Back in the late 1980s, when I was using an email client called Lotus cc:Mail, my work email address had found its way to a porn spammer, and he began to load my inbox with enticements. After five of them came through in a couple of minutes, I decided to take a look at the email header. Back then, spammers didn't hide as much, and the header revealed the spammer's true domain name. Using a reverse lookup, I found the hacker's name, address, and work email address from his domain's DNS registrar.
I sent a polite email asking to be removed from the spammer's email list. He replied that there's nothing he could do and followed up with 10 more porn spams. This ticked me off, so I created a mailbox rule to send right back at him 100 copies of any porn spam message he shot my way. Naturally, this only incited him to fire off even more spam and a personal email indicating that he was sharing my email address with other spammers.
I used the search engine we all envied at the time, AltaVista, and found not only his personal email account, but those of his wife, daughter, and grandparents. I sent him an email notifying him that every time I received any new spam I would send 100 copies of that spam to his personal email account, as well as those of his wife, his daughter, and his grandparents. Not surprisingly, the new spam suddenly stopped. I even got an email from him notifying me that it might take a day for all spam to stop because he had to remove my name from external lists beyond his control. I never got another spam from him.
I contacted the late, great Ed Foster's Gripeline column at InfoWorld (many years before I began writing for InfoWorld myself) and told him what I did and how I had found a new way to stop spam that anyone could use. I expected him to congratulate me and make me the focus of one of his columns. Instead, he told me that what I did, or proposed to do, including using the daughter's email address in my threat, bordered on illegal, or at least ethical, issues. Bless Ed Foster for making me realize I was walking a line I might not want to tread.
True tale of (mostly) white-hat hacking No. 3: Red-herring sting nabs nefarious fishmonger
Years ago I was hired by the CEO of a small fish-selling business. He had a hunch that a former senior executive had hacked his company to get a competitive edge in fish sales to Egypt. A new company, started by the former VP, was suddenly and consistently beating his bid proposals by 1 cent per pound -- just enough to ensure that my client's company went from getting every fish delivery project to getting none. The fishmonger was near bankruptcy when he hired me.
I was a little skeptical of his allegations of computer hacking during our initial visit, but while I was there something odd happened. An Egyptian contact, to whom the CEO had sent bid responses, had received an automatic notice of an email being opened (a read receipt) from an unknown email account in response to an email he had sent my client. The read receipt should have originated from the CEO's email account, but instead it came from a university email account. It looked like, and was later confirmed, that the hacker had forgotten to turn off automated read receipts in his email client, and when he opened email intended to the CEO, his email client sent back a read receipt from his email account.