August 23, 2006 7:33 AM PDT

U.K. spammer gets two-month curfew

A U.K. teen pleaded guilty on Wednesday to breaking the Computer Misuse Act by crashing the e-mail server of his former employer.

David Lennon, 18, was then sentenced to a two-month curfew by a judge in the Wimbledon Magistrates Court.

Lennon had originally been cleared of the charges in November 2005, after another judge ruled that it wasn't an offense to overwhelm an e-mail server with millions of messages. This ruling was later challenged by the Crown Prosecution Service. In May 2006, the case was sent back to the Magistrates Court.

On Wednesday, the judge ruled that Lennon should be subject to a curfew, which means he must stay at home between the hours of 12.30 a.m. and 7 a.m. on weekdays, and between 12.30 a.m. and 10 a.m. on weekends. If he breaks this curfew, he risks a more serious sentence.

The curfew has been timed so as not to interfere with Lennon's work at a local cinema. The judge said it was a "happy coincidence" that it will end the day before Lennon starts college in September.

The prosecution dropped its demand that Lennon should pay costs amounting to $55,000 (29,000 pounds), which arose from his attack on Domestic & General Group in which 5 million e-mails crashed its servers.

The defense argued that Lennon should receive a conditional discharge, given the confusion over whether the Computer Misuse Act outlawed the sending of masses of e-mails. The judge, though, argued that this was inappropriate.

"Even given his age at the time, this was a grave offense and caused serious damage, so I need to impose something to make him think again," the judge told the court.

The Computer Misuse Act, which was introduced in 1990, explicitly outlaws the "unauthorized access" and "unauthorized modification" of computer material. Section 3, under which Lennon was charged, concerns unauthorized data modification and tampering with systems.

Lennon's original case was heard by a district judge, who ruled that massive amounts of e-mail did not violate the Computer Misuse Act because e-mail servers were set up to receive e-mails. As such, each individual email could be ruled to make an "authorized modification" to the server.

The Computer Misuse Act is now seen as insufficient to combat the rise of cybercrime such as denial-of-service attacks. A series of amendments are being introduced by the government to update it.

Colin Barker and Graeme Wearden of ZDNet UK reported from London.


8 comments

What relation to spam?
What does a curfew have anything to do with sending email?
Teenagers these days KNOW what they're doing when it comes to cybercrime... especially spam, which is a serious offense due to its volume in inboxes (http://essentialsecurity.com/Documents/article20.htm). The sentence should've had more to do with the crime and less with babysitting.
Posted by ml_ess (71 comments )
That's some nice spam you got there
That's some nice spam you got with that url you keep throwing around everywhere; I'm kidding, mostly.

In relation to the article, I'd have to go back and see if it said how old the offender was. If they are young and it's a first offense without complete understanding of the implications then sure, curfew and community service. A second offense would not be acceptable.

In this case it wasn't SPAM; it's a DoS attack, specifically an email flood a-la good old fashioned ping flood style. It seems the intent was to overload the server not distribute unsolicited advertising.

But then SPAM gets people reading articles whereas "yet another teen carries out DoS flood attack" isn't nearly as sexy.

I also gotta ask why the server got overloaded with email in the first place. If the admin actually did their job, the server would have been tested under two or three times maximum work load. Should the kid have a botnet that could threaten resources, security triggers should have gone off due to high bandwidth use, mail daemon workload or some similar thing.

Heck, something as simple as a fat pipe from server to router and smaller pipes from router to inet and workstations would have restricted data flow before it hit the server hardware in the first place.

Hindsight is twenty-twenty though.
Posted by jabbotts (492 comments )
Curfew?
As a computer geek, I would not be at all bothered by having a curfew like that. I don't read that they took away his computer(s) or internet access. Who needs to go outside?
Posted by MrNougat (78 comments )
Yup after reading the full article; SPAM is incorrect
Ok, so I went back and read the full article in detail. C/Net, you're incorrect in reporting this as a SPAM incident.

Though Email was the medium used, the intent was to target the server not email recipients and the application was that of a denial of service attack through flooding. It just happened that it was the Email Daemon's port attacked.

An HTML Request Flood, Ping Flood or similar Client/Daemon interaction would have produced the same result.

But I still understand "SPAM" gets page hits, "UK Youth perpetrates Flood Attack" doesn't.

I mean SPAM is SPAM and the more intolerant the public can become about it, the less advertising agencies are going to hire spammers. Then it's just the issue of purely fraudulent SPAM to be addressed. In this instance, it just wasn't SPAM.
Posted by jabbotts (492 comments )
UK Spammer? Mailbomber you mean.
Err, c|net, this David Lennon twit wasn't a spammer, he was a
mailbomber. The correct article title should have been "UK
Mailbomber gets two-month curfew".
Posted by Spamhaus Project (1 comment )
... each individual email could be ruled to make an "authorized ...
> ... a district judge, who ruled that massive amounts of e-mail did not violate
> the Computer Misuse Act because e-mail servers were set up to receive e-mails.
> As such, each individual email could be ruled to make an "authorized modification"
> to the server.

To me this is the problem here: the problem is with the judicial process or the law that has to adapt to new circumstances where the repetition of a completely legal action makes an illegal action.

There is no need for special new legislation for new technology and new types of crime. Most "cyber-crime" can be handled if existing criminal law is applied correctly. However, new "legal theory" might be needed. If I see a dime, pick it up and put it in my pocket, no one will put me in jail for that. Even if I was supposed to know that this dime belonged to someone else. It's only 10 cents. No one was really hurt by me taking those ten cents. But if a bank employee takes "only 10 cents" out of every customer's account, still nobody has really been hurt by this action, but if caught the employee might spend many years in jail.

So there's no need for a special "Computer Misuse Act" to make the flooding of an email server (or any other computer) a crime, just like you don't need a special law for murder performed with a knife, and another one if a chainsaw (modern technology) is used. An action was taken. It consisted of setting up a routine that would access a certain computer millions of times with the intent of making it (temporarily) dysfunctional, and that should be enough for the legal system to take the criminal to court. It doesn't matter if an email server is meant to receive email messages. The crime is not "sending email". The crime is the causing of certain equipment not to function, and it shouldn't matter what type of equipment it was or how it was made not to function properly.

Now to spam: the same logic applies to mass unsolicited mailing. It's not the same as the sending of a single email message, no matter of what type. The problem is the mass mailing. A spammer sends ten million pieces of spam to get maybe a hundred responses that would end with a sale of something. It's not much different from the 10 cents story. Each individual might just look at it, see it's unwanted and delete it. Just ten seconds. And let's assume 90% did not even get past the filters. So it's only one million recipients times 10 seconds, or just 10 million seconds. Less than 3000 hours of recipients' time to achieve a few sales for the spammer. Of course a few thousands of these million recipients might have just been close to filling their email quotas when the spam arrived, so the next message delivered would bounce as the spam message filled the quota. But hey, any single email message can cause the same, so what's my point here? My point is that in the case of a spammer that sends a huge number of mail messages it's not that a problem might occur as a result of this action, but it's a certainty that this problem will happen to a few thousands out of the recipients, so the spammer's action of sending millions of messages is not just a million times sending one message. There are known consequences that are predictable, and the spammer can be held accountable if the legal system adapts to technology that can be used to make new crimes out of mass repetition of completely legal actions. This applies not just to spamming, but also to DOS attacks, spreading viruses, herding botnets etc. It can be proved that those who do it have criminal intent and are performing different crimes by showing that the cumulative effects of what they do amounts to more than the sum of its parts.
Posted by hadaso (468 comments )
Bottom Line
>>>The Computer Misuse Act is now seen as insufficient to combat the rise of cybercrime such as denial-of-service attacks.<<<

I think that can be said for a good majority of computer crime related laws these days.

When those laws were created... they hadn't even considered much of the misuse which occurs today!

We need effective laws to match today's problems, but one which is flexible enough to be carried into the future and still be valid.

Walt
Posted by wbenton (522 comments )
I'm in agreement with the previous comment
By your idea, we need new laws created to address new criminal intentions. In some cases this is obviously true if at minimum, by statistical possibility.

In most cases though as in this case, it's an old crime with a new tool. If you hit someone with a stick, a club or a baseball bat; it's all the same crime just with newer tools each time.

SPAM is fraud. The laws already exist. Flooding a neighbourhood with fliers for fraudulent offers or flooding an email distribution list with SPAM is the same thing; the tool is just more hype.

Denial of service (as this was) is already covered by unauthorized access and theft of services.

Enacting new law just because it makes use of a hype new tool is like putting "e", "i" or "cyber" on the start of any word to make it sound hype rather than because it actually does something new.
Posted by jabbotts (492 comments )
 
