More big-time spammers may find themselves doing longer stretches behind bars -- and wouldn't that be swell -- if a federal judge's first-of-its-kind sentencing decision in a Denver case becomes widely applied.
At issue in this case, which featured testimony fromMicrosoft antispam experts, was the thorny matter of determining the actual financial harm to ISPs done by a particular spammer over a particular period of time. When the US Congress enacted the CAN-SPAM Act of 2003 it anticipated this difficulty and included language allowing for a spammer's profits to be considered in sentencing when financial damages caused by his crimes could not reasonably be calculated.
Last month, U.S. District Judge Lewis Babcock accepted a Colorado prosecutor's contention that this case, the United States vs. Min Kim, represented just such a situation. Microsoft says this is the first time a judge has applied CAN-SPAM sentencing guidelines in this manner.
If not for the use of Kim's profits -- an admitted US$250,000 -- as a sentencing determinant, the 24-year-old spammer would have faced a prison stint of 24 to 30 months instead of 30 to 37 months. Citing Kim's first-time offender status, Babcock sentenced him to the minimum 30 months called for in the more punitive range. While that may appear generous, it likely represented a 20% stiffer penalty over what Kim would have received absent the profit-based calculation; and, it could have opened the door for as much as 13 months additional time had he been a recidivist.
"We're excited by the court's ruling," says Aaron Kornblum, senior attorney with Microsoft's Internet Safety Enforcement Team. "In cases where there's a large amount of profit being realized, there is now the potential for a significant increase in sentences."
Investigators found 7.5 million e-mail addresses on Kim's computer, and he acknowledged having bought another 200 million back in 2004. Drawing particular attention from the prosecutor and judge were Kim's sophisticated measures employed to avoid first-line spam defenses, including proxy servers, falsified subject lines and the use of DarkMailer, all of which increase the level of countermeasures that ISPs must deploy and the expenses they incur.
Kim's attorney, Virginia Grady, attempted to persuade the judge that his hands were tied by the inability to put an exact figure on the damage caused by her client and the inevitability of ISPs having to spend to fight spam.
"What evidence is there that this spam that was sent by this defendant caused loss?" Grady asked the judge, according to a 28-page transcript of the sentencing hearing. "And to answer that question we have to know whether the money spent for the new servers and the filters, and the like ... would have been spent regardless of the spam encountered here. And I think the answer is pretty plainly, yes. Companies that sponsor e-mail will invest in building a better spam trap. And that I think amounts to the cost of doing business in this industry."
Babcock wasn't buying the cost-of-doing-business nonsense.
"The combination of the stipulated facts and the evidence that I received reflects that Mr. Kim is sophisticated with regard to the economic gain to himself through spamming," he said. "Sophisticated to the extent that when he became blacklisted, he went to a proxy server, DarkMailer, and rendered his messages anonymous. Why? So as to beat the ISPs' protective measures." That combination makes it reasonable to presume that he knew he was causing financial harm, the judge said.
From that starting point, Kim's own bookkeeping provided the numbers needed to put his sentence in a higher range.
Kim will begin serving his sentence by Jan. 7.