Legal Cases Against Spammers

Over 100 cases have been brought forward by private sector companies since the CAN-SPAM Act came into effect earlier this year. Each case aims to seek financial retribution for the damages a spammer has allegedly caused. Each lawsuit seeks an astronomical amount of damages from spammers who have supposedly abused and exploited the networks, infrastructures, and servers of large ISPs and free e-mail providers. One thing is certain: Judging by the result of these cases, spammers are without a legal leg to stand on in court. There are no excuses, plea bargains, or insanity defenses for the accused. So far, all defendants have been fined large amounts in damages, although only the very prolific or most criminal of spammers have received jail time. Currently, however, there are over 100 cases in court, so these facts may quickly change, and we could see the majority of spammers sent to jail.

On June 17, 2003, Microsoft launched an assault of lawsuits against spammers, targeting 15 known spammers who have previously abused or exploited services Microsoft offers, such as Hotmail and MSN. The majority of these cases were brought forward because spammers spoofed the reply address of @hotmail.com or @msn.com in the spam they sent, causing any replies or bounced messages to be sent to Microsoft’s networks, thus overloading their servers with millions of bounced messages. One such legal case involved Microsoft suing Philip Adelberg of InterWeb Hosting LLC of Pennsylvania, who was tried in court in late 2003. Since the CAN-SPAM Act was not in effect when the case was tried, Microsoft sued the spammer under different legal statutes available in the state of Washington. Adelberg was tried under a combination of the Washington Commercial Electronic Mail Act, the Washington Consumer Protection Act, and the federal Computer Fraud and Abuse Act. Microsoft’s court case (which can be seen in full at http://news.findlaw.com/hdocs/docs/cyberlaw/msintrwb61703cmp.pdf) shows how Microsoft sought relief for damages from Adelberg as the spammer for “unauthorized use of Microsoft computers and computer systems to send millions of misleading and deceptive spam messages.” Adelberg had been sending large volumes of spam with spoofed reply addresses including hotmail.com, msn.com, aol.com, yahoo.com, ibm.com, and juno.com, although of these only Microsoft sought financial retribution through the courts. The spam included deceptive subject lines, such as “Re: Your response,” indicating that the recipient had previous business with the spammer. This deceptive tactic was taken into account when Adelberg was sentenced, since it showed that he was not only sending spam but being deceptive and underhanded in how he sent it. Spam that Adelberg sent promoted various products, from stop-smoking supplies to training services and corporate promotion services. He had around 50 known spam domains that his spam linked to; each domain registered to a different address in Pittsburgh, Pennsylvania, but all were run by his own Web-hosting company, InterWeb Hosting.

Perhaps the largest mistake Adelberg made in his domain registration and company creation was to register all domains to addresses within Pittsburgh and place all under control of InterWeb Hosting, except for one. One domain name listed under ns1.interwebhosting.com was registered to:

Adelberg, Philip

PO Box XXXX

Swissvale, PA 15218

The fact that all his spam domains are linked to InterWeb Hosting LLC in some form or another is bad enough, but using his own personal, legitimate information to register one of those domains sealed his fate. It was a mistake that no spammer should follow.

Adelberg ran a major operation and used this to his advantage. In early 2003, when one of his domains (finalsmoke.com) was blacklisted in several RBLs, Adelberg sent angry e-mails to RBL owners, claming to be a legitimate product vendor who was exploited and abused by a spammer, claiming innocence and in no way supporting the spammers’ actions. This split personality gave Adelberg a very strong edge—if you are able to be the product vendor that a spammer exploits while at the same time being the spammer, you can draw a lot of sympathy to your cause when the product vendor is blacklisted. In this case, Adelberg was both producing and promoting the product while trying to keep the two fictitious roles separate. When RBLs blacklisted the domain of the product vendor, Adelberg simply cried wolf, claming to have no involvement with the spammer and begging the antispam community to not blacklist his domain. After all, Adelberg had no involvement with the spam, it all originated from his alter ego.

“We are in the e-mail business, but no, we do not send spam,” responded Philip Adelberg, when asked for a comment about the court summons. Later that year, Adelberg had his day in court and was found guilty of sending deviant spam with fake reply addresses and illegally claming that the e-mail came from Microsoft networks. He was ordered to pay $33,870,000 in damages to Microsoft under Washington’s data protection and antispam laws. Microsoft has not yet received a penny of these damages, and Adelberg’s doors are still open for business, although this time operating out of a different city.

It’s not just spammers who face legal danger from the CAN-SPAM Act, since the act states that any company that profits from spam is also liable for prosecution. This includes spam-friendly Web hosting providers and software developers who create software used to send out spam. The game is up; anyone who makes money directly or indirectly from spam is now fully accountable for his or her part in the spam game.

Just recently, Microsoft launched a lawsuit against popular spam Web-hosting company Cheapbulletproof.com. Cheapbulletproof.com offers a spam-friendly service and actively promotes spammers linking to its Web servers from spam. The company itself is located in China, where there are no antispam laws and very few electronic laws in place. Legally, cheapbulletproof.com does not break Chinese law; it simply acts as an “open-minded” Web-hosting provider. You can rent space and bandwidth on one of the company’s servers for as little as $159 a month, with guaranteed reliability and stability, while ensuring that the company will not close down your Web site if you promote it within bulk e-mail. However, under the CAN-SPAM Act, cheapbulletproof.com is actively aiding spam sent to U.S.-based e-mail accounts and is indirectly profiteering from said spam, which makes the company fully liable under U.S. law.

According to Levon Gillespie, a partner in the Web-hosting company:

I cater my services to professional bulk e-mail marketers. If we find out such e-mail marketing was done illegally, we make every effort to warn users. Then, if they do it again, they get kicked off our network.

Microsoft is using its excess disposable income to attempt to squash any company or individual that not only sends spam but also aids the work of spammers. Bill Gates recently predicted that Microsoft would effectively shut down all spam operations in two years from its own legal and software advancements. However, it’s just not Microsoft that is trying to track down spammers. Recently, ISP EarthLink tracked down one of the largest spammers in the United States, accused of sending approximately 825 million unsolicited spam e-mails in the course of a single year. Howard Carmack’s story and how EarthLink eventually tracked him down has become one of the most highly publicized stories in the history of spam. Carmack’s spam-sending method was highly unique: He would open accounts with ISP EarthLink in the masses, using stolen identities and credit cards to fund the accounts. From each account he would send as much spam as possible, until the account was noticed as being suspicious and then closed down. In the period of a single year, Carmack opened 343 accounts for sending his spam, most of which promoted herbal sex stimulants, get-rich-quick schemes, bulk-mailing software, and mailing lists. Many of his spam operations promoted scams such as “mule-making” systems (as previously discussed in this book).

Howard Carmack was very devious in his style. Since you can open an account with EarthLink over the phone, Carmack would simply call the ISP from public places, such as libraries and payphones. On average, the spammer opened a new account with the ISP each day and used a different identity for each account. This wealth of stolen information made catching Carmack highly challenging, but it was eventually his downfall when he ran out of information and resorted to using identities of friends and family to open the accounts.

EarthLink claims that Carmack cost the ISP over $1 million in bandwidth charges. To date, Carmack is the most prolific spammer the ISP has ever encountered. EarthLink actively tracks and will punish any large or prolific spammer who is found abusing its network; the company even has a full-time team dedicated to catching these people, led by Ms. Jones (a pseudonym for purposes of this book). Ms. Jones leads a team of 12 who track spammers and hackers within their network. The team’s main purpose is to track the offender to his or her real account, disable the account, and if the offense was large, file legal action against the account holder. In the case of Carmack, Jones was well aware of the spammer’s activity and had been following his tracks for over a year, and since there was a great deal of similarity between the spams he sent, his spam was fairly easy to track. Such common phrases as “The Cadillac” and 716 area codes kept reappearing in the spam, and soon it became evident that the spammer was located in the 716 (Buffalo, NY) area. Many accounts from this county popped up; all sent the same spam and all were located in Buffalo. As each account was deleted, another was created.

The battle was relentless, but Jones was set on catching the spammer. She quickly noticed that one common element all the accounts shared was the password. The spammer was not very creative about the passwords he used in creating the accounts, and there were four very distinct passwords shared between all accounts. These passwords included Buffalo, football, baseball, and 123456. Jones informed the sales team that if anyone called from the Buffalo region to open up a new account and gave the password Buffalo, they were to write down the phone number from Caller ID and contact her as soon as possible. This method was unsuccessful, though, since Carmack made all phone calls from public places and there was not a drop of personal information in the originating phone number.

Carmack knew that EarthLink monitored the amount of e-mail each account sent out, so he sent just below the required threshold each day, allowing him to slip in just below the radar and avoid obvious detection.

EarthLink decided that the only avenue left was to sue the spammer; only then could the company legally requisition information that could lead to the spammer’s capture. A private consultant, Mr. Samson, was appointed to the case. He systematically tracked every piece of information he could find in the spam and account holder details, including phone numbers and listed addresses. This tedious task led him first to Joseph Carmack, who admitted he was the spammer and refused to stop his actions, although he would not give any information about the spam or how he was sending it, making him seem highly suspect. Further investigation led to a client of Howard Carmack who was being used as a mule by Howard for a small monthly fee. He admitted that he was working for a Carmack, but not Joseph Carmack—Howard Carmack. Joseph, Howard’s uncle, was attempting to throw Samson off the case by acting as a red herring.

With the spammer now identified, EarthLink launched a $16.4 million lawsuit against Howard Carmack and won, claiming that the spammer had caused irreparable damage not only to the ISP’s networks and servers but also to its reputation as an upstanding service provider.

EarthLink is so dedicated to tracking down a spammer that the company admits that it does not make sense financially to do so, since a team of 12 professionals, lawyers, and associated court costs are more than the toll the spammer takes on its network. Even more ironic is that EarthLink knows it will never receive a settlement from spammers if the lawsuit is successful, since spammers don’t pay up, so there is no compensation for the company’s losses.

Once the Carmack lawsuit was closed, another legal action was brought against the spammer for identity thief, credit card fraud, and forgery, based on his actions of opening up accounts with EarthLink under false information or with stolen credit cards. Carmack was found guilty of the criminal act and sentenced to three-and-a-third to seven years in a state penitentiary. EarthLink has not seen a dollar of the $16.4 million lawsuit and doubts it ever will.