Or the webhost where Bob's Plumbing Supplies is hosted detects an attack and files a complain. Or the SAAS/server rental sees this, puts you on some automatic blacklist and puts in on the "to be investigated" blacklist. Too many parties involved whom you are "hurting" that might get back to you.

Not saying this to keep anyone from repeating this, though; just that when doing so, keep in mind that you're probably not just hurting a scammer alone.

If you're messing with criminals using an IP traceable to you then the police might be the least of your problems.