Sanford Wallace, also known as the Spam King, Spamford, and David Frederix, turned himself in to the FBI after being indicted by a federal grand jury in San Jose for spamming Facebook. The US Department of Justice (DOJ) confirmed that the 43-year-old had been indicted by a federal grand jury on multiple counts of fraud, intentional damage to a protected computer, and criminal contempt.
"We applaud the efforts of the US Attorney's Office and the FBI to bring spammers to justice," Chris Sonderby, Facebook Lead Security and Investigations Counsel, said in a statement. "Two years ago, Facebook sued Wallace and a federal court ordered him to pay a $711 million judgment for sending unwanted messages and wall posts to people on Facebook. Now Wallace also faces serious jail time for this illegal conduct. We will continue to pursue and support both civil and criminal consequences for spammers or others who attempt to harm Facebook or the people who use our service."
After a two-year FBI investigation, a July 6, 2011 indictment concluded that Wallace accessed Facebook's computer network in three separate attacks (November 2008, December 2008, and February 2009). He managed to compromise 500,000 Facebook accounts and fill the social networking website's servers with 27 million spam messages. Facebook officials claimed they spent a lot of time and money fixing the vulnerabilities the Spam King exploited in order to prevent future attacks.
After figuring out how to bypass the site's spam filters, Wallace wrote a script that automatically logged in to the accounts he had compromised and retrieved a list of each user's friends so that he could post spam messages to their Walls. The messages looked fishy, but as we still see today, many clicked the included link anyway and entered their email addresses and passwords. Spamford then used their login credentials to repeat the process, and got paid each time he drove traffic to a given spam site.
Wallace made his initial court appearance yesterday, was released on $100,000 unsecured bond, and was ordered not to access Facebook or MySpace. He faces six counts of electronic mail fraud, three counts of intentional damage to a protected computer, and two counts of criminal contempt. Spamford has been ordered to return to court in San Jose on August 22, 2011. If convicted on all counts, he faces a maximum sentence of 16 years in prison and more than $2 million in fines.
Facebook originally sued Wallace two years ago, alleging that he had hijacked legitimate Facebook accounts and used them to distribute spam messages. In March 2009, a judge banned Wallace from using Facebook. He could not stay away though, and logged onto an account while aboard a Virgin Airlines flight from Las Vegas to New York just a month later. In January 2011, he registered a new Facebook account under the name David Sinful-Saturdays Fredericks, again violating the judge's orders.
In October 2009, Facebook was awarded $711 million in a default judgment against Wallace because he violated the CAN-SPAM Act. Spamford filed for bankruptcy not long after. He was also found to have "willfully violated" a temporary restraining order and preliminary injunction issued in the case, and was thus referred to the US Attorney's Office for prosecution of criminal contempt.
In May 2008, MySpace won statutory damages of more than $230 million against him and his friend. For those who have been reading ZDNet for even longer, here are two articles from 1998 that show Wallace was spamming in the days before social networking even existed (he pretty much invented junk faxes and junk emails): "'Spamford' Wallace builds new marketing site" and "Sanford Wallace: Life after spam".