Hacker News new | past | comments | ask | show | jobs | submit login
Facebook ‘Spam King’ Guilty for Sending 27M Messages (bloomberg.com)
102 points by denzil_correa on Aug 25, 2015 | hide | past | web | favorite | 86 comments

Now we need to go after the robocall spammers. They waste so much time of so many people -- worse that email spammers. I swear they are doing +1B of spam calls per month in North America.

Many robocall spammers are located abroad. They use VoIP endpoints to connect with US phone numbers for pennies on the dollar (relative to international calling prices).

But that's not even the biggest problem, the biggest problem is that it is trivial to spoof caller IDs in the US, and many of those operators do just that.

So tracking down who actually called can be tricky, then even if you could you still need to either get them extradited for robocalls (which isn't happening) or get them prosecuted abroad for breaking US law (which, again, isn't happening).

I personally feel like it can be solved however it has to be solved like this:

- Eliminated caller ID spoofing through technical means.

- Once caller ID is accurate, you can both have apps/databases with known bad callers or callers from VoIP providers, and or you could fine the VoIP providers facilitating this type of activity in the US (i.e. give them a motivation to stop abusive behaviour on their services).

I mean heck, if a VoIP limited each account to just ten calls per minute, it would massively decrease the volume of robocalls overnight. But none do because they have a financial motivation to keep allowing these companies to operate on their services and zero motivation to stop them (since it is almost untraceable anyway).

Isn't this what the FCC is for? Can't they require providers to update their standards for the public?

It would be interesting if they could implement a system where you could dial (555-555-5555) or something after receiving a robocall, which would log your last received call as being fraudulent and flag it for providers to shadow ban it. Would that work for spoofing caller ID?


The FTC had a competition called "Robocalls, Humanity Strikes Back" and two guys implemented a very similar idea.

Hopefully the FTC will follow through and make this widely available.

Wow, that's actually really cool. Interesting to see the FTC getting involved with the community like that.

>For the second year in a row, the FTC traveled to DEF CON

Bloody hell, for some reason this sentence just fills me with glee. I'm not even American, but it's so good to see government agencies get involved like this.

For reference, you can currently make a complaint to the FTC on this site https://www.ftccomplaintassistant.gov/#crnt&panel1-1

Someone at FTC apparently did not grasp the concept of hierarchical domain system. That URL looks like a phishing attempt.

That's a great suggest, I would love to see this. That's how it should work. Just like the flag button on this website. If enough people "flag" a number then it gets effectively disabled.

As you say, it would have to happen at the FCC level as individual telephone networks don't actually know for real where a call originated from.

Whitepages caller Id app for Android does this. But it only blocks rather than reporting to fcc.

Wouldn't that be subject to caller ID spoofing? For example we get calls from randomly generated local area code numbers (according to caller ID) but they actually originate out of state.

It works fairly well -- it identifies +75% of spammers correctly and I believe it hasn't made a false positive yet:


Unfortunately, not available for all devices. That is incredibly weird, any idea why that might be the case?

I'd definitely like to use an app like this, and couldn't find any info via searching as to why it's not available on all devices.

1) You can't eliminate Caller ID spoofing without overhauling the whole phone network, which won't happen until carriers are forced to do so by regulatory forces. A strong narrative here is the relative security guarantees of IPsec vs SS7.

2) Caller ID accuracy is a database federation problem and is not likely to be fixed without regulatory reform of data disbursement practices. Lockheed Martin Information Systems (Now called Neustar) is the central repository for all Caller ID records but many providers keep their own Caller ID databases to avoid paying the Neustar "dip" fees.

The way robocalling works is with outbound voice detection. You light up X circuits and only route the call to your harassment agent when a human voice is detected. It's trivially simple to detect these guys, and the way many voip providers deal with this is to charge a lot for the first minute of a call.

The NSA has the tools to track robocallers down. Maybe they could actually help the U.S. public out for a change.

Very true and indeed is costing American nationals time and money and that is key toa countries security. Also good PR for the NSA and for them would and should be a walk in the park and one in which would look good on the books.

But can only hope, though I'd call it a no-brainer for the NSA and nobody is going to argue about it falling under there remit.

Maybe we should call spammers financial-terrorists or time-terrorists or communication-terrorists, then maybe, just maybe things would get done.

No doubt the NSA would get involved if the robocallers started selling e.g. nuclear materials or certain herbal extracts, but they would still deny any role to avoid revealing sources and methods.

Alternatively, just get rid of the phone system entirely. Transitional points are starting to exist, and if we can do more things that interop without involving telecoms and are decentralized, you can have a situation a lot like what email /should/ be (with better identity management and less 60's holdover support).

I truly believe eventually cell phones will just be a data communications tool and "voice" will be done through these kinds of standards rather than phone numbers and ridiculous bureaucracy surrounding them, not to mention the quality of such communications will be fantastic comparatively.

Then the VoIP providers are effectively the source of the calls. Go after them.

(I just solve this problem by never answering my phone unless it's a contact. Phone calls are rude anyways IMO, use async communication.)

Earlier this week I was robocalled. The caller ID was spoofed to appear to be from someone in my address book.

Why not just target the businesses that the spam is promoting? It seems that with enough spam complaints on file, an investigator could subpoena records to see where a business is paying for robospammers.

Why not just target the businesses that the spam is promoting?

Many times they are boiler rooms and are after CC #'s. Sometimes, though, they are for real, local businesses. A carpet cleaning business in my area used a robot call service and I played along to get the name of the business. I then hung up and called them, and asked to speak to the owner. After a while I got him. I gave him a piece of my mind, politely, and told him I would never, ever hire him and I would tell everyone I know the same.

You know what? He didn't give a shit, and was pretty surprised at my call. That means that people don't do what I did and there's little downside for what he did (hiring scumbags).

I heard that many of the boiler room operations are based in Pakistan, especially those for carpet cleaning or duct cleaning where there are actually people on the call rather than recordings.

Usually it's a staged thing. Robocall -> level 2 operator -> boiler room.

The level 2 people appear very, very bored and are unfazed by you yelling or swearing. They just immediately hang up when they feel you are not a mark.

The boiler room guys are slick as fuck. I once kept one of them on the phone for 10-15 minutes, playing dumb (I told him I was looking for my CC statement). When I hung up, my phone rang immediately. I told him to fuck off and take me off his list. He said "you'll regret this" and hung up. My phone rang immediately and the person at the other end was just yelling. It was someone like me that was redirected to my phone #. I unplugged my phone for 30 minutes.

I googled for the phrases they used ("credit card services") and found a law suit in Texas from the early 2000's. The company was shutdown and fined. There was a lawyer's name on the press release. I called information, found him, dialed the number. He answered. I introduced myself and told him briefly what had happened and he was pretty interested. He lectured me, though, to not get involved. He said they were pretty nasty people. He recommended I call AT&T (my provider at the time) and file a complaint. I started the process, but AT&T made the process so fucking horrible that I abandoned it after putting in an hour or two over a few days. Useless.

My tip for getting under their skin: sincerely try to persuade them that they deserve a better job than the shitty, exploitative thing they're going. They are prepared for yelling, but not so prepared for compassion and honesty.

I've also had some luck opening with, "Does your family know that you lie to people for money?" That can be a good lead-in to suggesting they do something actually worthwhile.

I don't know, but it doesn't seem that people with a conscience and a host of better options would voluntarily do this instead.

In high school I was prodded to get a job, so I looked in the paper, applied for a bunch of things, and eventually got one. It was a company that did telephone fundraising for charities, which at 17 seemed ok by me.

Very gradually I learned that it was run by scoundrels, and that only about 15% of the money raised actually made it to the charity in question. The work was awful, but I stuck with it because that's what you do with jobs. It was the realization that I was basically helping scam artists take money from big-hearted, too-trusting people that got me to quit.

Conscience isn't some fixed thing; it's a skill you learn, a habit of ongoing evaluation. If I can wake just one of these people up so that they, like me, go and get a job that isn't net harmful to society, I'll consider my time well spent.

My tip for getting under their skin: sincerely try to persuade them that they deserve a better job than the shitty, exploitative thing they're going. They are prepared for yelling, but not so prepared for compassion and honesty.

They'll just hang up as soon as they know you aren't a mark. I've tried everything, with these folks.

Have you tried actually caring that they get a better job? I've definitely had a number of conversations in the 3-5 minute range, and a few at 10-15.

Unless you are offering that person a job, you aren't helping.

My goal isn't strictly to help them; my goal is to get them to stop being paid by criminals to waste everybody's time (and possibly steal their money).

you could lease promotion for a competitor and wait for them to get fined.

Can not this be done with spammers as well? I could pretent to be Microsoft or a smaller company?

I think all the countermeasure and spam prevent techniques for phone spam can be taken from everything we learned regarding email spam.

There's always a legitimate need for lots of calls. For instance political dialer is allowed. Anyways, the answer is to put liability onto the carriers handling this traffic, and let the fine trickle down. I guarantee you that even with a token fine of 5 or 10 grand, all traffic resellers, from large wholesale to retail would suddenly find ways of vetting customers. They'd either hold bonds or require credit.

Sure, scammers would move to hacking pbxes to place calls. But with strong liability, resellers would find ways to limit the damage a single account could do, like you suggest.

Also there isn't any real good way to limit caller ID "spoofing". The level of interconnects makes it as hard or worse than IP spoofing. And it's already an offense to spoof ID for scamming, at $10k a pop. But no one follows up and pushes the issue.

Political dialer is legal, but not legitimate.

OK well if we wanna go that route then why stop at dialer?

Indeed, why? I say we start there and then keep going. I'd be perfectly willing to go as far as banning all paid advertising. Surely humanity could find something useful to do with the trillion or so we spend on advertising, PR, and related manipulation. But let's start small and see how it goes.

I think I remember a comedy video where somebody went door to door speaking and messaging in the manner of online advertisements. Probably also perfectly legal (despite any "No Solicitors" signs on front doors) and something that would only be part of a completely horrible world.

In China, Xiaomi phone users have a "report spam" button, and if X number of people report that phone number as a spammer, calls from that number get blocked on all other Xiaomi phones. (I think X = 5, but I'm not sure.)

I really wished we had something like that here. One of the only times I'm jealous of my mom's phone.

Truecaller has that feature.

That seems like a nightmare to police.

"Is this number generating call volumes two standard deviations outside the norm?"

How is this different from the report spam or phishing button that is built into Gmail?

Thise spam buttons are a lot more complicated on the back end and they're still a pain for legitimate mailers, which requires google set up and maintain a "feedback loop" program for email providers

Apparently there were 214,000 people who complained about robo callers to the FCC last year. If you think about how obscure that reporting process is and extrapolate to the real number, you're probably not that far from the truth.

I've complained and was appalled at how obtuse the process is. (E.g. the FCC requires that you include hyphens in phone numbers, the Do-not-call list won't allow numbers with hyphens.)

I've thought of making an app to automate the process. It would remember all form's entries for you (name, address, etc) and fill in the current time and date. You'd just have to copy the phone number.

Think there's any demand for this?

And then they thank you for reporting, tell you that they cannot handle individual complaints, and close the case. If they fixed the problem they could handle more difficult cases.

I get one or more a day but then again I have a business line with a Google listing. I started to use the whitepages caller Id all to block known slammers - it is pretty good.

The real number is obviously "every phone number".

I have been getting some bullshit robocalls constantly recently, some recording about Google+ blah blah blah. I just hang up and block the number.

I swear 90% of my phone & snail mail spam comes from the fact that I used my real name & address (PO Box) for domain names I've registered (as required by ICANN). I mean I doubt ICANN can enforce that but it'd be a dumb way to lose my domains so I used real info.

The Google+ one is a new popular one, and it's impressive that someone things Google+ is worth conning about.


For those who don't know, this fellow was famous as early as the 90s [1].

If he returns to spamming again and again, doesn't it mean that the punishment is lesser than the gains to be had? And too bad.

[1] https://en.wikipedia.org/wiki/Sanford_Wallace

It also means that eventually the courts will throw the book at him XD

The evidence suggests otherwise.

Did you and I read the same thing? He's looking at jail time.

Sanford Wallace is quite famous for his spamming history for those who remember the 90s: https://en.wikipedia.org/wiki/Sanford_Wallace

> In 2001 he was linked to a website, passthison.com, which utilized multiple-window launching to snag Web viewers, an advertising practice rarely seen outside of the online pornography industry.

It's funny how 2001 bad spyware practices used only on porn sites have been utilized by mainstream media sites via iOS/Android browser redirects in 2015.

I remember a long time ago regularly browsing a porn webmaster forum for ideas to use in regular sites. The porn sites were generally at the forefront of a lot of things, obviously not all questionable.

Well, porn sites figured out it was bad for business. The demographic targeted for these spam messages easily falls for the same tricks, but aren't getting any services in exchange; only a faceless company.

Credit card farmers don't really care about repeat business, same goes for the brain pill trial guys that people for some reason give their CC info willingly. If someone catches on, you just bring up another llc, rinse, and repeat.

No, we got popup blocking built into browsers about a decade ago. Similarly, intrusive advertising is driving flashblocking and indeed total ad-blocking.

(Currenltly struggling with the fact that Plume for Android is nice to use - except when ads bounce you out of the app without being clicked on, sometimes over and over again)

You shouldn't be surprise that someone who needs a brain pill could be duped into giving away their CC info.

It's not exactly true for the article to say the technique was "rarely seen outside of the online pornography industry" when it was popularised by Geocities at a time when they were in the top 5 web properties...

The most bizarre part of this article:

> As of October 2003, Wallace was working as a DJ in New Hampshire, making weekly appearances at area nightclubs. Wallace performs under the name DJ MasterWeb.

Spam King by day, club DJ by night. With a cringey name, to boot.

Spamford Wallace! A blast from the past. I remember the epic Slashdot articles following the story of the vigilantes that hunted him down. He was easily one of the most-hated villains of the late 1990s Internet.

By far the most intriguing was Davis Wolfgang Hawke, the "spam Nazi", subject of the 2004 book Spam Kings.

Is 27 million messages a lot? I'm not sure if this is a testament to how good facebook is at fighting spam, or a media error.

Facebook's usually really good about fighting spammers and multiple accounts from what I've seen. Early community was facebook was filled with spammers but it's much harder to find spam accounts nowadays. Basically every account I encounter is real....I wonder what crazy thing he had to do to get 500k spam accounts

It doesn't say they're spam accounts -- more likely good accounts taken over, which accounts for some of the fraud.

I made a nice bit of money spamming those early community pages. . . Ahh yes the good 'ole days.

The technical term is not "made", but something more like "stole". If you put $1 in your pocket while wasting $10 (or, more likely, $100 or $1000) of other people's time, then you're not a productive citizen, you're a parasite.

He gained access to 500k accounts... so I'm roughly guessing that he sent a message to every friend people had on each one of those accounts.

Yeah, that bit of information is more interesting. Did he get the access illegally? Why was that not a crime, but sending the messages was? Something is off here.

Him getting access was the fraud part of the charges. The spamming was covered under the contempt part, because he was under court orders to not use facebook due to prior spamming.

In 2009 we had 1b sends/day, so not really:


Not really when their user base is over 1 billion.

Holy crap, it's Spamford. I totally lost track of him for years, but this is his one-trick pony. He knows nothing else besides how to send spam, and will do it no matter what he has to break into to do it. Very obsessed.

Wait, so what was the actual crime? Violating a court order forbidding any access to Facebook? Was he charged under CANSPAM? Or CFAA (was he phishing real accounts?)

I'm confused how this turned into a criminal case.

Violating a court order forbidding any access to Facebook?

Yes, as stated in the article.

"Spamford" Wallace has a slight history, including multiple instances of recidivism after former spamming episodes dating to 1991.


In the late 1990s, his company, Cyber Promotions, aka Cyberpromo, was widely blacklisted as a source of unsolicited email. Wallace's high-profile pro-spam stance and unrepentant persistence earned him the derisive nickname 'Spamford'.

Prior to his email spam ventures, Wallace had gained notoriety in other questionable marketing circles, as a heavy utilizer of junk fax marketing, a practice outlawed in the United States since 1991.[2]

In 1995, Wallace formed Cyber Promotions, entering the spam market. Thanks to a self-marketing campaign, Cyberpromo rapidly became the most successful seller of email marketing—as well as the number one source of unsolicited email. After Cyberpromo failed to become a legitimate business, Wallace returned to junk faxing in late 1997.[2]

So why is violating a court order not to access Facebook considered criminal contempt, not civil contempt?

I read previously that he is charged criminally for hacking the 100,000-500,000 accounts. They were real accounts which belonged to real people and he may have phished them.

Who said it was criminal contempt and not civil contempt?

Wow, I didn't know Spamford was even still around.

I still remember the hundreds of cyberout.com emails I'd get from his company back when I used AOL around 1995.

Was this man prosecuted primarily because of his notorious history? I have never heard of FB spammers being prosecuted before.

Anybody know how was he spamming? Using wall or messages?

Pff, 250 and 700 million dollars. That seems ridiculously large for a petty spamming crime.

At least he filed bankruptcy.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact