Two Missouri brothers were indicted by a federal grand jury April 23 on charges of illegally harvesting student eMail addresses from more than 2,000 campuses using a program that falsified eMail header information and avoided spam filters. The spamming scheme allegedly sold $4.1 million worth of products to students.
Osmaan Ahmad Shah, 25, of Columbia, Mo., and his brother, Amir Ahmad Shah, 28, of St. Louis, along with two others, were charged in a 51-count indictment released to the public April 29. The Shahs, who ran a company called I2O Inc., allegedly obtained more than 8 million eMail addresses from students nationwide.
The brothers are accused of using the University of Missouri’s computer network and servers to send millions of unsolicited bulk eMail messages, damaging the costly equipment.
When university officials found in 2005 that the Shahs were using their network to dispatch mass spamming campaigns, the brothers allegedly removed Missouri students’ eMail addresses and stopped using the campus servers. Instead, they registered several dozen web domains–sometimes as many as 60–and continued to direct students to identical web sites that sold products such as MP3 players, pepper spray, teeth whiteners, spring break travel guides, and digital cameras.
Osmaan Shah, a student at the university, allegedly connected to Missouri’s network via its wireless internet connection and by using an Ethernet cable connection in a campus classroom.
"Nearly every college and university in the United States was impacted by this scheme," said Matt J. Whitworth, acting United States attorney for Missouri’s western district. "Illegal hacking and eMail spamming wreaks havoc on computer networks. These schools spent significant funds to repair the damage and to implement costly preventive measures to defend themselves against future intrusions."
Mary Jo Banken, a spokeswoman for the University of Missouri, said faculty members, students, and their parents should be assured that their personal data — social security and credit card numbers — were not compromised in the spamming scheme.
"This was not an identity-theft issue," Banken said. "It was a matter of breaking laws that deal with spamming. … That’s something we want to make absolutely clear."
A spokesman for Whitworth’s office said he could not discuss anything that was not mentioned in the indictment, including how much money the University of Missouri spent to repair its networks and equipment.
Whitworth said University of Missouri officials were "instrumental in bringing this case to indictment."
The Shahs’ alleged scheme reportedly hinged on mass-mailing software that ensured spam eMails would make it into students’ in-boxes–not their spam folders–by constantly changing subject lines, content of the messages, URLs, and reply addresses. If that information had remained unchanged, commercial and school-based eMail systems would have stopped the spam from reaching the students’ in-boxes.
The brothers allegedly used misleading information in 31 massive spam eMail campaigns, telling students that their company was "alumni-owned" or that their messages were sent by a campus representative.
The Shahs allegedly teamed up with Guang Ming, a Chinese citizen who helped the brothers start their spam campaigns, as early as 2002, according to the indictment. Ming allegedly gave them access to 40 servers in China, which gave the spammers anonymity and prevented students’ complaint eMails from reaching them.
If the Shahs are found guilty of the charges leveled against them, they would have to pay the government the $4.1 million they allegedly made from the 31 spam campaigns. They also would have to forfeit a 2001 BMW, a 2002 Lexus sedan, and residential properties in St. Louis and Columbia.
Attempts to obtain comments from the Shahs or their attorneys were not successful by press time.
Office of the United State Attorney Western District of Missouri
University of Missouri