How the FBI Nabbed the "Spam King"By Deborah Gage | Posted 2007-08-03 Email Print
Modernizing Authentication — What It Takes to Transform Secure Access
A 27-year-old Seattle resident, arrested for mail fraud, wire fraud and identity theft, pled not guilty to the charges. Learn how the feds built their case.When the FBI raided Robert Soloway's apartment, on the 17th floor of a luxury building in Seattle that overlooks Puget Sound, they found evidence of a man who lived a very comfortable life. There were 18 coats, 30 jackets and 24 pairs of shoes. There were several pairs of designer sunglasses, an Armani watch and lots of electronicscell phones, iPods, computer monitors.
The government claims these are the fruits of a business built on spam. Between November 2003 and May of this year, Soloway's company, Newport Internet Marketing, sent millions, possibly billions, of e-mails and earned $250,000, according to a lawsuit filed in federal court in Seattle. Those earnings are "conservative," says Assistant U.S. Attorney Kathryn Warma, and will likely go up. She says Soloway collected money for both services and software that sent spam.
Soloway, 27, pleaded not guilty to the government's chargeswhich include mail fraud, wire fraud, money laundering and identity theftand sits in prison while his case moves through court. His attorney, Richard Troberman, had no comment.
Warma believes Soloway had been spamming for 10 years, since he was a teenager. The Federal Trade Commission, the Better Business Bureau and U.S. Attorney's offices in Seattle and Portland, Ore., all have complaints about spam traced to Soloway, some dating back to 1999. He was sued in 2004 by Microsoft in Washington state for violating federal and state anti-spam laws. In 2005, similar charges were filed against him in Oklahoma by Robert H. Braver, who provided Internet services for various businesses and individuals. Both won multimillion-dollar judgments against Soloway, although neither has received any payment. When Soloway was arrested by the FBI on May 30, Warma says, he'd been ignoring a permanent injunction against spamming from the federal judge in the Oklahoma case for 18 months.
"He would brag on forums, 'No one can ever touch me,'" she says.
Soloway's company, which he ran out of his apartment, advertised "broadcast e-mail" that would boost customers' sales by up to 500%. The software that he sold didn't work as promised, according to the government; when it did, it sent spam.
Warma says the government has evidence that Soloway rented botnetsnetworks of hijacked computersto send spam, although it's not clear how he acquired e-mail addresses or the 50 domain names he used (some registered with Chinese ISPs) to set up Web pages and advertise his company. Some e-mail addresses and domain names belonged to other people, who got blacklisted as spammers themselves because Soloway apparently forged the headers on his e-mails to make them look like the senders.
Critical evidence came to the FBI from some of Soloway's victims, according to Warma, who spent months tracking him down. An ISP in Minnesota, identified in court documents by the initials AG, noticed spam coming from an unregistered domain. To get a handle on the amount of spam being distributed, the ISP bought the domain, registered it himself, and began collecting e-mails that bounced back to the domain's server from invalid addresses. Over a week, AG collected 34,784 e-mails. After a while, there were 174,549 e-mails, and 99% of them included links to Soloway's Web sites, according to court documents. AG claimed to be spending two or three hours a day protecting his own customers from the spam.
Several FBI agents worked overtime for several weeks to build a case against Soloway, Warma says. She believes more spammers would be caught if the federal CAN-SPAM Act made it easier for the government to meet the law's definition of volume, which ranges from more than 2,500 messages over 24 hours to more than 250,000 during a year. Because many people don't know where to complain, she says, few do, so evidence in spam cases can be scarce.