There’s no Guinness world record yet for the greatest number of spams received in a two-day period. But Karen Hoffmann would surely be a contender. A self-proclaimed soccer mom from the suburbs of Toledo, Ohio, Hoffmann was inundated with over 100,000 junk emails over the course of forty-eight hours in January 2001.

The messages advertised a multilevel marketing program run by an outfit called the Institute for Global Prosperity (IGP). At the height of the spam attack, ads bearing the subject line “Be Your Own Boss” flowed into her email server at the rate of over thirty per minute. Hoffmann tried to keep her head above water by quickly downloading and deleting the messages. But she unavoidably fell behind, and before long the volume of spam overwhelmed her account’s storage capacity. Hoffmann’s ISP disconnected its mail server to weather the flood.

Prior to the incident, the 41-year-old Hoffmann had never paid much attention to junk email. She had been operating Toledo CyberCafe, her web-page design business, from her home since 1996. A computer science major in college, Hoffmann had started the small company after the collapsing savings-and-loan industry took with it her career as a systems analyst for banks. She had openly published her email address on the web sites she designed for clients, so Hoffmann was accustomed to deleting a couple dozen spams each day. But the onslaught that winter suddenly turned her into a vehement anti-spammer. She wanted to know who was responsible, and she wanted the criminals to pay.

For several days following the attacks, Hoffmann was unable to concentrate on real work for clients. While her son was at high school and her husband was at his office in Toledo, she cleaned up after the spam avalanche. After doing a bit of research, Hoffmann learned that she was the victim of a dictionary attack. The spammer’s mailing program had latched onto her toledocybercafe.com domain and fired off thousands of messages to nonexistent accounts, such as [email protected], [email protected], and [email protected]. The technique might have made sense against a big ISP such as AOL or EarthLink, but Hoffmann had fewer than a half-dozen active email accounts using her domain. The spam attack was so damaging because her ISP had configured the domain’s mail settings with a catch-all feature so that it accepted and forwarded to her main account any message sent to a toledocybercafe.com address.

Hoffmann had no prior experience in spam tracking, but drawing on her technical skills, she was able to trace the spam attack to dial-up accounts at UUNET. To conceal his identity, the spammer had used bogus return addresses in the messages’ “From” lines. He also bounced them off open mail relays in China, Thailand, and Columbia. But after studying the message headers, Hoffmann was able to determine that the emails originated from a computer using numerical Internet-protocol addresses registered to UUNET. She copied the IP addresses into an email and sent it off to the big ISP’s network abuse department.

A few days later, she followed up by phone and was able to get a UUNET representative to confirm that one of its customers in Clearwater, Florida, was responsible for the spam. But he said UUNET couldn’t divulge the identity of the spammer without a court order. Hoffmann was close to tears as she pleaded with the rep to help her, but he was adamant.

Hoffman turned to Internet newsgroups for more information about IGP. From searching Nanae, she discovered that the company’s sales associates had generated many spam complaints in recent years. Their messages invited recipients to buy expensive audiotapes or to attend costly seminars that provided investment advice. Prospects were also told they could pay a fee to become an IGP sales associate and earn commissions of up to $5,000 per week from new clients they brought in.

Officials from several states, including Massachusetts and Michigan, decided IGP was an illegal pyramid scheme. To protect consumers, the states issued cease-and-desist orders prohibiting IGP from operating in their jurisdictions. In an odd coincidence, just days after Hoffmann’s email bombing, the CBS television newsmagazine 48 Hours aired an exposé on IGP that included interviews with several people who claimed the company scammed them out of thousands of dollars.

Hoffmann decided to notify the FBI’s Toledo office about the spam attack, which she calculated had cost her at least $15,000 in billable time. A few weeks later, an agent showed up to interview her at her house, which was just down the road from a golf course in one of Sylvania, Ohio’s better neighborhoods. With Hoffmann’s husband—an attorney—at her side, the three of them sat in the living room, going over the stack of evidence she had printed out about the incident. The agent was very professional and seemed interested in her case. But he admitted his experience in spam investigations consisted of a one-week course at the FBI’s Quantico training center. He said the Toledo office had only one Internet-connected computer and a lone agent working computer-related crimes, who spent most of his time disguised as a 12-year-old, chasing pedophiles in online chat rooms. But the agent promised to submit a report about Hoffmann’s email bombing to the better-equipped Cleveland office for further investigation. He explained that he probably wouldn’t be able to write it up right away, since he was going on vacation to Florida the next week.

Unsure about what to do next, Hoffmann wrote up her own report on the attack and posted it to Nanae. Besides recounting her technical findings and the FBI interview, Hoffmann used the report to pontificate a bit about spam.

“There are thousands upon thousands of small-business owners on the Internet that are vulnerable to this malicious, illegal, unauthorized use of their computer equipment,” she wrote. “The spammers must be stopped now...By prosecuting to the fullest extent of the available laws, we can send a message that we won’t allow these unscrupulous vermin to deny others the right to life, liberty and the pursuit of happiness.”

That might have been the end of Hoffmann’s brief spam-fighting career but for two things. First, she was subsequently hit by smaller but similar dictionary attacks. (Her ISP took several weeks to turn off the catch-all setting.) And then there was the warm way that anti-spammers received her report on the incident. A Nanae participant in Massachusetts named Steve complimented Hoffmann for being such a quick study.

“I can’t tell you how much I respect you for following through on this knowing that your effort might just be a drop in the proverbial bucket. You ever get to Boston? Email me, dinner’s on me,” he wrote.

In early March 2001, Shiksaa patiently worked with Hoffman on another spam problem. Hoffmann was outraged after learning her ISP hosted a company that was selling Stealth Mail Master and was listed on Sapient Fridge’s spamware-sites roster. Hoffmann fired off an email to Host4U.net, reminding the firm that berserk spamware had caused her recent dictionary attacks and warning the ISP to cut off service to the spamware vendor, or she would take her business elsewhere. Hoffmann posted a copy of the letter on Nanae, prefaced by the words, “I hope my fury is showing.”

The next morning, Shiksaa gently told Hoffmann it was unrealistic to think Host4U would quickly give the boot to the spamware vendor. After all, Shiksaa pointed out, Host4U had been sluggish to respond to complaints about other bulk emailers, including Empire Towers, a major spam outfit listed in Rokso.

Hoffmann had never heard of Empire Towers, so she visited Spamhaus.org and reviewed the entry on the company. According to the Rokso listing, Empire Towers was “a hard-line stealth spamming operation” that “goes to elaborate lengths to hide spam origins and obfuscate URLs.” 32-year-old Thomas Carlton Cowles headed the company, which also went by aliases including Leverage Communications, World Reach Corporation, and PopLaunch.

The last name rang a bell. In February 2001, Hoffmann had received several pornography spams that advertised sites with bizarre addresses full of numbers, percent signs, and other code. The messages also contained the first copyright notice she’d ever seen in a spam. It warned recipients against “attempting to infringe upon the copyrights of PopLaunch or attempting to harm the natural course of business of PopLaunch” by hacking, performing denial-of-service attacks, or publishing “the location of client sites.”

That final bit about the concealed location of sites was apparently the raison d'être for the odd format of web addresses advertised in the spams. After Hoffmann posted a copy of the messages, an anti-spammer on Nanae using the alias Spamless explained how Empire Towers deployed an array of technical tricks, such as doubly encrypted JavaScript and browser redirects, to quickly shunt spam recipients through a series of temporary sites. When the user finally landed at the ultimate destination page, the browser’s location bar, which ordinarily displayed the site address, would be hidden. In addition, the right mouse button would be disabled in an effort to prevent users from viewing the web page source code. All the sleight of hand was intended to make it extremely difficult for the average person to identify, much less complain about, the sites advertised in the messages.

Hoffmann poked a bit further into the Rokso record on Empire Towers. Under the section listing the company’s known addresses, she was startled to read that it was based in her home state of Ohio. Empire Towers even maintained offices in Toledo, as well as one just across town from her in Sylvania.

Moments later, Hoffmann was in her blue minivan headed south on McCord Road. She was looking for 8505 Larch Road, the Empire Towers address listed in Rokso. After the frustration of being unable to positively identify the IGP spammer who had mail-bombed her, Hoffmann couldn’t believe the ease with which she was closing in on one of the Internet’s biggest spammers.

As she turned onto Larch Road and rolled slowly down the wooded street, Hoffmann spotted a mailbox just ahead with the number 8505. It belonged to a large, white house on the corner. The place had the look of a 1970s dream home gone to seed. Peeling paint on the exterior walls of the modern structure revealed large patches of grey stucco below. The bushes in the yard were overgrown and the lawn was unkempt. A camper trailer was parked in the side yard, and a Buick with weathered red paint sat beside the gravel driveway.

Hoffmann would later learn that the house was where Tom Cowles was raised and that his parents still lived in the place. But on that afternoon in early March, Hoffmann, who was just five-foot-two and had a tendency to avoid confrontation, didn’t even come to a full stop, let alone get out of her van and knock on the house’s front door. Instead, she drove quickly home and posted a note to Nanae about her findings.

“My God, what a small world,” she wrote. Then Hoffmann finished her post with a nod to Shiksaa, “Thanks for all you do.”

Shiksaa responded by publishing the most current address she had for Cowles—which turned out to be a mailbox rental place in Toledo—as well as the man’s physical description, which she had received from former Cowles business associates. Cowles, she reported, was around six-six, skinny, dark-haired, and geeky looking.

“If you see a similar creature strolling down the street in your town, it may be him,” said Shiksaa, not realizing at the time that she was planting the seeds for what she would later consider Hoffmann’s obsession with Tom Cowles.

Although Cowles and his company had begun to occupy a lot of her time, Hoffmann didn’t consider herself overly preoccupied with them. True, a week later, she dialed the number listed in Nanae as Cowles’s cell phone and hung up as soon as he answered. But she simply thought of herself as part of a team of people investigating one of the Net’s biggest spammers. Since Hoffmann was local to the Empire Towers operation, she figured she could contribute in ways others couldn’t. Shiksaa was using the Internet to dig up court records that showed Cowles had prior convictions in Indiana for burglary and in Ohio for passing bad checks. An anti-spammer named Mark had built a site that included details on how PopLaunch worked. Hoffmann, in turn, could physically visit the county courthouse or other places with information about Cowles and his gang.

To publicize the results of her Empire Towers investigations, Hoffmann put up a special page at her ToledoCyberCafe.com site. It also featured photographs she had taken of several area buildings used by Empire Towers, as well as links to other sources of information about the spam operation and to her Nanae postings about the IGP mail-bomb attack. Hoffmann’s hope was that the local media or law enforcement would pick up the story if she handed it to them on a silver platter. But none ever did.

A few weeks later, Hoffmann learned from Shiksaa that Cowles was keeping a low profile as the result of a big falling-out with a partner-in-spam. Shiksaa told her that Cowles had been sharing a data center in Florida with Eddy Marin, a notorious spammer-for-hire added to the Rokso list the past December.

Marin’s Boca Raton-based company, OptIn Services, was known to offer Internet users a free pornographic picture in exchange for providing a working email address. The trick enabled Marin to claim the users had “opted in” to receive his spam. Besides advertising porn sites, Marin had a history of sending spams touting Viagra and other drugs without prescriptions, as well as loans and cheap computer software.

Like Cowles, Marin had a criminal rap sheet. He was convicted in 1990 for cocaine trafficking and again in 1999 for money laundering. When Hoffmann learned about him in March 2001, Marin was halfway through his twelve-month money-laundering sentence at Eglin Federal Prison camp, a minimum-security facility on Florida’s Gulf Coast, also known as Club Fed.

The partnership in 2000 between Marin and Cowles seemed like a synergistic deal at the time. Marin had been running Azure Enterprises, a webcam pornography business, out of an office in Pompano Beach, Florida, and wanted to get into serious bulk emailing. Cowles was interested in setting up operations in South Florida to be closer to his many clients in the area. Through a third party, the two men worked out a deal by telephone under which Marin would get unlimited access to Cowles’s proprietary MassiveMail spamware system. (Empire Towers normally charged $20,000 per month for each server capable of sending a million spams per day.) In exchange, Marin would give Cowles half of any revenue from the mailings. In addition, Marin agreed to share his computer data center in Palm Beach, including the facility’s high-speed DS3 line, with Cowles.

Marin wasn’t the first spam king Cowles had tutored in the business. A few years back, he had driven up to West Bloomfield, Michigan and spent a couple days teaching a convicted fraud artist named Alan Ralsky the ins and outs of bulk email. Soon, the 57-year-old Ralsky was big enough to earn a top spot on the Spamhaus Rokso list—and a lawsuit in 2001 from Verizon Online Services, which accused Ralsky of bombarding its mail servers with fifty-six gigabytes of spam in one day. (Ralsky and Verizon later settled the lawsuit, and Ralsky returned to spamming.)

But when Cowles arrived in Florida, he felt like he had been dropped into a pool of sharks. The clients who had seemed like respectable business people on the telephone turned out to be cokeheads, pornographers, and petty thugs. Everyone seemed to be looking for a scam. Even Marin was quick to use his new affiliation with Empire Towers to position himself as a big player in the email business. As the weeks went by, Cowles suspected Marin of trying to steal Empire Towers’s clients by telling people he was one of the firm’s executives. (Marin’s lawyers later registered a Florida company named “Empire Tower Group” on Eddy’s behalf.)

In December 2000, a disgusted Cowles finally decided to pack up his equipment and move back to Toldeo. With Marin incarcerated, and Marin’s wife Kimberly running the spam operation, Cowles had an employee box up a load of servers and other computer gear from the shared data center and haul them to Ohio.

When Kim Marin found out, she filed a police report claiming that Cowles had stolen $16,000 of her company’s equipment.

In June 2001, the Broward County Sheriff’s Office told Marin an arrest warrant for Cowles was on its way, and she passed the word along via email to Shiksaa. (The two had previously exchanged messages about OptIn Services’s spamming. Like Ronnie Scelson, Marin had impressed Shiksaa with her tendency to tell the truth about her business.)

“Rest assured that this scum bag will be around for only a limited time,” wrote Marin. “Once they issue arrest warrants he will be extradited and held without bond. A day I look forward to.”

When Shiksaa posted the email to Nanae, with Marin’s name redacted, spam fighters chuckled at the spammer soap opera. Meanwhile, Hoffmann updated her Empire Towers site with the new information. Little did she know that her preoccupation with the company and its founder would eventually lead her right into the crossfire of the spam wars.

Just as Hoffmann was launching her Empire Towers page in April 2001, an anti-spammer who called himself Rob Mitchell was putting the crowning touches on a spammer-tracking web site he had been building for three years.

Mitchell was also considered obsessive by some Nanae participants for his painstaking research into the subject of his site: a chronic spammer who used the online nickname “Terri DiSisto” and claimed to be a female college student in Massachusetts.

Unlike most junk emailers, DiSisto wasn’t littering the Internet in hopes of selling something. Instead, her ads offered payment in the form of cash and computer or audio equipment to young men between eighteen and twenty-three who mailed her videos of themselves being tickled.

DiSisto’s bizarre story began around 1996, when she started spamming obscure newsgroups including alt.sex.fetish.tickling with her ads. “No sex or nudity are ever wanted in my videos,” stated the spams. “I just want to see guys tied up and mercilessly, relentlessly TICKLED!” DiSisto claimed she enjoyed tickling as a hobby and was not interested in real-life encounters with her video subjects.

“I have a boyfriend, full cadre of friends, and plenty of guys to tickle already. I AM NOT LOOKING TO MEET OR TICKLE ANY GUYS ENCOUNTERED FROM CYBERSPACE!” stated the ads. College-aged men who stepped up to the offer were told to send the finished products to post office boxes in New York or Massachusetts and were given elaborate instructions on how to produce the videos.

“When laughter begins, the tickler must ask the question, ‘How ticklish are you here?’” explained DiSisto’s instructions. “The tickled guy—while still being tickled—must respond in as much of a complete sentence or sentences as possible (e.g., avoiding responses like ‘very’ or ‘not too much’ in favor of ‘I’m totally ticklish under my arms...'). No one- or two-word answers.”

DiSisto also detailed her offer, as well as excerpts from videos and audiotapes she had received, at her web site, tickling.com. The site featured a photograph of an attractive young blonde woman, purportedly DiSisto, in an over-the-shoulder, yearbook pose.

In a misguided effort at target marketing, DiSisto began repeatedly posting her ads in newsgroups frequented by young men, such as rec.sports.paintball and rec.music.phish, a discussion board for fans of the rock group Phish. To avoid complaints that her messages were off topic and inappropriate, DiSisto posted offers of free tickets to Phish concerts in New York City to qualified young men who sent her videos.

But participants nonetheless began to complain about DiSisto’s flagrant violation of newsgroup etiquette. As the complaints piled up, anti-spammer Morely Dotes declared a Usenet Death Penalty against DiSisto in 1997, which meant that newsgroup administrators all over the Internet would immediately cancel any of her postings to Usenet.

Consumed by a belief that she had a right to act out her fetish anywhere in cyberspace, DiSisto began to fight back.

First, she started indiscriminately spamming her ads to email users all over the Internet. Then she dropped “binary bombs“—encoded messages designed to flood and disrupt a discussion group—on rec.music.phish and other forums where regulars had told her she was unwelcome. DiSisto also retaliated directly against individuals who griped about her tickling ads, deluging them with thousands of emails over the course of a few hours. She similarly used email bombs to take revenge on people who had second thoughts after agreeing to make videos for her.

When a Massachusetts high school student named Sean Gallagher stopped sending her videos after he graduated and went off to college, DiSisto bombed his personal email account and that of Gallagher’s friend, who was attending Suffolk University in Boston. DiSisto similarly bombed the email account of Suffolk administrators, forging the messages so they appeared to come from Gallagher’s friend. The attacks completely disabled Suffolk’s email system on three occasions. Similar retaliatory bombings knocked out the mail servers of at least two other universities.

Rob Mitchell was dragged into the bizarre world of “Terri Tickle” in early October of 1998. Thirty-nine at the time and a public school teacher in Huntsville, Texas, Mitchell had heard about DiSisto’s spamming and email bombings on a web-based message board. In a posting on his own board, which Mitchell had created for discussions of humorous fiction, Mitchell criticized DiSisto for harassing people who had no interest in providing her videos.

Somehow, DiSisto learned about Mitchell’s comments and decided to retaliate. She sent thousands of spams with the subject line, “A message board for TICKLISH GAY GUYS.” The body of the messages invited recipients who “would enjoy conversing and sharing stories/experiences involving tickling” to visit a web address—Mitchell’s—listed in the spam.

Within an hour, complaints began appearing on Mitchell’s board from people livid over receiving the spam. In the course of an afternoon, people posted over 200 angry comments. Meanwhile, reports about the spam were appearing on several Usenet newsgroups, including alt.kill.spammers. The next day, when Mitchell tried to access his board, he learned that the ISP hosting the service had terminated his account.

That was when Mitchell became DiSisto’s most formidable opponent and an ardent anti-spammer.

Over the course of nearly three years, Mitchell tussled with DiSisto in newsgroups and eventually over IRC chats and emails. As he tried to warn Internet users about the dangers of getting involved in DiSisto’s fetish, she publicly accused him of being gay and being jealous of her video collection. All the while, Mitchell was compiling evidence of her spamming and other Internet abuses. He studied every DiSisto email message header he could get his hands on and determined that she used accounts with at least sixteen different ISPs to send her ads and her mail bombs.

Mitchell posted his findings to Nanae and other groups under the title “Terri DiSisto: a History in URLs.” Yet his initial reception in Nanae was decidedly hostile. Many anti-spammers considered both DiSisto and Mitchell kooks cut from the same cloth.

“Why don’t you just marry her or shoot her or do something else reasonable?” suggested a veteran anti-spammer who used the online nickname Rebecca Ore. “Really, we know she’s bad. Just some of us think there are spammers who are several orders of magnitude worse,” Ore added.

Mitchell realized that DiSisto was a relatively small-time spammer who bulked out messages by the tens of thousands, not by the millions like some of the big players. But her crimes went well beyond spamming and made her, in his opinion, one of the worst individual abusers of the Internet.

But that argument mostly fell on deaf ears in Nanae. Even Steve Atkins, a veteran spam fighter and creator of the SamSpade.org site, which Mitchell relied on to analyze and track DiSisto’s spams, dismissed his explanation: “Bollocks...You just have a thing about tickling.”

Eventually DiSisto began visiting Nanae and became a regular participant. She alternated between trying to engage anti-spammers in rational discussions about her online behavior and taunting them with S.S. Titanic-derived metaphors about their inability to get her web site disconnected for more than a few days at a time.

“Tickling.com remains, I assure you, UNSINKABLE,” DiSisto bragged in a January 2000 posting to Nanae. “But like any great ship,” she added, “there can be periodic difficulties in the engine room.”

Shortly afterwards, DiSisto announced that she had located two television production firms in California that were making the videos she wanted. As a result, she claimed she no longer would advertise for tickling videos via email or Usenet spam.

“There is NO NEED to look for guys randomly out here in cyberspace. I haven’t done it in months. I don’t intend to do it anytime soon. I think my disappearance from the spam scene deserves notice,” she wrote.

If DiSisto believed the public announcement of her retirement from spamming would somehow erase her past, she was wrong. In fact, her Internet notoriety had already caught the attention of Reader’s Digest magazine, which planned to include her in a forthcoming article about online harassment. Hal Karp, a reporter for the magazine, contacted Mitchell that January after encountering his “History in URLs” postings to Nanae.

Karp said the story would focus on a group called Cyber Angels, which had assisted one of DiSisto’s mail-bombing victims. As Mitchell traded notes with Karp, he sensed the reporter was sitting on information that would blow the DiSisto case wide open. But Karp was keeping his cards close to the vest, and at one point he even said he had to be careful so as not to jeopardize an investigation by law enforcement.

When the April 2000 issue of Reader’s Digest was published, Karp’s article didn’t cite Mitchell or his Nanae postings. Nor did it mention tickling.com or the surname DiSisto, referring instead only to “a woman named Terri.” According to the article, the woman cyber-stalked a young Internet user, pseudonymously named Gary, hoping to get him to sell her a video of himself bound and tickled. When Gary refused, she bombed him with over 30,000 emails. Then, one night as Gary was discussing his situation in a chat room, someone claiming to be a Cyber Angel offered to help him track and research his stalker.

“The hunter was now the hunted,” wrote Karp, who reported that the anonymous Cyber Angel helped Gary uncover some shocking information. According to the article, “he learned that Terri was not a female college student, but a man...One night Gary tracked Terri online and revealed what he knew. The harassment screeched to a halt.”

The article left Mitchell stunned. All along, he had occasionally wondered about DiSisto’s gender, but how was Gary able so quickly to dig up information that Mitchell and others had failed to find over several years?

While unsatisfying to Mitchell, the article gave him hope that DiSisto was about to be publicly unmasked. Surely if Gary knew her real identity, it would just be a matter of time before federal authorities would act on the information. To assist in that process, Mitchell gathered up his “History in URLs” pages from Nanae and published them at a web page he created, which he entitled “Project Iceberg.”

What Karp hadn’t revealed in his article was that DiSisto’s victim Gary had provided the reporter with an archive of electronic files apparently stolen from DiSisto’s computer by a hacker in late 1999. The files included a trove of incriminating data such as a resumé bearing DiSisto’s true name and address, a file containing her social security number, and correspondence and other personal documents. Also contained in the archive was a newsgroup posting Mitchell had made with instructions on how to report DiSisto for spamming.

Karp hadn’t disclosed the information, or how he obtained it, primarily because of the liability concerns of the magazine’s lawyers. But he handed over the files, as well as a pile of other evidence he had dug up on DiSisto, to the FBI shortly after his article was published.

Meanwhile, DiSisto tried in public to spin the Reader’s Digest article as a work of fiction aimed at entertaining readers.

“I think you’ll find the overall impact of the article rather disappointing,” she told Nanae participants.

But clearly the piece had staggered DiSisto. Soon after it appeared she stopped posting to Nanae and retreated instead to newsgroups devoted to tickling, including one she had created herself, alt.multimedia.tk.terri-disisto.

Mitchell was ready to move on. He turned his attention to spamware vendor Andrew Brunner, on whom he composed a series of Nanae postings familiarly entitled “Andrew Brunner: A History in URLs.” The articles documented the combative Brunner’s online machinations since 1998. For his efforts, Shiksaa offered Mitchell a new email address using her domain: [email protected].

But Mitchell had not heard the last from “Terri Tickle.”

In their battles against junk emailers, anti-spammers constantly remind themselves of a bit of folklore known as “The Three Rules of Spam”:

In January of 2001, Davis Hawke got a rude introduction to Rule #3. He had accidentally left a sensitive file exposed at one of his web sites. When Shiksaa stumbled upon it and announced her discovery on Nanae, a fellow anti-spammer cried out, “Rule number three shining bright!”

Shiksaa had been poking around at CompuZoneUSA.com after someone on Nanae called attention to Hawke’s Spam Book ads, which included a link to the site. Shiksaa had taken to referring to Hawke on Nanae as “that neo-Nazi idiot” or “the creep Mad Pierre exposed.” So she was pleased to discover Hawke’s server had been improperly configured and allowed any Web surfer to view files not intended for the public. (She had used the same trick two years before to find unprotected customer order logs at a site run by computer seller and convicted stock manipulator Glenn Conley.)

Shiksaa didn’t uncover any order logs at CompuZoneUSA.com, but she did stumble across something known as a file transfer protocol (FTP) log. It included a list of over two dozen web sites operated by Hawke, most of them previously unknown even to anti-spammers such as Mad Pierre, who had been tracking Hawke closely.

Hawke wasn’t the first spammer to fall victim in that way to Rule #3. In the past, the discovery of FTP logs had helped anti-spammers notify ISPs that they had a chronic spammer in their midst. And this time was no different. An anti-spammer volunteered to report all of the sites on Hawke’s FTP log. A few days later, he proudly announced “Nuked and paved!” after the ISP hosting CompuZoneUSA.com shut down the site.^[1]

It wouldn’t be the last time Hawke was susceptible to dangerous lapses in his site security. But on this occasion, he was able to shrug it off without major damage. Following some downtime, he lined up new ISPs to host his sites. Soon, the refurbished CompuZoneUSA.com would become the online storefront for his newest spamming endeavor: androstenone pheromone concentrate.

Hawke had first heard about pheromone concentrate from the discussion forums at the Send-Safe spamware site. A company in Kansas called Internet Products Distributors had been spamming pheromones for nearly four years. The owner of the Wichita firm was looking to get out of spamming and instead wanted to wholesale the compound and other herbals to “bulkers,” a term many spammers used to describe themselves.

Androstenone came in little bottles and was worn like cologne. The substance was essentially odorless, despite that fact that trace amounts are present in human sweat. But according to the supplier, wearing androstenone concentrate would make any guy into an instant babe magnet. It supposedly caused a special receptor in a woman’s nose to send a powerful signal to her brain, announcing the wearer as a highly desirable sexual partner.

Hawke decided to buy a couple cases of concentrate and see how well it sold. He paid just over five dollars per bottle and planned to sell them for twenty-nine dollars each. Hawke wasn’t crazy about shipping and handling the little glass vials. But it was time for a change. The Spam Book and the Banned CD he’d been offering from PrivacyBuff.com were profitable, but the sales volume had stalled, and the books about becoming a private investigator and other topics weren’t selling at all.

Hawke had a feeling androstenone could take off, though. As he was writing the ad copy, he imagined some lonely guy just out of college, sitting at his computer, looking for love in all the wrong places:

The ad continued for several paragraphs. In strategic places Hawke had sprinkled a call to action (“Order Now!”) along with a hyperlink to his revamped CompuZoneUSA.com site. For readers who still needed convincing, the copy continued:

Hawke fired off a couple hundred thousand spams for androstenone in March. They carried the subject line, “Turbo charge your SEX life! Attract women FAST!”

The stuff moved quickly. Hawke sold out his supply in a week and had to get a rush order from the supplier to restock. He considered charging more for the pheromones, but from experience he had learned that there was a sweet spot in pricing spamvertized products. Even if Internet shoppers suspected you were selling snake oil, they’d whip out the plastic and take a chance as long as you kept the price under thirty dollars. Another plus to pricing right was that most people would just chalk it up to experience if the product arrived and didn’t work as advertised. But if you charged too much, they’d be lining up to get their money back.

For Hawke, selling pheromones was his way of cashing in on the sex-starved people who seemed to flock to the Internet. He had briefly mulled over the idea of sending ads for pornography sites. The market for digital images of naked people was huge, with sex sites among the biggest revenue generators on the Internet. (The domain sex.com itself was said to be worth sixty-five million dollars.)

But compared to the Publishing Company in a Box and other e-books, porn spam generated many more complaints. Plus, you couldn’t rip off someone’s porn content for very long without expecting trouble. Porno producers policed their copyrights, and some of the sex sites, he’d been told, were connected to organized crime. Hawke did not want to be messing with them.

On the other hand, porn site operators made going to work for them very easy. They had created affiliate programs that were advertised heavily on the message boards at the Send-Safe site and at BulkBarn.com, a spamming forum Hawke joined in early 2001. Spammers could earn commissions of between ten and twenty dollars for driving a new customer to a porn site.

Bottom line, being a porn spammer meant being a middleman. And that was something Hawke never wanted to do. He was a leader, not a follower. But most importantly, spamming on commission ran against his business strategy.

As Hawke saw it, the way to stay off the Spamhaus Rokso list and the Realtime Blackhole List run by Mail Abuse Prevention Systems (MAPS)—not to mention off the radars of regulators and anti-spam litigators for ISPs such as AOL—was to keep his volume of spams as low as possible. He could do that and still make a lot of money if his net income from each spam was as high as possible. Ensuring that his mailing lists were clean—free of undeliverable addresses and those of anti-spammers—was one way to keep the response rate high. But beyond that, the best way to maximize profits with the least amount of spamming was obvious: efficiently sell his own unique, high-margin products. It was boutique spamming, and it meant walking away from spammer-for-hire jobs.

After his quick success with pheromones, Hawke decided to try another product in the herbal-pharmaceutical niche. At the time, diet pills were all the rage with many bulk mailers, but Hawke was justifiably cautious. The U.S. government had already shown its willingness to prosecute online marketers of weight-loss products. The Federal Trade Commission (FTC) had been running a sting called Operation Waistline. As part of the FTC’s crackdown, seven companies had agreed in 1997 to pay a total of nearly a million dollars to settle charges of deceptive practices.

The agency followed up in 1999 with an unusual program to educate Internet users about online scams. The FTC mocked up a convincing web page for a fake weight-loss product called NoriCaLite. The ads promised to help users shed thirty pounds in a month. But clicking the site’s ordering link pulled up an FTC-created page with the title “You Could Get Scammed!” It warned users to resist “the false and deceptive advertising claims made by many so-called ‘weight-loss’ products.”

Still, by 2001 the Internet remained awash with ads for diet pills. Even eBay was full of them. During a visit to the auction site Hawke noticed a particular glut of ads for an herbal weight-loss product called Extreme Power Plus. The pills sold for thirteen dollars per bottle and contained a mixture of over a dozen herbs. The active weight-loss ingredient was ma huang, a Chinese herbal stimulant also known as ephedra. The pills were being offered by distributors working for a company in Louisiana called Dutch International Products. Dutch had built a multilevel scheme to market Extreme Power Plus and a handful of other herbal remedies, including Extreme Colon Cleanser and Extreme Coral Calcium.

Hawke had no desire to be a foundation stone in a pyramid scheme. But he was eager to try spamming diet pills. So he made arrangements to purchase some in bulk from Peak Nutrition, a supplier in Syracuse, Nebraska. In place of ma huang, Peak’s weight-loss pills contained what it called lipotropic fat burners. The ingredients supposedly produced none of the jitteriness and other side effects of ephedra. Hawke ordered a couple of cases of the ninety-tablet bottles and started working on an ad.

To speed things up, Hawke went to eBay and downloaded a web page containing the auction listing for Dutch International’s Extreme Power Plus. He made a few customizations to the ad, such as in pricing. He charged twenty-nine dollars per bottle, almost a twenty-five-dollar premium over what Peak charged him. Hawke also added hyperlinks that would take buyers to his ordering site. To capitalize on the work others had already done promoting the brand, he swapped out the words Extreme Power Plus with a name confusingly similar: Power Diet Plus.

The original ads had included testimonials from satisfied Extreme Power Plus customers, which Hawke modified only slightly. This led to some contradictions with the rest of his ad that Hawke overlooked. In one testimonial, a happy Power Diet Plus user named Sheryl told how her doctor proclaimed that ma huang was perfectly safe. Yet higher up in the ad, Hawke boasted that Power Diet Plus, unlike “the other stuff,” doesn’t contain the stimulant.

In April of 2001, Hawke fired off his first batch of spams for Power Diet Plus. “Lose 80 pounds by June GUARANTEED! #1 Diet Pill!” they said. What Hawke didn’t know as he pushed the send button was that he was about to stomp on the toes of George Alan Moore, Jr., a Dutch International Distributor.

Moore lived in Linthicum, Maryland, and referred to himself as “Dr. Fatburn.” He had been selling Extreme Power Plus via eBay and his own web site, UltimateDiets.com, for a couple of years. Unbeknownst to Hawke, Dr. Fatburn had hidden a digital watermark in the source code of the web page Hawke had copied from eBay. To prevent other eBay sellers from stealing his ad copy, Dr. Fatburn had inserted the words “This diet ad is property of UltimateDiets.com” in white-on-white text in several places within the ad. When casually viewed with most web page editors, or with an email software program such as Microsoft Outlook, the watermark was invisible. But it was plain to see for anyone who scoured the source code of the ad.

Anti-spammers often examined the source code of spammer web sites and email messages in their quest for clues, and they were quick to notice the reference to UltimateDiets.com in Hawke’s ads. As copies of Hawke’s Power Diet Plus ads began showing up in their email inboxes, some fired off complaints to the Florida ISP hosting Dr. Fatburn’s site. In turn, the ISP forwarded the messages to Dr. Fatburn.

Prior to selling diet pills online, Dr. Fatburn had made money through occupations such as delivering pizzas and selling collectible sports cards and autographs. His new weight-loss business was doing nicely, and he intended to keep it that way. In the eighteen-plus months that he had been marketing diet pills, Dr. Fatburn had never resorted to bulk email. That’s not to say he hadn’t contemplated it. In 2000 he purchased on eBay a bulk-emailing program capable of sending 100,000 messages per hour. But Dr. Fatburn didn’t use it. He stayed with his strategy to build a network of downline distributors by word of mouth and by discreetly placing messages in newsgroups such as alt.entrepreneurs and alt.make.money.fast.

But now, some guy was ripping off his ad copy and getting Dr. Fatburn unfairly branded as a spammer to boot.

Using the email address listed in QuikSilver’s spams, Dr. Fatburn sent a message warning the company to stop stealing his ads. But he never heard back, and QuikSilver continued to send out messages using the same ad copy. So Dr. Fatburn decided to do some reconnaissance: he placed an order for QuikSilver’s Power Diet Plus. When the package arrived, the bottle inside was labeled “Peak Nutrition Lipotropic Fat Burners.” He realized there was no such thing as Power Diet Plus. QuikSilver hadn’t even arranged for private labeling; it was just selling Peak’s house brand.

Dr. Fatburn located a phone number for Peak Nutrition and managed to reach one of the owners. He told her QuikSilver had ripped him off, and he wanted to know who was behind the company.

“They’re using a copyrighted ad and can be sued for that,” he said.

But the woman from Peak just gave him the brush-off. She refused to disclose who operated QuikSilver, although she agreed to bring up the matter of the advertisement when she had a chance. It was obvious to Dr. Fatburn that Peak was protecting QuikSilver because Hawke was making money for Peak.

In later spam runs QuikSilver used the same basic ad, modifying only the return address and the web site address for ordering. By August, Dr. Fatburn decided it was time for a change in tactics. He dusted off his bulk-mailing program and sent out his first salvo of spams for Extreme Power Plus. In a subtle jab at QuikSilver, he used the subject line “Finally A Product That Lives Up To Its Name.” Like the ad QuikSilver had ripped off, Dr. Fatburn’s message included a description of the product along with testimonials from customers. But Dr. Fatburn added a bonus QuikSilver didn’t have. If shoppers ordered within forty-eight hours, they’d get a free trial pack of Extreme Colon Cleanser.

It was Dr. Fatburn’s first foray into spam, but you’d never know it from the techniques he used to keep anti-spammers from reporting the spam to his ISP. The hyperlink to his ordering site was obfuscated, so that instead of the legible domain name (in this case, his site freecableland.com), it showed only a series of numbers. Rather than including his regular email as the message’s return address, Dr. Fatburn used an account he had specially set up at Yahoo!. Then, for the message’s “return path” header—the address to which bounces and other error messages would go—he listed an account he had created with a free email service in Poland.

But despite these stealthy spamming tricks, Dr. Fatburn did something junk emailers almost never do: all of his spams included his real name and home-office phone number. It wasn’t out of naïveté or an oversight. Dr. Fatburn considered himself an honest businessman and wanted customers to know that his company, Maryland Internet Marketing, was on the up and up. Only time would tell whether the calculated gamble would give him a competitive edge against spammers such as QuikSilver.

But one thing was certain. Hawke was on his way to earning a reputation among other junk emailers as a scammer.

In early 2001, anti-spammer Rob Mitchell continued to watch tickling fetishist and spammer Terri DiSisto’s online activities out of the corner of his eye. When he did mention DiSisto, he referred to him as “Terrance.” But Mitchell had almost given up hope that the law would ever catch up to the strange spammer.

Then, in March of 2001, Mitchell got a phone call from Reader’s Digest reporter Hal Karp. The reporter told him that federal prosecutors in Massachusetts had quietly announced a plea agreement with David P. D’Amato, a guidance counselor and assistant principal at West Hempstead High School on Long Island.

The 39-year-old D’Amato had pled guilty to misdemeanor charges of email bombing computers at Suffolk University in Boston and James Madison University in Harrisonburg, Virginia. The U.S. Attorney’s press release didn’t mention D’Amato’s Terri DiSisto persona or the spams for videos. But Karp assured Mitchell the feds had found their man and said D’Amato was facing up to a year in prison and fines of over $100,000 on each count, with sentencing scheduled for July.

Mitchell surfed to the West Hempstead High web site. There, at the top of the home page, was D’Amato’s name. As an educator himself, Mitchell was aghast at the thought of a sadistic spammer and online harasser like D’Amato working in schools most of his adult life.

“Such a person should never be in charge of children in any capacity ever again,” wrote Mitchell at his Project Iceberg site.

Newsday, a daily paper serving the greater New York metropolitan area, was among the first to publish a photograph of D’Amato. Taken from the West Hempstead High yearbook, the photo showed the plump, unsmiling assistant principal seated in his office. D’Amato’s balding pate and jowls made him look older than his years.

“Ewwww. He looks like Truman Capote,” was Shiksaa’s response after Mitchell posted a link to the photograph on Nanae.

Karen Hoffmann chimed in as well when she saw the photo: “MY GOD, could he have been any uglier?”

Another anti-spammer used the image to create a parody playbill for the movie Titanic, which Shiksaa posted at her site Chickenboner.com. It showed D’Amato’s head, juxtaposed with the female image of Terri DiSisto above the luxury ocean liner. Superimposed over the ship were the words “Titanic Spammer” and “A Rob Mitchell Film.”

Even Rebecca Ore, who had originally expressed skepticism about Mitchell’s obsession with DiSisto, had come around. She encouraged victims to travel to Boston for D’Amato’s sentencing. “All that’s remaining is for people who want to see him do active time to show up and let the judge know how much damage he did,” she said.

To the amazement of Mitchell and many other people following the case, D’Amato continued to work at West Hempstead High for nearly two weeks after signing the plea agreement. The school district suspended D’Amato only after Three Village Times, the hometown paper, acted on a tip from Karp and confronted school officials about D’Amato. They admitted they had heard nothing about the charges until that point.

Karp suspected that D’Amato’s attorneys had negotiated a deal to tone down the government’s press release and to keep it devoid of sensational details. Clearly, D’Amato was getting good legal representation. D’Amato’s father, George, was the head of a big Wall Street law firm. And his lawyer, Tracy A. Miner, was one of the top defense lawyers around and president of the Massachusetts Association of Criminal Defense Lawyers.

Karp concluded that George D’Amato was financially supporting his son, who lived in a swanky penthouse in Garden City, New York, well beyond the means of most public-school administrators.

When FBI agents raided the apartment in June of 2000, D’Amato admitted he was DiSisto and detailed how he performed the mail-bomb attacks. He said he used CyberCreek’s Avalanche software to send the messages through open mail relays. He also admitted to registering numerous post office boxes and telephone numbers under false names as part of his tickling video schemes. Later, in a hearing held at the time of his plea bargain, D’Amato told the court he had been under the care of a psychiatrist since January of 2000 for Internet addiction and job-related stress.

The Three Village Times article revealed that D’Amato had submitted his resignation to the school months prior to being exposed as Terri DiSisto. He had planned to leave in order to attend law school the coming autumn at his father’s alma mater, Fordham. The news troubled Mitchell. Impersonating lawyers was one of the tricks DiSisto had used to scare off anti-spammers and others who complained about his spamming and abuse.

“A more unfit person to enter the legal profession I cannot imagine,” concluded Mitchell in Project Iceberg.

Fordham Law School apparently reached a similar conclusion following D’Amato’s sentencing in July 2001.

At the hearing, D’Amato stood up and addressed the court: “Your honor, I would like to express my remorse and sorrow.” He apologized to his parents, who were present, and to “every person in this courtroom who may have been impacted.” D’Amato pleaded to the court for “mercy and compassion.”

Prosecutors had provided the judge with a small stack of letters from DiSisto’s online victims. The letters were gathered by Charles Dirksen, a San Francisco attorney and regular participant in the rec.music.phish newsgroup, who had put out an online call for testimony on behalf of prosecutors.

“I realize there are (inarguably) far more important things to get excited about these days...than putting a twisted, deviant spammer in jail for a year or two,” Dirksen wrote in an April posting to the newsgroup. “But nevertheless, as Phish fans, we have the chance to help put someone in prison who trashed our online community and harassed, threatened and insulted many of our fellow fans repeatedly and persistently.”

Before sentencing D’Amato, the judge asked whether anyone in the courtroom wished to speak about his or her experiences with the defendant. But no one rose to the occasion—not even Sean Gallagher, the student who had been mail-bombed by DiSisto. He was present in the courtroom but apparently content just to watch the proceedings.

The lenient sentence finally handed down by the judge disappointed many who had followed the case. Noting that D’Amato had already paid over $20,000 in restitution to Suffolk and James Madison universities, the judge spared D’Amato jail time for his violations of the Computer Fraud and Abuse Act. Instead, he ordered D’Amato to spend six months in a halfway house. The judge specifically stipulated that D’Amato’s incarceration should not interfere with his law school classes or mental health counseling. The order also didn’t place any restrictions on D’Amato’s Internet use.

But a wrench was thrown into the works when officials at Fordham, apparently awakened to the controversy surrounding D’Amato, balked and withdrew their offer to admit him. Despite protests from D’Amato’s attorney, the judge revised the sentence.

Instead of spending his days at Fordham’s midtown Manhattan campus—just a block from Central Park and the Lincoln Center for the Arts—D’Amato would be booked that August into the Metropolitan Detention Center in Brooklyn, where he would stay for three months until being transferred to a medium-security facility in Fairton, New Jersey. D’Amato would serve out the remaining two and a half months of his sentence in Fairton and be released in February of 2002.

For Mitchell, the conclusion of the case left many questions unresolved, such as how D’Amato had acquired his spamming and mail-bombing skills and whether he worked alone or had accomplices. Similarly, serious doubts remained for Karp about whether investigators had missed evidence of pedophilia in D’Amato’s past. The assistant principal’s resumé showed him to be a job hopper, having changed schools eight times in eleven years. Karp worried that D’Amato’s short stints at each school were the result of his being quietly let go due to misconduct that administrators decided was best to sweep under a rug, rather than face a lawsuit from D’Amato.

But those questions would stay unanswered, and Mitchell had to be content with knowing that Terri DiSisto would never again appear online.

“The era of the Internet presence of Terri DiSisto is at an end, forever,” he wrote as the final entry to his Project Iceberg site.

But then in early August, just days before D’Amato was incarcerated, Mitchell was surprised to receive a rambling email from the man. The message came from an email address he didn’t recognize, and the headers showed it was sent from a public library in Brooklyn.^[2]

A history major in college, D’Amato had frequently compared their online battles to those of opposing generals in the American Revolutionary War, and in his message that day he acknowledged that Mitchell had been a worthy opponent.

“Everything is going to turn out just fine,” said the former guidance counselor, noting that he still had his permanent certification from the New York State Education Department.

Annoyed, Mitchell sent a terse reply stating that he had grown weary of D’Amato’s analogies. He said D’Amato seemed in denial about what he had done and what lay ahead of him. But D’Amato apparently had no desire for introspection. He wrote back to say he was disappointed not to see Mitchell at his sentencing in Boston, and he invited Mitchell to meet him someday in New York.

When Mitchell finally responded, he said he’d try to look up D’Amato if his travels ever took him to the Northeast. But Mitchell never received a reply.