By Cynthia L. Webb washingtonpost.com Staff Writer
Thursday, June 24, 2004; 9:38 AM
America Online has amply demonstrated its acumen in attacking spam, but the latest news on the junk e-mail front has left the company reeling.
Authorities yesterday arrested 24-year-old AOL software engineer Jason Smathers, who is accused of lifting 92 million AOL subscribers' e-mail addresses and selling them to 21-year-old Internet gambling entrepreneur Sean Dunaway for $100,000. Authorities allege Dunaway, who was also arrested, sold the addresses to spammers and used them to hawk gambling ads. Both men were charged with conspiracy and, if convicted, could spend up to five years in prison and be forced to pay a $250,000 fine. That punishment, however, might not even come close to making up for the potential damage to customer confidence in AOL's internal security.
The Los Angeles Times reported that the "case underscores the difficulties that Internet service providers face as they fight to keep their networks free of spam. AOL, the country's biggest ISP, with more than 30 million customers, has sued dozens of spammers and blocked billions of their messages. But the actions of a single rogue employee may have delivered AOL's entire member list into the hands of online marketers. 'It's a black eye,' said Rob Sanderson, an analyst with American Technology Research."
Los Angeles Times: Insider Arrested In Spam Scheme
"The theft, the first at AOL, is one of the largest of its kind. It underscores what spammers will do to reach consumers. They usually buy e-mail addresses from people who comb the Internet for them," USA Today reported. Independent tech researcher Michael Osterman told the paper that "If it can happen to AOL, it can happen to anyone."
USA Today: AOL Says Worker Sold Screen Names
The case is one of the first that relies on the six-month-old national anti-spam law, as The Wall Street Journal reported. "The CAN-SPAM act, which took effect Jan. 1, regulates commercial e-mail by requiring, for example, an existing business relationship between the sender and the recipient. The law requires that commercial e-mail contain a valid U.S. postal address as well as a way for recipients to refuse future mailings from the sender. The law also makes it harder for senders to disguise their identity. ... Smathers and Dunaway couldn't be reached to comment," the paper said. The Financial Times said the charges "highlight the dangers facing internet service providers from spammers who are willing to go to ever-greater lengths to ensure e-mails reach users' inboxes."
The Wall Street Journal: AOL Employee Faces Charges In Spam Probe (Subscription required)
Financial Times: AOL Man Charged With Spam Offences
The Washington Post detailed how authorities think the heist occurred: "Smathers, who became an AOL employee in 1999, obtained other AOL member information as well, including telephone numbers, Zip codes and types of credit cards used by members, though not credit card numbers, according to the complaint. The company said those numbers are stored in a separate, secure facility... According to prosecutors, Smathers was not authorized to access AOL's customer database, which can be viewed by only a small number of employees and is 'housed' in secure computers. But in May 2003, Smathers used the computerized employee identification code of another AOL worker to gain entry to the data and compile the lists of AOL's roughly 30 million users, many of whom maintain more than one screen name. 'I think I found the member database,' Smathers wrote in an instant message to an unidentified person who used the handle The Brews. 'There are going to be millions of them so, will take time to extract. I will do them a chunk at a time.'"
The Associated Press said Dunaway eventually "offered the list to spammers, charging them $2,000 for lists containing names beginning with a single letter of the alphabet or $52,000 for the entire list, the complaint said. At least one spammer used the list to send advertising for herbal penile enhancement pills, prosecutors said."
And more from the Post: "The revelations come as AOL and other Internet providers have ramped up their efforts to track down the purveyors of spam, which has grown into a maddening scourge that costs consumers and businesses billions of dollars a year." Not to understate the case, but the news left AOL management in a pretty bad mood. "I am very, very angry about this," AOL chief executive Jonathan F. Miller wrote in an e-mail to employees yesterday, according to the Post. "We will absolutely not tolerate wrongdoing by employees. . . . We will do everything we can to uncover abuse and assist law enforcement in prosecuting it."
The Washington Post: AOL Employee Charged In Theft of Screen Names (Registration required)
Associated Press via The Washington Post: Two Men Arrested In AOL Spam Scheme (Registration required)
The New York Times provided more details on how the case was cracked: "In the process of discovery for that lawsuit, AOL interviewed someone who said he bought addresses of its members from an insider and used it to send spam for penis enlargement pills, according to the complaint. AOL passed that information to the Secret Service. The pill vendor told the Secret Service that he purchased a list of names from Mr. Dunaway, who had told him they came from an employee of AOL.
America Online, a unit of Time Warner, was able to determine the identity of the insider by looking at the dates from a copy of the stolen list provided by the pill vendor, according to the complaint. Once it determined the date that the list was stolen, it looked at its log of users and determined that the computer of Mr. Smathers was involved in looking up e-mail addresses on that date," the article said. "America Online searched the laptop computer of Mr. Smathers, who was fired yesterday, and discovered e-mail discussions about the profits that can be earned from sending spam as well as evidence that he had broken into AOL's database, the complaint said."
The New York Times: Two Arrested and Charged In E-mail Theft (Registration required)