Spam Kings (9 page)

Authors: Brian S McWilliams

Tags: #COMPUTERS / General

A week before Christmas, Hawke returned to Nashville and entered a quick-chess
tournament, again using the alias Walter Smith. Players were limited to just fifteen minutes
of clock time, which gave nimble competitors an advantage. The favorites in the field of
thirty-two were Jerry Spinrad, a computer science professor at Vanderbilt University who
entered with a USCF rating of 2069, and Dale Rigby, an English professor at Western Kentucky
University who had a USCF rating of 2031.

After he beat his first two opponents, Hawke faced Rigby in the third round. Rigby
regarded "Smith" with suspicion. The newcomer entered the tournament without an official
USCF rating, yet Smith obviously was no beginner. Rigby's intuition told him Smith was a
sandbagger who had competed in plenty of tournaments before, perhaps under a different name.
His suspicions were confirmed when he struggled before ultimately defeating Smith.

After the loss to Rigby, Hawke rebounded, winning his next three games, including one
against a high school player who had been in the hunt for the tournament lead. That set up a
showdown between Hawke and Spinrad in the seventh and penultimate round. Spinrad had won all
of his matches until that point, including one against Rigby. He had watched the unknown
"Smith" play in the early rounds and spoke with him briefly between matches. Smith struck
him as friendly but not at all intimidated by the field, extremely confident of his chess
skills. Indeed, Smith jumped out to a small advantage as their match began. While Spinrad
never felt in danger of losing, he was relieved when time ran out, and he was able to come
away with a draw. Smith, however, seemed disappointed with the outcome, as though he had
expected to defeat the stronger player.

In the contest's final round, Hawke pulled off a win over a solid player, which gave him
six and a half points in the tournament. But Spinrad also managed to defeat his final
opponent, earning him a total of seven and a half points and the tournament title. Still,
Hawke, playing as Smith, took a surprising second place and a forty-five-dollar prize, while
Rigby finished third, just a half-point behind him.

As a kid, Hawke would have reviewed each round of the competition with his parents on
the ride back home. Chess tournaments had always been a family activity for the Greenbaums.
Both parents usually traveled with Hawke to chess competitions, and not just as spectators.
Even his mother, who had originally taught him the game, would enter the tournament in the
novice section. Hawke's father was rated slightly higher than she, though he never came
close to beating his son. But neither parent entered a chess tournament again after Hawke
went off to college.

Following his strong showing in Nashville, Hawke drove home to Cosby alone. Then, on the
evening of December 24, 2000, as families all around the country gathered to celebrate the
holidays, Hawke was in his trailer, using a UUNET dial-up account to send out a new batch of
spam advertising the Banned CD. He knew some people might consider it a depressing way to
spend Christmas Eve.
But Hawke refused to indulge in such sentimental thinking.

The next day, a spam fighter filed complaints with UUNET and Hawke's web site host about
the Banned CD ads. Hawke found out about the anti-spammer's reports a few days later. Now
that, thought Hawke, was a depressing way for someone to spend Christmas morning.

Chapter 5. Tracking Empire Towers

There's no Guinness world record yet for the greatest number of spams received in a
two-day period. But Karen Hoffmann would surely be a contender. A self-proclaimed soccer mom
from the suburbs of Toledo, Ohio, Hoffmann was inundated with over 100,000 junk emails over
the course of forty-eight hours in January 2001.

The messages advertised a multilevel marketing program run by an outfit called the
Institute for Global Prosperity (IGP). At the height of the spam attack, ads bearing the
subject line "Be Your Own
Boss" flowed into her email server at the rate of over thirty per minute. Hoffmann tried to
keep her head above water by quickly downloading and deleting the messages. But she
unavoidably fell behind, and before long the volume of spam overwhelmed her account's
storage capacity. Hoffmann's ISP disconnected its mail server to weather the flood.

Prior to the incident, the 41-year-old Hoffmann had never paid much attention to junk
email. She had been operating Toledo CyberCafe, her web-page design business, from her home
since 1996. A computer science
major in college, Hoffmann had started the small company after the collapsing
savings-and-loan industry took with it her career as a systems analyst for banks. She had
openly published her email address on the web sites she designed for clients, so Hoffmann
was accustomed to deleting a couple dozen spams each day. But the onslaught that winter
suddenly turned her into a vehement anti-spammer. She wanted to know who was responsible,
and she wanted the criminals to pay.

For several days following the attacks, Hoffmann was unable to concentrate on real work
for clients. While her son was at high school and her husband was at his office in Toledo,
she cleaned up after the spam avalanche. After doing a bit of research, Hoffmann learned
that she was the victim of a dictionary attack. The spammer's mailing program had latched
onto her toledocybercafe.com domain and fired off thousands of messages to nonexistent
accounts, such as [email protected], [email protected], and [email protected]. The technique
might have made sense against a
big ISP such as AOL or EarthLink, but Hoffmann had fewer than a half-dozen active email
accounts using her domain. The spam attack was so damaging because her ISP had configured
the domain's mail settings with a catch-all feature so that it accepted and forwarded to her
main account any message sent to a toledocybercafe.com address.

Hoffmann had no prior experience in spam tracking, but drawing on her technical skills,
she was able to trace the spam attack to dial-up accounts at UUNET. To conceal his identity,
the spammer had used bogus return addresses in the messages' "From" lines. He also bounced
them off open mail relays in China, Thailand, and Colombia. But after studying the message
headers, Hoffmann was able to determine that the
emails originated from a computer using numerical Internet-protocol addresses registered to
UUNET. She copied the IP addresses into an email and sent it off to the big ISP's network
abuse department.

A few days later, she followed up by phone and was able to get a UUNET representative to
confirm that one of its customers in Clearwater, Florida, was responsible for the spam. But
he said UUNET couldn't divulge the identity of the spammer without a court order. Hoffmann
was close to tears as she pleaded with the rep to help her, but he was adamant.

Hoffmann turned to Internet newsgroups for more information about IGP. From searching
Nanae, she discovered that the company's sales associates had generated many spam complaints
in recent years. Their messages invited recipients to buy expensive audiotapes or to attend
costly seminars that provided investment advice. Prospects were also told they could pay a
fee to become an IGP sales associate and earn commissions of up to $5,000 per week from new
clients they brought in.

Officials from several states, including Massachusetts and Michigan, decided IGP was an
illegal pyramid scheme. To protect consumers, the states issued cease-and-desist orders
prohibiting IGP from operating in their jurisdictions. In an odd coincidence, just days
after Hoffmann's email bombing, the CBS television newsmagazine 48 Hours aired an exposé on
IGP that included interviews with several people who
claimed the company scammed them out of thousands of dollars.

Hoffmann decided to notify the FBI's Toledo office about the spam attack, which she
calculated had cost her at least $15,000 in billable time. A few weeks later, an agent
showed up to interview her at her house, which was just down the road from a golf course in
one of Sylvania, Ohio's better neighborhoods. With Hoffmann's husband—an attorney—at her
side, the three of them sat in the living room, going over the stack of evidence she had
printed out about the incident. The agent was very professional and seemed interested in her
case. But he admitted his experience in spam investigations consisted of a one-week course
at the FBI's Quantico training center. He said the Toledo office had only one
Internet-connected computer and a lone agent working computer-related crimes, who spent most
of his time disguised as a 12-year-old, chasing pedophiles in online chat rooms. But the
agent promised to submit a report about Hoffmann's email bombing to the better-equipped
Cleveland office for further investigation. He explained that he probably wouldn't be able
to write it up right away, since he was going on vacation to Florida the next week.

Unsure about what to do next, Hoffmann wrote up her own report on the attack and posted
it to Nanae. Besides recounting her technical findings and the FBI interview, Hoffmann used
the report to pontificate a bit about spam.

"There are thousands upon thousands of small-business owners on the Internet that are
vulnerable to this malicious, illegal, unauthorized use of their computer equipment," she
wrote. "The spammers must be stopped now...By prosecuting to the fullest extent of the
available laws, we can send a message that we won't allow these unscrupulous vermin to deny
others the right to life, liberty and the pursuit of happiness."

That might have been the end of Hoffmann's brief spam-fighting career but for two
things. First, she was subsequently hit by smaller but similar dictionary attacks. (Her ISP
took several weeks to turn off the catch-all setting.) And then there was the warm way that
anti-spammers received her report on the incident. A Nanae participant in Massachusetts
named Steve complimented Hoffmann for being such a quick study.

"I can't tell you how much I respect you for following through on this knowing that your
effort might just be a drop in the proverbial bucket. You ever get to Boston? Email me,
dinner's on me," he wrote.

In early March 2001, Shiksaa patiently worked with Hoffmann on another spam problem.
Hoffmann was outraged after learning her ISP hosted a company that was selling Stealth Mail
Master and was listed on Sapient Fridge's spamware-sites roster. Hoffmann fired off an
email to Host4U.net, reminding the firm that berserk spamware had caused her recent
dictionary attacks and warning the ISP to cut off service to the spamware vendor, or she
would take her business elsewhere. Hoffmann posted a copy of the letter on Nanae, prefaced
by the words, "I hope my fury is showing."

The next morning, Shiksaa gently told Hoffmann it was unrealistic to think Host4U would
quickly give the boot to the spamware vendor. After all, Shiksaa pointed out, Host4U had
been sluggish to respond to complaints about other bulk emailers, including Empire Towers,
a major spam outfit listed in Rokso.

Hoffmann had never heard of Empire Towers, so she visited Spamhaus.org and reviewed the
entry on the company. According to the Rokso listing, Empire Towers was "a hard-line stealth
spamming operation" that "goes to elaborate lengths to hide spam origins and obfuscate
URLs." 32-year-old Thomas Carlton Cowles headed the company, which also went by aliases
including Leverage Communications, World Reach Corporation, and PopLaunch.

The last name rang a bell. In February 2001, Hoffmann had received several pornography
spams that advertised sites with bizarre addresses full of numbers, percent signs, and other
code. The messages also contained the first copyright notice she'd ever seen in a spam. It
warned recipients against "attempting to infringe upon the copyrights of PopLaunch or
attempting to harm the natural course of business of PopLaunch" by hacking, performing
denial-of-service attacks, or publishing "the location of client sites."

That final bit about the concealed location of sites was apparently the raison d'être
for the odd format of web addresses advertised in the spams. After Hoffmann posted a copy of
the messages, an anti-spammer on Nanae using the alias Spamless explained how Empire Towers
deployed an array of technical tricks, such as doubly encrypted JavaScript and browser
redirects, to quickly shunt spam recipients through a series of temporary sites. When the
user finally landed at the ultimate destination page, the browser's location bar, which
ordinarily displayed the site address, would be hidden. In addition, the right mouse button
would be disabled in an effort to prevent users from viewing the web page source code. All
the sleight of hand was intended to make it extremely difficult for the average person to
identify, much less complain about, the sites advertised in the messages.

Hoffmann poked a bit further into the Rokso record on Empire Towers. Under the section
listing the company's known addresses, she was startled to read that it was based in her
home state of Ohio. Empire Towers even maintained offices in Toledo, as well as one just
across town from her in Sylvania.

Moments later, Hoffmann was in her blue minivan headed south on McCord Road. She was
looking for 8505 Larch Road, the Empire Towers address listed in Rokso. After the
frustration of being unable to positively identify the IGP spammer who had mail-bombed her,
Hoffmann couldn't believe the ease with which she was closing in on one of the Internet's
biggest spammers.

As she turned onto Larch Road and rolled slowly down the wooded street, Hoffmann spotted
a mailbox just ahead with the number 8505. It belonged to a large, white house on the
corner. The place had the look of a 1970s dream home gone to seed. Peeling paint on the
exterior walls of the modern structure revealed large patches of grey stucco below. The
bushes in the yard were overgrown and the lawn was unkempt. A camper trailer was parked in
the side yard, and a Buick with weathered red paint sat beside the gravel driveway.

Hoffmann would later learn that the house was where Tom Cowles was raised and that his
parents still lived in the place. But on that afternoon in early March, Hoffmann, who was
just five-foot-two and had a tendency to avoid confrontation, didn't even come to a full
stop, let alone get out of her van and knock on the house's front door. Instead, she drove
quickly home and posted a note to Nanae about her findings.

"My God, what a small world," she wrote. Then Hoffmann finished her post with a nod to
Shiksaa, "Thanks for all you do."

Shiksaa responded by publishing the most current address she had for Cowles—which turned
out to be a mailbox rental place in Toledo—as well as the man's physical description, which
she had received from former Cowles business associates. Cowles, she reported, was around
six-six, skinny, dark-haired, and geeky looking.

"If you see a similar creature strolling down the street in your town, it may be him,"
said Shiksaa, not realizing at the time that she was planting the seeds for what she would
later consider Hoffmann's obsession with Tom Cowles.

Although Cowles and his company had begun to occupy a lot of her time, Hoffmann didn't
consider herself overly preoccupied with them. True, a week later, she dialed the number
listed in Nanae as Cowles's cell phone and hung up as soon as he answered. But she simply
thought of herself as part of a team of people investigating one of the Net's biggest
spammers. Since Hoffmann was local to the Empire Towers operation, she figured she could
contribute in ways others couldn't. Shiksaa was using the Internet to dig up court records
that showed Cowles had prior convictions in Indiana for burglary and in Ohio for passing bad
checks. An anti-spammer named Mark had built a site that included details on how PopLaunch
worked. Hoffmann, in turn, could physically visit the county courthouse or other places with
information about Cowles and his gang.

To publicize the results of her Empire Towers investigations, Hoffmann put up a special
page at her ToledoCyberCafe.com site. It also featured photographs she had taken of several
area buildings used by Empire Towers, as well as links to other sources of information about
the spam operation and to her Nanae postings about the IGP mail-bomb attack. Hoffmann's hope
was that the local media or law enforcement would pick up the story if she handed it to them
on a silver platter. But none ever did.

A few weeks later, Hoffmann learned from Shiksaa that Cowles was keeping a low profile
as the result of a big falling-out with a partner-in-spam. Shiksaa told her that Cowles had
been sharing a data center in Florida with Eddy Marin, a notorious spammer-for-hire added to
the Rokso list the past December.

Marin's Boca Raton-based company, OptIn Services, was known to offer Internet users a
free pornographic picture in exchange for providing a working email address. The trick
enabled Marin to claim the users had "opted in" to receive his spam. Besides advertising
porn sites, Marin had a history of sending spams touting Viagra and other drugs without
prescriptions, as well as loans and cheap computer software.

Like Cowles, Marin had a criminal rap sheet. He was convicted in 1990 for cocaine
trafficking and again in 1999 for money laundering. When Hoffmann learned about him in March
2001, Marin was halfway through his twelve-month money-laundering sentence at Eglin Federal
Prison camp, a minimum-security facility on Florida's Gulf Coast, also known as Club
Fed.
