Facebook was awarded $711 million in damages from a convicted spammer on Thursday, but the social networking site is hoping a separate criminal action will eventually send him to jail.
Sanford Wallace was sued by Facebook in February along with Adam Arzoomanian and Scott Shaw for allegedly obtaining the login credentials for accounts. The accounts were then used to send spam to those users’ friends starting around November 2008.
Related stories:
Five formidable Facebook frauds and how to protect yourself
Seven social network security mistakes you can’t afford to make
Conservatives oppose making exceptions to anti-spam bill
The spam either linked to other phishing sites that sought to collect more Facebook account credentials or linked to other commercial Web sites that paid spammers for referrals.
Facebook “doesn’t expect to receive the vast majority of the award,” according to a company blog. According to court filings, Wallace filed a bankruptcy petition in U.S. Bankruptcy Court for the District of Nevada earlier this year, although the petition was eventually dismissed.
However, the U.S. District Court for the Northern District of California has sent a request to the U.S. Attorney’s Office to prosecute Wallace for criminal contempt.
The court came up with the $711 million figure by awarding $50.00 per violation of the CAN-SPAM Act.
Wallace is alleged to have violated a temporary restraining order issued on March 2 as well as a preliminary injunction granted on March 24.
The orders banned Wallace, Arzoomanian and Shaw from phishing and spamming on Facebook.
“In addition to the judgment, he now faces possible jail time,” wrote Sam O’Rourke of Facebook’s legal team. “This is another important victory in our fight against spam.”
Facebook is not pursuing claims against Arzoomanian and Shaw. The company may choose to close the file once the default judgment is entered against Wallace, the court filing said.
In May 2008, Wallace was found guilty of violating the CAN-SPAM act and was ordered to pay $230 million for spamming and phishing on MySpace. The spam led to gambling, ringtone and pornography sites.
Esther Schindler on 5 super ways to battle spam
To learn what’s really happening in the technical trenches, we asked several e-mail administrators to tell us about the key items-the single key item, in fact-that they wish their IT management understood.
If you read through their wish list, you may be able to understand the nature of their challenges and, perhaps, help them clean out your Inbox.
In brief, says Keith Brooks, vice president at Vanessa Brooks, “Stopping spam is a mixture of luck, intelligence, alcohol and planning.” With luck, he says, your CEO never hears about spam. “But without it, the CIO never stops hearing about this issue.”
1. Lose No Mail.
The primary directive, for e-mail admins, is “lose no mail.”
If that means that an occasional spam message wends its merry way into users’ mailboxes, so be it. E-mail administrators would prefer that users encounter a few annoyances than miss an important business message.
Dr. Ken Olum, a research assistant professor in the Tufts Institute of Cosmology, also maintains the institute’s computers.
Olum explains, “The most important thing is never to silently drop an important e-mail. If you just drop it, your correspondent thinks you aren’t answering on purpose or forgets all about you. So suspected spam should always be rejected and never dropped. Sequestering it is only slightly better than dropping it, because you have to look through the sequestered spam, and most people don’t bother.”
Nonetheless, many CIOs ask their IT department to keep the e-mail boxes clear of anything offensive. Yet, according to Scott Kitterman of ControlledMail.com, “I want zero spam and I want to never ever miss a legitimate message” isn’t feasible. Kitterman explains,
“This is a risk management practice, and you need to decide where you want to put your risk. Would you rather risk getting spam with lower risk of losing/delaying messages you actually wanted to get, or would you rather risk losing/delaying legitimate messages with lower risk of spam? You can’t have both, no matter how loudly you scream.”
Tom Limoncelli, author of The Practice of System and Network Administration (Addison-Wesley) and Time Management for System Administrators (O’Reilly), stresses that because fighting spam is not an exact science, there always will be false positives and false negatives. The IT department has to cope with this.
Limoncelli had a CTO complain when he missed an important message because it was caught in the spam filter.
Says Limoncelli, “This system sent him e-mail once a day with a list of his messages that had been blocked; clicking on any of them ‘releases’ it from the quarantine. … He wanted a report for every message that was blocked. At least that was his initial request; he then realized that he had asked for an e-mail to warn him of every e-mail!”
2. There’s No Silver Bullet.
In many areas of IT, the long-term solution is a simple one: Adopt the single right methodology, hire the right consultant, buy the most appropriate product.
But your IT staff wants you to understand that spam isn’t a problem that can be solved with a single technology, a single product or any one answer.
Vendors of spam-fighting hardware and software will tell you different-but they’re wrong. Bill Cole, senior technical specialist at T-Systems North America, has been fighting spam for more than a decade. Everyone involved in that fight, he says, dreams of the “Final Ultimate Solution to the Spam Problem.”
But, he cautions, people who yearn for a single answer may fall prey to a vendor’s magical “answer,” but “in a year or so, the magic is gone and the spammers have adapted.” Then, he notes, “managers get upset, a new ‘solution’ gets deployed, and the cycle goes around again.”
Brad Knowles, a consultant, author, and former senior Internet mail systems administrator for AOL, adds, “In almost all cases, the so-called ‘simple’ answers are the ones that don’t work. In fact, they’re almost always the ones that make the problem much worse than it already was. Since we’ve been fighting spam for over a decade, pretty much all the good simple ideas have already been thought of and implemented, and the spammers have already worked around them.”
Unfortunately, the result is that fighting spam is a complex endeavor. Says Knowles, “You’re probably going to have to use multiple solutions from multiple sources.
You’re going to have to keep a constant eye on things to make sure that, when they blow up, you find out as quickly as possible. And you [need] multiple layers of business continuity plans in place to handle the situation.”
3. It’s a Continuous Battle. Budget Accordingly.
Spammers succeed only when they get messages to user inboxes, so they are motivated to counter any barrier between them and their intended recipient. As a result, your IT department will never be done implementing solutions.
Points out David Linn, computer systems analyst III at Vanderbilt, “Spam pushers update their tools as fast as the spam defenders work out a defense to yesterday’s attack type.
This seems to be the thing that those who want to buy an off-the-shelf solution and then forget about it least understand and least want to understand. The very speed of innovation that makes ‘Internet time’ so attractive in other contexts is the enemy here.”
Cole describes spam as mail that evolves and adapts and thus requires an adaptive and evolutionary approach to defense.
S
pam cannot be handled as a discrete project with a list of deliverables and a three-month project plan. While you may initially have success by doing so, he says, “Expect to repeat the exercise again next year, and the year after that, and on infinitely.”
This is a major nuisance to managers, because they have to pay a staff of high-skill people (either directly or indirectly) for ongoing open-ended work. As Cole notes, “Like many other areas of security, it is a potential bottomless pit for computing resources and the best technical staff and hence for money, so drawing the lines on it are a managerial challenge.”
4. Understand the Basics of E-mail Technology.
Administrator Micheal Espinola Jr. says his primary wish is for “top management to understand the mechanics of how e-mail works. Then, and I believe only then, would they be able to grasp the concepts that elude most users of e-mail.”
When management has the right information, Espinola believes, it can make excellent decisions, but a lack of understanding can severely hinder that ability.
“If the admin is wasting time troubleshooting or improvising because of subpar technology, it takes away from time spent for the productivity issues of others.”
This doesn’t mean you have to become a guru on the subject; just learn enough to understand what your e-mail administrator is telling you.
Michael Silver, network administrator at Parkland Regional Library, emphasizes, “A great deal of difficulty arises when trying to address spam-and e-mail problems in general-if the people involved don’t have a good understanding of how the mail system works, including a basic understanding of the different protocols, services, etc. I don’t expect [CIOs] to know the ins and outs of configuring sendmail, but [they] should have a basic understanding of terms like POP, SMTP, IMAP, MTA and MUA.”
5. People are Making Money on Spam. Respond Appropriately.
Most of e-mail administrators’ time is spent dealing with technology issues or trying to explain it to you in business terms. But for some, the issue is a larger one: someone else’s business model.
They want you to understand that spam is sent by an intelligent, adaptable and well-funded enemy. Some admins believe that with corporate budgets and legal resources, it’s even possible to fight back.
Brent Jones, network technician at Smarsh Financial Technologies, wants IT management to understand that someone is working very hard to destroy the spam barriers administrators put in place. “There is a large financial incentive [for spammers] to get their spam into your mailbox,” he says. “They will fight to get your eyes, and it costs them nothing to try everything in the book.”
Nor are spammers ordinary businessmen. Alessandro Vesely, a freelance programmer and service provider in Milano, Italy, points out that “much spam is the result of criminal actions, such as infecting IT systems and using false identities.
Technically, spam can be stopped if everybody else wants to be responsible for what they send. What lacks is the political will to do so.”
