Spamlore
Benchmark Print Supply
A paper trail of complaints regarding spam email received from Benchmark Print Supply. The U. S. District Court of Georgia, North District, has established an order that any spam received by ANY Internet user from Benchmark is unlawful. Remedy: $1,000.00 payable to each recipient of the spam.
Amount Currently Due To This Recipient: $12,000.00
Background
According to The London Register, "Sam Khuri (also known as Benchmark Print Supply) has to pay BiblioTech an undisclosed sum in damages and will have to pay $1000 to any individual affected by future spamming activities." The decision was rendered in US District Court on or about March 30, 2000.
Bibliotech has posted details of the court order to the web for ease of reference (it has also been mirrored by the Spamhunter's Resource). If Mr. Khuri violates any one of the following provisions, he owes the recipient of his spam email $1,000.00:
- he sends or assists others to send unsolicited commercial e-mails that do not bear the true originating e-mail address
- he sends or assists others to send unsolicited commercial e-mails that do not allow recipients to opt-out from further marketing e-mails
- he sends or assists others to send unsolicited commercial e-mails to individuals that have opted-out from marketing e-mails
- he disguises or eliminates the actual originating address of an unsolicited commercial e-mail to make impossible or difficult the identification of the actual sender
- he sells or distributes e-mail addresses of Internet users that have not expressly requested to receive unlimited commercial e-mails.
The case is also mentioned in an online article by Boardwatch, which alludes to the variety of business names used by Khuri in his spamming activities:
Recently spammers, such as Khuri, seem to have returned to the shadows, like counts and barons who preferred dark castles to open communities. Khuri's companies possess the names Benchmark Print Supply and Static Systems Inc., which provide no obvious connection to cyberspace promotions. So it was difficult to track Khuri down after he spoofed postmaster.co.uk with 300,000 e-mails one afternoon and shut down the system for more than two days. Then he detached himself from the rotting tapestry of drapes he made, turned into a bat and noiselessly flew into the role of representing himself in the case. Wellborn said the judge allowed Khuri as bat, wolf or vampire every opportunity possible for defense. The case dragged out for more than two years.
There is a website for the presiding court -- the US District Court, Northern District of Georgia at <http://www.gand.uscourts.gov/>. The decision was apparently rendered on April 17, 2000 by Judge Hunt in case number 98cv1344 (verification in progress).
The prevailing attorney in the case was "Pete" Wellborn, III of the law firm Arnell Golden Gregory, and may be contacted via email at <pete.wellborn@AGG.com>.
Since the initial decision, it was necessary for Mr. Wellborn to return to court to protect another innocent victim, Friendly Email.
Ultimately, it may be necessary to petition the court yet again for additional relief if violation of the court order continues. This overview page (plus connected pages in "Complaint History" below) form a body of evidence to justify a claim of violation of the court order.
In a hurry? Want to go straight to the bottom line? Check out the Recap of Extracts at the bottom of the page where you'll find a table of key information about the Benchmark Print Supply spam, including an indication of the "apparent" violation of the court order.
Complaint History
The first Benchmark spam email received after the decision by U. S. District Court. Complete details (complaints, headers, followups, etc.) are available by clicking on the headline (above).
The return address <hill@linuxmail.org> is hosted on a machine owned by Outblaze, located at 3 burrows street in Hong Kong. Hong Kong is nowhere near Benchmark's place of business in Atlanta, Georgia, USA. The return address certainly does not match the email's point of origin, which is Performance Systems International (psi.net).
Received: from unknown (ip38.atlanta14.ga.pub-ip.psi.net [38.30.162.38])
by thunder.tmisnet.com (8.9.3/8.9.0.Beta5) with SMTP id NAA08578;
Sat, 15 Apr 2000 13:20:33 -0700 (PDT)
From: hill@linuxmail.org
Subject: laser printer toner advertisement
Date: Sun, 16 Apr 2000 00:44:38
This complaint was probably incorporated into #nab-2072187, the previous complaint for the same day. Note the different points of origin (ip38 vs. ip158) and the different origination times (13:20:33 vs. 22:17:45). That may explain the lack of action by PSI-Net on this complaint.
The return address <hill@linuxmail.org> is hosted on a machine owned by Outblaze, located at 3 burrows street in Hong Kong. Hong Kong is nowhere near Benchmark's place of business in Atlanta, Georgia, USA. The return address certainly does not match the email's point of origin, which is Performance Systems International (psi.net).
Received: from unknown (ip158.atlanta14.ga.pub-ip.psi.net [38.30.162.158])
by thunder.tmisnet.com (8.9.3/8.9.0.Beta5) with SMTP id WAA19776;
Sat, 15 Apr 2000 22:17:45 -0700 (PDT)
From: hill@linuxmail.org
Subject: laser printer toner advertisement
Date: Sun, 16 Apr 2000 09:41:48
Benchmark waited a week before sending this one. According to accounts published in the Usenet news group news.admin.net-abuse.email, a weekly "spam run" appears to be normal for Benchmark.
Note the "From:" address of <benchmark@conok.com> is hosted by Connect Oklahoma, which has a listed technical contact of Commtouch in Santa Clara, California. It is not the same as the origin of this email message, which is Performance Systems International (psi.net).
Received: from unknown (ip161.atlanta14.ga.pub-ip.psi.net [38.30.162.161])
by thunder.tmisnet.com (8.9.3/8.9.0.Beta5) with SMTP id PAA29144;
Sun, 23 Apr 2000 15:11:42 -0700 (PDT)
From: benchmark@conok.com
Subject: laser printer toner advertisement
Date: Sun, 25 Apr 1999 14:37:43
After a two-month hiatus, Benchmark spams again. Others in the newsgroup note they have been receiving weekly spams since January, 2000.
The sender's address of <bench1@parsmail.com> is hosted by Sinasoft Network Corp in Irvine, California, which is nowhere near the sender's place of business of Atlanta, Georgia. It is not the same as the origin of this email, which is rasserver.net
Received: from unknown (atv-ga3c-64.rasserver.net [206.214.148.64])
by thunder.tmisnet.com (8.9.3/8.9.0.Beta5) with SMTP id DAA26034;
Wed, 21 Jun 2000 03:24:22 -0700 (PDT)
From: bench1@parsmail.com
Subject: your imaging supplies
Date: Sun, 21 May 2000 14:49:35
Not content with Wednesday's spam, Benchmark sends again on Friday! Although the machine of origin is not shown in the "Received:" header, it is traced to ICG Netcom by the IP number of 206.215.214.133.
ICG Netcom's machines do not self-identify in the headers (i.e., notice the blank space between the opening parenthesis and the opening bracket: ( [), a desirable feature used by dedicated spammers to avoid the inevitable complaints that occur. A casual viewer would truly believe the source of the message was not determinable, when the truth is that unknown is the name of the machine chosen by the sender of the spam.
The sender's email address of <bench1@parsmail.com> is hosted by Sinasoft Network Corp in Irvine, California, which is nowhere near the sender's place of business of Atlanta, Georgia. It is different from the email's point of origin, which is ICG Netcom.
Received: from unknown ([206.215.214.133])
by thunder.tmisnet.com (8.9.3/8.9.0.Beta5) with SMTP id FAA17406;
Fri, 23 Jun 2000 05:40:15 -0700 (PDT)
From: bench1@parsmail.com
Subject: your imaging supplies
Date: Tue, 23 May 2000 17:05:26
Back to Performance Systems International (PSI Net) again, this time assuming a new company name of D & J Printing Corporation and featuring a highly suspicious "Reply-To:" address of Whihomr6drts@aol.com. Especially note the "From" address is not the same as the "Reply-To:" address. PSI Net has been explicitly asked to determine if Sam Khuri is associated with this spam email, but it is doubtful they will.
Received: from unknown (ip236.atlanta11.ga.pub-ip.psi.net [38.30.188.236])
by thunder.tmisnet.com (8.9.3/8.9.0.Beta5) with SMTP id QAA29739
for ; Fri, 30 Jun 2000 16:08:08 -0700 (PDT)
From: <vhjdty809y67853@aol.com>
Subject: Best Toner Cartridge Prices
Date: Fri, 30 Jun 2000 19:09:41
Reply-To: Whihomr6drts@aol.com
Looks like he's bounced back to another ICG division, this time NetAhead in San Jose, California. Either that, or Netcom has changed it's name.
Observe that NetAhead's machines do not self-identify (i.e., notice the blank space between the opening parenthesis and the opening bracket: ( [), a feature that is highly prized by spammers. A casual viewer would truly believe the source of the message was not determinable, when the truth is that unknown is the name of the machine used to send the spam.
It is intriguing to note that the return address <bench1@lakmail.com> is hosted on a machine operated by Lanka Online - Internet Solutions. This computer is located in Sri Lanka (near India), which is nowhere near Benchmark's place of business in Atlanta, Georgia, USA. It is also not the same as the point of origin of this email, which was with ICG NetAhead.
Received: from unknown ([206.215.222.11])
by thunder.tmisnet.com (8.9.3/8.9.0.Beta5) with SMTP id VAA02586;
Sat, 26 Aug 2000 21:37:09 -0700 (PDT)
From: bench1@lakmail.com
Subject: toner cartridges
Date: Sun, 27 Aug 2000 02:58:17
Message-Id: <480.568452.531023@>
X-UIDL: 8e4919a07f292c49a6537208b8fc7696
Oh, yes, nothing like the Labor Day Weekend to provide cover for the dedicated spammer! Most <abuse> personnel are likely away on a well-deserved vacation, which means enforcement of the Terms Of Service for the sender's account is likely to be delayed by several "days" instead of the usual "hours".
Big changes in this particular spam -- he's now masquerading as "Static Systems" and is using a new service provider of <bitter.net>, not to mention a new throwaway email address of <bench1@techspot.com>.
It's no surprise that <abuse@bitter.net> bounces, so the upstream providers (Roadrunner and -- possibly -- MindSpring) are also notified. After all, the "abuse" address is functional at both upstream providers, and both are identified by the registry information: Roadrunner is the upsteam, and Mindspring hosts the email address of <bitter.net>'s administrative and technical contact.
Note that <techspot.com> is not the origin of this spam message, as suggested in the "From:" line of the message header (below) -- the point of origin is actually <bitter.net>.
Received: from unknown (lemon.bitter.net [209.208.45.34])
by thunder.tmisnet.com (8.9.3/8.9.0.Beta5) with SMTP id NAA16051;
Sun, 3 Sep 2000 13:31:19 -0700 (PDT)
From: bench1@techspot.com
Subject: your imaging supplies
Date: Sun, 3 Sep 2000 00:55:19
Message-Id: <0.407768.322051@>
X-UIDL: 978d90f4f956d0429cd1725d805cff4e
Just when I thought he'd given up and left me alone, here comes another one, this time through one of the Georgia dialups available from Concentric Networks masquerading as "Vortex Supplies". Note the bogus return address of "bettergolf.net" includes the trademark "1" in the email name and does not point to the actual origin of "concentric.net"
Received: from unknown (ts008d34.atl-ga.concentric.net [64.1.55.142])
by thunder.tmisnet.com (8.9.3/8.9.0.Beta5) with SMTP id UAA25866
for <strads@tmisnet.com>; Sun, 3 Dec 2000 20:59:55 -0800 (PST)
From: <redial1@bettergolf.net>
To: <strads@tmisnet.com>
Date: Mon, 4 Dec 2000 03:34:03
Message-Id: <832.194011.310763@>
Subject: updated pricing
X-UIDL: 4eacd146058dfcaf3dba565e25b881bb
The well-known (ha!) "Vortex Supplies" fictitious business name shows up again ... this time using enhanced software that directly connects to a "promiscuous relay" (this one in Korea) to hide the true point of origin. Note the bogus return address of "toner11@ignmail.com" includes the trademark digit(s) ("11") in the email name and does not point to the actual origin of "Korea Telecom".
Received: from sigRnD ([203.236.43.65])
by thunder.tmisnet.com (8.9.3/8.9.0.Beta5) with ESMTP id WAA00611
for <strads@tmisnet.com>; Tue, 9 Jan 2001 22:30:33 -0800 (PST)
From: toner11@ignmail.com
Received: by sigRnD id PAA0000003369; Wed, 10 Jan 2001 15:04:42 +0900 (KST)
Message-Id: <200101100604.PAA0000003369@sigRnD>
To: Friend@public.com
Date: Tue, 09 Jan 01 12:45:01 EST
Subject: L.P.T.C.
X-UIDL: d857412e625cc86c2038352dc6d84b06
D&J Printing rears it's ugly head again ... except it has moved from Alpharetta to Acworth, Georgia. Given the massive similarity between this spam and the previous spam from June 30, 2000, it looks like Sam Khuri lent his "expertise" to this venture in violation of the existing court order. In addition to the amazing correlation between the formatting this spam and previous Sam Khuri spams, note the machine name is "unknown", just as it is in most of the previous spams.
Regarding the requirements of the court order, neither of the email addresses shown <felipodelacasa@latinmail.com> or <DPRINT2000@AOL.COM> accurately reflect the point of origin, which is a promiscuous relay operated by the Beijing Telecommunication Administration in China.
Received: from ds20.viewcn.com ([202.108.221.16])
by thunder.tmisnet.com (8.9.3/8.9.0.Beta5) with ESMTP id PAA07353
for <strads@tmisnet.com>; Fri, 9 Mar 2001 15:36:49 -0800 (PST)
From: felipodelacasa@latinmail.com
Received: from unknown by ds20.viewcn.com (8.8.8/1.1.22.3/14Oct00-0317PM)
id HAA0000015937; Sat, 10 Mar 2001 07:36:06 +0800 (CST)
To: strads@tmisnet.com
Subject: Best Cartridge Prices
Date: Fri, 9 Mar 2001 18:45:42
Message-Id: <183.623942.162552@unknown>
Reply-To: dprint2000@aol.com
X-UIDL: 3b811961194122a58ea185ac9f9644c7
D&J Printing waits a month, then spams again. This time, they're bouncing off an unsecured relay operated by the E-Education Department on Mainland China. The beauty of such an arrangement is that the point of origin of this email is completely masked, since the relay does not authenticate the source of the messages it relays. This, of course, is a typical procedure for a spammer to follow to prevent complaints from being received.
From: suhousede89365748@hotmail.com
Received: from unknown by sun3000. (SMI-8.6/SMI-SVR4)
id AAA17900; Wed, 4 Apr 2001 00:52:47 +0800
To: strads@tmisnet.com
Subject: Check the Best Prices For Your Toner Cartridges
Date: Tue, 3 Apr 2001 13:20:16
Message-Id: <296.495006.130891@unknown>
Reply-To: dprint2000@aol.com
Recap of Extracts
| Spam Ident |
Claimed Email Address |
Actual Point of Origin |
Probable Violation |
| PSI-Net #nab-2072187 4/15/2000 13:20:33 |
hill@
linuxmail.org |
ip38.atlanta14.ga.pub-ip.psi.net [38.30.162.38] |
Untrue Originating Email Address |
| PSI-Net Unassigned 4/15/2000 22:17:45 |
hill@
linuxmail.org |
ip158.atlanta14.ga.pub-ip.psi.net [38.30.162.158] |
Untrue Originating Email Address |
| PSI-Net #nab-2114168 4/23/2000 |
benchmark@
conok.com |
ip161.atlanta14.ga.pub-ip.psi.net [38.30.162.161] |
Untrue Originating Email Address |
| RAS Server Net 06/21/2000 |
bench1@
parsmail.com |
atv-ga3c-64.rasserver.net [206.214.148.64] |
Untrue Originating Email Address |
| ICG Netcom 6/23/2000 |
bench1@
parsmail.com |
[206.215.214.133]
(ICG Netcom) |
Untrue Originating Email Address |
| PSI Net #nab-2394001 6/30/2000 |
vhjdty809y67853@
aol.com
Whihomr6drts@
aol.com |
ip236.atlanta11.ga.pub-ip.psi.net [38.30.188.236] |
Untrue Originating Email Address
Untrue company name of D and J Printing |
| ICG NetAhead 8/27/2000 |
bench1@
lakmail.com |
[206.215.222.11]
(ICG NetAhead) |
Untrue Originating Email Address |
| Bitter Net 9/03/2000 |
bench1@
techspot.com |
lemon.bitter.net
[209.208.45.34] |
Untrue Originating Email Address
Untrue company name of Static Systems |
| Concentric Net 12/03/2000 |
redial1@
bettergolf.ne |
(ts008d34.atl-ga..concentric.net
[64.1.55.142] |
Untrue Originating Email Address
Untrue company name of Vortex Supplies |
| Korea Telecom 01/10/2001 |
toner11@
ignmail.com |
Hijacked Relay
Korea Telecom |
Untrue Originating Email Address
Untrue company name of Vortex Supplies |
Beijing Telecommunication Administration
03/09/2001 |
felipodelacasa@
latinmail.com dprint2000@
aol.com |
Hijacked Relay
Beijing Telecommunication Administration |
Untrue Originating Email Address
Untrue company name of D&J Printing |
Changchun E-Education Department, China
04/ 03/2001 |
suhousede89365748@
hotmail.com dprint2000@
aol.com |
Hijacked Relay
Changchun E-Education Department |
Untrue Originating Email Address
Untrue company name of D&J Printing |
|
|
|
|
Contents Copyright © 1998, 1999, 2000, 2001, 2002 by George Crissman. All rights reserved worldwide. Page design by George Crissman, strads@tmisnet.com, updated 05/12/2002.