JEFFREY BROWN: Call it a "spam scam." "Spam" is the popular term for the junk e-mail that many computer users are bombarded with. Yesterday, a 24-year-old employee of America Online was arrested for stealing and selling 92 million e-mail addresses. Also arrested was a 21-year-old Las Vegas man who runs an Internet gambling business. He allegedly bought the addresses, and sold them to other spammers. Joining us to look at this case and the anti-spam effort is David Bennahum, media and technology columnist for Slate Magazine. David, welcome. This was an insider named Jason Smathers who gained access to all these e-mails at AOL. How did he do it?
DAVID BENNAHUM: Well, apparently what happened is that he went to another employee's desk essentially, managed to get that employee's user I.D. and password and that employee had access to the lists of all of the accounts on AOL, meaning where the person lived, their zip code, all their different screen names and that amounted to about 37 million accounts on AOL. He logged in without permission from AOL, got all those names in batches, copied them on to discs or downloaded them and then sold them to this individual in Las Vegas who runs these Internet gambling sites.
JEFFREY BROWN: Explain to us why these addresses are so valuable.
DAVID BENNAHUM: Well, each address is a live address. It's a certified good e-mail address and that these are paying AOL customers so, first of all, you're getting up to 37 million accounts that are good. There's no question that when you send an e-mail to that person there's no one there to receive it. That's at least the basic premise, so at that point you have 37 million valuable fresh e-mail addresses. It's unbelievably valuable. I can't think of any other way you could get it except illegally because who else would give you those addresses? They are closely guarded assets that belong to the company. So because of that, the value on these e-mail addresses just is probably much more than what was paid for them ultimately.
JEFFREY BROWN: Now as you said there was other information involved: street addresses, phone numbers, and I understand types of credit cards but not the actual credit card numbers. Are those numbers typically walled off somewhere more safely?
DAVID BENNAHUM: That's correct. The financial information connected to each customer is even more valuable in that if it's used for fraudulent purposes, i.e., stealing your credit card numbers, that would be even more problematic than someone getting junk mail, so thankfully those credit card numbers were separated out from the rest of the customer information, and this person at AOL couldn't get access to them.
JEFFREY BROWN: Now as you said, Mr. Smathers allegedly sells the addresses to a Sean Dunaway who uses them for his Internet gambling online.
DAVID BENNAHUM: Right.
JEFFREY BROWN: He passes them on to other spammers. Is this typically how the world of spam works? Give us some sense of who these people are, where they are, what are they selling?
DAVID BENNAHUM: Well, spamming is actually a big business in the sense that it's not mom and pop operations. They are very sophisticated operations that harvest, that's the language used, they harvest millions of e-mail addresses through all different sources and they consolidate those into massive e-mail databases, so in that sense the idea that somehow these are small time operations, small time crooks is totally wrong. Most spam is generated by a very small number of organized groups that essentially resell these lists. Now the people marketing, using those names, might be varied, but the source of those lists actually isn't that best.
JEFFREY BROWN: Here we have one company, AOL, but there must be other large companies with big, huge e-mail listings like this. What are these companies doing to protect themselves?
DAVID BENNAHUM: Well, on some level this is an employee issue. When you hire a person to work at a company you trust that that person is going to not behave illegally, so it's tough for these companies to completely police this, because at some point you're making a gesture of trust because you're saying, yeah, you have access, you've got to manage these accounts and we trust you won't do something like resell all these names so the best thing a company can do internally is limit the people who can get access to it. I think AOL probably did that. Here's a case of an employee essentially stealing the other employee's access codes to get to that information.
JEFFREY BROWN: Do you know how he was caught in this case?
DAVID BENNAHUM: Well, in this case it started with AOL being very upset with the amount of spam coming through its users. It's a perennial problem for all Internet service providers so they had begun an internal process to begin civil cases, as it were, to people who were sending junk mail to AOL users, and in the course of doing that they managed to track the junk mail to someone who is advertising I believe herbal sexual aids through the Internet, and that individual confessed to where he got his list, and that was from the individual in Las Vegas who ran the gambling sites and then he -- it became clear that he had to have gotten that list from inside AOL and he eventually gave up the internal person at AOL who had harvested this list illegally.
JEFFREY BROWN: Let me ask you a few questions that are in the category of where are we in this effort to slow or stop spam. What are companies first? What are they doing themselves to stop it? You just mentioned some of the efforts that AOL has taken. Tell us about them.
DAVID BENNAHUM: Well, there's two prongs of attack right now. One is the legal prong where there are now laws on the book making spam illegal. Congress passed the CAN-SPAM Act this year which makes it illegal to send spam. You can get up to a quarter million dollars in fine and up to ten years in prison if caught and convicted. That's what's happening now with this case of AOL; they are essentially being prosecuted under this act.
JEFFREY BROWN: I think this is one of the first cases under that act, in fact.
DAVID BENNAHUM: That is correct, sort of the poster child for trying this theory out, that you can prosecute people for doing that. That's well and good and it takes a huge amount of effort and the amount of spammers out there exceeds the number of lawyers who want to prosecute this so the other side is the technology side. How do you create technological systems to essentially filter out spam? This is now very commonplace and most commercial e-mail providers, they create essentially programs that scan your e-mail and analyze the bottom of the message that says it looks like junk mail and essentially delete it or move it to another folder and compare it to a list of names that you authorized to send that e-mail and if it doesn't match the list then it's shunted off to another folder and at some point the e-mail user is supposed to go in and go through all the e-mail and pick out the stuff that is not junk and train the system not to do it again.
JEFFREY BROWN: In the meantime, what can an individual do?
DAVID BENNAHUM: Well, the most important thing an individual can do at this point is to install junk mail filters on their computer. Now if you're using an e-mail program that runs off the web, oftentimes that's basically pre-installed. Like Yahoo!, a lot of these service providers will provide an e-mail filter within their service. If you don't have that, you can have a third-party service to do it. And this is a booming industry. There's hundreds of millions of dollars being spent each year on software licenses to run junk filters. That's probably the only thing a consumer can do at this point. Everything else is really up to other entities to deal with, whether it's the government or the people who organize and run the Internet policies that control how Internet mail is routed and programmed. There's some long-term issues that have to be solved there to help stop spam but in the short term it's up to you as a user to get these junk mail filters installed on your computer.
JEFFREY BROWN: David Bennahum, thank you very much.
DAVID BENNAHUM: Thank you, my pleasure.