Risk
10/30/2009
01:52 PM
Connect Directly
Google+
LinkedIn
Twitter
RSS
E-Mail
50%
50%

Facebook Wins $711 Million From Spammer

In addition to financial damages, Sanford Wallace, among the first to be crowned "Spam King," may face jail time.

Facebook has won yet another massive judgment against a spammer who already owes $234 million to MySpace.

A California federal judge on Thursday granted Facebook's request for a default judgment against Sanford Wallace, who is known to have been involved with spamming since the mid-1990s and with junk faxing before that.

Court documents indicate that Wallace and an associate who was later dropped from the case spammed Facebook users with phishing messages. Those who clicked on the links and submitted login information to phishing sites allowed Wallace and his associate to then spam the phishing victim's friends, in turn generating more potential phishing victims. Facebook claims that Wallace also received payment for redirecting some spam recipients to Web sites that pay for referrals.

Facebook sought damages of more than $7 billion dollars, as allowed under the CAN-SPAM Act and the California business code.

Expressing skepticism in his ruling that such a figure would be proportionate to Wallace's offences, Judge Jeremy Fogel instead awarded Facebook $710,737,650.

"The record demonstrates that Wallace willfully violated the statutes in question with blatant disregard for the rights of Facebook and the thousands of Facebook users whose accounts were compromised by his conduct," Fogel said in his ruling.

Fogel also said that because of Wallace's willful violation of a temporary restraining order and injunction, the Court has referred the case to the U.S. Attorney's Office with a request that Wallace be prosecuted for criminal contempt.

Facebook won't have an easy time collecting its award. Wallace already owes MySpace $234 million from a judgment rendered in May, 2008.

Last November, Facebook won $873 million in damages -- the largest award to date under the 2003 Can-Spam Act -- from spammer Adam Guerbuez and his company, Atlantis Blue Capital.

Asked to specify how much of that award Facebook has been able to collect, a company spokesperson responded, "We continue to work on collecting as much as possible from Guerbuez and Atlantis Blue (likely far less than the full amount) and have hired a firm to help with this."

InformationWeek's Informed CIO series lays out 10 questions to ask about identity management. Download the report here (registration required).

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-3580
Published: 2014-12-18
The mod_dav_svn Apache HTTPD server module in Apache Subversion 1.x before 1.7.19 and 1.8.x before 1.8.11 allows remote attackers to cause a denial of service (NULL pointer dereference and server crash) via a REPORT request for a resource that does not exist.

CVE-2014-4801
Published: 2014-12-18
Cross-site scripting (XSS) vulnerability in IBM Rational Quality Manager 2.x through 2.0.1.1, 3.x before 3.0.1.6 iFix 4, 4.x before 4.0.7 iFix 2, and 5.x before 5.0.1 allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL.

CVE-2014-6076
Published: 2014-12-18
IBM Security Access Manager for Mobile 8.x before 8.0.1 and Security Access Manager for Web 7.x before 7.0.0 FP10 and 8.x before 8.0.1 allow remote attackers to conduct clickjacking attacks via a crafted web site.

CVE-2014-6077
Published: 2014-12-18
Cross-site request forgery (CSRF) vulnerability in IBM Security Access Manager for Mobile 8.x before 8.0.1 and Security Access Manager for Web 7.x before 7.0.0 FP10 and 8.x before 8.0.1 allows remote attackers to hijack the authentication of arbitrary users for requests that insert XSS sequences.

CVE-2014-6078
Published: 2014-12-18
IBM Security Access Manager for Mobile 8.x before 8.0.1 and Security Access Manager for Web 7.x before 7.0.0 FP10 and 8.x before 8.0.1 do not have a lockout period after invalid login attempts, which makes it easier for remote attackers to obtain admin access via a brute-force attack.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.