First Prosecution Under CAN-SPAM Act Returns Guilty Verdict

Two men have been found guilty for their part in an international spam gang which bombarded innocent Internet users with graphic pornographic images.

A federal jury has convicted James R. Schaffer, of Paradise Valley, Arizona, and Jeffrey A. Kilbride, of Venice, California, on charges including conspiracy, money laundering, fraud and transportation of obscene materials.

The trial, which began on June 5, 2007, was the first to include charges under the Controlling the Assault of Non-solicited Pornography and Marketing (CAN-SPAM) Act of 2003. The law created by the CAN-SPAM Act was designed to crack down on the transmission of pornography in commercial bulk unsolicited electronic mail messages.

"Through their international spamming operation, these defendants made millions of dollars by sending unwanted sexually explicit e-mails to hundreds of thousands of innocent people, including families and children, while simultaneously using sophisticated Internet technology to try to conceal their identity," said Assistant Attorney Alice S. General Fisher. "This prosecution, the first of its kind under the CAN-SPAM Act, demonstrates the Department of Justice's commitment to protect American families from receiving unsolicited spam e-mail."

In 2003, Kilbride and Schaffer established a spamming operation that grossed over two million dollars over the course of its operation. Their business model consisted of sending millions of unsolicited e-mail messages which advertised commercial Internet pornography Web sites. For each person directed to one of these Web sites, Kilbride and Schaffer earned a commission. Hard-core pornographic images were embedded in each e-mail, and were visible to any person who opened the e-mail.

Kilbride and Schaffer were convicted of two violations of the CAN-SPAM Act. One of the counts charged that Kilbride and Schaffer sent multiple electronic commercial mail messages containing falsified header information. The other count stemmed from the fact that Kilbride and Schaffer sent e-mail messages using domain names that had been registered using materially false information.

Kilbride and Schaffer were also convicted on one count of conspiring to commit fraud in connection with electronic mail and four counts of felony obscenity charges for transporting hard-core pornographic images of adults. Finally, Kilbride and Schaffer were convicted on a federal money laundering charge for moving funds inside and out of the United States to conceal or disguise the nature, location, source, ownership or control of the proceeds from those materials.

When the CAN-SPAM Act went into effect on Jan. 1, 2004, Kilbride and Schaffer arranged to remotely log on to servers in Amsterdam, to make it look like their spam messages were being sent from abroad, when in reality Kilbride and Schaffer were operating their business from inside the United States. The "From" names and e-mail addresses used to send the spam messages differed from the "Reply to" addresses, making it impossible for recipients to identify the actual sender of the messages or to reply to the e-mail. In addition, the domain names used to send the spam were registered in the name of a fictitious employee at a shell corporation Kilbride and Schaffer established in the Republic of Mauritius. Further, Kilbride and Schaffer used bank accounts in the Republic of Mauritius and the Isle of Man to receive and funnel the proceeds from the operation and to further insulate themselves from detection by U.S. law enforcement.

Witnesses from AOL and the FTC confirmed that over 660,000 complaints were received about Kilbride and Schaffer's pornographic spam, including some who had set parental controls to protect their children from accessing graphic sexual content.

"This dirty duo used a variety of tricks to try and hide their whereabouts from the US authorities. These includes logging into remotely to servers based in Amsterdam to try and make their spam messages look like they originated from outside the USA, and using bank accounts in Mauritius and the Isle of Man," said Graham Cluley, senior technology consultant for Sophos. "The spammers worked hard to protect themselves and disguise their identities, but didn't lose any sleep over the hundreds of thousands innocent families and children who were receiving their unwanted explicit e-mails."