Naked Security

Facebook “Spam King” gets 2.5 years in the slammer

Sanford Wallace was also fined $310,628 for sending over 27 million spams and ripping off half a million Facebook account logins.

Notorious “Spam King” Sanford Wallace – he who clogged up Facebook with over 27 million unsolicited messages, sent through about half a million ripped-off Facebook accounts – has received his comeuppance.

The US Attorney’s Office on Tuesday announced that the spammer’s getting 2.5 years in the slammer.

Wallace is also going to be $310,628.55 lighter after he pays court-ordered restitution for sending all that spam and thereby disobeying a court order not to access Facebook.

In August 2015, Wallace, 47, of Las Vegas, pled guilty to two charges: one count of fraud and criminal contempt in connection with misusing electronic mail and related activity and one count of criminal contempt.

He practiced his cloggery and fraud between about November 2008 and March 2009.

Wallace admitted to opening up a bogus Facebook account under the name “David Frederix.” From there, he tested the spam messages that made him money by redirecting Facebook users to other sites.

He also created an automated process that signed into a Facebook user’s account, stole a list of their friends, and then sent a message to those friends’ Facebook accounts.

The messages looked like they came from a Facebook friend, but of course they didn’t: they came from the Spam King, and they contained a link to a site that phished away a Facebook user’s credentials.

After Wallace’s victims typed in their email addresses and passwords, they’d be whisked off to an affiliate site that paid the spammer for the traffic. Wallace would save their email addresses and passwords so he could keep sending spam, of course.

He’d been ordered – repeatedly – to knock it off.

The Spam King has quite the history: it includes a $4 million fine for infecting computers with spyware in 2006, a restraining order issued in 2004 after it was alleged that his companies were selling the cure to the spyware he installed, and a judgment of $234 million handed out in 2008 after he and his business partner were found to have stolen MySpace passwords before sending 700,000 junk emails.

Facebook had dragged him into court, filing a lawsuit alleging violations of the CAN-SPAM Act of 2003, the Computer Fraud and Abuse Act, and California’s Anti-Phishing and Computer Data Access and Fraud Acts.

On March 2, 2009, March 24, 2009, and September 18, 2009, US District Court Judge Jeremy Fogel ordered Wallace to stay off Facebook: don’t access the network, don’t create an account, don’t maintain an account.

That order didn’t stick: Wallace admitted he was back on in April 2009, logging into his Facebook account while aboard a flight from Las Vegas to New York.

An FBI investigation led to Wallace’s prosecution after he turned himself in in 2011.

He left a whole lot of victims in his wake: people who should get some satisfaction out of Wallace’s having gotten this comeuppance.

You’d hope that 2.5 years in prison would interrupt the spam onslaught, but let’s not get too comfy with that notion. First of all, Wallace has obviously found a way to earn a living that he really likes. Second, there are plenty of other fraudsters out there, sniffing at the money they can illegally make, and more than happy to step into Wallace’s shoes.

Therefore, here, once again, are the tips for protecting yourself from spam that we gave out when Wallace pled guilty last year:

  • Install security software that can scan all of your incoming email, not only for junk, but malware too.
  • Use disposable email addresses, especially for sites you’ll likely only visit once.
  • Unsubscribe from unwanted newsletters and alerts.
  • Be careful who you give your email address to. Think carefully before publishing it on a public website that can be scraped by an email-harvesting bot.
  • Ignore emails and Facebook messages from people you don’t recognize, and read messages carefully from friends – if it doesn’t sound like them, they could have had their account compromised.
  • Think carefully before clicking any links found in emails, especially those sent by people or companies you’re not familiar with – who knows where the links will take you or what might be installed on your computer when you get there?
  • Be careful even if the sender looks legit: spearphishers are very, very good at imitating the look and feel of familiar names and companies.
  • Mark spam as spam – this helps email clients and content management systems improve their algorithms to better detect junk mail in the future.

7 Comments

My favorite throwaway email addresses:
root@localhost
root@127.0.0.1

or for those really picky JavaScript “smart” forms
root@localhost.com
or simply
a@b.c

Just inspect element them or something :)

I really like where Laurence was headed, tricking a spammer into bombing himself.

However, I meant when the page refuses input until given an address in the format
NAME@DOMAIN.EXAMPLE

Ignoring for a moment my massive influence on the legal system, I propose a slight modification:

For the repeat offender whose cumulative fines are approaching a quarter of a BILLION dollars with still no appreciable deterrent to his undesirable behavior, let’s reduce his sentence to a mere minute

…per unsolicited message he’s sent.

This guy has wasted hours of my time as a system admin. Is all that time at $100+ per hour for thousands of techs considered in his punishment?
