The Steve Boltinghouse Story

The story of one of the most persistent MMF Spammers
since Dave Rhodes himself.

This is the page where the story of the Steve Boltinghouse chain letters is expounded. These chain letters were posted from one of the most persistent MMF spammers ever encountered, hiding behind an open NNTP port at the uunet server. Whoever was spamming this stuff "bloody well knew what he was about" as the British might say.

Where to start, where to start.... well, I suppose, at the beginning. No, not of time, you idiot! Of the Boltinghouse spams. As I have stated, I don't really believe that this was perpetrated by Steve Boltinghouse - partially because there are no archived posts of him anywhere or other evidence of him on the 'net before the chain letter started spewing - so throughout here, I will call the perpetrator "Mr. B."

Speaking to the administrative contact at NEMOnet.com, I learned that there actually was a Steve Boltinghouse there, and the first 20 or so posts were his (this would probably be the posts of 17 October - 18 October). None of the rest of the concerted MMF attack was actually his, according to NEMOnet, and there is no reason to suppose that that is not the case. Points in favor of this view:

1) His ISP caught him at it, and warned him about the illegality of what he was doing and the violations of netiquette, and he promised to stop, was very apologetic, and appeared genuinely surprised that it was continuing when called about it the second time.
2) He was fairly new on the net at that time (only about three weeks), and like many newbies, made a silly mistake of falling for one of these chain letters he saw somewhere.
3) Being new, he probably did not have the technical know-how to do what the later spewer of articles purportedly from Steve did to avoid tracing.

Let me add here that I truly believe that the administrators at NEMOnet.com did everything in their power to stop this, but since it wasn't actually coming through their site, they couldn't do much. They are not the bad guys here, the forger is. The administrator told me he was literally tearing his hair out - every morning when he came in, he would have thousands of complaints.

One good by-product of this spammer, though, is that it forced uunet to make a decision to close that open port where lots of this kind of garbage, not to mention other kinds of spam and abuse, were being injected. This should happen (according to uunet) sometime near the end of December. Until that time, they are now appending the host IP and host name of the machine injecting anything into that port. [Note: It's now the end of January, and the port has still not been closed!]

The number of posts listed by date below only reflect one count per batch of crossposts. These were retrieved with DejaNews, and they may not all be accounted for. Because of the huge amount of crossposting he did, 1 hit for a massively crossposted article might be actually 2 dozen groups (he averaged about 20 groups per crosspost). Here's one example of crossposted groups for "a" post counted via DejaNews retrieval:


alt.abuse.transcendence,
alt.acme.exploding.newsgroup,
alt.acting,
alt.activism,
alt.activism.children,
alt.activism.d,
alt.activism.death-Penalty,
alt.activism.youth-Rights,
alt.actor.dustin-Hoffman,
alt.adjective.noun.verb.verb.verb,
alt.adopt.latvian.babies,
alt.adoption,
alt.adoption.adoptive.parenting,
alt.adoption.agency,
alt.adoption.issues,
alt.advanced.placed.or.honors.chemistry.2,
alt.aeffle.und.pferdle,
alt.agriculture,
alt.agriculture.fruit,
alt.agriculture.misc,
alt.ahbqs.com.sucks,
alt.alcohol,
alt.als

The first Mr. B spam I can find record of was on October 17, 1996. Indeed, that is the first evidence of any activity on usenet by anyone using the name Steve Boltinghouse. However, Mr. B soon took to it with a vengeance, spamming mainly on weekends or Friday nights, apparently hoping to catch the cancellers napping. No such luck.

Comments in blue are from J Porter Clark, a news administrator at a NASA site who got heavily involved in cancelling Mr. B's articles. I'll let him tell his own story as we go along. Miscellaneous comments from others involved in trying to track and stop him are in red.

Thursday, 17 October 1996 - Mr. B posts his first article entitled "RE: $$$$Fast Cash, Legal, Easy," which is actually a quote of another article, including the standard reply quote characters. It was quoted from an article by "Chadli Rat" <brainwav@calweb.com> (who alphabet spammed his article "opportunity" to 5col.forsale, 5col.personals, a.bsu.programming, a.bsu.religion, a.bsu.talk, ab.jobs, abg.amiga, abg.atari, abg.ms-Dos, abg.tip-Info, abg.unix, abg.uucp, acadia.bulletin-Board, ailab.bmw, ailab.cyberia, ailab.cypherpunks, ak.config, ak.forsale, & ak.test), so I guess he could actually be said to be the progenitor of the whole spamfest.

However, he soon switched to a text document with a formatted version of his standard Boltinghouse spam, and titled it "$$$$Fast Cash, Legal, Easy - money.txt [01/01]." These, and the articles through 18 October were probably the only posts from the real Mr. B.
3 articles multi-posted

Friday, 18 October 1996 - He tried one uuencoded file, but apparently didn't like doing that. Switches to the title "$$$$Make Money Fast, Easy, Legal money.txt [01/01]." Gearing up for a 3 day minor (compared to [the forger's] later) spamfest...
10 articles multi-/cross-posted

Saturday, 19 October 1996 - Only one post today. Continues with the same article title. However, there was a change in his headers today - this may be where we lose the real Steve and pick up the forger, sending through a mail to news gateway (Although it may have been on 18 October, because of a change in pattern from multi-posting to crossposting on about half of the articles that day. DejaNews doesn't record the time of the article, so I can't see if there is a pattern to that pattern):

Subject:      $$$Make Money Fast, Easy, Legal$$$ - money.txt [01/01]
From:         sbolting@nemonet.com (Stephen Boltinghouse)
Date:         1996/10/19
Message-Id:   <54C3RT$8L0_015@NEWS.NEMONET.COM.845779753>
Distribution: world
Sender:       daemon@eff.org
Organization: EFF mail-News gateway
Newsgroups:   alt.comp.acad-Freedom.talk

Sunday, 20 October 1996 - Continues with the same article title. Miscellaneous newsgroups.
7 articles crossposted

Monday, 21 October 1996 - Continues with the same article title, although some were misspelled as "$$$Make Monery Fast." A strange thing, though - there was one article on the 18th that was misspelled identically. More suspicion added that it was on that date the forger took over from the real Steve. Now hitting the alt.sex.* hierarchy. Here is where I am sure we pick up the forger (note the change to using posting software named "Multi-Post 1.1" which is, as far as I have been able to determine, nothing but a spam engine designed to spoof headers and forge massive crossposts). As far as I can tell, the real Steve always used multi-posting instead of crossposting, as well:

Subject:      $$$Make Monery Fast, Easy, Legal$$$ - money.txt [01/01]
From:         sbolting@nemonet.com (Stephen Boltinghouse)
Date:         1996/10/21
Message-Id:   <13.5176076535136@NEWS.MEMONET.COM>
X-Software:   Multipost 1.1
Newsgroups:   alt.sex.supersize,alt.sex.swinger,alt.sex.swingers,
alt.sex.swingers.thedavid,alt.sex.tastel,alt.sex.tasteless,
alt.sex.teddy-Ruxpin,alt.sex.teens,alt.sex.telephon,alt.sex.telephone,
alt.sex.telephones,alt.sex.toons,alt.sex.toupee,alt.sex.trans,
alt.sex.ugly,alt.sex.uncut,alt.sex.unnatural-Acts,alt.sex.unnatural-Acts.jesse-Helms,
alt.sex.video-Swap,alt.sex.voxmeet,alt.sex.voye,alt.sex.voyerism,alt.sex.voyeur,
alt.sex.voyeurism,alt.sex.want,alt.sex.wanted,alt.sex.wanted.escorts,
alt.sex.wanted.escorts.ads

Also, notice the change in the formatting of the message ID of the post from the original format of Steve's real posts: <544ldr$99c_002@news.nemonet.com>. This is from the spoofing software making up its own message ID numbers. More on that later (towards the end of the page).
12 articles crossposted.

Tuesday, 22 October 1996 - Mr. B switches his article title for some of his posts to "Something Very Interesting", then switches to the infamous "Just Try This - It Will Work" title that he stuck with for the rest of his spamming days... From here on out, his headers don't change, with the exception of the individual message IDs and of adding other sites into the Path: header to try to alias out the sites that were cancelling the articles (see the note from J Porter Clark, below). One of his rare non-weekend posting sprees. Still hitting alt.sex.*
17 articles crossposted

Saturday, 26 October 1996 - Big day for Mr. B - alphabet spamming his way through part of the alt.* hierarchy.
120 articles crossposted

Tuesday, 29 October 1996 - Mr. B - now working his way through the comp.*, rec.*, and soc.* hierarchies.
38 articles crossposted

Saturday, 2 November 1996 - One of Mr. B's biggest spamming days. Alt.atheism.satire alone had 21 cancel messages issued in it by various people - I guess they have a lot of experience cancelling stuff there. Note that there weren't that many spams there (only the usual one), it just got jumped on by a whole bunch of people.
173 articles crossposted.


JPC: I'm not sure when it actually started. Probably 2-3 Nov 1996; most of the Boltinghouse activity was on weekends. At first, SB (or whoever it really was) sent out a bunch of "Just try this, it will work" MMFs. These were easily clobbered by the regular despammers such as Robert Braver and Benjamin Franz, and I also canceled ~200, or so I recall. (I didn't start sending out reports of my MMF cancellations until late in 1996, so you won't find anything that says what I did.)


Tuesday, 4 November 1996 - This strange article appeared in the alt.test.* groups:
Subject:      test
From:         sbolting@nemonet.com (Stephen Boltinghouse)
Date:         1996/11/04
Message-Id:   <55JRRR$HJ9@RINGER.CS.UTSA.EDU>
References:   <273.654193326831@NEWS.NEMONET.COM>
Supersedes:   <273.654193326831@NEWS.NEMONET.COM>
X-Software:   Multipost 1.1
Organization: The University of Texas at San Antonio
Newsgroups:   alt.test,misc.test,soc.test,rec.test,comp.test

Try this...see how well it works? So, tell me, Stephen, have you ever thought what someone could do with your REAL address? Hmmm?

Was someone trying to tell Mr. B something, or just threatening him because they were fed up with his spam, or what? You figure it out. (Hint: posting in alt.test.* groups causes autoresponders all over the world to respond with "yes, we got your message here" email to the poster of the original message, including a copy of the original message.)

Wednesday, 5 November 1996 - A huge day in the spam mines for Mr. B, even though it is not one of his usual weekend spews. Back to the alphabet spamming, but this time starts skipping large chunks, going from alt.* & aus.* to de.* & comp.* to soc.* to znet.* groups (and many in between) and spamming happily away.
304 articles crossposted


JPC: SB started adding Robert Braver's site and Benjamin Franz's to the Path: header, and eventually he added mine. A typical Path: header was:

Path: ...in1.uu.net!xmission!wilbur.ohww.norman.ok.us!news.msfc.nasa.gov!mail.nemonet.com!sbolting

These Path headers started appearing about 6 Nov 1996. I noticed that SB's MMF's were disappearing, and as it turns out, they were merely never arriving at my site because of pathhost exclusion.

However, a lot of other people were noticing these articles, and I (as postmaster@news.msfc.nasa.gov) started receiving angry e-mail from various sites, particularly European ones. It took me a little while to figure out why they were sending me all of this mail. The Path: headers made it appear that news.msfc.nasa.gov was a newsfeeding peer with mail.nemonet.com, whom I had never heard of until this incident.

If we were being hit with complaints, NEMOnet must have been seeing it a hundred times worse. A typical response from NEMOnet's beleaguered postmaster was "We ARE working on it weather [sic] you believe me or not!" SB was certainly making every effort to pin these MMF's on NEMOnet; besides the Path: forgery, he also forged From: and NNTP-Posting-Host:, and he also knew how to inject articles at UUNET's open transfer port. From this, it was apparent that we were probably dealing with someone who was not a typical clueless believer in the MMF philosophy but someone determined to frame NEMOnet and/or the real Stephen Boltinghouse, whoever he is.


Thursday, 6 November 1996 - Another strange article appeared under Mr. B's name on the headers in the alt.test.* hierarchy:
Subject:      posting test
From:         sbolting@nemonet.com (Stephen Boltinghouse)
Date:         1996/11/06
Message-Id:   <55OV2V$3JB@NEXP.CRL.COM>
References:   <583.051093963906@NEWS.NEMONET.COM>
Supersedes:   <583.051093963906@NEWS.NEMONET.COM>
X-Software:   Multipost 1.1
Organization: CRL Dialup Internet Access
Newsgroups:   alt.test,misc.test,sci.test,soc.test,rec.test

REMEMBER....NAZISM IS THE BEST POLICY.YOU DON'T NEED TO CHANGE THE BASIC IDEA TO MAKE THE DIFFERENCE! GOOD LUCK TO ALL, AND KEEP FIGHTING AND YOU WILL WIN AND MAKE THE WORLD RACIALLY PURE! SEIG HEIL!! FOLLOW THE FUHRER AND YOU'LL BE HAPPY!!! :o) !!!!!!!!!!

Gosh, I wonder if someone was pissed at him?

Friday, 8 November 1996 - Mr. B is hard at it again - this sharing the wealth thingie is tougher than he thought, huh? So many unbelievers out there trying to stop him. All over the place with his posts, in almost every part of the hierarchies.
110 articles crossposted, so just an average day's work at the spamfice.


JPC: By 8 Nov, NEMOnet's standard reply implicated spector@cybertron.com as a possible source of the spam.


Saturday, 16 November 1996 - Another huge spew of his "Just Try This - It Will Work" article, this time according to pattern on a weekend, and scattering them all over the place.
156 articles crossposted.


JPC: SB's articles dwindled somewhat in the next few days, but then they came back with a vengeance on the weekend of 16-17 Nov. Same Path: forgery.


Sunday, 17 November 1996 - Only one article posted today, to pl.rec.hihot (whatever that is). Mr. B must have been ill.
1 article crossposted.


JPC: On 18 Nov., I sent a note to tale@uunet.uu.net complaining about misuse of the open UUNET port. tale replied that this spam was coming from hydro1.sci.fau.edu (Florida Atlantic U., Boca Raton, FL), and that the reason it had gone on for so long was that he had made a typo entering the name of the host in an access list. He also said that this same party was responsible for a rash of forged cancels about a month before. This would have been about the same time as one of the 'geekcancel,' 'dotheadcancel,' etc., cancel wars, but at the time I didn't think to ask if there was a connection, and there might not have been.

I tried contacting fau.edu, but I never got a response.

By 19 Nov, various postmasters at NASA were complaining to me about these articles because of complaints from all over the world. I was told that they were 'inundated' with complaints and was asked to PLEASE (caps theirs) take whatever actions were necessary. Of course, I told them that the source of the problem had probably gone away, but that wasn't quite good enough; at this point, I was told to cancel them to the best of my ability.

By the time that I had the cancelbot fired up to cancel SB's MMF's, they were almost completely gone. This would have been the afternoon of 19 Nov.


Saturday, 23 November 1996 - Again, a weekend spamfest for Mr. B.
173 articles crossposted

Sunday, 30 November 1996 through Wednesday, 5 December 1996 - No more articles appeared, and what appears to be the last of Mr. B's posts is finally cancelled on 12/6.

In news.admin.net-abuse.usenet on 1 December Lee Jackson Beauregard pointed out a pattern in the Multi-post software's Message ID numbers which could have been used in the future to help kill his spam faster:

Have you noticed the pattern in the message IDs of Boltinghouse spams? The pattern is <X.Y@NEWS.NEMONET.COM> where x is a number, typically three digits, occupying some range and y is a string of digits that is the same for every post in any one instance of the spam.

Look over a few such IDs and you'll see what I mean.

J Porter Clark responded:

I see this, but I'm not sure what it's supposed to tell me.

I tried contacting the authorities at fau.edu because these messages were injected into UUNET from hydro[1234].sci.fau.edu, but I have gotten nothing but silence. I admit I haven't been as persistent as I could have been. Of course, the perpetrator could have cracked fau's computer, etc., etc.

To which Lee Jackson Beauregard expanded a little:

You said you were "autocancelling all you could find"; if SB hits us again (heaven forbid), this pattern should help find *all* of the posts.
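The Message-ID pattern described in this exchange can be turned into a filter that pulls every article of one run out of a feed once a single article is confirmed. This is an added example, not code from the page or from anyone quoted on it; the function names are hypothetical, the digit-length bounds are assumptions, and the last two sample IDs are constructed.

```python
import re
from collections import defaultdict

# Shape from the thread: <X.Y@host>, X a short number, Y a long digit string.
# The host is captured rather than fixed, because one header quoted on this
# page spells it NEWS.MEMONET.COM. Length bounds are assumptions.
MULTIPOST_ID = re.compile(r"^<(\d{1,4})\.(\d{6,})@([^<>@\s]+)>$")

def parse_id(message_id):
    """Return (x, y, host) for an ID of the Multipost shape, else None."""
    m = MULTIPOST_ID.match(message_id.strip())
    if m is None:
        return None
    # y stays a string: leading zeros are significant when matching a run.
    return int(m.group(1)), m.group(2), m.group(3).lower()

def group_by_run(message_ids):
    """Map each run key y to the message IDs that share it."""
    runs = defaultdict(list)
    for mid in message_ids:
        parsed = parse_id(mid)
        if parsed is not None:
            runs[parsed[1]].append(mid)
    return dict(runs)

def same_run(known_id, message_ids):
    """Given one confirmed ID, return every ID in the feed from the same run."""
    parsed = parse_id(known_id)
    if parsed is None:
        return []
    return group_by_run(message_ids).get(parsed[1], [])

# IDs quoted on this page, plus two constructed ones (marked) to show grouping.
FEED = [
    "<544ldr$99c_002@news.nemonet.com>",            # genuine format, per the page
    "<54C3RT$8L0_015@NEWS.NEMONET.COM.845779753>",  # gateway post of 19 October
    "<13.5176076535136@NEWS.MEMONET.COM>",
    "<273.654193326831@NEWS.NEMONET.COM>",
    "<583.051093963906@NEWS.NEMONET.COM>",
    "<274.654193326831@NEWS.NEMONET.COM>",          # constructed
    "<301.654193326831@NEWS.NEMONET.COM>",          # constructed
]

if __name__ == "__main__":
    for y, ids in group_by_run(FEED).items():
        print(y, len(ids), ids)
```

An all-digit ID shape is not unique to one program, so a match is best treated as a candidate to confirm against other headers such as X-Software: before acting on it.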


JPC closes his story: This was an unusually widespread MMF spam, numbering in the thousands of articles altogether, and often widely crossposted. It was probably the most widespread MMF spam ever.

There were two unexpected consequences of the SB spam.

First, the flood of complaints to tale@uu.net forced UUNET to schedule closing of their open NNTP port. This hasn't happened yet, as far as I know. On the INN-workers' mailing list, I suggested a possible solution to the problem of INN servers running with the '-a' option, which allows any host to transfer. Here's part of that discussion:

Date: Wed, 27 Nov 1996 15:06:13 -0500 (EST)
Message-Id: <QQBRRK10529.199611272006@RODAN.UU.NET>
From: tale@UU.NET (David C Lawrence)
Subject: Re: Path header validation.
In-Reply-To: <199611271413.IAA02934@DRUM.MSFC.NASA.GOV>
References: <199611270143.CAA25800@VELO.PP.VIX.COM>
<199611271413.IAA02934@DRUM.MSFC.NASA.GOV>

J. Porter Clark writes:
> If innd is run with "-a" (any host can transfer), the default
> Path should be something like this:
>
> Path: [pathhost]![client's IP address]![client's supplied Path]

UUNET is now doing this until we are no longer running innd -a.

I can't take credit for the suggestion, because somebody else thought of it, only I can't remember who. However, this was the beginning of UUNET adding the IP address of its feeding peer to the Path.

The other consequence was that my MMF detector "turned pro."
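The two Path: mechanisms in this account, pathhost exclusion and the stamped client address from the INN-workers e-mail, are sketched below from the receiving side. This is an added example, not INN code and not from the page; the function names are hypothetical, and the accepting server name and the client address are constructed.

```python
import ipaddress

def path_entries(path):
    """Split a Path: value into its '!'-separated entries, lower-cased."""
    return [e.strip().lower() for e in path.split("!") if e.strip()]

def will_offer(path, peer):
    """Pathhost exclusion: an article is not offered to a peer already named in Path."""
    return peer.lower() not in path_entries(path)

def stamp_path(pathhost, client_ip, client_path):
    """Path as in the e-mail: [pathhost]![client's IP address]![client's supplied Path]."""
    return "!".join([pathhost, client_ip, client_path])

def injecting_client(path, pathhost):
    """IP recorded right after pathhost, or None if that server stamped none."""
    entries = path_entries(path)
    if pathhost.lower() not in entries:
        return None
    nxt = entries.index(pathhost.lower()) + 1
    if nxt >= len(entries):
        return None
    try:
        return str(ipaddress.ip_address(entries[nxt]))
    except ValueError:
        return None

def unverified_entries(path, pathhost):
    """Entries the client supplied itself: everything after the stamped IP."""
    if injecting_client(path, pathhost) is None:
        return []
    entries = path_entries(path)
    return entries[entries.index(pathhost.lower()) + 2:]

# Client-supplied Path built from entries of the header quoted on this page.
CLIENT_PATH = "news.msfc.nasa.gov!mail.nemonet.com!sbolting"
PATHHOST = "transit.example"   # constructed name for the accepting server
CLIENT_IP = "192.0.2.10"       # constructed address (documentation range)

if __name__ == "__main__":
    stamped = stamp_path(PATHHOST, CLIENT_IP, CLIENT_PATH)
    print(stamped)
    print("offered to news.msfc.nasa.gov:", will_offer(stamped, "news.msfc.nasa.gov"))
    print("injected by:", injecting_client(stamped, PATHHOST))
    print("claimed by client, unverified:", unverified_entries(stamped, PATHHOST))
```

With the stamp in place, complaint handling can key on the recorded address and treat every entry to its right as the client's own claim.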


Thus ends the Stephen Boltinghouse story. I count 1023 archived articles, and with an average of 20 or so crossposts per, that comes up to a total of about 21,000 individual articles (including some that were probably missed by DejaNews).


All comments within these pages are expressed as personal opinions only.

© 1997 Ken Lucke - all rights reserved