Dissecting The M.O. Of A Convicted Spammer

Convicted spammer got lists of e-mail addresses -- millions of them -- through a stolen database of America Online customers. He pumped out at least 10 million e-mails a day

November 16, 2004


As one of the world's most prolific spammers, Jeremy Jaynes pumped out at least 10 million e-mails a day with the help of 16 high-speed lines, the kind of Internet capacity a 1,000-employee company would need.

Jaynes' business was remarkably lucrative; prosecutors say he grossed up to $750,000 per month. If you have an e-mail account, chances are Jaynes tried to get your attention, pitching software, pornography and work-at-home schemes.

The eight-day trial that ended in his conviction this month shed light on the operations of a 30-year-old former purveyor of physical junk mail who worked with minimal assistance out of a nondescript house in Raleigh, N.C.

A state jury in Leesburg has recommended a nine-year prison term in the nation's first felony trial of spam purveyors. Sentencing is set for February.

During the trial, prosecutors focused on three products that Jaynes hawked: software that promises to clean computers of private information; a service for choosing penny stocks to invest in; and a "FedEx refund processor" that promised $75-an-hour work but did little more than give buyers access to a Web site of delinquent FedEx accounts.

Jaynes, going by Gaven Stubberfield and other aliases, had established a niche as a pornography purveyor, said Assistant Attorney General Russell McGuire, who prosecuted the case. But Jaynes was constantly tweaking and rotating products.

Relatively few people actually responded to Jaynes' pitches. In a typical month, prosecutors said during the trial, Jaynes might receive 10,000 to 17,000 credit card orders, thus making money on perhaps only one of every 30,000 e-mails he sent out.

But he earned $40 a pop, and the undertaking was so vast that Jaynes could still pull in $400,000 to $750,000 a month, while spending perhaps $50,000 on bandwidth and other overhead, McGuire said.

"When you're marketing to the world, there are enough idiots out there" who will be suckered in, McGuire said in an interview.

Prosecutors believe Jaynes had a net worth of up to $24 million, and they described one of his homes as a mansion, though the e-mail came from a house described as average.

Jaynes got lists of e-mail addresses -- millions of them -- through a stolen database of America Online customers. He also illegally obtained e-mail addresses of users of the online auction site eBay.

Prosecutors don't know how he got the lists, though McGuire said the AOL names matched a list of 92 million addresses an AOL software engineer has been charged with stealing. However Jaynes got them, they were particularly valuable because AOL customers and eBay users by their very nature have already shown a willingness to engage in e-commerce.

Under Virginia law, as under a federal anti-spam measure that took effect months later, sending out commercial pitches, even on a massive scale, is not itself illegal. To be illegal, the e-mail must be unsolicited and contain false information as to its origin or transmission.

Jaynes did that in several ways.

He provided bogus contact information and company names when registering for Web sites, making it almost impossible for recipients to track him down. He also falsified routing information within message headers and used software to generate phony domain names identifying the e-mail server used to send messages.

"He would do that to circumvent the spam filters," said Lisa Hicks-Thomas, section chief for the Virginia attorney general's computer crimes unit.

Jaynes honed his techniques a decade ago as a distributor of regular, old-fashioned junk mail hawking a "mortgage refund processor," similar to the FedEx refund processor he pitched in his spam, McGuire said.

But the ability to set up shop in cyberspace allowed Jaynes to take his fraud to a whole new level, McGuire said.

A videotape prosecutors were barred from showing at trial shows Jaynes sitting amid his array of computer equipment, bragging about sitting at "spam headquarters." It appears, though, that Jaynes was sending out e-mails 24 hours a day, so he could frequently leave those headquarters unstaffed.

And it appears he had little assistance.

Jaynes' sister, Jessica DeGroot, was convicted of identical charges but given no jail time. A third defendant was acquitted.

Prosecutors would not discuss the investigative techniques that led to Jaynes' capture. But John Levine, author of "The Internet for Dummies" and an expert witness for the prosecution in Jaynes' trial, said Jaynes was relatively unsophisticated compared to spammers who use "zombie servers" in foreign countries -- akin to "e-mail laundering" -- to hide the e-mail's true origin. Such zombies are often innocent Internet users whose computers, through a virus or other malicious code, become relays for spam.

"I was surprised at how simple his operation was," Levine said. "If he were more clever, it would have been much harder to catch him."

Jaynes' defense attorney, David Oblon, never disputed that his client was a bulk e-mail distributor. But he argued that the law was poorly crafted and that prosecutors never proved the e-mail was unsolicited. He also argued before the trial that the law is an unconstitutional infringement of free speech.

Jaynes can raise the free-speech issue on appeal, and Oblon said both he and Jaynes are confident the conviction will eventually be overturned. Oblon also took issue with the recommended nine-year sentence, calling it exceptionally harsh.

Virginia is investigating similar cases, and McGuire said a lengthy sentence would serve as a deterrent -- not only in Virginia, where prosecutors brought the case given that AOL's headquarters is there.
