The decade-long quest to stop “Spamford” Wallace

 The decade-long quest to stop “Spamford” Wallace

This post was originally published on this site

The federal courthouse in Las Vegas, where Wallace was questioned about his money.

Enlarge / The federal courthouse in Las Vegas, where Wallace was questioned about his money.
Wikimedia Commons
Update, 12/28/20: It’s the year end holiday season, and much of Ars staff is still enjoying some necessary downtime. While that happens, we’re resurfacing some classic Ars stories like this 2013 excerpt from The Internet Police, Deputy Editor Nate Anderson’s look at how the Internet changed the game for criminals and law enforcement (now available in paperback!). This piece on bringing down junk email king Spamford Wallace first published on December 22, 2013, and it appears unchanged below.

On a warm April morning in 2007, one of the world’s most notorious spammers walked through the doors of the Lloyd D. George Federal Courthouse in Las Vegas. Though the Federal Trade Commission was attempting to collect a $4 million judgment against him, Sanford “Spamford” Wallace showed up to his sworn deposition without a lawyer—and without any of the documents required of him.

Wallace, though nominally cooperative, had been nearly impossible to reach. When attorneys from the social network MySpace had sued him weeks before, the process server tasked with delivering legal documents couldn’t make contact with Wallace and eventually went to the OPM Nightclub where Wallace worked weekends as a $400-a-week disc jockey under the name “DJ MasterWeb.” The process server claimed to have approached Wallace at the club before being intercepted by security guards; the lawsuit papers were literally thrown at Wallace in an attempt to get good service on him.

FTC lawyer David Frankel, who was overseeing Wallace courthouse questioning as part of a separate spam case brought by the government, had resorted to telephone calls, FedEx packages, and e-mails to contact Wallace; he even sent a personal messenger on occasion. Despite the extraordinary measures, Frankel didn’t know when he showed up to court that April morning whether Wallace would actually arrive.

Wallace did arrive. After swearing to tell the truth in his testimony, he explained to Frankel that the problems weren’t the result of malice but were instead caused by utter disorganization. “Let me just state, for the record, that I am chronically disorganized, and that’s one of the reasons it’s so difficult to communicate with me, and some of the things that would appear to the normal person to be uncooperative, it’s actually possible and very often related to the fact that I’m a very disorganized person,” he said at the beginning of his testimony. “I think you’ll see that as we continue this conversation that as a lot of documents haven’t been filed or organized in a very efficient manner by myself, I want to just state for the record that that is something that I could probably have a psychiatrist to verify if I had to.”

“A business that worked”

Yet Wallace had been organized enough to become a massive spammer. Born in 1968, he attended high school in Maplewood, New Jersey, but realized the academic world wasn’t for him. He tried attending college twice, first at SUNY-Buffalo and then at New Jersey’s Ramapo College; he didn’t last a semester at either. He later described himself as “not a good student.”

That didn’t stop him from finding monetary success—and public notoriety—during the mid-1990s with his Pennsylvania company Cyber Promotions. As a heavyset twentysomething with close-cropped hair and glasses, Wallace first spammed fax machines and then moved on to e-mail, believing that he had a legal right to market his wares as he saw fit. Dubbed “Spamford” by opponents, he eventually embraced the nickname and even registered the domain (In 1997, Hormel sent him a letter objecting to the name on the grounds that it used the company’s potted meat SPAM trademark). Unlike other spammers who hid their identities, Wallace regularly tangled in public with antispam crusaders.

Cyber Promotions quickly became so hated that a dozen Internet service providers, including AOL, sued Wallace in the late 1990s, each hoping to halt his flood of junk e-mail despite the lack of antispam laws at the time. Wallace pressed on, but the lawsuits did cramp his business. He settled several of them by agreeing not to spam the particular network at issue, which gradually whittled down the list of places he could send spam without getting into more trouble.

Antispam vigilantes were also after him and his company. They hacked his website, replacing its homepage, and went after the Michigan Internet provider that served Cyber Promotions. As recounted in the 2004 book Spam Kings by Brian McWilliams, Wallace was angry enough about the hacking to offer a $15,000 reward and claimed he was alerting the FBI.

By 1998, the pressure was so intense that Wallace had trouble finding an Internet provider to offer service to his company. In January, a local Philadelphia paper reported that Wallace had returned to his roots in junk faxing despite the fact that federal law now prohibited the practice. Local residents were furious; one managed to get Cyber Promotions delisted from the Better Business Bureau.

In April 1998, Wallace publicly announced his “retirement” from spamming. After several more failed ventures and a failed marriage, he moved to New Hampshire and in January 2002 bought a nightclub called Plum Crazy from Walter Rines, a former spam partner. The club, just outside of Rochester, proved popular; few visitors knew that club owner DJ MasterWeb had such a colorful past.

When Wired magazine visited Plum Crazy in 2003, Wallace appeared to be a changed man. Those lawsuits from Internet providers hadn’t killed his business; “they put me into business—a business that worked,” he said at the time. Even top antispam lawyers were pleased to see the change of heart. The Wired story included a line that at the time seemed perfectly sane: “I think the world of Sanford,” it quoted Pete Wellborn, an Atlanta attorney who won a $2 million judgment against Wallace on behalf of EarthLink in 1998. “He really is a man of his word, unlike the spammers we see now who are either ignorant or common criminals.”

The power of friends

Federal Trade Commission headquarters in Washington, DC. The FTC spent years chasing Wallace.

But Wallace soon needed money. Plum Crazy went bankrupt; Wallace sold his house and moved to Las Vegas. He revived an older business of his called SmartBot and soon began a scheme in which he infected computers with spyware that then popped up messages selling an “antispyware program” to clean the infection. This finally moved the feds to action. The Federal Trade Commission (FTC) filed suit against Wallace in 2004 to halt his SpamBot practices. FTC lawyers worked the case for two years and in March 2006 obtained a default judgment of $4 million when Wallace didn’t show up in court to contest the charges.

In October of that year, Wallace’s friend Rines was also hit with an injunction in an online marketing case. While this might have seemed like a good time for each man to lie low, the pair instead partnered again. They were soon at work on a new plan to make money marketing through the newly hot social networks. (The two “wasted little time in violating the Court’s Order” is how FTC lawyers later put it.) Their plan targeted the hugely popular MySpace site with the ultimate goal of directing MySpace users to websites advertising such things as ring tones and adult dating services.

Few people would click such low-quality links if they were clearly presented as ads. The beauty of the Wallace/Rines approach was that because their links appeared as messages from a MySpace user’s actual friends rather than as ads, clickthrough rates were high—as were profits. The FTC estimated that the scheme raked in at least $555,850.04 (the actual tally was probably higher).

Sanford Wallace, from his Google+ page.

Sanford Wallace, from his Google+ page.

The project showed real, if devious, creativity. In order to access people’s MySpace accounts, Wallace and Rines devised a plan to get people to hand over their account information. No subject was off-limits. Could the resurrection of Jesus somehow be used to generate money from sex sites? Yes, it could. In one memorable exploit, the pair used MySpace accounts they had created to send 392,726 unsolicited messages pitching Easter e-cards to other MySpace users. When the recipients clicked the link to view the online card, they were asked if they would like to “forward” the card to their own friends. They did so by entering their MySpace password and username into a form that looked a lot like the actual MySpace log-in page; Wallace and Rines would then add the accounts to their database. Later, they would log into these accounts and spam links to people’s friends, advertising whatever websites were willing to pay them. Visitors to the Easter e-card site who tried to leave the page without divulging their MySpace credentials were simply redirected to the advertising sites.

Even for a network the size of MySpace, which had 50 million registered users in early 2006, Wallace quickly became a serious problem. As the technical side of the operation, he used automated tools to log in to more than 300,000 MySpace accounts and send more than 890,000 messages with links. The MySpace abuse team received more than 800 complaints about this behavior. In early 2007, the company filed a lawsuit against Wallace, and the FTC soon went after both men for violating the injunctions against more spamming. But Wallace defended his actions.

During his deposition with Frankel, the FTC lawyer, Wallace insisted that the messages he sent to other MySpace users weren’t “unsolicited” at all. This was the beauty of sending links from one MySpace user to the user’s friends. “A message between two friends is not defined as ‘unsolicited’ by several standards,” Wallace said. “If I call you up tomorrow and ask you if you’d like me to send you a document, is that an unsolicited phone call, or do we have an existing relationship?”

Besides, this wasn’t e-mail in the traditional technical sense, he said. “It’s not something coming from a stranger with a fake return address like the CAN-SPAM act is apparently trying to address… “This is friend to friend communication, and we don’t evade any type of friend to friend blocking techniques. We don’t trick in any way. We don’t trick people into getting messages from their friends. It’s based solely on their friend’s action [in giving log-in information to Wallace].” Wallace insisted that he had found a novel, legal way to market websites. “I’ve just been working with [Rines] on MySpace-related activities, advertising and Internet traffic and things of that sort, nothing in violation of your order,” he said.

Frankel let it go and turned to the question of the money. Why hadn’t Wallace paid the millions he owed the FTC? After all, Wallace had pulled in more than $4 million from SmartBot alone and was earning hundreds of thousands from his work on MySpace. Wallace insisted he was in debt, that he no longer had a credit card because “I basically could not pay off some of my credit card bills,” and that he had made big payments to six casinos for gambling debts—including $350,000 to the MGM Grand Mirage. But beyond that, he was maddeningly vague.

He said he could not recall the amounts he had paid to other casinos. He claimed to have no real idea of the total income he had made over the years. And he could not explain what had happened to all of his money:

Q. [Frankel] Well, here’s the kicker with all that. What happened to all this money? What happened to the $4 million plus, where is it today?

A. [Wallace] Most of it was spent, I had debts and all this has to be—all this has to be reconciled through the use of this bank account which I would like to get cleared and taken care of with you, so that you can see exactly where the monies went. It’s all pretty much a pretty obvious story if you look at the bank.

Q. What’s your—give me the general answer. What happened to the money? Right now you’re saying you have to show me documents, but where did the money go? Where is it? It’s a lot of money.

A. Yeah. I mean I had a lot of debt, and honestly I don’t know exactly where the money went. I would have to look at my bank account with you, and I’m not evading your question. I just don’t know how to give a general answer to that. And monies went out and came in for three years.

Q. I’m not a rich guy, but if I had $4 million and I have nothing now, I would have at least some sense as to where the money went.

A. I had over a million dollars in casino debts.

Q. Okay. Grant that. Now, where did the other $3 million go?

A. Again, this is a very impossible question for me to answer without having actual paperwork in front of me to go over specific itemization of what happened to the money and what didn’t happen to the money.

Although he claimed that he currently had only $20,000 in a checking account, Wallace drove a $30,000 car with only 1,500 miles on it, had a $1,100-a-month apartment, and had just purchased a $1,400 watch. How did he afford it all, Frankel asked, on his $400-a-week DJ income? “I could not afford my rent if I did not have the other business,” Wallace admitted, referring to his MySpace activities. When the money got tight, he went back to what he knew.

Frankel was resigned. “I’m trying to help you reform,” he said, as the day of sparring drew to a close, “which is probably not going to happen, but I’m trying.”

Social networks strike back

The hoped-for reformation was not to be. In the MySpace civil lawsuit, the one where the process server had allegedly thrown the papers at Wallace in an attempt to serve him, Wallace refused to comply with court orders. He offered the same set of excuses about total disorganization that he had given Frankel. As a 2008 CNET article put it, “Each time, MySpace waited and each time Wallace failed to comply. Early on, Wallace informed MySpace he was having a hard time finding legal counsel. Soon after, he said he couldn’t comply because he was unaware of his court dates; he wasn’t accepting mail or signing for packages and that’s why he missed receiving notifications.”

The judge, fed up with all the delays, eventually ruled Wallace in contempt and awarded MySpace $230 million dollars to be paid jointly by Wallace and Rines. Several months later, in September 2008, the FTC successfully convinced the chief federal judge in New Hampshire to hold both Wallace and Rines in contempt for their MySpace activities. They were ordered to “disgorge” the $555,850.04 in cash that the FTC had been able to track.

The judge wasn’t about to hand out $7 billion antispam awards, but in October he did award Facebook $711 million in damages when Wallace still refused to appear.

In early 2009, Facebook filed suit against Wallace after he tried his MySpace-style “marketing” on a new social network. Wallace failed to comply with court orders in the case, and a default judgment hearing was scheduled for June 12. The day before the hearing, Facebook found out that Wallace had filed for bankruptcy in Las Vegas, which granted him an automatic stay on the default proceedings. But Wallace had not filed all the required documents with the bankruptcy court—perhaps he truly was pathologically disorganized, or perhaps the bankruptcy filing was just a delay tactic. The bankruptcy court threw his case out in late July, making Wallace again a viable target for Facebook. Company lawyers asked the judge to find Wallace in default and argued that, by their calculations, he owed them $7 billion.

The judge wasn’t about to hand out $7 billion antispam awards, but in October, he did award Facebook $711 million in damages when Wallace still refused to appear. (“The Court is not persuaded that an award of statutory damages in excess of seven billion dollars is proportionate to Wallace’s offenses,” wrote the judge.) Facebook rather optimistically declared victory. “While we don’t expect to receive the vast majority of the award, we hope that this will act as a continued deterrent against these criminals,” said a post on the company’s blog.

To summarize the absurd situation as it stood at the start of 2011: Wallace had been targeted by a major federal agency and now owed it $4,555,850.04 ($4 million for SpamBot plus a separate $555,850.04 for his MySpace antics); he had been sued by MySpace and hit with a $230-million judgment; he was the subject of several court-ordered injunctions against his behavior; and he owed Facebook $711 million.

Yet no one seemed able to squeeze any cash out of him, nor could they get him to stop spamming. According to the judge in the Facebook case, Wallace had spent a good bit of 2009 ignoring the court’s initial temporary restraining order and continued his Facebook account harvesting and link spamming.

Perhaps what Wallace said was all true: he was a big-spending, boom-and-bust guy who paid no real attention to his finances, who missed court dates, and didn’t produce documents because he was supremely disorganized. Perhaps he really had moved from one venture to the next with good intentions, always believing that he had tweaked his approach just enough to remain legal. But increasingly no one cared about the reasons; they just wanted Wallace to stop.

Pete Wellborn, the lawyer who had tangled with Wallace in the 1990s and who believed that Wallace had gone straight, told me in late 2012, “I absolutely believed Sanford when I made that statement nearly 15 years ago.” Without personal knowledge of Wallace, Wellborn ventured no comment on the recent spamming charges. But “if any of the more recent charges against Sanford are true, it is a sad and disappointing state of affairs,” he told me. “Like him or not, Sanford is crazy smart and could have been ultra-successful in any variety of legitimate technology ventures.”

Highway to hell

“I was reminded of a quote by LBJ [US President Lyndon Baines Johnson],” said veteran FTC attorney Joshua Millard when I asked him about the difficulty of stopping a devoted spammer. “It’s one thing to tell a fellow to go to hell; it’s another thing to actually make him go there.” Millard had led the FTC prosecution of Wallace during one of the spammer’s many brushes with the agency. Though Millard believed that fines were generally “persuasive” deterrents, he acknowledged that the FTC sees “a small but hearty number of defendants who can be highly resistant to persuasion. A fellow like Wallace, somebody who’s engaged in that much spamming over the years—that’s very unusual—it really speaks to the degree that for him it’s almost force of habit.”

Finally, one judge had enough. Convinced that Wallace had “willfully violated” his initial restraining order in the Facebook case, Judge Jeremy Fogel at last referred Wallace to the local US attorney’s office and requested that Wallace be prosecuted for criminal contempt.

After the criminal contempt referral, breaking Wallace of his habit became the job of the US attorney for the Northern District of California. No longer limited to fines, criminal contempt charges carried the threat of real jail time—the only absolutely surefire way to stop a spammer. The FBI investigated Wallace’s Facebook activities for two years before the government finally filed its case, charging that Wallace had connected to Facebook from 143 different, proxied IP addresses “in order to deceive Facebook” and had sent 27 million pieces of spam through 500,000 compromised Facebook accounts. On August 4, 2011, Wallace—then 43 years old—surrendered to FBI agents. “Interesting day to say the least,” he wrote the next day on social network Google+ after posting a $100,000 bail.

The government’s indictment suggests just how committed to spamming Wallace had become. In March 2009, he had been ordered to stop all contact with Facebook; he allegedly held out only until the middle of April, when he logged into his Facebook account from a Virgin Airlines flight to New York. Despite the $711 million judgment against him in the case and the knowledge that criminal contempt charges were likely in the works, Wallace maintained a Facebook profile for “David Sinful-Saturdays Fredericks” until at least February 2011.

Wallace’s long case history illustrates an obvious fact: not even the powerful word of the US government is self-executing. Those who have grown up with respect for judicial and police authority and those with a strong stake in the existing system of law and order need little more than a judge’s word or an FTC consent order to comply. For civil matters, the government does have mechanisms in place to ultimately compel behavior, but each mechanism requires renewed, and significant, human effort. FTC lawyers can go to court and obtain default judgments when their targets don’t show up, but every move to enforce those judgments requires more trips to the judge, more evidence collection, more legal documents, and the eventual involvement of US marshals. If lawyers for a defendant start challenging these steps, the amount of effort needed to collect a fine grows more quickly than a Vegas air-conditioning bill.

The FTC’s Frankel reminded Wallace of this government power when grilling him about money during their day together in Las Vegas. “I mean if we got to it, we could get to the point where we literally have a US Marshal—you understand, where collection actions go—US Marshals come to your apartment knocking on your door,” he said. “If you don’t answer, they can literally go in—I’m not saying we’re going to do this—go in and say, ‘We understand you have money in your kitchen cabinet somewhere.’ I want to know approximately where it is and approximately how much it is.”

Not that bringing in the US Marshals solves the collections problem. They might be directed to seize a bank account in payment of a huge court judgment, for instance, only to find that it holds less than $1,000. What happened to the rest of the money? It’s not their job to find out, which means the problem goes back to the lawyers to solve. The lawyers collect more evidence, hold debtors’ hearings, investigate bank account records. That level of effort can only be expended for certain cases. If a lawyer suspects that his target really is out of cash, what’s to be gained by spending another month in a fruitless attempt to secure payment?

For the most determined spammers and scammers, fines—if paid at all—may be little more than a cost of doing business. The FTC regularly requires bad actors to disgorge their ill-gotten gains, but in some cases these have already been spent or cannot be fully located. This procedure, one common complaint argues, creates a cold calculus of costs. Say you’re a spammer with a hot new idea to try out on a new social network. The worst-case scenario is that you are (1) found out, (2) actually pursued in court, and (3) eventually forced to pay back the money. The best case is that the government gives up and you end up with all the cash. In neither case are you in jail, and in neither case have you paid huge additional fines.

This process sometimes riles up consumer advocates, who want scammers to lose more than their misgotten gains. At the “Scam Times” blog, for instance, writer Matt Jezorek complains that “the FTC needs to step up and quit being sissy’s [sic] and start putting people where they belong either in jail or out of business, these types of people seem to think the fines are the cost of doing business and they are making enough money to pay the fines and continue with the same deceptive practices they are getting in trouble for.”

Agencies like the FTC recognize the issue, of course, but insist that their enforcement actions stop all but the most devoted spammers—and that civil enforcement is not the country-club operation that some critics suggest. As Millard put it, “I have yet to have anyone be cheered by the prospect of a Federal Trade Commission suit.”

How do you make a fellow go to hell? Sticking him in a federal prison is a good start down that broad road—but it’s also an admission of just how ineffective all lesser remedies have been.

As of December 2013, the federal case against Wallace continues.

Listing image by Sean MacEntee