Originally created 02/22/99

When teens chat, spammers listen



It began innocently enough, but how things turned out was anything but innocent.

On a recent Saturday, my twin 10-year-olds and a neighbor decided the best place in the universe to find some fun was America Online, chatting with others their age.

They sought permission to upgrade the status of their AOL logons from "child" to "young teen," because they wanted to visit a chat room called Friends on AOL, frequented by many of their schoolmates. Until then, under a system that allows parents to limit their kids' online activity, they were only allowed to visit sites designed for younger children.

"Sure," I said. "But remember not to give your names or towns to ANYBODY."

"We know," they chimed from behind closed doors.

But what none of us knew at that point was that the Internet name they share, which serves as both an online identifier and their cyberaddress, was about to be used by so-called "spammers," online hackers with the ability to harvest hundreds of e-mail addresses a minute. Spamming, I learned, is the art of using those e-mail addresses to send junk mail to hundreds, even thousands, of e-mail accounts daily, no stamps required.

Since then, the girls' mailbox on AOL has been stacked with about 20 sex e-mails a day, XXX-rated messages that carry added weight for any curious child who sees the message: FOR ADULTS ONLY. And soon, I began getting these messages under my user name, as well -- from people with return handles such as "POPPASMAK"and "sexinhim00."

But even though their access changed back to kid status the next day, the e-mails kept coming to the girls. "We are hot, young, very nasty and love to show and tell," one message read.

Using my own user name, I decided to play sleuth. I jotted down some of the names of the senders and, if they were AOL members, as some were, I tried to find them through the service. Although I knew it was a longshot, AOL does allow members to post profiles, including some personal information.

As might be expected, most of the sender names turned out not to be profiled. But there were a few -- including one user described as a 43-year-old man living in Chicago, and another described as a 70-year-old retired schoolteacher from Aptos, Calif., who said she enjoys quilting, genealogy, dolls and stamps.

Could these be the people who were sending X-rated e-mail to my children? Maybe, maybe not. They didn't answer my e-mails questioning them about it, and AOL administrators have since told me that spammers often play hide-and-seek with regulators by rerouting mail using random addresses they've stolen along the way.

When I called America Online, I talked with Tricia Primrose, a company spokeswoman who walked me through the typical spamming operation -- a problem the company is fighting with a team of 10 online sleuths, lawyers and programmers. And sex mail isn't the only issue with spammers, Primrose said. They're also pushing miracle diets, baldness cures, bogus cancer therapies and other money-making schemes.

Overall, she said, spamming "is one of the biggest problems on the Internet."

America Online processes 45 million e-mails a day. And although the company won't read your e-mail, it has devised a system to help weed out the junk. If you get inappropriate e-mail, AOL recommends that you immediately send it to Tosspam, which is an address used by the company to gather spam from its subscribers. The company then promises to track as best it can where the mail came from, block their mail from gaining entry into the AOL system in the future, and advise the e-mailer of the legal options available to block them from the system in the future.

She said the company blocks millions of junk e-mails a day, but acknowledges that millions more manage to get through.

Primrose introduced me to Randy Boe, associate general counsel for AOL and top spam sleuth. He said the company has been fighting spammers, both technologically and legally, for almost two years. Legally, Boe said, it's considered computer fraud to gather addresses of AOL members for the purposes of sending junk mail. AOL has brought suits against 40 individuals and companies involved in spamming. Losers can be fined and forced out of business. So far, AOL has not lost a suit.

In addition to computer fraud, Boe argues that spamming occurred only after the individual or company "trespasses" into the AOL system. If they have legal access to the system, he said, they must break the company's "terms of service" in order to accomplish their goals. Nine other suits have just been filed by AOL, Boe said, including one against a New York City company selling apricot seeds as a way to fight cancer.

But it isn't easy finding spammers. "They are a dubious lot," Primrose said. While many leave electronic tracks that are easy to follow, some use transmission software that hides their geographic origin. This is key because before the company can file suit it must be able to find the spammers to serve them with court documents.

"One of the first cases (brought by AOL was against) a spam software seller who lived in a trailer in Kentucky," Boe said. "He found out that AOL was after him, revved the engines and headed for the highway." He called Boe every so often from phone booths along his way, Boe said, promising that he's "out of the spamming business entirely."

There was also a case in Louisiana, he said, where two brothers and a friend were just about to be served with court papers when one of the brothers threw the computer -- the evidence -- into the bayou, where it disappeared for good. Generally, though, "we get a lot of very surprised looks when we show up," Boe said, noting that AOL generally hires professional investigators to find and serve the spammers with legal papers.

Internet providers can only block unsolicited mail if they know where it comes from. I thought that replying with an angry message stating that they are mailing pornography to children would be enough to stop the next piece of mail, but Boe said that replying may be worse than doing nothing.

The angry messages go to a mailbox and are flagged as "read mail," Boe explained. "Then, these domain names are sold to others."

Additionally, Boe said, there are "chat" groups where spammers can compare notes. The company recently obtained the address book of a well-known spammer, and is using it to track down and stop "less than a thousand and more than hundreds" of spammers.

Another way to avoid getting spam, the AOL insiders said, is to use mail controls in which you designate who you'll accept mail from. But that means you have to create an approved address list, which may be fine for my children, but not for me or many other adults, particularly those who receive work-related mail at their home e-mail address.

Primrose recommends that people bothered by unsolicited mail change their screen names often, or create a screen name (AOL provides you with five screen names) to surf the Net.

Boe said when you see a message asking you to "reply here" to have mail stopped, don't reply. If you do, he says, the odds are that your name will be sold on the spam market. Instead, just forward the mail to Tosspam, and the company will respond.

I, for one, intend to take his advice with the hopes that some day an AOL detective will find the people sending sex e-mails to my children, knock on their door, hand an envelope over, and say: You've got mail.