
Putting a Spammer in Jail

John Levine

The country's first criminal trial about spam ended in Leesburg, Virginia earlier this month with a conviction of Jeremy Jaynes, better known under his nom de spam of Gavin Stubberfield. I was an expert witness for the prosecution, the Commonwealth of Virginia.

The case was brought under Virginia's state anti-spam law, not the weaker Federal CAN-SPAM Act. Virginia's law makes it a crime to send unsolicited bulk mail using forgery, so the Commonwealth had to show first that Jaynes sent lots of unsolicited mail and second that it was sent using forgery. The mail in question was sent on three days in October to AOL, which is why the case was heard in Leesburg, the county seat of Loudoun County, in which AOL's mail servers are located.

The first few days of the trial, which I didn't attend, largely consisted of AOL employees documenting the volume of mail they'd received from Jaynes' networks on those days (millions), and the number of user complaints (20,000). Then MCI confirmed that the networks were Jaynes'. The prosecution showed some CD-ROMs found in Jaynes' house, full of vast lists of e-mail addresses, as many as 30 million on one of them, and a nearly full set of AOL addresses on another. The trial went slower than the prosecutor expected, mostly because of a lot of procedural skirmishing with the defense, so I spent the day on which I'd expected to testify waiting outside in the hall reading a book.

They were finally ready for me about 10 AM on the next day. The prosecution asked me to testify as an expert on e-mail technology, specifically to explain why it was utterly implausible that the people on Jaynes' lists could have asked to be on them.  The prosecutor had collected some summary numbers about the mail that Jaynes had sent to AOL, showing the IP addresses and the HELO domains he'd used.

I explained that legitimate bulk mailers send mail from a consistent place using consistent names and formats, so that recipients can recognize the mail they've asked for.  Jaynes, to put it mildly, didn't do that.

The HELO domains his mail hosts used were obvious forgeries, several being in .bz which I explained was Belize, a nice place to visit but an unlikely place to run an ISP.  He sent mail from hundreds of different IP addresses, a good idea if you're trying to disguise the nature of a spam run, but unlike what legitimate mailers do.  We repeated this for subsequent spam runs.  Then the prosecutor asked whether it was likely that mail sent to all of AOL's addresses was legitimate.  "Only if it was AOL who sent it."

Then Jaynes' lawyer cross-examined me, to try to discredit what I'd said.  We went off on a detour through click-wrap licenses, in which I agreed with him that few people read them and it was easy to imagine that on page 17 of a license that people hadn't read, there was small print agreeing to receive bulk mail.  He then asked what I'd do if I mailed to a list like that.  After thinking for about two seconds, I said that since he was talking about a list collected by deceiving people I wouldn't use a list like that, so I couldn't speculate about how someone might use it.  Hmmn.  Next question.

Then we fenced about the Belize issue.  He argued that country domains can be cheap, wasn't that a reason to use them?  Since normal domains cost only about $15, I agreed that if someone's business was in such dire shape that five bucks made a big difference, I suppose maybe. (I later checked and found that .bz domains cost $35, which is more than normal .com or .biz.) Since they'd previously established that Jaynes had about $20 million in assets, hmmn, next question.  We went through a few more exchanges like that, then the defendant's other lawyer asked whether I ran the ASRG, which I said I did, and we were done.

That was Friday afternoon, so I went home. The case went to the jury early the next week and, as has been widely reported in the papers, they sentenced Jaynes to nine years, and gave his sister the largest fine they could under the charge that the judge gave them. Since the court agreed with the prosecution that Jaynes was a flight risk, they put him in jail until they worked out a bail agreement of $1M bail, and confined him to Loudoun County wearing a GPS ankle bracelet until final sentencing. The defense lawyers are making brave noises, but the conviction seems quite solid to me, and the First Amendment issues that they want to raise have all been rejected in other cases about spam and junk fax.

While it's certainly satisfying that such a major spamming crook got the jail time he deserves, this case cost the Commonwealth of Virginia a whole lot of time and money for preparation, staff work, and expenses. (We experts don't work for free; we wouldn't be credible if we did.) Going to this level of effort to knock out the top 10 or top 20 spammers is plausible, but going after 100 or a thousand just isn't going to happen. That tells me that we still need more effective civil remedies that individuals or small networks can afford to pursue.

By John Levine, Author, Consultant & Speaker.


Comments

Re: Putting a Spammer in Jail Another Side  –  Nov 17, 2004 11:06 AM PST

Great article, Dr. Levine! Thank you for your efforts in fighting SPAM and putting that Spammer away. I do offer another view on your last paragraph about civil remedies. While I do agree that we can always improve the civil remedies, let's not brush aside the impact of the teeth of the criminal justice system.

Defense attorneys are going to take first cases of a new law to trial and I am sure that the prosecutors put many hours into this case to make sure every i was dotted and every T was crossed to preserve the case for the appellate courts.  I doubt many future criminal defense attorneys will take these cases to trial as this case sent a clear message.

I am glad that the prosecutors took the time to familiarize themselves with this law, as I believe that crime is moving more and more to the internet. Law enforcement traditionally stays ahead of the bad guys, but I am not sure that is the case in cyber crimes. This case may encourage more members of law enforcement to look at cyber crime more seriously.
