Two Missouri Brothers Among Those Indicted in $4 Million Nationwide Spamming Conspiracy
Millions of E-Mail Addresses Illegally Harvested from Computers at 2,000 Schools

KANSAS CITY, MO—Two Missouri men and their company are among those indicted by a federal grand jury in a nationwide e-mail spamming case that victimized more than 2,000 colleges and universities in a scheme that sold more than $4 million worth of products to students, announced Matt J. Whitworth, Acting United States Attorney for the Western District of Missouri.

Amir Ahmad Shah, 28, of St. Louis., his brother, Osmaan Ahmad Shah, 25, of Columbia, Mo., their business, I2O, Inc., Liu Guang Ming, a citizen of China, and Paul Zucker, 55, of Wayne, N.J., were charged in a 51-count indictment returned under seal by a federal grand jury in Kansas City, Mo., on April 23, 2009. That indictment was unsealed and made public today upon the arrests and initial court appearances of Amir and Osmaan Shah.

“Nearly every college and university in the United States was impacted by this scheme,” Whitworth said. “Illegal hacking and e-mail spamming wreaks havoc on computer networks. These schools spent significant funds to repair the damage and to implement costly preventive measures to defend themselves against future intrusions. We take computer crimes seriously and will aggressively prosecute those who violate the federal CAN-SPAM Act.”

The federal indictment alleges that the spam e-mail scheme targeted colleges and universities across the United States. The Shahs allegedly developed e-mail extracting programs, which they used to illegally harvest more than eight million student e-mail addresses from more than 2,000 colleges and universities. They allegedly used this database of e-mail addresses to send targeted spam e-mails selling various products and services to those students. They conducted at least 31 of these spam e-mail marketing campaigns directed at students, the indictment says, selling more than $4.1 million worth of products.

According to the indictment, the Shahs often initiated their spam campaigns, sending millions upon millions of spam e-mail messages through the computer network at the University of Missouri, where Osmaan Shah is a student. Osmaan Shah either connected to the Internet via the campus wireless Internet service or connected directly to the network through an ethernet cable connection in a classroom or other campus building. The university’s network sustained damage from the large amount of network resources and bandwidth used during the transmission of millions of spam e-mail through its system. The university also expended a substantial amount of time, money and resources to respond to and repair problems caused by the spam e-mail campaigns and to protect and defend its network from future spam e-mail campaigns.

“The University of Missouri has worked closely alongside our office throughout this investigation,” Whitworth said. “We appreciate their partnership and cooperation, which has been instrumental in bringing this case to indictment.”

As part of the conspiracy, the indictment says, the Shahs used false and misleading information in the spam e-mails, suggesting they had an association with the university or college that the student receiving the spam attended. They allegedly used fictitious name and purported to be “campus representatives” from the college of the student receiving the spam. They also falsely claimed that the businesses who manufactured or sold the products in the spam e-mail were “alumni-owned” companies.

The Shahs allegedly made money from these spam e-mail campaigns in one of two ways: by earning a “referral fee” for sending spam e-mail for products and services sold by others, or by buying products in bulk themselves and then selling those products.

The Shahs hired several employees – who are not named in the indictment, but identified as unindicted co-conspirators – to help develop the e-mail extraction program and create the Web sites to market and sell the products and services advertised by their spam e-mails. The Shahs allegedly used mass mailing software programs to materially falsify e-mail header information and to avoid spam filters by rotating subject lines, reply addresses, message content and URLs, and other information in the e-mail header and e-mail body content.

The Shahs allegedly created dozens of identical Web sites for each campaign (often more than 60 Web sites per campaign) in order to divide, obscure, and conceal the source of the spam e-mails, and to attempt to keep the source of their spam e-mails from being blocked by spam filters. These Web sites sold products such as digital cameras, MP3 players, magazine subscriptions, spring break travel offers, pepper spray and teeth whiteners. More recently, the indictment says, the Shahs began sending spam e-mails soliciting students to subscribe to their social networking Web site, www.noog.com.

According to the indictment, the Shahs initially set up hosting in China, which provided them anonymity as to the origins of the spam e-mails and shielded them from complaints from the recipients of their spam. Ming allegedly partnered with the Shahs as early as 2002 and rented them access to a network of 40 servers under his control in China for hosting Web sites and sending spam e-mail. Ming also provided hosting and mailing services to other spammers, the indictment says, with the Shahs acting as the middle-man in the transactions. The Shahs solicited customers for what was advertised as “Offshore Bullet Proof Hosting” and collected the money, which they sent to Ming. Ming performed the network administration duties in China, and worked to keep the Web sites operational.

After learning of the criminal investigation into their activities in 2005 when search warrants were executed on their residence and business, the indictment says, the Shahs modified their scheme. Because officials at the University of Missouri had identified them as the source of the spam e-mails, they allegedly removed the e-mail addresses of students of the University of Missouri from their database and continued to send their spam e-mail to all of the other colleges and universities. According to the indictment, they began leasing hosting and mail services from numerous companies for each subsequent spam campaign in order to conceal the source and size of their spam e-mail campaigns.

Zucker, allegedly a spammer sending spam e-mail for his own products, partnered with the Shahs when they were leasing space on Ming’s servers in China. Zucker is alleged to have bought and sold proxies (computer servers that allow clients to make indirect network connections to other computers in order to camouflage the originating source of an e-mail) with the Shahs.

Each of the defendants is charged with participating in the conspiracy to engage in an unlawful spam e-mail operation since Jan. 1, 2004. In addition to the conspiracy charge, the indictment also contains the following charges:

Fraud in Connection with Computers

The Shahs are charged in each of five counts of computer hacking related to the use of e-mail extractor programs to unlawfully harvest student e-mail addresses.

Each of the defendants is charged in one count of aiding and abetting each other to unlawfully use the University of Missouri computer network to send spam e-mail. In 2004, the Shahs conducted at least seven spam e-mail campaigns utilizing the university’s network.

Fraud in Connection with E-mail

All of the defendants are charged in each of nine counts of aiding and abetting each other to access a protected computer without authorization and transmit multiple commercial e-mails.

All of the defendants are charged in each of nine counts of aiding and abetting each other to materially falsify header information in multiple commercial e-mails.

The Shahs and I2O are also charged in each of 26 counts of aiding and abetting each other to access a protected computer without authorization and transmit multiple commercial e-mails with the intent to deceive or mislead the recipients (or any Internet access service) about the origin of those messages.

Forfeiture Allegation

The indictment also contains a forfeiture allegation, which would require the defendants to forfeit to the government $4,191,966, representing the proceeds obtained as a result of the offense, for which the defendants are jointly and severally liable, as well as two residential properties in St. Louis and a 2001 BMW belonging to Amir Shah and a residential property in Columbia and a 2002 Lexus sedan belonging to Osmaan Shah.

CAN-SPAM Act

In 2003, Congress passed the CAN-SPAM (Controlling the Assault of Non-Solicited Pornography and Marketing) Act, making fraud in connection with electronic mail a federal crime. Spam refers to unsolicited bulk commercial e-mail. Under federal law, it is illegal to send multiple commercial e-mails if the sender accesses a computer system without authorization, transmits the e-mails in such a way as to hide their origin, or materially falsifies the header information in the messages.

Whitworth cautioned that the charges contained in this indictment are simply accusations, and not evidence of guilt. Evidence supporting the charges must be presented to a federal trial jury, whose duty is to determine guilt or innocence.

This case is being prosecuted by Assistant U.S. Attorney Matthew P. Wolesky. It was investigated by the FBI.