She is going to another service, driven away by the levels of spam she encountered and the complications of AOL's system for dealing with it. And also by a strange encounter with pro-gun lobbyists in Chicago. When the spam started she laughed it off: "Why are they trying to sell me Viagra? I can't use it." But that joke wore thin pretty quickly, and several other spams were not funny at all.
The obvious thing to do at this point was to set up a new screen name (that's AOL-speak for e-mail address). We have no idea how her first screen name became known to spammers, since she does not go into chat rooms and has not posted it in any public areas, but it leaked out somehow -- perhaps through a virus attack which ripped through a friend's address list.
Fortunately, AOL allows you multiple addresses, so we set up a new one and she prepared to use it. However, the very first time she logged in -- before she had even sent any e-mail to anyone -- she found a message urging her to protest against gun controls in Chicago. As a retired teacher living in London, UK, she had no interest in this; the very first e-mail to a new screen name was junk. And it was quickly followed by several in a similar vein.
It looked very much like the curse of junk mail had struck at her new address.
Now, this could be a very serious problem. AOL does not release screen names to junk mailers -- that would be commercial suicide. But the only other way for spammers to get hold of an unused screen name would be to hack into AOL's systems -- an even more serious concern for AOL users. I took this up with AOL's UK security chief Camille de Stempel, and between us we are working out how it happened.
First of all, we noticed that all the mail came from similar addresses, not throwaway accounts. It turned out to be from Yahoo! mailing lists run by the Libertarian Party in Illinois. I still do not know how my mother's address got onto their list -- and I want to know -- but I am ready to believe AOL did not have anything to do with it. Maybe the address is similar to a genuine member of the list.
The most popular way for spammers to "harvest" AOL addresses is in public areas, de Stempel told me. "Most often, people go by mistake into a public area," she explained, "without realizing that everyone else can see their screen name, even if they aren't posting messages." AOL has to make people's screen names visible in public areas, she explained, to safeguard the people in the chat room from unknown lurkers. It is a balancing act between the privacy of the people already in the room and that of the new arrivals.
"We recommend one ID for public areas and another one for private life," said de Stempel. This is good advice to anyone on any mail service -- but it is irrelevant to my mother, who never goes to chatrooms.
Another possibility she suggested is that spammers might be mailing to a massive list of guessed addresses -- with 33 million users, there's a pretty good chance that a mail to anything@aol.com will reach a real address, though whether they are interested in the spammer's dubious services is a different matter. Larger e-mail services could be more at risk of spam, if you follow that logic through.
Some of AOL's other advice is not so immediately useful. Users can block out all e-mail from anyone they haven't heard from before. But this would not suit my mother, whose children and friends are forever moving to new companies and mailing her from new addresses.
And she finds AOL's advice on dealing with offensive mails rather frustrating. AOL asks users to forward any offensive mail to special addresses. It also advises users not to open offensive mail. The problem is that AOL's user interface does not let you forward a message until you've opened it.
So if she gets a message with an obviously unsavoury subject line, what should she do? Delete it and not report it? Or open it in order to forward it? "Just delete it. Someone else will have opened it by mistake, and they will probably forward it," said de Stempel. She might also have said that, if it is from a throwaway ID, there's not much point reporting it anyway.
So, it looks like AOL probably does not have the huge hole in its security I thought it did at first. But it is clear that its very size creates issues about privacy. My mother is concerned enough about the likelihood of junk mail that she moved to another service anyway. But I would still like to know how a U.S. political party suddenly started mailing to an address in the UK that no one had ever heard of.
