Facebook has won a $873m judgement in a case against a spammer in one of the largest awards yet for a suit filed under the CAN-SPAM Act.

The suit charged Adam Guerbuez, Atlantis Blue Capital and 25 other unnamed people for falsely obtaining login information for Facebook users and then sending spam to those users' friends.

Guerbuez and the others set up fake Facebook pages where users would enter their login details, which the spammers could then steal, Facebook charged in the suit. During the months of March and April this year, the spammers used the stolen login names to send more than 4 million spam messages over Facebook's network, the social-networking site alleged.

The spam messages would show up on Facebook users' profile pages and appeared to indicate that the user endorsed products including marijuana, male enhancement pills and other materials, according to the suit.

Guerbuez is a Canadian citizen and Atlantis Blue Capital is a company name he uses to register domain names, Facebook said.

The activities violated CAN-SPAM and other computer fraud and privacy laws, Facebook said.

On Friday, the US District Court for the Northern District of California in San Jose ruled that the defendants did violate the CAN-SPAM Act and they were ordered to pay Facebook $873m in damages. The judgement also included injunctions preventing Guerbuez and his colleagues from accessing any Facebook data in the future.

"While Facebook will no doubt struggle to collect this huge amount of money, the enormity of this fine will, we hope, deter spammers from attempting to capitalise on the social networking site's popularity to push their products," said Carole Theriault, senior security consultant at Sophos.

"This kind of spam has grown in volume in recent months as cybercriminals have realised that social networking users can be more easily fooled into clicking on a link that appears to have come from a Facebook friend than if it arrived via regular email. While Facebook is taking steps to better protect its users, hackers will no doubt continue to seek out new vectors of attack - ultimately the onus is on the individual user to exercise caution when using the site and when clicking on unknown links."

Earlier this year a MySpace spammer was ordered to pay more than $230m for violating CAN-SPAM. At the time, that was thought to be the largest award yet under the act.