBI Cyber Squad, as well as an Agent from the FBI's CART team, analyzed these three servers. Based on that examination, they made the following findings:

a) The Dark Mailer program was installed on all three servers. Dark Mailer was configured to copy sent e-mail messages in text files beginning with the letters "em", in a directory called "sent." A review of the "em" text files on the hard drives revealed that 120,000,000 e-mails had been sent to 79,610,868 unique e-mail addresses.

b) The hard drives all contained text files beginning with "list", followed by a number. For example, on one server the first "list" file started with "list0001.txt" and ended with "list0136.txt." Together these files contained 135,579,118 unique e-mail addresses. The majority of the e-mail addresses used the names "accounting", "admin", "billing", "contact", "feedback", "help", "info", "mail", "sales", "service", "support", and "webmaster", with different domain names.

c) A file named "doms" was present that contained 3,177,034 unique domain names.

d) Dark Mailer was configured to use proxy IP addresses to resend the e-mail to the ultimate recipient. A review of the proxy text files revealed that 3,148 unique IP addresses were included in this proxy network.

43. According to Hopone records, the person paying for the three servers with the IP addresses of 209.160.33.45, 209.160.41.77, and 209.160.41.78 was identified as "Robert Solowa," 1200 Western Avenue - 17E, Seattle, Washington, 98101, telephone number 206-226-9558, e-mail address: powerseller2003@mailshack.com. "Robert Solowa" had begun paying for these servers on December 29, 2006, and continued to do so until they were taken offline in mid-April of 2007. Hopone records also indicated that these servers had been managed on April 3, 2007 and April 4, 2007 by someone who was originating their communication from an IP address of 24.143.67.229.

44. I did a WHOIS lookup on IP address 24.143.67.229, and learned that it belonged to an ISP named Millennium Digital Media Systems. Millennium Digital subsequently provided records that identified the subscriber to whom IP address 24.143.67.229 was assigned from March 8, 2007 to April 6, 2007 as Robert Soloway, 1200 Western Avenue, Apt. 17E, Seattle, Washington, 98101-2964, telephone number 206-226-9558.

45. During the course of this investigation, I have received and reviewed information and records that show a connection to, and indicate that Robert Soloway has used as many as 50 different domain names, over a two year period, as the hosting address for the website to advertise his spamming services and software.
Many of these were used prior to the start of my investigation, and I have not been able to obtain records with respect to the registrations for them. Three of the domain names that were utilized in 2004 were reportedly registered to "Robert Alan" or "Bob Alan." Since approximately March of 2006, the domains connected to the scheme have typically been registered through an ISP in China.

46. One of the domain names that has been used in Soloway's scheme, colidsilver.com, was registered and paid for with the stolen identity of C.W., from Texas. I interviewed C.W. in December, 2006, and he reported to me as follows:

a) In mid-September of 2006, C.W. noted four odd charges on his credit card statement. One of these was for the registration of the www.colidsilver.com domain. C.W. had never registered a domain, or given any one else permission to do so. C.W. contacted his bank, which reversed the charge.

b) C.W. also accessed the website www.colidsilver.com to see what it was. C.W. observed that it was a website for "Broadcast Email Corporation." C.W. looked through the website and noted that the "owner" was listed as "Bob Soloway." C.W. does not know Bob Soloway and did not authorize him to use his credit card information to register the domain www.colidsilver.com.

C. Money Laundering Activity

47. As part of this investigation, SA Sylvia Reyes, IRS-CI, has obtained and reviewed numerous banking, credit card, and on-line financial account records for Soloway and NIM. SA Reyes has shared her findings with me.

48. SA Reyes has determined from the records she has reviewed that Soloway is the sole shareholder of NIM, and he alone holds ownership, financial interests, and control of the corporate assets. She also found that Soloway routinely commingles personal and corporate assets and liabilities.

49.
SA Reyes has identified multiple banking, credit card, and on-line financial accounts that have been used by Soloway and NIM as accounts for deposits of proceeds from the mail and wire fraud and spam scheme activities. Specific accounts used for this purpose by Soloway and NIM are further specifically identified in the Affidavit of SA Silvia Reyes in Support of Seizure Warrants that is attached hereto and fully incorporated by reference herein.

50. SA Reyes has also identified numerous payments made by Soloway and NIM from accounts containing proceeds of the scheme, that have been made to continue and promote the carrying on of the scheme. These include payments, for example, to rent servers, to pay for hosting servers, to pay for ISP services, to pay for money transmitting services, to pay for package delivery services, and to pay the rent on Soloway's apartment, which is also his place of business.

51. Consistent with, and based on the findings of SA Reyes as more fully set forth in her Affidavit in Support of Seizure Warrants, attached hereto and fully incorporated by reference herein, there is probable cause to believe that any and all business records of NIM corporation and any and all financial records of either Soloway or NIM are, or contain, fruits, instrumentalities and evidence of violations of Title 18 U.S.C. Sections 1037(a)(2) and (a)(3) (Fraud in Electronic Mail), Title 18 U.S.C. Section 1341 (Mail Fraud), Title 18 U.S.C. Section 1343 (Wire Fraud), Title 18 U.S.C. Section 1028(A) (Aggravated ID Theft), and Title 18 U.S.C. Section 1956(a)(1) (Money Laundering).

D. Other Investigative Information

52. As part of this investigation, I learned that Robert Soloway and Newport Internet Marketing were named as defendants in a civil action filed by the Microsoft Corporation, in King County Superior Court, in December, 2003 (Case No. 03-2-12648-9 SEA). Plaintiff alleged violations of Washington State, and federal law based on Soloway's spamming activities.
During the course of that litigation, Soloway responded to questions, under oath, in a proceeding on October 26, 2005. I have reviewed portions of the transcript from that proceeding. Included within the information Soloway provided under oath was the following:

a) Soloway "established residency for tax purposes" in Washington State in January of 2004, although he had come to the state and "set things up" in his apartment prior to that time.

b) Soloway started the Newport Internet Marketing company in 1996, and he is the sole employee and the sole company officer. Soloway's employment with NIM has been the "only employment [he's] had in [his] life."

c) Soloway works and runs his company from his one bedroom apartment in Seattle, Washington, at 1200 Western Avenue, Apartment 17E, Seattle, Washington 98101.

d) Soloway has and uses a computer and related supporting equipment at his apartment at 1200 Western Avenue to run his business.

e) Soloway rents a storage facility at a Public Storage facility on Northup Way in Bellevue, Washington, and keeps his business records there.

53. As part of this investigation, I have obtained records from Public Storage, which confirm that Robert Soloway leased Storage Unit A145, at the Public Storage facility located at 12465 Northup Way, Bellevue, WA 98005 on April 18, 2005, and that he has continuously leased that storage unit ever since.

54. As part of this investigation, I have confirmed with the management of the Harbor Steps Apartment Complex that Robert Soloway has rented Apartment 17E, at the Harbor Steps Complex, located at 1200 Western Avenue, Seattle, Washington 98101, since November 28, 2003, and that he has continued to rent and occupy that same apartment ever since.

III. COMPUTER and ELECTRONIC EVIDENCE

55.
Based on the information in this affidavit, I believe that one or more computer systems are located at 1200 Western Avenue, Apartment 17E, Seattle, Washington, 98101, and that the computer system(s) located at the premises are instrumentalities of crime and constitute the means by which violations of Title 18 U.S.C. Sections 1037(a)(2) and (a)(3) (Fraud in Electronic Mail), Title 18 U.S.C. Section 1341 (Mail Fraud), Title 18 U.S.C. Section 1343 (Wire Fraud), Title 18 U.S.C. Section 1028(A) (Aggravated ID Theft), and Title 18 U.S.C. Section 1956(a)(1) (Money Laundering) have been committed. Therefore, I believe that there is probable cause to seize the computer system(s) as instrumentalities of criminal activity.

56. In addition, it has been my experience that it is common for those engaging in computer fraud and e-mail fraud to use computers or other electronic media to store information such as passwords, account numbers, identification documents or means of identification, and correspondence with banks or other institutions regarding accounts they may have accessed. It is my belief that any number of the items sought in this affidavit may be found stored electronically. Based on my experience and my consultation with Special Agent CART examiner Russell E. Fox, Seattle FBI (who has nine years of computer forensics experience and specialized training and experience in searching for electronic evidence), I also know that electronic evidence can be moved easily from one computer or electronic storage medium to another. As a result, I believe that electronic evidence may be stored on any computer or electronic storage medium present at the search sites.

57. In addition, based on my training and experience and that of Russell Fox, I know that in most cases it is impossible to successfully conduct a complete, accurate, and reliable search for electronic evidence stored on a computer or other electronic storage media during the physical search of a search site.
This is true for a number of reasons, including but not limited to the following:

a. Technical Requirements: Searching computers and other electronic storage media for criminal evidence is a highly technical process requiring specific expertise and a properly controlled environment. The vast array of computer hardware and software available requires even computer experts to specialize in particular systems and applications, so it is difficult to know before a search which expert is qualified to analyze the particular system(s) and electronic evidence found at a search site. As a result, it is impossible to bring to the search site all of the necessary personnel, technical manuals, and specialized equipment to conduct a thorough search of every possible computer system. In addition, electronic evidence search protocols are exacting scientific procedures designed to protect the integrity of the evidence and to recover even hidden, erased, compressed, password-protected, or encrypted files. Since computer evidence is extremely vulnerable to inadvertent or intentional modification or destruction (both from external sources and from destructive code embedded in the system such as a "booby trap"), a controlled environment is essential to ensure its complete and accurate analysis.

b. Volume of Evidence. The volume of data stored on many computers and other electronic storage media is typically so large that it is impossible to search for criminal evidence in a reasonable period of time during the execution of the physical search of a search site. A single megabyte of storage space is the equivalent of 500 double-spaced pages of text. A single gigabyte of storage space, or 1,000 megabytes, is the equivalent of 500,000 double-spaced pages of text. A fifteen gigabyte storage device would, therefore, contain the equivalent of 7.5 million pages of data, which, if printed out, would completely fill a 10' x 12' x 10' room to the ceiling.
Computer hard drive capacities of hundreds of gigabytes are now commonplace. Consequently, the volume of data within a typical non-networked computer system is equivalent to many millions, and possibly billions, of printed pages.

c. Hidden or Obfuscated Evidence. Computer users can conceal data within computers and electronic storage media through a number of methods, including the use of innocuous or misleading filenames and extensions. For example, files with the extension ".jpg" often are image files; however, a user can easily change the extension to ".txt" to conceal the image and make it appear as though the file contains text. Similarly, computer users can encode communications to avoid using key words that would be consistent with the criminal activity. Computer users also can attempt to conceal electronic evidence by using encryption technologies. For example, some encryption systems require that a password or device, such as a "dongle" or "keycard," be used to obtain a readable form of the data. In addition, computer users can conceal electronic evidence within another seemingly unrelated and innocuous file using a process known as "steganography." For example, by using steganography, a computer user can conceal text in an image file in such a way that it cannot be read when the image file is opened using ordinary means. As a result, law enforcement personnel may have to search all the stored data to determine which particular files contain items that may be seized pursuant to the warrant. This sorting process can take a substantial amount of time, depending on the volume of data stored and other factors.

d. Deleted or Downloaded Files. Computers and other electronic storage media allow suspects to delete files to attempt to evade detection or to take other steps designed to frustrate law enforcement searches for information.
However, searching authorities can recover computer files or remnants of such files months or even years after they have been downloaded onto a hard drive, deleted, or viewed via the Internet. When a person "deletes" a file on a home computer, the data contained in the file do not actually disappear; rather, the data remain on the hard drive until they are overwritten by new data. As a result, deleted files, or remnants of deleted files, may reside in free or "slack" space (i.e., in space on the hard drive that is not allocated to an active file or that is unused after a file has been allocated to a set block of storage space) for long periods of time before they are overwritten. A computer's operating system may also keep a record of deleted data in a "swap" or "recovery" file. Similarly, files that have been viewed via the Internet are automatically downloaded into a temporary Internet directory or "cache." The browser typically maintains a fixed amount of hard drive space devoted to these files, and the files are only overwritten as they are replaced with more recently viewed Internet pages. Thus, the ability to retrieve the residue of an electronic file from a hard drive depends less on when the file was downloaded or viewed than on a particular user's operating system, storage capacity, and computer habits.

58. In accordance with the information in this affidavit, law enforcement personnel will execute the search of computer systems seized pursuant to this warrant as follows:

a. Upon securing the search site, law enforcement personnel will seize the computer systems and transport them to an appropriate law enforcement laboratory for review. The computer systems will be reviewed by appropriately trained personnel to extract and seize any data that falls within the list of items to be seized pursuant to the warrant.

b.
In order to search fully for the items identified in the warrant, law enforcement personnel may examine all of the data contained in the computer systems to view their precise contents and determine whether the data fall within the list of items to be seized pursuant to the warrant. Because of the above-described technical requirements, volume of evidence, and the ability of suspects to delete, download, hide and/or obfuscate evidence, the analysis of electronically stored data may entail any or all of several different computer forensics techniques. Such techniques may include, but are not limited to, surveying various file "directories" and the individual files they contain (analogous to looking at the outside of a file cabinet for the pertinent files in order to locate the evidence and instrumentalities authorized for seizure by the warrant); "opening" or reading the first few "pages" of such files in order to determine their precise contents; "scanning" storage areas to discover and possibly recover recently deleted data; scanning storage areas for deliberately hidden files; and performing electronic "keyword" searches through all electronic storage areas to determine whether occurrences of language contained in such storage areas exist that are related to the subject matter of the investigation.

59. In order to search for data that fall within the list of items to be seized pursuant to the warrant, law enforcement personnel will seize and search the following items (heretofore and hereinafter referred to as "computer systems"), subject to the procedures set forth above:

a. Any computer equipment and storage device capable of being used to commit, further, or store evidence of the offense listed above;

b. Any computer equipment used to facilitate the transmission, creation, display, encoding or storage of data, including word processing equipment, modems, docking stations, monitors, printers, plotters, encryption devices, and optical scanners;

c.
Any magnetic, electronic or optical storage device capable of storing data, such as floppy disks, hard disks, tapes, CD-ROMs, CD-R, CD-RWs, calculators, electronic dialers, electronic notebooks, and personal digital assistants;

d. Any documentation, operating logs and reference manuals regarding the operation of the computer equipment, storage devices or software;

e. Any applications, utility programs, compilers, interpreters, and other software used to facilitate direct or indirect communication with the computer hardware, storage devices, or data to be searched;

f. Any physical keys, encryption devices, dongles and similar physical items that are necessary to gain access to the computer equipment, storage devices or data; and

g. Any passwords, password files, test keys, encryption codes or other information necessary to access the computer equipment, storage devices or data.

IV. CONCLUSION

60. Based on the facts and evidence presented in this affidavit, I believe there is probable cause to believe that fruits, instrumentalities and evidence of violations of Title 18 U.S.C. Sections 1037(a)(2) and (a)(3) (Fraud in Electronic Mail), Title 18 U.S.C. Section 1341 (Mail Fraud), Title 18 U.S.C. Section 1343 (Wire Fraud), Title 18 U.S.C. Section 1028(A) (Aggravated ID Theft), and Title 18 U.S.C. Section 1956(a)(1) (Money Laundering) as set forth in Attachment B, exist at: 1200 Western Avenue, Apartment 17E, Seattle, WA, 98101, and in computers and/or other electronic storage devices located therein, and at Storage Unit A145, Public Storage Inc., 12465 Northup Way, Bellevue, WA 98005, and in computers and/or other electronic storage devices located therein.

KENNETH A. SCHMUTZ, Special Agent

Subscribed to and Sworn to before me this 23 day of May, 2007.
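The forged-header pattern reported in paragraphs 37 and 38 above (the recipient's own address placed in both the "To:" and "From:" fields) is something a receiving mail server can check mechanically. The Python below is an added illustration, not part of the affidavit or of any FBI tool; the messages it parses are constructed samples using example.org addresses, not evidence from the case.

```python
"""Detect the self-addressed forged "From:" pattern from paragraphs 37-38.

Added example (not part of the affidavit). The messages below are constructed
samples that use example.org addresses; they are not evidence from the case.
"""
from email import message_from_bytes
from email.utils import getaddresses

# Constructed sample messages. The first reproduces the shape reported by J.N.:
# the recipient's own address sits in both the "From:" and "To:" fields.
SAMPLE_MESSAGES = {
    "self_addressed_spoof": (
        b"From: jdoe@example.org\r\n"
        b"To: jdoe@example.org\r\n"
        b"Subject: advertise your charity web site\r\n"
        b"\r\n"
        b"we email advertise your charity web site to 7,500,000 people. free\r\n"
    ),
    # Display name differs, but the bare address is still one of the recipients.
    "spoofed_multi_recipient": (
        b'From: "Help Desk" <support@example.org>\r\n'
        b"To: alice@example.org, support@example.org\r\n"
        b"Subject: hello\r\n\r\nbody\r\n"
    ),
    # Ordinary internal mail: sender and recipient differ.
    "legitimate": (
        b"From: alice@example.org\r\n"
        b"To: jdoe@example.org\r\n"
        b"Subject: lunch\r\n\r\nbody\r\n"
    ),
    # Same local part on a different domain is not a match.
    "same_name_other_domain": (
        b"From: jdoe@example.net\r\n"
        b"To: jdoe@example.org\r\n"
        b"Subject: hi\r\n\r\nbody\r\n"
    ),
}


def header_addresses(msg, header):
    """Bare addresses in a header (display names dropped), lower-cased for comparison."""
    return {addr.lower() for _name, addr in getaddresses(msg.get_all(header, [])) if addr}


def is_self_addressed(raw):
    """True when any address appears in both From: and To:.

    People do occasionally mail themselves, so treat a hit as a strong signal
    to quarantine and review, not as proof of forgery by itself.
    """
    msg = message_from_bytes(raw)
    return bool(header_addresses(msg, "From") & header_addresses(msg, "To"))


def flagged_labels(messages=SAMPLE_MESSAGES):
    """Labels of the sample messages that trip the check, in sorted order."""
    return sorted(label for label, raw in messages.items() if is_self_addressed(raw))


if __name__ == "__main__":
    for label in flagged_labels():
        print("flagged:", label)
```

The comparison is done on the bare address after `getaddresses` strips display names, so a forged "Help Desk" label does not hide the match; the check deliberately ignores the local part alone, since the same name on another domain (the last sample) is ordinary mail rather than the pattern the complainants describe.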
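Paragraph 57(c) and 57(d) above describe two concealment methods an examiner has to anticipate: an image file renamed so that its ".jpg" extension reads ".txt", and deleted data that lingers in unallocated space until overwritten. Both are found the same way, by looking at the bytes rather than the name. The Python below is an added illustration and is not part of the affidavit or of any CART procedure; the file contents and the buffer standing in for unallocated space are constructed samples.

```python
"""Signature checks for the concealment methods in paragraphs 57(c) and 57(d).

Added example (not part of the affidavit or any CART procedure). The file
contents and the "unallocated space" buffer below are constructed samples.
"""

# Leading bytes ("magic numbers") of a few common file types.
SIGNATURES = {
    "jpg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "pdf": b"%PDF-",
    "zip": b"PK\x03\x04",
}
EXT_ALIASES = {"jpeg": "jpg"}


def detect_type(data):
    """Type implied by the content's leading bytes, or None if unrecognized."""
    for name, magic in SIGNATURES.items():
        if data.startswith(magic):
            return name
    return None


def extension_mismatches(files):
    """Files whose content signature disagrees with their extension (57(c)).

    files maps a filename to its bytes. Returns [(name, actual_type), ...].
    """
    out = []
    for name, data in files.items():
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        ext = EXT_ALIASES.get(ext, ext)
        actual = detect_type(data)
        if actual is not None and actual != ext:
            out.append((name, actual))
    return out


def carve_signatures(buffer):
    """Offsets of known headers inside raw bytes such as unallocated space (57(d)).

    Returns [(offset, type), ...] sorted by offset. Every hit is reported so the
    examiner decides which are real remnants and which are coincidental bytes.
    """
    hits = []
    for name, magic in SIGNATURES.items():
        start = buffer.find(magic)
        while start >= 0:
            hits.append((start, name))
            start = buffer.find(magic, start + 1)
    return sorted(hits)


# Constructed samples: a JPEG renamed to .txt, a genuine text file, a genuine JPEG.
SAMPLE_FILES = {
    "notes.txt": b"\xff\xd8\xff\xe0\x00\x10JFIF" + b"\x00" * 16,
    "readme.txt": b"plain text, nothing hidden\n",
    "photo.jpg": b"\xff\xd8\xff\xe1" + b"\x00" * 16,
}

# Constructed stand-in for unallocated space: zeros with the remnant of a
# deleted PDF at offset 16 and of a deleted JPEG at offset 48.
UNALLOCATED = (
    b"\x00" * 16
    + b"%PDF-1.4 deleted invoice"  # 24 bytes
    + b"\x00" * 8
    + b"\xff\xd8\xff\xe0 image remnant"
)


if __name__ == "__main__":
    print(extension_mismatches(SAMPLE_FILES))
    print(carve_signatures(UNALLOCATED))
```

`extension_mismatches` only reports files whose leading bytes match a known signature, so an unknown format is never mis-labelled; `carve_signatures` is the simplest form of the "scanning storage areas to recover deleted data" step in paragraph 58(b), and a real carver would go on to read each format's own length fields to decide where the remnant ends.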