The Case of the Mistaken Spammer

by Chris Oakes

12:43 p.m. May. 4, 1998 PDT
On a recent business trip, Thomas Cameron got a call from his wife, who relayed a message from UUNet, the Internet service provider that supplies online access for his network consulting business. The message was blunt: Cameron's account had been canceled.

"No explanation, no request for information, nothing," Cameron said. "Just an electronic 'death sentence.'"

The message said only that the cancellation was for violating UUNet's acceptable use policy. A spam-related provision of the policy prohibits the sending of unsolicited email messages, the technical description of spam. And as ISPs try to stem the overwhelming flow of spam through the Internet, the rule appears to be guilty until proven innocent.

"It definitely makes sense to disconnect somebody and not let them reconnect until you've confirmed whether it was them or not," said J.D. Falk, a director of The Coalition Against Unsolicited Commercial Email. Especially if the spam is ongoing at the time of discovery, he said. A half an hour's time can mean a flood of spam proliferating across the network.

Falk said he once discovered a spammer using his own Internet domain as a launching pad for spam. "I was able to get the person disconnected, but they'd been sending out mail for three hours already. If [the ISP] had gone through an additional process [of confirming with the customer], it could have meant millions more messages."

But the problem in Cameron's case was that, as far as he knew, he hadn't sent any spam. And after some remote analysis of his mail server through the ISP he uses for travel, he found no evidence of anyone else having used his account to send spam, either. "All my log files were clean." He spent the better part of a night combing his electronic records to confirm this.

Cameron left UUNet's Internet Abuse Investigations team after-hours messages explaining the results of his overnight research, but still no go. "The security team member called me the next morning and told me that even though it was only one complaint, that was all it took, and my account was canceled," he said.

Electronically stranded, Cameron would have to force an analysis of the incident to get the ISP to see the real cause of the problem: a simple case of mistaken identity, with an electronic twist.

The mistake came when UUNet sought to match up the originating Internet address of the offending spam and the owner of the account. When a business account is opened, UUNet assigns businesses a set of Internet Protocol (IP) addresses for the often multiple computers that will connect using the account. There are 255 distinct numerical addresses available within each set, the so-called "class C" IP address.

But many businesses only have a dozen or so machines hooked up to their networks, so many extra numbers go unused. For that reason, UUNet divides a single address set among multiple customers. When that's the case, two or more customers' IP addresses will share the same beginning address, such as The final three digits -- the "xxx" -- will be the only numbers that differ among these customers.

When UUNet's security team went to match the offending spam's originating address with the customer that owned it, they used only the first three sets of numbers. Those numbers turned up Cameron's name and, ignoring the possibility of a shared address, they assumed they had their man.

They "didn't drill down deep enough to find out whether it was the top or bottom half of the class C address," Cameron said.

As Cameron's UUNet contact explained to him later by email: "I searched our database using the class C as an argument -- 208.236.138 -- and retrieved your account.... I realized that this was in error after I spoke to you. I added on the fourth octet: ... and retrieved the correct information."

Irksome to Cameron, of course, was that she only did this at his prompting, and only after the initial cancellation had been ordered. When his claim of clean server logs hadn't convinced her, he requested the spam's originating address and asked her to trace it, which proved that the IP address in question was not his.

The security team member owned up to her carelessness and promised to intercept the cancellation order. But even then she was too late, and it took several days of emailing and tech-support calls to get the canceled account reactivated.

"Three days of downtime for something our company didn't do," Cameron said. "Without any verification, without oversight, and without an apology. My network consulting business's connection to the Internet was cut."

In the end, the ISP proved very responsive, apologetic, and compensatory. Not only did UUNet pay Cameron for the three days of down time, but he received a month of UUNet service, gratis.

Harris Schwartz, team leader of UUNet's Internet Abuse Investigations, wrote Cameron by email and said the team would be changing its procedures for such situations, "making sure that there are double and triple checks in our investigation to ensure that this type of accident does not happen again." He also insisted that this "type of thing does not occur very often."

A Rare Event?

Those close to the issue agree that Cameron's case was highly unusual.

"It's rare that I've heard any accusation like that, where after further research it turned out the [accused] spammer was innocent," said Falk. And for the moment, anyway, he said it's an unfortunate necessity that spammers be considered guilty until proven innocent.

But Cameron wishes he'd gotten a chance to respond before he'd been shut down.

"I'm a member of CAUCE," he said. "I can't stand spam. It drains resources even on our network. We process probably 50 or 60 junk emails a day. So I'm a big proponent of giving the death penalty to spammers. But it should definitely be investigated. The person should be given a chance to respond before their account is disconnected."

Cameron said it was fortunate that his business doesn't rely heavily on the Internet. Were his a more Web-intensive operation, he said, the interruption "could have been catastrophic."

"I definitely believe that anti-spam work is a noble cause. It just kind of sucked that I got caught in the middle of it."

No one from UUNet's Internet Abuse Investigations unit replied to requests to be interviewed for this story.



[ ]