On a warm April morning in 2007, one of the world’s most notorious spammers walked through the doors of the Lloyd D. George Federal Courthouse in Las Vegas. Though the Federal Trade Commission was attempting to collect a $4 million judgment against him, Sanford “Spamford” Wallace showed up to his sworn deposition without a lawyer—and without any of the documents required of him.

Wallace, though nominally cooperative, had been nearly impossible to reach. When attorneys from the social network MySpace had sued him weeks before, the process server tasked with delivering legal documents couldn’t make contact with Wallace and eventually went to the OPM Nightclub where Wallace worked weekends as a $400-a-week disc jockey under the name “DJ MasterWeb.” The process server claimed to have approached Wallace at the club before being intercepted by security guards; the lawsuit papers were literally thrown at Wallace in an attempt to get good service on him.

FTC lawyer David Frankel, who was overseeing Wallace courthouse questioning as part of a separate spam case brought by the government, had resorted to telephone calls, FedEx packages, and e-mails to contact Wallace; he even sent a personal messenger on occasion. Despite the extraordinary measures, Frankel didn’t know when he showed up to court that April morning whether Wallace would actually arrive.

Wallace did arrive. After swearing to tell the truth in his testimony, he explained to Frankel that the problems weren’t the result of malice but were instead caused by utter disorganization. “Let me just state, for the record, that I am chronically disorganized, and that’s one of the reasons it’s so difficult to communicate with me, and some of the things that would appear to the normal person to be uncooperative, it’s actually possible and very often related to the fact that I’m a very disorganized person,” he said at the beginning of his testimony. “I think you’ll see that as we continue this conversation that as a lot of documents haven’t been filed or organized in a very efficient manner by myself, I want to just state for the record that that is something that I could probably have a psychiatrist to verify if I had to.”

“A business that worked”

Yet Wallace had been organized enough to become a massive spammer. Born in 1968, he attended high school in Maplewood, New Jersey, but realized the academic world wasn’t for him. He tried attending college twice, first at SUNY-Buffalo and then at New Jersey’s Ramapo College; he didn’t last a semester at either. He later described himself as “not a good student.”

A note on sourcing

This feature is excerpted, in slightly modified form, from the book The Internet Police: How Crime Went Online, and the Cops Followed by Ars Deputy Editor Nate Anderson. It can currently be purchased as a hardback (Amazon, Barnes & Noble, or local bookstores) or as an e-book (Amazon, iTunes, Barnes & Noble, or Google Play).

Most quotes from Wallace come from the “Deposition of Contempt Defendant Sanford Wallace,” FTC v. Odysseus Marketing and Walter Rines, United States District Court—District of New Hampshire, case no. 05-CV-330-SM, docket nos. 27–32, filed January 23, 2008.

Full footnotes are available in the book.

That didn’t stop him from finding monetary success—and public notoriety—during the mid-1990s with his Pennsylvania company Cyber Promotions. As a heavyset twentysomething with close-cropped hair and glasses, Wallace first spammed fax machines and then moved on to e-mail, believing that he had a legal right to market his wares as he saw fit. Dubbed “Spamford” by opponents, he eventually embraced the nickname and even registered the domain spamford.com. (In 1997, Hormel sent him a letter objecting to the name on the grounds that it used the company’s potted meat SPAM trademark). Unlike other spammers who hid their identities, Wallace regularly tangled in public with antispam crusaders.

Cyber Promotions quickly became so hated that a dozen Internet service providers, including AOL, sued Wallace in the late 1990s, each hoping to halt his flood of junk e-mail despite the lack of antispam laws at the time. Wallace pressed on, but the lawsuits did cramp his business. He settled several of them by agreeing not to spam the particular network at issue, which gradually whittled down the list of places he could send spam without getting into more trouble.

Antispam vigilantes were also after him and his company. They hacked his website, replacing its homepage, and went after the Michigan Internet provider that served Cyber Promotions. As recounted in the 2004 book Spam Kings by Brian McWilliams, Wallace was angry enough about the hacking to offer a $15,000 reward and claimed he was alerting the FBI.

By 1998, the pressure was so intense that Wallace had trouble finding an Internet provider to offer service to his company. In January, a local Philadelphia paper reported that Wallace had returned to his roots in junk faxing despite the fact that federal law now prohibited the practice. Local residents were furious; one managed to get Cyber Promotions delisted from the Better Business Bureau.

In April 1998, Wallace publicly announced his “retirement” from spamming. After several more failed ventures and a failed marriage, he moved to New Hampshire and in January 2002 bought a nightclub called Plum Crazy from Walter Rines, a former spam partner. The club, just outside of Rochester, proved popular; few visitors knew that club owner DJ MasterWeb had such a colorful past.

When Wired magazine visited Plum Crazy in 2003, Wallace appeared to be a changed man. Those lawsuits from Internet providers hadn’t killed his business; “they put me into business—a business that worked,” he said at the time. Even top antispam lawyers were pleased to see the change of heart. The Wired story included a line that at the time seemed perfectly sane: “I think the world of Sanford,” it quoted Pete Wellborn, an Atlanta attorney who won a $2 million judgment against Wallace on behalf of EarthLink in 1998. “He really is a man of his word, unlike the spammers we see now who are either ignorant or common criminals.”

The power of friends

But Wallace soon needed money. Plum Crazy went bankrupt; Wallace sold his house and moved to Las Vegas. He revived an older business of his called SmartBot and soon began a scheme in which he infected computers with spyware that then popped up messages selling an “antispyware program” to clean the infection. This finally moved the feds to action. The Federal Trade Commission (FTC) filed suit against Wallace in 2004 to halt his SpamBot practices. FTC lawyers worked the case for two years and in March 2006 obtained a default judgment of $4 million when Wallace didn’t show up in court to contest the charges.

In October of that year, Wallace’s friend Rines was also hit with an injunction in an online marketing case. While this might have seemed like a good time for each man to lie low, the pair instead partnered again. They were soon at work on a new plan to make money marketing through the newly hot social networks. (The two “wasted little time in violating the Court’s Order” is how FTC lawyers later put it.) Their plan targeted the hugely popular MySpace site with the ultimate goal of directing MySpace users to websites advertising such things as ring tones and adult dating services.

Few people would click such low-quality links if they were clearly presented as ads. The beauty of the Wallace/Rines approach was that because their links appeared as messages from a MySpace user’s actual friends rather than as ads, clickthrough rates were high—as were profits. The FTC estimated that the scheme raked in at least $555,850.04 (the actual tally was probably higher).

The project showed real, if devious, creativity. In order to access people’s MySpace accounts, Wallace and Rines devised a plan to get people to hand over their account information. No subject was off-limits. Could the resurrection of Jesus somehow be used to generate money from sex sites? Yes, it could. In one memorable exploit, the pair used MySpace accounts they had created to send 392,726 unsolicited messages pitching Easter e-cards to other MySpace users. When the recipients clicked the link to view the online card, they were asked if they would like to “forward” the card to their own friends. They did so by entering their MySpace password and username into a form that looked a lot like the actual MySpace log-in page; Wallace and Rines would then add the accounts to their database. Later, they would log into these accounts and spam links to people’s friends, advertising whatever websites were willing to pay them. Visitors to the Easter e-card site who tried to leave the page without divulging their MySpace credentials were simply redirected to the advertising sites.

Even for a network the size of MySpace, which had 50 million registered users in early 2006, Wallace quickly became a serious problem. As the technical side of the operation, he used automated tools to log in to more than 300,000 MySpace accounts and send more than 890,000 messages with links. The MySpace abuse team received more than 800 complaints about this behavior. In early 2007, the company filed a lawsuit against Wallace, and the FTC soon went after both men for violating the injunctions against more spamming. But Wallace defended his actions.

During his deposition with Frankel, the FTC lawyer, Wallace insisted that the messages he sent to other MySpace users weren’t “unsolicited” at all. This was the beauty of sending links from one MySpace user to the user’s friends. “A message between two friends is not defined as ‘unsolicited’ by several standards,” Wallace said. “If I call you up tomorrow and ask you if you’d like me to send you a document, is that an unsolicited phone call, or do we have an existing relationship?”

Besides, this wasn’t e-mail in the traditional technical sense, he said. “It’s not something coming from a stranger with a fake return address like the CAN-SPAM act is apparently trying to address... “This is friend to friend communication, and we don’t evade any type of friend to friend blocking techniques. We don’t trick in any way. We don’t trick people into getting messages from their friends. It’s based solely on their friend’s action [in giving log-in information to Wallace].” Wallace insisted that he had found a novel, legal way to market websites. “I’ve just been working with [Rines] on MySpace-related activities, advertising and Internet traffic and things of that sort, nothing in violation of your order,” he said.

Frankel let it go and turned to the question of the money. Why hadn’t Wallace paid the millions he owed the FTC? After all, Wallace had pulled in more than $4 million from SmartBot alone and was earning hundreds of thousands from his work on MySpace. Wallace insisted he was in debt, that he no longer had a credit card because “I basically could not pay off some of my credit card bills,” and that he had made big payments to six casinos for gambling debts—including $350,000 to the MGM Grand Mirage. But beyond that, he was maddeningly vague.

He said he could not recall the amounts he had paid to other casinos. He claimed to have no real idea of the total income he had made over the years. And he could not explain what had happened to all of his money:

Q. [Frankel] Well, here’s the kicker with all that. What happened to all this money? What happened to the $4 million plus, where is it today?

A. [Wallace] Most of it was spent, I had debts and all this has to be—all this has to be reconciled through the use of this bank account which I would like to get cleared and taken care of with you, so that you can see exactly where the monies went. It’s all pretty much a pretty obvious story if you look at the bank.

Q. What’s your—give me the general answer. What happened to the money? Right now you’re saying you have to show me documents, but where did the money go? Where is it? It’s a lot of money.

A. Yeah. I mean I had a lot of debt, and honestly I don’t know exactly where the money went. I would have to look at my bank account with you, and I’m not evading your question. I just don’t know how to give a general answer to that. And monies went out and came in for three years.

Q. I’m not a rich guy, but if I had $4 million and I have nothing now, I would have at least some sense as to where the money went.

A. I had over a million dollars in casino debts.

Q. Okay. Grant that. Now, where did the other $3 million go?

A. Again, this is a very impossible question for me to answer without having actual paperwork in front of me to go over specific itemization of what happened to the money and what didn’t happen to the money.

Although he claimed that he currently had only $20,000 in a checking account, Wallace drove a $30,000 car with only 1,500 miles on it, had a $1,100-a-month apartment, and had just purchased a $1,400 watch. How did he afford it all, Frankel asked, on his $400-a-week DJ income? “I could not afford my rent if I did not have the other business,” Wallace admitted, referring to his MySpace activities. When the money got tight, he went back to what he knew.

Frankel was resigned. “I’m trying to help you reform,” he said, as the day of sparring drew to a close, “which is probably not going to happen, but I’m trying.”