Facebook says prosecution of billion-dollar spammer not over

Facebook isn’t finished with a Canadian who was ordered to pay the company CDN$1 billion last week for spamming.

Although the Sept. 28 ruling by Quebec Superior Court closed Facebook’s civil case against Montreal’s Adam Guerbuez, the spammer has said he doesn’t intend to pay a cent of the fine. He’s declared bankruptcy, he told the Canadian Press Tuesday.

Also see ’10 security reasons to quit Facebook (and 1 reason to stay on)’

Guerbuez didn’t return messages seeking comment, but on his blog, he seems pleased with the publicity that the case has brought. He’s looking for book or movie deals, and on Wednesday said he was happy to see Internet commentators expressing support for him following “the most ridiculous billion dollar judgment ever.”

In a November 2008 decision the U.S. District Court for the Northern District of California set the fine at US$873 million. The Quebec court said that Guerbuez must pay that amount in Canadian dollars, valued at the November 2008 exchange rate.

But Guerbuez may soon have a more interesting tale to tell if he really does land that book deal.

“The case isn’t done,” said Joe Sullivan, Facebook’s chief security officer, speaking in an interview at a security event hosted by Intel Wednesday. He declined to comment on any possible criminal charges against Guerbuez, but that is a possibility.

In court filings, Facebook accuses Guerbuez of setting up fake phishing Web pages to trick victims into giving up their usernames and passwords and then using a botnet of hacked computers to send out more than 4 million spam messages. If the allegations are true, that could lead to criminal charges in addition to the civil judgment against him.

Guerbuez did not return messages seeking comment.

According to Peter Cassidy, secretary general of the Anti-Phishing Working Group, it’s unlikely that law enforcement will pursue criminal charges against Guerbuez, despite his high profile. “There are professional botnet guys … and they are probably higher on law enforcement’s list than one loud guy,” he said. Guerbuez may have annoyed a lot of people, but unlike the criminals behind, say, the Zeus Trojan program, he’s not accused of stealing tens of millions of dollars.

This isn’t the only big judgment against a Facebook spammer. Last year, the company secured a similar US$711 million judgment against notorious spammer Sanford Wallace.

Though Sullivan used to be skeptical about the effectiveness of civil cases, he’s changed his mind. The big judgments that Facebook has received are causing some spammers to think twice, he said. He’s seen discussions in underground forums where spammers say things like, “I don’t want a $100 million judgment hanging over me,” he said.

Sullivan added that he is happy with the Quebec court’s decision.

Robert McMillan covers computer security and general technology breaking news for The IDG News Service. Follow Robert on Twitter at @bobmcmillan. Robert’s e-mail address is robert_mcmillan@idg.com