The Weekend IBM.NET Almost Died

January 20, 1997

How A Revenge Spammer Abused IBM.NET — The “El Cheepo” / “Thinning Hair” (Yuri Rutman) Spams

By Mark J. Welch – updated January 20, 1997

This is a story about an angry junk email vendor and the damage he did in one week. But maybe it is really a story about how not to run an internet service business.

On January 1, 3, 4, and 5, 1997, someone sent huge volumes of junk email “spam” using an IBM.NET access account. Two different spams were sent: one promoted a baldness cure (the “Minoxydil” / “Thinning Hair” message) and the other appeared to promote an “adult” web service (the “El Cheepo” message).

The “Thinning Hair” message was extremely long, and was sent repeatedly, each time accompanied by a huge list of the email addresses to which that specific message was sent (the same message was sent to many different lists of email addresses). The “El Cheepo” spam was also sent multiple times, also accompanied by a list of email addresses; the “El Cheepo” message text was shorter but deliberately more offensive than the “Thinning Hair” spam.

The “El Cheepo” spam was forged to show a return address of “JOES@JOES.COM” and was intended to sound as if it promoted a web site (hosted at a domain called HE.NET), but in fact it was sent in order to harass the owner of the “Joe’s” web site — apparently because JOES.COM had terminated the “baldness cure” web page of Yuri Rutman, after Mr. Rutman repeatedly sent unsolicited commercial email (the “Thinning Hair” spam). The “El Cheepo” message ended with a specific statement that the sender would not remove names from his list, but would continue to spam with impunity.

The “El Cheepo” email appears to have been sent deliberately to provoke an aggressive response. And that’s exactly what happened. Huge numbers of complaints were sent to JOES.COM and HE.NET (Hurricane Electric), and as a result, the JOES.COM domain was completely cut off to prevent tens of thousands of “mailbombs” from completely stopping all traffic at the HE.NET site.

But many web-literate recipients immediately reported that the “El Cheepo” message was suspicious, because it looked more like “flame-bait” than solicitation. And a quick review of the message showed that it was broadcast entirely through the IBM.NET network, and not from any computers associated with JOES.COM or HE.NET. One suspicious sign: the “El Cheepo” and “Thinning Hair” spams were both sent from exactly the same IBM network nodes (at ny.us.ibm.net, which serves the entire eastern US).

IBM As Villain: Some users — including me — submitted multiple reports of these abuses to IBM.NET — and were ignored. I even called IBM.NET (IBM Global Network) and asked to speak to the network operations center or security department, but I was repeatedly told I could not do so.

At one point, Jim Howle (“jhowle@ibm.net”) posted a message stating that the user originating these spams had been “warned,” which was clearly not an appropriate action since the spam was continually and repeatedly being broadcast to the same people. (He later wrote to report that the offending account had been terminated, but by mid-week, his email address was disabled, probably due to angry mailbombing after the original inadequate reply.)

Later in the week, I received the following explanation from ReneBoer@IBM.Net: “The bad thing is that this spam hit just before the weekend. During the weekend the legal department is closed, and they are the only once that are allowed to investigate SPAMS and close the accounts used by offenders. Jim Howle you are referring to on your Web page is one of the people in the leagal depertment.” [sic]

Earlier, on Saturday and Sunday, the lack of any response or action by IBM — and the continuing re-broadcast of these same offensive messages from the same IBM.NET nodes — fueled a sense of outrage in many webmasters. Some Internet Service Providers (ISPs) began adding filters to block all incoming mail from IBM.NET — beginning the process of cutting IBM’s internet customers from email access to the internet.

I called IBM for the third time on Sunday evening and again was told there was no way I could speak with anyone in security or in the network operations center. I had forwarded about 50 copies of the “El Cheepo” and “Thinning Hair” spams to IBM.NET, and I also forwarded copies of many reports suggesting the source of the spam (see below) to IBM.NET, but I received no response at all, even to the earliest complaints submitted more than 48 hours earlier.

By Sunday evening, the consensus among those who were victimized by these spams was that IBM.NET was taking no action whatsoever, and the spams would continue. And many ISPs reported adding filters to block these spams, either by automatically deleting all email routed from any IBM.NET server, or by deleting every message that was routed through IBM’s “ny.us.ibm.net” server (which apparently serves the entire eastern US).

And thus, IBM.NET gradually began to be cut off from the Internet. IBM’s reaction in the next week will probably determine whether its customers will retain even partial access to the internet during the coming months. If IBM.NET continues to stonewall, I expect that even companies like Netcom, AOL, MSN, Prodigy, and CompuServe will begin filtering out any email from IBM.NET customers, in order to protect their customers from spam attacks.

Update: On Sunday evening, I called and demanded to speak to a supervisor, from whom I demanded that IBM.NET act immediately and treat this as an emergency. I then received a return call from “Jason” at IBM.NET, who worked diligently throughout the evening to resolve the issue; he called back later that evening to report that two accounts for this spammer had been terminated — one earlier that morning after the most recent spam was sent, and the other after it was discovered to be an account for the same user. He said IBM.NET would look into further action (perhaps even legal action) on Monday.

In a January 10 article in Network World Fusion, the damage done by this spam is discussed by Mike Leber, owner of Hurricane Electric (HE.NET) (which hosts JOES.COM).


Yuri Rutman (aka Bela Rutman): At the same time that anger was being poured at IBM.NET for failing to stop the spam, many users were trying to track down the source of the spam. The webmaster for JOES.COM (the victim of the “El Cheepo” spam) quickly released copies of two email messages he received after disabling a web page created by Yuri Rutman (reductase@msn.com) after that user repeatedly broadcast illegal unsolicited commercial email messages promoting his “baldness cure” web site at JOES.COM.

Who Is Yuri Rutman/Bela Rutman? He has been posting newsgroup messages and classified ads, using his email address reductase@msn.com for nearly a year, promoting several quite different “business enterprises.” One of them, not surprisingly, is a baldness cure. Another set of email messages seeks investors to contribute funding for a variety of Chicago-area and “international” movie projects. Another group of newsgroup postings asked writers to submit works to a “literary agency.” And a recent set of messages posted in “hacker” newsgroups sought assistance in cracking SMTP gateways and software codes. Earlier, he posted messages seeking independent contractors to design web sites and related work.

Yuri Rutman does use one address consistently for his varied enterprises: 6829 N. Lincoln-Suite 135, Lincolnwood, IL 60646,USA, telephone (847) 679-3916 (this is a recently-changed area code; some older messages still refer to the 708 area code). He also uses the address: 6421 St. Louis, Lincolnwood, IL 60645.

As of 1/9/96, it appears that all known email addresses for Yuri Rutman have been deactivated. Rutman had created two separate IBM.NET accounts, nicm@ibm.net and brutman@ibm.net (both were terminated by IBM.NET on 1/5/96). Earlier, in December 1996, he had used two forged IBM.NET email addresses when posting messages in newsgroups (dragon@ibm.net and noci@ibm.net) but specified the return address of “reductase@msn.com” in all those messages (“reductase” was his address throughout 1996 and is the name of the baldness cure he promotes). Rutman also operates an “autoresponder” mailbox at mailto:noci@answerme.com, one of many junk-email servers run by Sanford Wallace’s Cyber Promotions.

Try searching DejaNews (both the “current” and “old” databases) for “reductase@msn.com”.

Are You Sure? At first, I worried that Yuri Rutman might not actually be responsible for these spams, but both in a phone call to me and in a January 9 interview by Network World Fusion reporter Todd Wallack, Rutman admitted that he sent the “thinning hair” spams, and he claimed that “former employees” had sent the “El Cheepo Web Site” spam. He said he fired those employees, yet he also said that there was nothing wrong with his spams. (I doubt that an “operator” like Rutman ever had employees, and from the information I have — which is all posted on this site — I personally believe that Yuri Rutman personally sent all the spams.) Rutman also acknowledged to me that he wrote the email reproduced below.

So, What Should I Do? If you received one of these spams, be sure to forward copies (with complete headers) to postmaster@ibm.net or notify@ibm.net — and if you have suffered damage or loss, file a complaint with law enforcement officials. To expedite processing of your complaint, wait until IBM sends you a “ticket number” for your complaint, and then call IBM at 800-821-4612 or 800-727-2222 and ask to have your complaint upgraded to “severity one.”

Who Is the Villain? Clearly, Yuri Rutman is the chief “villain” behind this harassment campaign — and he told Network World that he would be happy to talk to people who are upset with him, if they call him at (847) 679-3916.

But another villain has been clearly identified: IBM.NET, which allowed this spam to continue to flow for 3 days without taking any meaningful action, and which continues to stonewall any complaints. IBM must take immediate action to provide prompt response to internet abuse complaints, or else its customers will find themselves shut off from the rest of the internet. IBM needs to post a public apology and provide detailed information on how to complain about internet abuses by its users, and it must train its staff to be responsive to severe abuses.


Yuri Rutman replies!

After the above information was distributed in the “net-abuse” newsgroups (news.admin.net-abuse.email and news.admin.net-abuse.misc), on January 6 a lengthy series of offensive email messages was posted from Yuri Rutman (reductase@msn.com). Most of the messages were filled with expletives and challenges to the “manhood” of other posters; I do not think those messages need repeating here (you can find them using DejaNews and searching for “reductase@msn.com”).

Here is one of Mr. Rutman’s “tamer” email messages, which I think was intended to blame an unnamed former employee for sending all the spam using one or more of Mr. Rutman’s accounts. I note that the writing style appears identical to the author of the threatening letter to “joe@joes.com” attributed to Mr. Rutman on Friday, January 3 (see http://www.ca-probate.com/yuri_hd.htm).


Subject: To Don Juneau/Dave Cooley
From: reductase@msn.com (yuri rutman)
Date: 1997/01/06
Message-Id: < 00005ca7+00011bc6@msn.com >
References: < 32cbf80f.651740@news-S01.ny.us.ibm.net > < 5ah5f9$eb@frodo.bagend.org > < 32d1b903.181324612@frackit.com >
< Pine.BSI.3.95.970104020702.1064Q-100000@xanadu.io.com >
Organization: The Microsoft Network (msn.com)
Newsgroups: news.admin.net-Abuse.misc

Dear Don:

all these posts have recently come to my attention as well as your “investigation” of me. In a way I hope you read the posts I posted to the other freaks, but I can say that I thank you for researching the “other” posts apparently made by me. Since I indicated my involvement with this whole matter should be absolved, allow me to respond to your KOOKA KABAl or whatever.

Case in point: I have had numerous employees over the last year and a half who had unrestricted access to my email account, most of them were indeed part time college students. The research that you came up with which originated from my account was virginal when I saw it several minutes ago. I have no idea about any posts to the groups you described except for a solicitation of literary materials. Because of legal reasons, I cannot give out the names of the individuals responsible for those posts, but at the same time, aside from them no longer working for me, as I have changed all my email passwords, sans a few people who are partners in the firm, I can only say that these were humorous things, but I thank you for bringing everything to my attention.

I was on vacation for the last several weeks and when I opened my mailbox and discovered the unmanly accusations from David Cooley, I had absolutely no idea what was going on until I traced the etiological source of the responsible party from my organizations who took it upon themselves to do whatever they may have pleased. I have no idea what this entire Joe’s thing is about, but I have subsequently dismissed the two individuals who I believe were responsible.

Nonetheless, even though you approached this matter with a bit of intelligence and informed me of posts that originated from my account, I can only say that I am not going to take these matters seriously. That’s the point of my emails to Cooley and Sahlavee, which they weren’t man enough to post on these groups, because I was sick of the harassing and immature way they and about a hundred others who emailed me dealt with the situation, which I subsequently posted. You have been nothing short of a gentleman with your investigation, as I am further conducting an in-house matter regarding all that has come to my attention.

Best.

Y

p.s.—In regards to all the harassment I’ve been receiving by David “GQ MODEL” Cooley, who is extremely distraught at his admittance of not being a real man, my offer still stands that if anyone, anyone, has any doubts as to my responsibility for any of this crap, i will meet them in a designated location in Chicago and they can confront me with the matter to my face, instead of assuming untruths behind my back like socially inept freaks like David Cooley or Sahlavea who are nothing more than Freud’s definition of having an Electra complex. Sans that, i am leaving town for several days and if you have any more info as to the origination of what actually happened, please let me know. thanks don

____________________

Below, I have reproduced portions of email (spam) apparently sent by Yuri Rutman.


The “El Cheepo” Spam

Received: from smtp-gw01.ny.us.ibm.net (smtp-gw01.ny.us.ibm.net [165.87.194.252]) by value.net (8.8.4/8.7.3) with SMTP id OAA06892 for < markwelch@ca-probate.com >; Fri, 3 Jan 1997 14:02:37 -0800 (PST)
From: joe@joes.com
Received: (from uucp@localhost) by smtp-gw01.ny.us.ibm.net (8.6.9/8.6.9) id VAA305740; Fri, 3 Jan 1997 21:30:57 GMT
Date: Fri, 3 Jan 1997 21:30:57 GMT
Message-Id: < 199701032130.VAA305740@smtp-gw01.ny.us.ibm.net >
Received: from slip129-37-233-146.mi.us.ibm.net(129.37.233.146) by smtp-gw01.ny.us.ibm.net via smap (V1.3mjr)
id smag1fz2l; Fri Jan 3 21:10:37 1997
Subject: EL Cheepo Web pages–Very hot and very discrete!
Apparently-To: < list deleted >

< text of spam deleted >

If you wish to be removed from my email list, Sorry,
no can do. The net is a free for all and if you don’t
like this email, simply delete it from your inbox.
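
The header review described earlier in this article (the message travelled only through IBM.NET hosts, never through JOES.COM or HE.NET) and the relay-based filter that ISPs applied can both be reproduced from the headers above. This is an added example in Python, not part of the original article; the function names and the two-label `base_domain` shortcut are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# "El Cheepo" headers as reproduced on this page (long lines re-folded,
# spaces inside <...> removed; Subject and recipient list omitted).
RAW_HEADERS = """\
Received: from smtp-gw01.ny.us.ibm.net (smtp-gw01.ny.us.ibm.net [165.87.194.252])
\tby value.net (8.8.4/8.7.3) with SMTP id OAA06892
\tfor <markwelch@ca-probate.com>; Fri, 3 Jan 1997 14:02:37 -0800 (PST)
From: joe@joes.com
Received: (from uucp@localhost) by smtp-gw01.ny.us.ibm.net (8.6.9/8.6.9)
\tid VAA305740; Fri, 3 Jan 1997 21:30:57 GMT
Date: Fri, 3 Jan 1997 21:30:57 GMT
Message-Id: <199701032130.VAA305740@smtp-gw01.ny.us.ibm.net>
Received: from slip129-37-233-146.mi.us.ibm.net(129.37.233.146)
\tby smtp-gw01.ny.us.ibm.net via smap (V1.3mjr)
\tid smag1fz2l; Fri Jan 3 21:10:37 1997
"""

FROM_RE = re.compile(r"^from\s+([^\s(\[]+)", re.I)   # leading "from <host>"
BY_RE = re.compile(r"\bby\s+([^\s(;]+)", re.I)        # "by <host>"
IP_RE = re.compile(r"[(\[](\d{1,3}(?:\.\d{1,3}){3})[)\]]")  # (a.b.c.d) / [a.b.c.d]

def base_domain(host):
    """Last two labels; a simplification that ignores suffixes like co.uk."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def parse_hops(msg):
    """Return Received hops oldest-first (each relay prepends its own line)."""
    hops = []
    for value in msg.get_all("Received", []):
        value = " ".join(value.split())              # unfold continuation lines
        sender, receiver, ip = (r.search(value) for r in (FROM_RE, BY_RE, IP_RE))
        hops.append({"from": sender.group(1) if sender else None,
                     "by": receiver.group(1) if receiver else None,
                     "ip": ip.group(1) if ip else None})
    return hops[::-1]

def analyze(raw):
    """Compare the claimed From domain with the hosts named in the relay path."""
    msg = message_from_string(raw)
    hops = parse_hops(msg)
    claimed = base_domain(parseaddr(msg.get("From", ""))[1].rpartition("@")[2])
    domains = {base_domain(h[k]) for h in hops for k in ("from", "by") if h[k]}
    origin = next((h for h in hops if h["from"]), {"from": None, "ip": None})
    # Only the top Received line was written by the recipient's own server;
    # lower lines are only as trustworthy as the relay that added them.
    return {"claimed_domain": claimed,
            "path_domains": domains,
            "origin_host": origin["from"],
            "origin_ip": origin["ip"],
            "from_seen_in_path": claimed in domains}

def routed_through(raw, suffix):
    """True if any host in the relay path ends with suffix (the ISP filter)."""
    hops = parse_hops(message_from_string(raw))
    return any(h[k] and h[k].lower().endswith(suffix)
               for h in hops for k in ("from", "by"))
```

A From domain that never appears in the relay path is a signal to investigate rather than proof of forgery, since legitimate mail can also be submitted through a third-party relay.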


The “Thinning Hair” Spam

Return-Path: < nicmrk@orchid.com >
From: nicmrk@orchid.com
server3.voicenet.com (8.7.6/8.7.3) with ESMTP id FAA17097 for
< billd@voicenet.com > ; Sun, 5 Jan 1997 05:04:59 -0500 (EST)
Received: from smtp-gw01.ny.us.ibm.net (smtp-gw01.ny.us.ibm.net
165.87.194.252) by mail2.voicenet.com (8.7.6/8.7.3) with SMTP id FAA19684
for < billd@voicenet.com > ; Sun, 5 Jan 1997 05:17:24 -0500 (EST)
Received: (from uucp@localhost) by smtp-gw01.ny.us.ibm.net (8.6.9/8.6.9) id
JAA169181; Sun, 5 Jan 1997 09:54:16 GMT
Received: from slip129-37-233-94.mi.us.ibm.net(129.37.233.94) by
smtp-gw01.ny.us.ibm.net via smap (V1.3mjr)
id smampZq_J; Sun Jan 5 08:55:14 1997
Date: Sun, 5 Jan 1997 09:54:16 GMT
Message-Id: < 199701050954.JAA169181@smtp-gw01.ny.us.ibm.net >
Subject: THINNING HAIR? MINOXIDIL USERS? (UPDATED)

< names deleted >

Content-Type: text
X-UIDL: 140884e7736a5dffb99714e48874a948

< spam text deleted >


Yuri Rutman’s Angry Email

“Joe Doll” forwarded a copy of the following message which he reported receiving from Yuri Rutman after Joe Doll disabled Mr. Rutman’s web site after repeated spamming complaints:

Return-Path: reductase@msn.com
Received: from upsmot03.msn.com (upsmot03.msn.com [204.95.110.85]) by he.net (8.6.12/8.6.9) with ESMTP id WAA32525 for < joe@joes.com > ; Thu, 2 Jan 1997 22:35:10 -0800
Received: from upmajb02.msn.com (upmajb02.msn.com [204.95.110.74]) by upsmot03.msn.com (8.6.8.1/Configuration 4) with SMTP id WAA05148; Thu, 2 Jan 1997 22:34:20 -0800
Date: Fri, 3 Jan 97 06:36:54 UT
From: “yuri rutman” < reductase@msn.com >
Message-Id: < UPMAIL07.199701030639080175@msn.com >
To: “Joe Doll” < joe@joes.com >
Cc: dyhard5@aol.com
Subject: RE: World’s Leading Treatments For Thinning Hair

Dear Joe:

I have just informed my attorney of your decision to remove my account. Even though my site is on a private site owned by you, your removal will constitute interference with commercial activity under various UCC laws in my state as well as yours. Further, any lost business that I will accumulate as a result of this–and I am estimating an aggregate of $45,000 per month, will result in a civil suit against you. I will also file an emergency petition for an injunctive relief for you to (i) reactivate my account, and (ii) such will prevent you from canceling it until the hearing date. You can consult with your own counsel regarding this matter. $250 for the filing Joe and 50 bucks for a sheriff’s notice is peanuts to me.

Regarding, you “educating”, I have saved all your emails where you “instruct” on where to post to newsgroups and this contradicts with your current message.

Regarding, your loss of money, I question your honesty and integrity because you cannot possibly lose one dime.

Regarding my emails, my marketing company specifically asks that if people want to be removed, they should reply. If they want more information, they should respond to an autoresponder and then and only then is the web site location given, not before. So, if there are socially inept hate mongols out there, it is not my fault.

I am not trying to make an enemy with you, I want to work with you and you will not listen to me and will not cooperate.

The choice is yours, Joe. Not only will I file an injunctive relief, a civil suit for monetary damages, but I will publicly make an issue out of this utilizing the best P.R. firms I can hire, and aside from my web site disappearing, i can assure you, so will yours, including your “trading-partner”–ADGRAFIX. I do not like headaches, but if I am given them for unjust reasons, I will pursue all remedies available at law and in equity.

I was the gentleman here, Joe.

I look forward to continued business with you. I await your reply.

sincerely yours,

Yuri Rutman


“Here It Comes”

Less than one hour after Yuri Rutman sent the above message, the following message was sent from a throw-away AOL account, announcing the revenge spam:

Return-Path: Hotgy656@aol.com
Received: from emout15.mail.aol.com (emout15.mx.aol.com [198.81.11.41]) by he.net (8.6.12/8.6.9) with ESMTP id AAA06364 for < joe@joes.com > ; Fri, 3 Jan 1997 00:07:40 -0800
From: Hotgy656@aol.com
Received: by emout15.mail.aol.com (8.6.12/8.6.12) id DAA06359 for joe@joes.com; Fri, 3 Jan 1997 03:07:09 -0500
Date: Fri, 3 Jan 1997 03:07:09 -0500
Message-ID: < 970103030708_745158854@emout15.mail.aol.com >

To: joe@joes.com
Subject: Dear Joe:

I understand youve disconnected Yuris account, The spam king rides again well hit 1,000,000 million E mails next time Motherf—er.
