Spammers can cross the e-mail address firstname.lastname@example.org off their lists, because Mount Airy resident Roland A. Mariano canceled his subscription to America Online yesterday.
The news that a 24-year-old America Online software engineer was arrested on charges that he hacked into the Internet provider's computers and took a list of 92 million AOL-mail addresses so they could be sold to bulk e-mailers sent Mariano over the edge.
"I think you're going to have a lot of people quitting," he said, still fuming over the half-hour-long phone call it took to discontinue the account.
Mariano is an extreme case; America Online Inc. officials said there were no mass defections by subscribers as a result of the news. Rather, during a 24-hour period following the announcement of the arrest of former employee Jason Smathers, the company said, it experienced a small surge of calls to its call centers amounting to a 2 percent increase over a typical day, according to Nicholas Graham, a company spokesman.
Subscribers described several reasons for staying put. Changing an address can be a major inconvenience not unlike changing a phone number. Not only do you have to set up a new online identity but you have to alert friends, family and others to the new address. Besides, some users figured they were just as likely to receive stacks of unwanted e-mail at any new address they picked.
Nancy Malloy, a Rockville resident and AOL subscriber since the 1990s, found the theft of screen names annoying, but didn't bother to stop her account. She said she still remembers the runaround she received when she tried to cancel her subscription once before.
"I would cancel it if I had the time to sit on the phone and go through it with them today, but I didn't," Malloy said.
Malloy figures she will change her screen name as a response to the security breach; AOL members get seven screen names, monikers under which they can send and receive e-mail. She had to change her screen name once a year or two ago, after a spammer sent bulk e-mails using her e-mail address. "Now I guess I'll have to do it again," she sighed.
Yesterday, AOL was counseling users not to take any action as a result of the screen name theft. After all, some popular spam techniques, called "dictionary" attacks, don't depend on lists of known users, they simply work by trying different combinations of words and numbers.
"Spam is still going to exist on the Internet no matter what kind of screen name you have or whether it gets changed," Graham said.
Some Web experts counsel Internet users wanting to avoid spam to use difficult-to-guess addresses using strings of letters and numbers to guard against dictionary attacks. People can also limit their exposure to spam by taking care not to post their address publicly. When an address must be public, it helps to do so in a form like "nameNOSPAM@aol.com" to defeat software that automatically searches the Web to collect addresses.
Spam is not the only concern. The alleged theft at AOL also put the subscriber Zip codes, phone numbers and types of credit card -- but not card numbers -- into the hands of spammers. During a talk in Tysons Corner yesterday to the Potomac Officers Club, a local business group, America Online chief executive Jonathan F. Miller said the damage could have been far worse if customers' credit card numbers and passwords had been released. Instead, such data is stored separately, and fewer people have access to the information, AOL officials said.
Miller said internal security breaches are a risk that all businesses face. "The hardest thing for any company is to prevent theft from the inside by someone with knowledge, access and criminal intent," Miller said.
As for spammers, "it is a cat-and-mouse game," he said. "We are going after them, and we'll continue going after them."
AOL said that it blocks up to 2.5 billion pieces of spam every day and that users are getting less of it in their inboxes than they did last year. It is impossible to tell how many of such unwanted e-mails are sent by spammers that had allegedly bought names from Smathers. Prosecutors said they included pitches for online casinos and herbal penile enlargement remedies.
Smathers, who is accused of having accessed AOL's list of addresses by using another employee's computerized identification code, could face up to five years in prison and at least $250,000 in fines if convicted. At a brief hearing in federal court in Alexandria yesterday, U.S. Magistrate Judge Theresa C. Buchanan released him on his own recognizance and ordered him to report to federal authorities in New York by July 23. Until then, he will be allowed to travel only in the area of his home in Harpers Ferry, W. Va., and New York.
The substance of the charges was not discussed at the hearing, and a lawyer for Smathers, Nina Vidal, and Smathers's wife declined to comment.
For Mariano, the AOL subscriber who canceled his account yesterday, the episode had one silver lining. He finally had someone to blame for all the offers he was receiving for potentially embarrassing men's products.
"My wife was getting on my case; she thought I was being a jerk," he said.
Staff writer Jerry Markon contributed to this report.