Two University of Missouri Graduates Plead Guilty to College E-Mail Spam Conspiracy; Must Forfeit Over $400,000
Millions of E-Mail Addresses Illegally Harvested from Computers at Hundreds of Universities

KANSAS CITY, MO—Beth Phillips, United States Attorney for the Western District of Missouri, announced that two Missouri men and their company pleaded guilty in federal court today to their role in a nationwide e-mail spamming scheme that victimized more than 2,000 colleges and universities, including the University of Missouri.

“Today the defendants admitted they spammed universities and colleges across the country,” Phillips said. “As part of their pleas, they agreed to forfeit the proceeds of their illegal activities, over $439,000 in cash and property.

“Illegal spam campaigns create significant problems for computer networks,” Phillips added, “and those who seek to profit by spamming will be held accountable.”

Amir Ahmad Shah, 29, of St. Louis, Mo., his brother, Osmaan Ahmad Shah, 26, of Columbia, Mo., their business, i2o, Inc., represented by company president Amir Shah, pleaded guilty before U.S. District Judge Howard F. Sachs to the charges contained in an April 23, 2009, federal indictment.

The Shahs admitted that they and their co-conspirators created a spam e-mail scheme that targeted college students across the United States. They developed individualized e-mail extracting programs which they used to harvest student e-mail addresses from the University of Missouri and hundreds of other universities and colleges. They then used this database of more than 8 million e-mail addresses to send unsolicited commercial e-mails selling various products and services (such as such as digital cameras, MP3 players, magazine subscriptions, spring break travel offers, pepper spray, and teeth whiteners) to those college students.

Co-defendant Paul Zucker, 57, of Wayne, New Jersey, pleaded guilty on July 13, 2010, to his role in the conspiracy.

From Jan. 1, 2004, to Feb. 28, 2005, the Shahs and their co-conspirators were successful in sending e-mails that were not caught by university and college spam e-mail filters by using a variety of methods. They set up hosting in China, which they called “Offshore Bullet Proof Hosting,” meaning it was immune to complaints from recipients of their e-mails and provided them anonymity as to the origins of their e-mails. They bought and sold open proxies (computer servers that enabled them to make indirect network connections to other computers in order to camouflage the original source of their e-mail). They used bulk e-mail software to falsify e-mail header information and rotate subject line entries, reply-to addresses, and message body content in their messages. They also provided false information when registering some of their domain names.

The Shahs also admitted that they initiated their spam campaigns by using the bandwidth provided by the University of Missouri’s computer network, thereby causing damage to the network and its users. Osmaan Shah, who was a student at the University of Missouri, connected to the Internet via the campus wireless Internet service and also connected directly to the network through an ethernet cable connection in a classroom or other campus building. The university’s network sustained damage from the large amount of network resources and bandwidth used during the transmission of millions of spam e-mail through its system.

Zucker admitted that he provided proxies, which were intended to be used both inside and outside of the United States for the purpose of sending spam e-mail messages. Zucker also admitted that he provided bulk e-mail software that was designed to falsify e-mail header information and rotate subject line entries, reply-to addresses, message body content, and URLs in their messages. This allowed conspirators to penetrate university and college spam e-mail filters.

In addition to the conspiracy, the Shahs and i2o also pleaded guilty to one count of aiding and abetting each other to access a protected computer without authorization and transmit multiple commercial e-mails with the intent to deceive or mislead the recipients (or any Internet access service) about the origin of those messages.

By pleading guilty today, the Shahs and i2o agreed to forfeit to the government a total of $78,980 contained in several bank accounts, two residential properties in St. Louis and Columbia (valued at a total of $344,250), a 2001 BMW belonging to Amir Shah and a 2002 Lexus belonging to Osmaan Shah, and several Internet domain names. The total forfeiture amount, including the cash value of the property, is approximately $439,820.

Under federal statutes, the Shahs are each subject to a sentence of up to eight years in federal prison without parole, plus an order of restitution. i2o is subject to a sentence of up to 10 years of probation, plus an order of restitution. Sentencing hearings will be scheduled after the completion of presentence investigations by the United States Probation Office.

CAN-SPAM Act

In 2003, Congress passed the CAN-SPAM (Controlling the Assault of Non-Solicited Pornography and Marketing) Act, making fraud in connection with electronic mail a federal crime. Spam refers to unsolicited bulk commercial e-mail. Under federal law, it is illegal to send multiple commercial e-mails if the sender accesses a computer system without authorization, transmits the e-mails in such a way as to hide their origin, or materially falsifies the header information in the messages.

This case is being prosecuted by Assistant U.S. Attorney Matthew P. Wolesky. It was investigated by the Federal Bureau of Investigation.