Insider Arrested in Spam Scheme
Welcome! You’ve got spam.
An America Online employee accused of stealing at least 92 million e-mail addresses and selling them to a spammer for more than $100,000 was arrested Wednesday at his home in Harpers Ferry, W.Va.
Jason Smathers, 24, was charged with violating federal computer fraud and anti-spam laws. AOL said after his arrest that it had fired the computer engineer.
Smathers’ alleged accomplice, 21-year-old e-mail marketer Sean Dunaway, was arrested in Las Vegas on the same charges. He was accused of buying the e-mail addresses -- all the handles of every AOL subscriber as of May 2003 -- using them to promote his online gambling business and selling them to other spammers for tens of thousands of dollars.
The case underscores the difficulties that Internet service providers face as they fight to keep their networks free of spam.
AOL, the country’s biggest ISP, with more than 30 million customers, has sued dozens of spammers and blocked billions of their messages. But the actions of a single rogue employee may have delivered AOL’s entire member list into the hands of online marketers.
“It’s a black eye,” said Rob Sanderson, an analyst with American Technology Research.
Smathers didn’t enter a plea Wednesday and was expected to remain in jail overnight. A woman who answered the phone at his home said that no one there would comment and that an attorney had not been hired.
Dunaway couldn’t be reached and his lawyer couldn’t be identified. Dunaway was released after appearing in U.S. District Court in Las Vegas late Wednesday.
He and Smathers each face up to five years in prison and a $250,000 fine.
AOL, a unit of Time Warner Inc. based in Dulles, Va., said it suspected it might have been the victim of an inside job and alerted authorities.
“We deeply regret what has taken place and are thoroughly reviewing and strengthening our internal procedures as a result of this investigation and arrest,” an AOL spokesman said in a statement.
Smathers and someone using the handle “The Brews” began plotting the theft in early 2003, using AOL’s instant messaging program to discuss the value of a list of bona fide AOL e-mail addresses, according to a criminal complaint filed in federal court in New York.
Smathers expressed some reservations about spamming AOL members and said he didn’t have access to the database where their user names were housed, the complaint says. “The Brews” responded that the lists he used were compilations of self-reported e-mail addresses, “thousands and thousands” of which were fakes.
“If you have a database of REAL emails, that were fresh, the ratio of sign ups would be sooo much greater,” “The Brews” wrote, according to the complaint.
Smathers replied that he had found AOL’s member database but warned, “It isn’t going to be easy,” the complaint says. Later he wrote, “OK, I got it figured out.”
Investigators said they found an e-mail Smathers had sent to himself with the user name and password for an AOL employee in Tucson who had access to the sensitive database. Smathers allegedly used that account to extract the e-mail addresses.
It’s unclear how much Dunaway may have paid Smathers for the first round of 92 million names, but Dunaway is accused of selling them to another junk e-mailer for $52,000.
Dunaway later allegedly paid Smathers $100,000 for an updated round of 18 million screen names, which included the telephone numbers, ZIP Codes and credit card types of AOL members but not their credit card numbers. AOL keeps that information in a separate database.
An attorney not involved with the case said it would be difficult for AOL users to succeed in a suit against the company over the security breach.
AOL has traditionally “done a fairly good job of protecting their users’ privacy,” said Cindy Cohn, legal director of the Electronic Frontier Foundation. “If you’ve got a bad actor in your company ... the company isn’t always liable.”
