Sanford Wallace has been sending spam for over 20 years. Despite losing innumerable lawsuits, he's managed to stay out of jail until now. His luck finally ran out, in a case where he was convicted of contempt of court and hacking many Facebook users.

Laura at Word to the Wise wrote about how Spamford's mail got her into spam fighting in the 1990s.

Article at The Register

My anti-spam community friends were all abuzz today with the news that Spamford Wallace had pleaded guilty in a Las Vegas court to "compromising approximately 500,000 Facebook accounts" in order to deliver "more than 27 million spam messages."

What might amaze the General Reader is that this is the SAME Spamford Wallace case that began with an indictment on July 6, 2011.

According to the Indictment, Wallace created an account on November 4, 2008 under the name "David Frederix" and then tested posting spam messages to his 'real' wall "Sanford MasterWeb Wallace" experimenting with which posts would best evade Facebook's filters.

 He then made a script that would automate the process of logging in to a Facebook account, obtaining a list of all of the Friends of that account, and then posting his advertising message to each of those friends' walls.  Spamford then created a domain registrar account at Moniker Online and another at Dynadot (using the name Laura Frederix) and between the two created 2,500 domain names that would be used in these spamming attacks against Facebook users.

 On November 5 and 6, 2008, Sanford sent approximately 125,000 spam messages to Facebook users using this method.  On December 28, 2008, another run was made, posting nearly 300,000 spam messages, by logging in through 143 different IP addresses that were used as proxies to disguise his origins.  On February 17, 2009, another 125,000 messages were posted.

 At this point, a civil injunction was served on Sanford Wallace in the case of Facebook Inc v. Sanford Wallace (Northern District of California No 09-00798 JF) where Judge Jeremy Fogel ordered Sanford Wallace to no longer access Facebook's computer network.  (Orders issued on March 2, 2009 and March 24, 2009).  Sanford logged in on April 17, 2009, in violation of this order, while flying on a Virgin Airlines flight  from Las Vegas to New York.

 In 2011, Sanford was back on Facebook, using a profile called "David Sinful-Saturdays Fredericks"

 Counts 1,3, 7 - Fraud and Related Activity in Connection with Electronic Mail, carry a possibility of 3 years imprisonment.

 2, 6, and 9 - Intentional Damage to a Protected Computer, carries a maximum sentence of 10 years imprisonment.

 4, 5 and 8 - Fraud and Related Activity in Connection with Electronic Mail, carries a 3 year imprisonment possibility, and a possible $250,000 fine.

 Counts 10 and 11  - Criminal Contempt, have unspecified potential penalties.

 What's Happened Since?

Lots and lots of lawyering. . . behold the process of a Fair and Speedy Trial!!!!

• 04AUG2011 - the indictment was unsealed
• 04AUG2011 - notice of related cases was received.  These included:

1. the case of Facebook v. Sanford Wallace, Adam Arzoomanian, Scott Shaw, and John Does 1 through 25, for Violation of the CAN-SPAM ACT, violation of the Computer Fraud and Abuse Act, Violation of the California Business Code Section 229489 AKA the California Anti-Phishing Act, and Violation of California Penal Code section 502, the California Comprehensive Data Access and Fraud Act.  That case describes:  "At least one of the Defendants, Sanford (aka "Spamford") Wallace, is a notorious Internet scam artist who has been involved in various illegal spamming and malware activities since the mid 90s.  Indeed, Mr. Wallace has both Federal Trade Commission and civil judgements against him for these activities that total in excell of $235 million."  Myspace, Inc. v. Wallace; FTC v. Seismic Entertainment Prod., Inc; CompuServe v. CyberPromotions, Inc (Ohio, 1997)
2. This case resulted in a Default Judgement in favor of Facebook signed by Judge Jeremy Fogel on 29OCT2009. 

• 22AUG2011 - bail hearing
• 28SEP2011 - case reassigned to a new Judge (Judge D. Lowell Jensen)
• 30SEP2011 - Order to Waive Appearance proposed )amd gramted_
• 03OCT2011 - Status hearing held
• 04OCT2011 - case reassigned to Judge Edward J. Davila
• 31OCT2011 - Pretrial services form 8 submitted.
• 28NOV2011 - Status hearing held
• 09JAN2012 - "Fair and Speedy Trial Act" exemption requested due to AUSA Attorney being engaged in another trial, and for additional time for the defendant's need for effective preparation of counsel. "The ends of justice served by granting the requested continuance outweight the best interest of the public and the defendant in a speedy trial." - extension granted until 09APR2012.
• 02APR2012 - extended to 07MAY2012 by mutual consent.
• and again to 06AUG2012, and again to 01OCT2012, and again to 19NOV2012
• Status hearings held 14JAN2013, 11MAR2013
• 11MAR2013 - hearing grants a modification to pretrial release conditions to allow Spamford to travel to Albuquerque, New Mexico for work.
•  More delays 31MAY2013, 08AUG2013, 20SEP2013, in each case ordering that time be "excluded" from consideration in the Fair and Speedy Trial Act to allow for effective preparation for the case.
• 02NOV2013 - Sanford's attorney (K.C. Maxwell) files a sealed document asking to be relieved from the case 09DEC2013.
• Extension granted to 03FEB2014
• 17MAR2014 set as the date to hear the Motion to Withdraw as Counsel.
• Continued to 31MAR2014, when Wallace assigns his new counsel, William W. Burns, Esquire.
• 25JUN2014 new counsel asks for more time to prepare
• 18JUL2014 William Burns petitions the court to withdraw as counsel
• 21JUL2014 Burns Relieved
• 21JUL2014 a Financial affidavit is delivered to the court pertaining to Spamford Wallace
• 01AUG2014 - "The individual named above as defendant, having testified under oaht or having otherwise satisfied this court that he or she (1) is financially unable to employ counsel and (2) does not wish to waive counsel, and because the interests of justice so require, the Court finds that the defendant is indigent, therefore, IT IS ORDERED that the attorney whose name, address and telephone number are listed below is appointed to represent the above defendant." (Wm. Michael Whelan, Jr. / 95 South Market St, Ste 300 / San Jose, CA 95113 / (650) 319-5554 cell)
• 19AUG2014 - time extended to allow Whelan to prepare
• 22SEP2014 Status conference held, Jury Trial date set for 05MAY2015 through 22MAY2015.
• 29SEP2014 Whelan petitions the court that drug testing no longer be required since Sanford has never tested positive. (Granted 15OCT2014)
• 02MAR2015, status hearing extends case until an 08JUN2015 status hearing
• 12JUN2015 - new financial affidavit entered under seal
• 30JUN2015 - a change of plea hearing is requested for 27JUL2015
• 24AUG2015 - Sanford Wallace pleas guilty to a single count - Count 3.  Sentencing scheduled for 07DEC2015 at 1:30 PM

 Guilty of Count Three

So, if we go back to the indictment, what does this mean that Sanford has plead guilty to?

 COUNT THREE: (18 U.S.C.  §§1037(a)(1) and (b)(2)(A) - Fraud and Related Activity in Connection with Electronic Mail.

 22. The factual allegations contained in Paragraphs One through Eleven above are realleged and incorporated herein as if set forth in full.

 23.  On or about December 28, 2008, in the Northern of California and elsewhere, the defendant, SANFORD WALLACE, knowingly accessed a protected computer without authorization, and intentionally initiated the transmission of multiple commercial electronic mail messages from or through such computer, in and affecting interstate and foreign commerce, to wit: the defendant accessed Facebook's computer network in order to initate the transmission of program that resulted in nearly 300,000 spam messages being sent to Facebook users.

 What were 1 through 11?  The only really important paragraph is number 5:

 5. From approximately November 2008 through March 2009, WALLACE developed and executed a scheme to send spam messages to Facebook users that compromised approximately 500,000 legitimate Facebook accounts, and resulted in over 27 million spam messages being sent through Facebook's servers.)

Post by Gary Warner, originally appeared on his Cybercrime & Doing Time Blog