Following his strong showing in Nashville, Hawke drove home to Cosby alone. Then, on the evening of December 24, 2000, as families all around the country gathered to celebrate the holidays, Hawke was in his trailer, using a UUNET dial-up account to send out a new batch of spam advertising the Banned CD. He knew some people might consider it a depressing way to spend Christmas Eve. But Hawke refused to indulge in such sentimental thinking.
The next day, a spam fighter filed complaints with UUNET and Hawke's web site host about the Banned CD ads. Hawke found out about the anti-spammer's reports a few days later. Now that, thought Hawke, was a depressing way for someone to spend Christmas morning.
Chapter 5.
Tracking Empire Towers
There's no Guinness world record yet for the greatest number of spams received in a two-day period. But Karen Hoffmann would surely be a contender. A self-proclaimed soccer mom from the suburbs of Toledo, Ohio, Hoffmann was inundated with over 100,000 junk emails over the course of forty-eight hours in January 2001.
The messages advertised a multilevel marketing program run by an outfit called the Institute for Global Prosperity (IGP). At the height of the spam attack, ads bearing the subject line "Be Your Own Boss" flowed into her email server at the rate of over thirty per minute. Hoffmann tried to keep her head above water by quickly downloading and deleting the messages. But she unavoidably fell behind, and before long the volume of spam overwhelmed her account's storage capacity. Hoffmann's ISP disconnected its mail server to weather the flood.
Prior to the incident, the 41-year-old Hoffmann had never paid much attention to junk email. She had been operating Toledo CyberCafe, her web-page design business, from her home since 1996. A computer science major in college, Hoffmann had started the small company after the collapsing savings-and-loan industry took with it her career as a systems analyst for banks. She had openly published her email address on the web sites she designed for clients, so Hoffmann was accustomed to deleting a couple dozen spams each day. But the onslaught that winter suddenly turned her into a vehement anti-spammer. She wanted to know who was responsible, and she wanted the criminals to pay.
For several days following the attacks, Hoffmann was unable to concentrate on real work for clients. While her son was at high school and her husband was at his office in Toledo, she cleaned up after the spam avalanche. After doing a bit of research, Hoffmann learned that she was the victim of a dictionary attack. The spammer's mailing program had latched onto her toledocybercafe.com domain and fired off thousands of messages to nonexistent accounts, such as [email protected], [email protected], and [email protected]. The technique might have made sense against a big ISP such as AOL or EarthLink, but Hoffmann had fewer than a half-dozen active email accounts using her domain. The spam attack was so damaging because her ISP had configured the domain's mail settings with a catch-all feature so that it accepted and forwarded to her main account any message sent to a toledocybercafe.com address.
Hoffmann had no prior experience in spam tracking, but drawing on her technical skills, she was able to trace the spam attack to dial-up accounts at UUNET. To conceal his identity, the spammer had used bogus return addresses in the messages' "From" lines. He also bounced them off open mail relays in China, Thailand, and Colombia. But after studying the message headers, Hoffmann was able to determine that the emails originated from a computer using numerical Internet-protocol addresses registered to UUNET. She copied the IP addresses into an email and sent it off to the big ISP's network abuse department.
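The kind of header reading described above can be sketched in code. This is an added example, not part of the original text: it walks a message's Received headers from the recipient's own server outward and stops where the chain is no longer consistent. The message, host names and IP addresses are constructed (documentation ranges only), and a Sendmail/Postfix-style header layout is assumed.

```python
import re
from email import message_from_string

# Constructed sample message: documentation-range IPs, .example domains.
RAW = """\
Received: from relay.example.net (relay.example.net [198.51.100.25])
\tby mx.recipient.example with ESMTP; Mon, 15 Jan 2001 10:02:11 -0500
Received: from mail.forged.example (dialup-7.isp.example [203.0.113.77])
\tby relay.example.net with SMTP; Mon, 15 Jan 2001 23:02:05 +0800
Received: from mail.forged.example ([192.0.2.1])
\tby mail.forged.example with SMTP; Mon, 15 Jan 2001 09:00:00 -0500
From: "Be Your Own Boss" <nobody@invalid.example>
To: anything@recipient.example
Subject: Be Your Own Boss

body
"""

# Assumed layout: from HELO (RDNS [IP]) ... by HOST
# HELO is whatever the client claimed; RDNS and IP were recorded by the server.
HOP = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>[^\s\[\]]+)\s+)?\[(?P<ip>[\d.]+)\]\)"
    r".*?\bby\s+(?P<by>\S+)", re.S)

def parse_hops(raw):
    """Return one dict per Received header, newest first (None if unparsable)."""
    msg = message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        m = HOP.search(value)
        hops.append(m.groupdict() if m else None)
    return hops

def trace_origin(raw, our_mx):
    """Return (origin_ip, relay_ips, untrusted_header_count)."""
    hops = parse_hops(raw)
    # Only the header written by our own mail server is trusted outright.
    if not hops or hops[0] is None or hops[0]["by"].lower() != our_mx.lower():
        return None, [], len(hops)
    trusted = [hops[0]]
    for hop in hops[1:]:
        prev = trusted[-1]
        # The next header is credible only if it claims to be written by the
        # host the previous trusted server saw connecting to it.
        if hop is None or hop["by"].lower() != (prev["rdns"] or "").lower():
            break
        trusted.append(hop)
    origin = trusted[-1]["ip"]                  # peer seen by the last trusted hop
    relays = [h["ip"] for h in trusted[:-1]]    # intermediate relays
    return origin, relays, len(hops) - len(trusted)

if __name__ == "__main__":
    print(trace_origin(RAW, "mx.recipient.example"))
```

The name match is a heuristic, since a sender can forge a header that names its own host. The address to report to an abuse desk is the one recorded by the last server you can independently identify, such as the open relay.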
A few days later, she followed up by phone and was able to get a UUNET representative to confirm that one of its customers in Clearwater, Florida, was responsible for the spam. But he said UUNET couldn't divulge the identity of the spammer without a court order. Hoffmann was close to tears as she pleaded with the rep to help her, but he was adamant.
Hoffmann turned to Internet newsgroups for more information about IGP. From searching Nanae, she discovered that the company's sales associates had generated many spam complaints in recent years. Their messages invited recipients to buy expensive audiotapes or to attend costly seminars that provided investment advice. Prospects were also told they could pay a fee to become an IGP sales associate and earn commissions of up to $5,000 per week from new clients they brought in.
Officials from several states, including Massachusetts and Michigan, decided IGP was an illegal pyramid scheme. To protect consumers, the states issued cease-and-desist orders prohibiting IGP from operating in their jurisdictions. In an odd coincidence, just days after Hoffmann's email bombing, the CBS television newsmagazine 48 Hours aired an exposé on IGP that included interviews with several people who claimed the company scammed them out of thousands of dollars.
Hoffmann decided to notify the FBI's Toledo office about the spam attack, which she calculated had cost her at least $15,000 in billable time. A few weeks later, an agent showed up to interview her at her house, which was just down the road from a golf course in one of Sylvania, Ohio's better neighborhoods. With Hoffmann's husband—an attorney—at her side, the three of them sat in the living room, going over the stack of evidence she had printed out about the incident. The agent was very professional and seemed interested in her case. But he admitted his experience in spam investigations consisted of a one-week course at the FBI's Quantico training center. He said the Toledo office had only one Internet-connected computer and a lone agent working computer-related crimes, who spent most of his time disguised as a 12-year-old, chasing pedophiles in online chat rooms. But the agent promised to submit a report about Hoffmann's email bombing to the better-equipped Cleveland office for further investigation. He explained that he probably wouldn't be able to write it up right away, since he was going on vacation to Florida the next week.
Unsure about what to do next, Hoffmann wrote up her own report on the attack and posted it to Nanae. Besides recounting her technical findings and the FBI interview, Hoffmann used the report to pontificate a bit about spam.
"There are thousands upon thousands of small-business owners on the Internet that are vulnerable to this malicious, illegal, unauthorized use of their computer equipment," she wrote. "The spammers must be stopped now...By prosecuting to the fullest extent of the available laws, we can send a message that we won't allow these unscrupulous vermin to deny others the right to life, liberty and the pursuit of happiness."
That might have been the end of Hoffmann's brief spam-fighting career but for two things. First, she was subsequently hit by smaller but similar dictionary attacks. (Her ISP took several weeks to turn off the catch-all setting.) And then there was the warm way that anti-spammers received her report on the incident. A Nanae participant in Massachusetts named Steve complimented Hoffmann for being such a quick study.
"I can't tell you how much I respect you for following through on this knowing that your effort might just be a drop in the proverbial bucket. You ever get to Boston? Email me, dinner's on me," he wrote.
In early March 2001, Shiksaa patiently worked with Hoffmann on another spam problem. Hoffmann was outraged after learning her ISP hosted a company that was selling Stealth Mail Master and was listed on Sapient Fridge's spamware-sites roster. Hoffmann fired off an email to Host4U.net, reminding the firm that berserk spamware had caused her recent dictionary attacks and warning the ISP to cut off service to the spamware vendor, or she would take her business elsewhere. Hoffmann posted a copy of the letter on Nanae, prefaced by the words, "I hope my fury is showing."
The next morning, Shiksaa gently told Hoffmann it was unrealistic to think Host4U would quickly give the boot to the spamware vendor. After all, Shiksaa pointed out, Host4U had been sluggish to respond to complaints about other bulk emailers, including Empire Towers, a major spam outfit listed in Rokso.
Hoffmann had never heard of Empire Towers, so she visited Spamhaus.org and reviewed the entry on the company. According to the Rokso listing, Empire Towers was "a hard-line stealth spamming operation" that "goes to elaborate lengths to hide spam origins and obfuscate URLs." 32-year-old Thomas Carlton Cowles headed the company, which also went by aliases including Leverage Communications, World Reach Corporation, and PopLaunch.
The last name rang a bell. In February 2001, Hoffmann had received several pornography spams that advertised sites with bizarre addresses full of numbers, percent signs, and other code. The messages also contained the first copyright notice she'd ever seen in a spam. It warned recipients against "attempting to infringe upon the copyrights of PopLaunch or attempting to harm the natural course of business of PopLaunch" by hacking, performing denial-of-service attacks, or publishing "the location of client sites."
That final bit about the concealed location of sites was apparently the raison d'être for the odd format of web addresses advertised in the spams. After Hoffmann posted a copy of the messages, an anti-spammer on Nanae using the alias Spamless explained how Empire Towers deployed an array of technical tricks, such as doubly encrypted JavaScript and browser redirects, to quickly shunt spam recipients through a series of temporary sites. When the user finally landed at the ultimate destination page, the browser's location bar, which ordinarily displayed the site address, would be hidden. In addition, the right mouse button would be disabled in an effort to prevent users from viewing the web page source code. All the sleight of hand was intended to make it extremely difficult for the average person to identify, much less complain about, the sites advertised in the messages.
Hoffmann poked a bit further into the Rokso record on Empire Towers. Under the section listing the company's known addresses, she was startled to read that it was based in her home state of Ohio. Empire Towers even maintained offices in Toledo, as well as one just across town from her in Sylvania.
Moments later, Hoffmann was in her blue minivan headed south on McCord Road. She was looking for 8505 Larch Road, the Empire Towers address listed in Rokso. After the frustration of being unable to positively identify the IGP spammer who had mail-bombed her, Hoffmann couldn't believe the ease with which she was closing in on one of the Internet's biggest spammers.
As she turned onto Larch Road and rolled slowly down the wooded street, Hoffmann spotted a mailbox just ahead with the number 8505. It belonged to a large, white house on the corner. The place had the look of a 1970s dream home gone to seed. Peeling paint on the exterior walls of the modern structure revealed large patches of grey stucco below. The bushes in the yard were overgrown and the lawn was unkempt. A camper trailer was parked in the side yard, and a Buick with weathered red paint sat beside the gravel driveway.
Hoffmann would later learn that the house was where Tom Cowles was raised and that his parents still lived in the place. But on that afternoon in early March, Hoffmann, who was just five-foot-two and had a tendency to avoid confrontation, didn't even come to a full stop, let alone get out of her van and knock on the house's front door. Instead, she drove quickly home and posted a note to Nanae about her findings.
"My God, what a small world," she wrote. Then Hoffmann finished her post with a nod to Shiksaa, "Thanks for all you do."
Shiksaa responded by publishing the most current address she had for Cowles—which turned out to be a mailbox rental place in Toledo—as well as the man's physical description, which she had received from former Cowles business associates. Cowles, she reported, was around six-six, skinny, dark-haired, and geeky looking.
"If you see a similar creature strolling down the street in your town, it may be him," said Shiksaa, not realizing at the time that she was planting the seeds for what she would later consider Hoffmann's obsession with Tom Cowles.
Although Cowles and his company had begun to occupy a lot of her time, Hoffmann didn't consider herself overly preoccupied with them. True, a week later, she dialed the number listed in Nanae as Cowles's cell phone and hung up as soon as he answered. But she simply thought of herself as part of a team of people investigating one of the Net's biggest spammers. Since Hoffmann was local to the Empire Towers operation, she figured she could contribute in ways others couldn't. Shiksaa was using the Internet to dig up court records that showed Cowles had prior convictions in Indiana for burglary and in Ohio for passing bad checks. An anti-spammer named Mark had built a site that included details on how PopLaunch worked. Hoffmann, in turn, could physically visit the county courthouse or other places with information about Cowles and his gang.
To publicize the results of her Empire Towers investigations, Hoffmann put up a special page at her ToledoCyberCafe.com site. It also featured photographs she had taken of several area buildings used by Empire Towers, as well as links to other sources of information about the spam operation and to her Nanae postings about the IGP mail-bomb attack. Hoffmann's hope was that the local media or law enforcement would pick up the story if she handed it to them on a silver platter. But none ever did.
A few weeks later, Hoffmann learned from Shiksaa that Cowles was keeping a low profile as the result of a big falling-out with a partner-in-spam. Shiksaa told her that Cowles had been sharing a data center in Florida with Eddy Marin, a notorious spammer-for-hire added to the Rokso list the past December.
Marin's Boca Raton-based company, OptIn Services, was known to offer Internet users a free pornographic picture in exchange for providing a working email address. The trick enabled Marin to claim the users had "opted in" to receive his spam. Besides advertising porn sites, Marin had a history of sending spams touting Viagra and other drugs without prescriptions, as well as loans and cheap computer software.
Like Cowles, Marin had a criminal rap sheet. He was convicted in 1990 for cocaine trafficking and again in 1999 for money laundering. When Hoffmann learned about him in March 2001, Marin was halfway through his twelve-month money-laundering sentence at Eglin Federal Prison camp, a minimum-security facility on Florida's Gulf Coast, also known as Club Fed.
The partnership in 2000 between Marin and Cowles seemed like a synergistic deal at the time. Marin had been running Azure Enterprises, a webcam pornography business, out of an office in Pompano Beach, Florida, and wanted to get into serious bulk emailing. Cowles was interested in setting up operations in South Florida to be closer to his many clients in the area. Through a third party, the two men worked out a deal by telephone under which Marin would get unlimited access to Cowles's proprietary MassiveMail spamware system. (Empire Towers normally charged $20,000 per month for each server capable of sending a million spams per day.) In exchange, Marin would give Cowles half of any revenue from the mailings. In addition, Marin agreed to share his computer data center in Palm Beach, including the facility's high-speed DS3 line, with Cowles.
Marin wasn't the first spam king Cowles had tutored in the business. A few years back, he had driven up to West Bloomfield, Michigan and spent a couple days teaching a convicted fraud artist named Alan Ralsky the ins and outs of bulk email. Soon, the 57-year-old Ralsky was big enough to earn a top spot on the Spamhaus Rokso list—and a lawsuit in 2001 from Verizon Online Services, which accused Ralsky of bombarding its mail servers with fifty-six gigabytes of spam in one day. (Ralsky and Verizon later settled the lawsuit, and Ralsky returned to spamming.)
But when Cowles arrived in Florida, he felt like he had been dropped into a pool of sharks. The clients who had seemed like respectable business people on the telephone turned out to be cokeheads, pornographers, and petty thugs. Everyone seemed to be looking for a scam. Even Marin was quick to use his new affiliation with Empire Towers to position himself as a big player in the email business. As the weeks went by, Cowles suspected Marin of trying to steal Empire Towers's clients by telling people he was one of the firm's executives. (Marin's lawyers later registered a Florida company named "Empire Tower Group" on Eddy's behalf.)
In December 2000, a disgusted Cowles finally decided to pack up his equipment and move back to Toledo. With Marin incarcerated, and Marin's wife Kimberly running the spam operation, Cowles had an employee box up a load of servers and other computer gear from the shared data center and haul them to Ohio.
When Kim Marin found out, she filed a police report claiming that Cowles had stolen $16,000 of her company's equipment.
In June 2001, the Broward County Sheriff's Office told Marin an arrest warrant for Cowles was on its way, and she passed the word along via email to Shiksaa. (The two had previously exchanged messages about OptIn Services's spamming. Like Ronnie Scelson, Marin had impressed Shiksaa with her tendency to tell the truth about her business.)
"Rest assured that this scum bag will be around for only a limited time," wrote Marin. "Once they issue arrest warrants he will be extradited and held without bond. A day I look forward to."
When Shiksaa posted the email to Nanae, with Marin's name redacted, spam fighters chuckled at the spammer soap opera. Meanwhile, Hoffmann updated her Empire Towers site with the new information. Little did she know that her preoccupation with the company and its founder would eventually lead her right into the crossfire of the spam wars.
Terri Tickle Descends on Nanae
Just as Hoffmann was launching her Empire Towers page in April 2001, an anti-spammer who called himself Rob Mitchell was putting the crowning touches on a spammer-tracking web site he had been building for three years.
Mitchell was also considered obsessive by some Nanae participants for his painstaking research into the subject of his site: a chronic spammer who used the online nickname "Terri DiSisto" and claimed to be a female college student in Massachusetts.
Unlike most junk emailers, DiSisto wasn't littering the Internet in hopes of selling something. Instead, her ads offered payment in the form of cash and computer or audio equipment to young men between eighteen and twenty-three who mailed her videos of themselves being tickled.
Spam Kings Page 11