[ISN] Warspammer guilty under new federal law

InfoSec News isn at c4i.org
Thu Sep 30 06:25:13 EDT 2004


By Kevin Poulsen
Sept 29 2004 

A Los Angeles man who used other people's wi-fi networks to send
thousands of unsolicited adult-themed e-mails from his car pleaded
guilty to a single felony Monday, in what prosecutors say is the first
criminal conviction under the federal CAN-SPAM Act.

In a plea agreement with prosecutors, Nicholas Tombros, 37, faces a
likely sentencing range stretching from probation to six months in
custody, assuming he has no prior criminal convictions. Sentencing is
set for December 27th.

Tombros drove around the Los Angeles beachfront suburb of Venice with
a laptop and a wi-fi antenna sniffing out unsecured residential access
points, which he then used to send thousands of untraceable spam
messages advertising pornography sites.

An FBI spokesperson said earlier this month that Tombros obtained the
e-mail addresses from a credit card aggregation company where he used
to work, but officials have not revealed how they caught the spammer.

The CAN-SPAM Act, which took effect January 1st, doesn't criminalize
unsolicited bulk commercial e-mail, but it does prohibit most of the
deceptive practices used by spammers. Tombros was charged under a
provision that prohibits breaking into someone else's computer to send
spam. Also outlawed is the practice of deliberately crafting spammy
messages to disguise the origin; materially falsifying the headers in
spam; spamming from five or more e-mail accounts established under
fake names; or hijacking five or more IP addresses and spamming from

A first-time violator face up to one year in federal stir for a
small-time operation-- three years if he or she meets one of several
minimum standards of bad behavior, like leading a spam gang of at
least three people, sending over 2,500 messages in one day, or using
10 or more falsely-registered domain names.

Assistant U.S. attorney Wesley Hsu, who prosecuted Tombros, says he
believes the spammer is the first to be convicted under CAN SPAM. "It
is my understanding that it is, in fact, the first," said Hsu.

But even without the spam-fighting legislation, Tombros' drive-by
spamming technique would likely have put him afoul of existing
computer crime laws, said David Sorkin, an associate professor at the
John Marshall Law School. "It sound to me like this could very well
have been prosecuted under other statutes."

The Tombros case is one of a handful of wireless hacking convictions
federal prosecutors reeled in this year. In June, a Maryland man with
a grudge against a Connecticut-based patent firm pleaded guilty to
using unsecured wireless networks at homes and businesses in the
Washington D.C. area to penetrate the company's computers and deliver
anonymous threats and extortion demands.

The same month, two Michigan men, Brian Salcedo and Adam Botbyl,
pleaded guilty to conspiracy charges stemming from a scheme to steal
credit card numbers from the Lowe's home improvement chain through an
unsecured wi-fi network at a suburban Detroit store. A third man later
pleaded guilty to a misdemeanor for using the same access point to
check his e-mail.

More information about the ISN mailing list