Arresting News for AOL

By Mike Musgrove and David A. Vise
Washington Post Staff Writers
Friday, June 25, 2004

Spammers can cross the e-mail address off their lists, because Mount Airy resident Roland A. Mariano canceled his subscription to America Online yesterday.

The news that a 24-year-old America Online software engineer was arrested on charges that he hacked into the Internet provider's computers and took a list of 92 million AOL-mail addresses so they could be sold to bulk e-mailers sent Mariano over the edge.

"I think you're going to have a lot of people quitting," he said, still fuming over the half-hour-long phone call it took to discontinue the account.

Mariano is an extreme case; America Online Inc. officials said there were no mass defections by subscribers as a result of the news. Rather, during a 24-hour period following the announcement of the arrest of former employee Jason Smathers, the company said, it experienced a small surge of calls to its call centers amounting to a 2 percent increase over a typical day, according to Nicholas Graham, a company spokesman.

Subscribers described several reasons for staying put. Changing an address can be a major inconvenience not unlike changing a phone number. Not only do you have to set up a new online identity but you have to alert friends, family and others to the new address. Besides, some users figured they were just as likely to receive stacks of unwanted e-mail at any new address they picked.

Nancy Malloy, a Rockville resident and AOL subscriber since the 1990s, found the theft of screen names annoying, but didn't bother to stop her account. She said she still remembers the runaround she received when she tried to cancel her subscription once before.

"I would cancel it if I had the time to sit on the phone and go through it with them today, but I didn't," Malloy said.

Malloy figures she will change her screen name as a response to the security breach; AOL members get seven screen names, monikers under which they can send and receive e-mail. She had to change her screen name once a year or two ago, after a spammer sent bulk e-mails using her e-mail address. "Now I guess I'll have to do it again," she sighed.

Yesterday, AOL was counseling users not to take any action as a result of the screen name theft. After all, some popular spam techniques, called "dictionary" attacks, don't depend on lists of known users, they simply work by trying different combinations of words and numbers.

"Spam is still going to exist on the Internet no matter what kind of screen name you have or whether it gets changed," Graham said.

Some Web experts counsel Internet users wanting to avoid spam to use difficult-to-guess addresses using strings of letters and numbers to guard against dictionary attacks. People can also limit their exposure to spam by taking care not to post their address publicly. When an address must be public, it helps to do so in a form like "" to defeat software that automatically searches the Web to collect addresses.

Spam is not the only concern. The alleged theft at AOL also put the subscriber Zip codes, phone numbers and types of credit card -- but not card numbers -- into the hands of spammers. During a talk in Tysons Corner yesterday to the Potomac Officers Club, a local business group, America Online chief executive Jonathan F. Miller said the damage could have been far worse if customers' credit card numbers and passwords had been released. Instead, such data is stored separately, and fewer people have access to the information, AOL officials said.

CONTINUED     1        >

© 2004 The Washington Post Company