back to article Florida Man jailed for 4 years after raking in a million bucks from spam

A marketer who used stolen email accounts to trouser more than a million dollars by spamming people has been sent down for four years. Timothy Livingston, 31, was handed the 48-month term after he pleaded guilty to counts of conspiracy to commit fraud in connection with computers and access devices, conspiracy to commit fraud …

  1. Uncle Ron

    My $0.02

    Here's what I think: The global disaster that is spam e-mail, and the loss, dysfunction, heart-ache, and unnecessary load that it places on the Web, should be targeted with -far- more serious penalties that "48 months" in prison. If I steel a hundred bucks worth of spam from a 7-11 store I could very well get a TEN year prison sentence, but steel a MILLION dollars with a TRILLION spam e-mails and I get a lousy 4 years. This is just not right. It sends the wrong message to these assholes.

    1. zanshin

      Re: My $0.02

      On the other hand, when you "steel" money by robbing a 7/11, usually that involves walking in and threatening an attendant with bodily harm, sometimes with a weapon. You're also taking someone else's property (the cash in the register) directly, instead of being paid for work you actually performed, though in this case that work was performed in illegal and unethical ways.

      I don't approve at all of what this guy did (and especially not of how he did it), and it's unfortunate that he pocketed a lot of money doing it, but in terms of effort to dissuade criminals I'm on board with in-person, physical robbery being penalized more harshly than using compromised servers as botnets for spam, even if there is a huge disparity in the gains.

      If there's any aspect of this that I think might warrant a harsher penalty its the alleged material support of illegal narcotics sales. It's not clear that the authorities could pin that on him, though, since that's not something he ended up found guilty of.

      1. Mark 85 Silver badge

        Re: My $0.02

        But there is a problem here that's overlooked. That the computers that have compromised and need to be cleaned up. Most users/punters have no idea what they're infected with or how to clean it up. I daresay, that clean up costs should be a part of the punishment. If the crim can't pay, then load them up with some additional porridge time.

        As it is, everyone else is left with the clean up and there's nothing to dissuade crims from building botnets, etc.

      2. JLV Silver badge

        Re: My $0.02

        >in-person, physical robbery being penalized more harshly than using compromised servers as botnets for spam, even if there is a huge disparity in the gains.

        Respectfully disagree with you. There are ample well-grounded precedents for applying very stiff penalties to low-violence crimes because not doing so would result in undue criminal burden to society at large.

        Take for example money counterfeiting. Two guys hanging out in a garage and printing out fake money on a high end printer is not a violent crime. But, if such behavior was not very aggressively discouraged, then public trust in money would be undermined (the Nazis even had an elaborate plan to do that to the British currency during WW2). Ditto, I have been told, penalties for dine-n-dash in France - it's not much of a crime, but if it becomes cheap and easy to get away with, then societal trust is lost.

        Scammers on the internet may not be violent types, but amassing millions of loot implies a lot of individual victims. I don't minimize the trauma to a 7-11 clerk of getting robbed (without injury) at knife or gun point, but the overall societal impact is low. And if it becomes "10 years for $100 armed robbery" or "1 year for $1M internet ID theft", any criminal with the vague intellectual capacity required for ID theft will reconvert. Leaving behind hundreds or thousands of people dealing with the major hassles of ID theft.

        I admit I am switching the goal posts from spam to ID theft, but ID theft is a non-violent crime needing strong deterrence. Pure spam I am less gung-ho about. Still, in this case, 4 years (he's gonna be out in, what, 1.5 at the most?) served for 1M$ gain is hardly being unduly harsh on the little lowlife.

        (that's not my downvote, I generally agree with minimizing jail time for most minor crimes)

        1. zanshin

          Re: My $0.02 (@JLV)

          JLV, I agree that ID theft is different. My reply earlier was specific to the crime in question, and how it specifically was contrasted to robbery. That's even evident in the summary bit you quoted.

          ID theft definitely can cause significant disruption to one's personal life, or even the life of a whole family. I'm directly aware, as I've been a victim of it, and my case wasn't even that severe. (It was achieved before Internet use was commonplace, via theft of items from my postal mailbox.) Doing that on a mass scale is extremely disruptive and can have a high overall societal cost.

          As far as I can tell, this guy was sending mass mails on behalf of other companies, which, with caveats, does not have such a severe cost to society.

          Now, if his mails directly facilitated downstream crimes, that's a compounding factor. For example, if he was spamming out phishing mails, that's a different deal, as he's then facilitating another crime with greater societal cost. He's helping make it possible, even if it doesn't materialize. That's why I mentioned before that I felt that there might be warrant for greater punishment if he'd facilitated the illegal sale of narcotics.

          Yes, his compromised botnet needs to be cleaned up, and there's a real cost associated with that. That very much matters. Does it matter enough to justify his jail term being longer than that for a 7/11 robber? I don't know. It depends on how much it really costs to deal with.

          Basically, we shouldn't just look at how much money he made in order to determine the severity of his crime. The same is true of the 7/11 robber. We should look at the cost to others of them getting that money, which is not likely to be the same as the amount of money itself.

          1. JLV Silver badge

            Re: My $0.02 (@JLV)

            >we shouldn't just look at how much money he made in order to determine the severity of his crime

            We still disagree on this point. I appreciate your reasoning, but, IMHO, in the case of white collar crime we want to aim somewhat for a Nash Equilibrium where rational criminals can look at the cost/benefit outcomes and realize that cybercrime isn't a risk-free proposition, purely from a financial gain POV. That

            requires you to look at money, because money IS the metric in this type of cases.

            In addressing white-collar crime, deterrence for CEO-level crimes is also required, but bear in mind that that type of perpetrator has a lot to lose in the cost-benefit matrix, precisely due to their already-(over?)privileged position. So, if SPAM $1M => 4 years, it doesn't automatically follow that $10M CEO needs 15 years. An actual conviction for 3-4 years, with regulation implying the loss of future earning capacity, would still be sufficient, I think. With exceptions for especially egregious cases like Madoff.

            Different crimes can be minimized different ways. Here in BC we had a horrific case where a gas station attendant tried to stop some gas-n-dash lowlives and got dragged to death. The solution (besides jailing those particular lowlives and throwing away the key), was to pass regulations that require prepayment at gas stations. Problem solved.

            There is no one-size fits all. Any time we jail someone society incurs very real costs. I believe that what this guy got is consistent with society's interest in minimizing his type of crime. Whether he "deserves it" at an individual level is not the question I am addressing.

    2. Anonymous Coward
      Anonymous Coward

      Re: My $0.02

      Just what unnecessary load does email place on the web? On the internet yes, but the web? Use a bloody email client, not a web browser for email.

    3. Anonymous Coward
      Anonymous Coward

      Re: My $0.02

      Here's what I think: The global disaster that is spam e-mail, and the loss, dysfunction, heart-ache, and unnecessary load that it places on the Web, should be targeted with -far- more serious penalties that "48 months" in prison

      Apologies for throwing in some cynicism, but you're forgetting this is America.

      Actually SOLVING the spam problem means that they (a) don't get to frequently confiscate a rather serious sum and (b) don't sponsor the nearest prison with tax money for 48 months (as they are privatised and need to maintain an occupancy rate).

      Let me translate that: leaving the problem as it is, and only catching miscreants when they have made a lot of money represents a fat source of income. There is no chance anyone is going to mess that up.

    4. ritey

      Re: My $0.02

      Every person who has every received one of his email should be allowed to punch him square on in the face.

      Now that would be appropriate justice.

      1. werdsmith Silver badge

        Re: My $0.02

        "He would then collect a commission every time one of his junk mail messages was converted to a sale."

        This is part of the problem.

        Firstly, the companies that paid him commission should also be fined, this will force them to be careful who they are dealing with.

        Secondly, the idiots who respond to junk mail should get lifetime internet bans.

  2. Phil Endecott Silver badge

    The aspect that I find disappointing is that he was in business for long enough to make a million dollars before he got stopped.

    Ideally, I'd get one spam email and forward it to the authorities who would act immediately to shut down whoever sent it. In practice, the reaction to such reports is "you probably signed up for their spam but forgot".

    1. Ian Michael Gumby Silver badge

      @Phil Endecott


      Where were you when Siegel and Cantor spammed USENET with their green card adverts?

      (Do you even know what USENET is/was?)

      The point is that its not that easy to catch and shut down.

      It used to be that you would go after the ISP and shut down the pink contracts. SAVVIS was a big time offender.

      But when they use a botnet and malware... you have to check out who is behind it and that takes time and a bit of luck. Its not that easy. (It also depends on how the botnet is controlled.) The only way to track them down is to contact a legitimate business and see who they signed on with and go after them. Until of course it leads to people off shore.

      I do think that it would be nice that these guys get longer prison sentences. However... that will never happen. And of course they will always try to find another scam.

      1. Phil Endecott Silver badge

        Re: @Phil Endecott

        > (Do you even know what USENET is/was?)

        Very much so, I was there.

        > The point is that its not that easy to catch and shut down.

        These guys were selling their services to legitimate businesses. You catch them by asking the businesses that are promoted in the emails who they paid to send them. Much easier to prove in court if you have a witness who says "we paid them to do it", rather than evidence involving IP addresses.

      2. Alan Brown Silver badge

        Re: @Phil Endecott

        "The point is that its not that easy to catch and shut down."

        The sendsys they got pretty effectively parked their little red wagon.

    2. GrapeBunch Bronze badge

      Ideally, I'd get one spam email and forward it to the authorities who would act immediately to shut down whoever sent it. In practice, the reaction to such reports is "you probably signed up for their spam but forgot".

      You live in a different universe. Decades ago I would report e-mail based fraud to the RCMP address for that. What I heard back: silence. What I heard elsewhere: lots of reports of people being scammed, no reports of anybody in Canada going to jail for scamming them. Ditto for phishing e-mails spoofing a bank at which I actually held an account.

      Mere spam. Well. I occasionally help a small number (3 ?) of individuals with computer problems. One of them was complaining about a particular spam stream. She swore up and down that she never signed up for it. As she never erased e-mails, the forensic trail was easy to uncover. There was a first spam, and it was from the purveyor, thanking her for signing up. It transpired that yes she did sign up for the spam, thinking to receive messages only about subject A, but in fact getting messages about subjects B, C, D, E, and F in addition. And lots of them. Another helpee doesn't sign up for anything, and if she receives spam, it is filtered for her by [ubiquitous free email purveyor].

      In brief, if they actually do something about fraud attempts, I happily forgive their inaction on mere spam.

      Sometimes when I look at these reports, I begin to think that they are fake news. Maybe not 100% fake, but at least doctored. For example, in this item, the bad guy did a plea bargain by agreeing to give back the money. So who receives the money? The people whose computers he botnetted? The spam recipients? I doubt it. There's something too trite about the story, so trite that I smell trout.

    3. Anonymous Coward
      Anonymous Coward

      Ideally, I'd get one spam email and forward it to the authorities who would act immediately to shut down whoever sent it.

      I admire your charming belief in the authorities, but I have already illustrated why I think that belief is misplaced, not to mention that a million forwarded emails will amount to a DDoS on such an authority. From a simple technical perspective, few people are capable of forwarding an email in a manner that preserves the original headers (not to mention that few email clients make this easy), and that's without referring to the tiny problem that such spam floods are typically proxied through compromised systems of others.

      Personally I'd like to lock up spammers and force them to eat every email printed on sharp edged cardboard before they're let out, but I fear it's a problem we can only fix when we stop the average person from having their equipment subverted, and that's an effort that hasn't even started properly - it's still FAR too hard to do for the average Joe.

  3. frank ly Silver badge

    moral panic

    "... online pharmacies that sold narcotics without prescriptions,"

    Where I live (the UK), there are many high street pharmacies that sell narcotics (codeine) without a prescription, as long as you look legally adult. It depends which country you're in for if it's illegal or not. (The pharmacy that I use is in the Asda supermarket, which is owned by Wal Mart.)

    As for the spamming with stolen email addresses: string him up.

    1. Alan Brown Silver badge

      Re: moral panic

      Otc codine in the uk has paracetamol mixed in. You can't take a narcotic dose of the former without simultaneously ingesting a fatal dose of the latter.

      Prescription versions don't have the paracetamol on board.

  4. GrumpenKraut Silver badge

    "He will have to forfeit all of that ..."

    Good! I wish that would happen here in GrumpenLand more often.

    1. Doctor Syntax Silver badge

      Re: "He will have to forfeit all of that ..."


      Agreed. Nevertheless I have a sneaking suspicion that he'll have pocketed a good deal more than was accounted for and will end up with a good rate of pay for his 4 years.

      1. veti Silver badge

        Re: "He will have to forfeit all of that ..."

        And it's worse than that, because this is only what happens if you get caught and convicted.

        How many other spammers are there who haven't been caught? You need to divide the penalty by that number to get an "expected cost of doing business".

  5. Christoph Silver badge

    "Livingston's clients included legitimate businesses – such as insurance companies that wished to send bulk emails to advertise their businesses"

    If they knowingly send bulk advertising emails they are spammers. They are not a legitimate business.

    1. Alan Brown Silver badge

      I've spent many years dealing with spammers and their victims - both the advertisers and the spammees.

      Most advertisers are blissfully unaware that sending bulk email is mostly illegal unless "done right" and are happy to sign up for a glossy brochure and a smooth talker - it's worth noting that the vast majority of signups of otherwise reputable businesses happen via spammers treading the boards at tradeshows, introducing themselves as marketing experts and usiing the usual snake oil high pressure selling techniques we all know and hate.

      Responsible businesses generally learn pretty fast thanks to the tsunami of complaints they get and general business losses resulting from the spam campaign - which can be substantial and most spammers demand payment in advance. (Then there are Joe Jobs... spam sent by someone purporting to be from a 3rd party in order to deliberately damage the 3rd party)

      Unfortunately there are some who decide the pain is worth it, the ones who do it twice are of the same ilk as the spammers - entitled sociopaths who usually cry "free speech" when confronted and "victim" when the tables get turned (see: Alan Ralksy, or Donald Trump)

      The long-term way of eliminating spam is to punish the companies which hire spammers - even for a first offence, but with increasing fines if they continue. That way only criminals will hire spammers and spammers knowingly involved in a criminal enterprise are usually part of organised crime groups that the smaller players will steer clear of. (The mafia hates competition, etc)

      4 years isn't long enough. But it's a start. I just hope that his activities are tagged when released so that if there is any other source of money found, it can be confiscated too.

  6. Anonymous Coward
    Anonymous Coward

    Small potatoes

    I don't know about you, but $1M isn't that much any more, IMO. Maybe you could live a very modest lifestyle on it for a few years. Very modest.

    I'm certainly glad he got caught, and it seems fitting that he should give his ill gotten gains back.

    But ballyhooing him as some big time crook? For a paltry $1M?

    Let me know when they catch the guys who have made $10M. Or $100M. Now that's some real scratch.

    1. DJO Silver badge

      Re: Small potatoes

      25 years with only $40,000 per year tax free. Bummer.

      1. Anonymous Coward
        Anonymous Coward

        Re: Small potatoes

        You think he's paid the taxes on his ill gotten gains? If he gets to keep any of it, he'll probably owe taxes on it because I bet he hasn't paid those either.

        And he'll owe taxes on the interest it earns, although most banks are paying 1 or 1.5%.

        Yeah, you might do okay on $40K in some places. Not where I live. Just renting a dumpy one bedroom apartment here will eat nearly half of that.

        1. DJO Silver badge

          Re: Small potatoes

          Just renting a dumpy one bedroom apartment here will eat nearly half of that

          You need to be near to your work, our hypothetical crook does not, he'd could however easily afford to rent or buy a house near a beach in Goa or somewhere like that. Sun sea and a really low cost of living, ain't life a bitch.

    2. Smooth Newt Silver badge

      Re: Small potatoes

      I don't know about you, but $1M isn't that much any more, IMO. Maybe you could live a very modest lifestyle on it for a few years. Very modest.

      An October 2016 Justice Department press release1 says he was running the business from 2011, and that he forfeits $1.3M money as well as property including a 2009 Cadillac Escalade and a 2006 Ferrari F430 Spider, which a quick web search suggests may be worth as much as $40k and $170k respectively.

      $1.5M for five years = $300k per year, and that is just what can be seized. Presumably money spent on living expenses - which might have been substantially more lavish than sandwiches and an occasional trip to the cinema - has gone. Whilst hardly Pablo Escabar, $300k+ per year would pay for a very comfortable lifestyle.


      1. Alan Brown Silver badge

        Re: Small potatoes

        "$1.5M for five years = $300k per year"

        If he's splashing out on that kind of toy and has 1.3mill sitting in his bank account, then the actual figure taken in is likely to be significantly higher.

        It really depends how deep down the rabbit hole the investigators want to go, but most crooks tend to sequester money in multiple locations.

        1. werdsmith Silver badge

          Re: Small potatoes

          With $1M I could retire and live very comfortably right now.

  7. patrickstar

    Boca Raton, Florida? Again, really? Is there something in the drinking water there that has made the inhabitants spam since the beginning of time (well, of spam)?

    I wonder if the police found a lot of empty KFC buckets with chicken bone leftovers in them, too... Just to complete the old spammer stereotype.

    1. ecofeco Silver badge

      "Forget it Jake, it's Boca Raton."

    2. Alan Brown Silver badge

      Florida is home to many scammers due to the large population of retirees (easy targets) and laws which prevent losing your home if convicted or bankrupted

  8. Roopee

    Re It's not tax-free

    Of course it is tax-free if he's operating under the radar!

    Also it doesn't sound to me as though the spammer was guilty of fraud in the true sense. He operated a 'business' that took money (commission) in return for services rendered, with no force or duress (unlike your typical organised criminals). Spamming per se is illegal, so he and the directors/owners of his clients were committing crimes and should of corse be punished for that.

    But, and it's a big but, he would have earned nothing if it weren't for the unwitting/witless/knowing idiots out there who clicked on his customers' links and then went on to actually purchase things. That's a true idiot tax!

    Like many of you, I've provided technical support for countless end users who claim never to have clicked anything, signed up for anything or agreed to any installations when clearly they have, but even they usually stop short at handing over any payment details. The ones that do get out their credit card without any kind of the most basic due diligence are naive, stupid or greedy, sometimes all three! Our criminals here are basically taking advantage of that. A fool and his money... Whether that should be a crime depends on your attitude to Darwinism...

    1. Richard 12 Silver badge

      He used other people's computers without permission

      Depending on how that was done, it may be fraud in the truthiest sense.

      One could also argue that taking money for bulk-emailing services that were done by stealing computing time and resources from 3rd parties is defrauding the customer buying those services.

      Thiugh that is rather hard to justify as a concept when payment is by conversion rate, rather than per email per recipient.

      That implies a knowledge on the part of the customer that said bulk emailer is not entirely legitimate...

      1. Anonymous Coward
        Anonymous Coward

        Re: He used other people's computers without permission

        "One could also argue that taking money for bulk-emailing services that were done by stealing computing time and resources from 3rd parties is defrauding the customer buying those services."

        That's theft rather than fraud. The electricity and CPU cycles were taken without permission, and with intent to deprive the rightful owner (the computer owner, electricity bill payer). Admittedly trivial amounts, but trivial amounts times billions of emails will add up. In addition to theft, his botnet amounts to criminal damage, whose clear up costs will be significant. Then there's the time wasted of the recipients, disk space stolen on a whole range of servers, even before the (alleged) fraud on the business customers paying for email marketing, or the promotion of illegal activities.

        Unfortunately, the authorities have generally treated spamming (and much internet crime) at the level of priority and gravitas as the single instance. And they hide behind weak excuses of intervention being "too difficult" (even as they grant themselves vast and ever increasing powers of surveillance and internet snooping). In this case they've started to up their game, but if you have to be a millionaire before they'll act, the point about trivialising the crime still stands.

        Whilst the authorities continue to regard a million offences as rarely more serious than a single one, they offer a licence to operate to spammers and fraudsters, and if there's a threshold below which they clearly can't be arsed to act, then there's little deterrent to starting down the path of cybercrime.

        1. Alan Brown Silver badge

          Re: He used other people's computers without permission

          > That's theft rather than fraud

          Under US law it's "wire fraud" - and can have up to 20 years attached just for that.

  9. Alan Brown Silver badge

    Joint enterprise

    Spamming won't be eliminated but you can put one hell of a dent in it by making the companies paying them responsible for the spam too.

    This was the part of the USA's TCPA that put a huge brake on junk faxes. Advertisers started caring when illigal advertising practices cost them directly.

    At that point the remaining spam is mostly for illegal shit like web pharmacies selling narcotics - which you can use to ensure the spammer gets a lot more than 4 years.

    1. patrickstar

      Re: Joint enterprise

      So then you can put some competitor/enemy out of business by spamming pretending to be him?

      This is not even unheard of now (there's even a word for it - 'joe job'), as there are already lots of other downsides to being spamvertised.

      Besides, very little spam, percentage wise, is for any sort of legitimate business. At most it's "legitimate" in that you actually get the pills you ordered, or something resembling them, but it's gonna be from Nortern Farawayistan and not Canada despite the name of the pharmacy...

  10. Christian Berger Silver badge

    What I wonder is...

    I mean sending e-mail legitimately is fairly simple, you don't need a special company for it, if you're not sending spam... why didn't the companies send it themselves? Did they intend to send spam? I mean spam is often hidden under euphemisms like "E-Mail marketing" and there are some big players like Adobe in that field. Shouldn't we start going after them too, as they make spam appear more legitimate to businesses?

  11. myhandler

    Pled? isn't it "he pleaded guily m'lud" , or do plebs pled in the US?

    1. Glenturret Single Malt

      According to Chambers Dictionary pled is an alternative to pleaded ("Spenser, Scot, US and dialect").

      It is commonly used in reports of Scottish court cases so presumably is the term used in court.

  12. PeterM42

    4 years!?!?!?!?

    What about removal of his testicles???

  13. lukewarmdog

    I wonder

    How many of those clicks that made him money were from people who wanted to buy some insurance they'd just just received, unsolicited or whether instead all those clicks were for the illegal services he was helping to promote.

    Also good he has got jail and lost the money but I'd really like his payment sources to be traced back, legitimate businesses given a bollocking and things like the online pharmacies closed down.

    Also a note on over the counter codeine and the fact it's mixed with paracetamol. Cold water extraction is so simple that anyone with even half a mind to get the codeine out will find how to do it as the first hit on google.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019