Four Indicted in Giant College Spam Operation

A federal grand jury in Missouri has indicted two brothers and two other people on charges related to an alleged e-mail spamming case that targeted more than 2,000 U.S. colleges and sold more than US$4.1 million worth of products to students, the U.S. Department of Justice announced.

Indicted were Amir Ahmad Shah, age 28, of St. Louis; his brother, Osmaan Ahmad Shah, age 25, of Columbia, Missouri; Liu Guang Ming, a citizen of China; and Paul Zucker, age 55, of Wayne, New Jersey, the DOJ said. Also named in the indictment, unsealed Wednesday in U.S. District Court for the Western District of Missouri, was the Shahs' business, I2O.

"Nearly every college and university in the United States was impacted by this scheme," Matt Whitworth, acting U.S. attorney for the Western District of Missouri, said in a statement. "Illegal hacking and e-mail spamming wreaks havoc on computer networks. These schools spent significant funds to repair the damage and to implement costly preventive measures to defend themselves against future intrusions."

The Shahs allegedly developed e-mail extracting programs, which they used to illegally harvest more than 8 million student e-mail addresses from more than 2,000 colleges and universities, the DOJ said. They allegedly used this database of e-mail addresses to send targeted spam e-mails selling various products and services, including digital cameras, spring break travel offers and pepper spray, the DOJ said.

The Shahs conducted at least 31 of these spam e-mail marketing campaigns directed at students, the indictment says.

The Shahs used false and misleading information in the spam e-mails, suggesting they had an association with the university or college that the student receiving the spam attended, the DOJ said. They allegedly used fictitious names and purported to be "campus representatives." They also falsely claimed that the businesses that sold the products in the spam e-mail were "alumni-owned" companies, the DOJ said.

The Shahs earned referral fees for sending spam for products and services sold by others, and they also made money by buying products in bulk and reselling them, the DOJ alleged.

The Shahs hired several employees -- who are not named in the indictment -- to help develop the e-mail extraction program and create the Web sites to market and sell the products and services advertised in their spam e-mails. The Shahs allegedly used mass-mailing software programs to falsify e-mail header information and to avoid spam filters by rotating subject lines, reply addresses, message content and URLs, and other information in the e-mail header and e-mail body content, the DOJ said.

The Shahs allegedly created dozens of identical Web sites for each campaign to conceal the source of the spam e-mails, and to attempt to keep the source of their spam e-mails from being blocked by spam filters. The Web sites sold products such as MP3 players, magazine subscriptions and teeth whiteners. More recently, the Shahs began sending spam e-mails soliciting students to subscribe to their social-networking site, Noog.com, the DOJ said.

The brothers initially set up hosting in China, which provided them anonymity, the DOJ said. Ming allegedly partnered with the Shahs as early as 2002 and rented them access to a network of 40 servers under his control in China for hosting Web sites and sending spam.

Ming also provided hosting and mailing services to other spammers, the indictment alleges, with the Shahs acting as the middlemen. The Shahs solicited customers for what was advertised as "offshore bullet-proof hosting" and collected the money, which they sent to Ming.

The Shahs modified their practices after learning of a criminal investigation into their activities in 2005, the DOJ said. Officials at the University of Missouri had identified them as the source of the spam, so the Shahs allegedly removed the e-mail addresses of students of the university from their database and continued to send their spam to other universities.

Zucker, allegedly a spammer promoting his own products, partnered with the Shahs when they were leasing space on Ming's servers in China, the DOJ said. Zucker allegedly bought and sold proxy servers with the Shahs.

Each of the defendants is charged with participating in the conspiracy to engage in an unlawful spam e-mail operation since January 2004. In addition to the conspiracy charge, the defendants face multiple charges of fraud in connection with computers and with e-mail.

The Shahs and I2O are also charged in each of 26 counts of aiding and abetting each other to access a protected computer without authorization and transmit commercial e-mails with the intent to deceive or mislead the recipients about the origin of the messages.

The indictment asks for forfeitures of more than $4.1 million from the defendants as well as two residential properties in St. Louis and a 2001 BMW belonging to Amir Shah, and a residential property in Columbia and a 2002 Lexus sedan belonging to Osmaan Shah.

To comment on this article and other PCWorld content, visit our Facebook page or our Twitter feed.
Shop Tech Products at Amazon