November 9, 1999

Hijacking of Errant E-Mails Grows,
Leading to Some Embarrassing Tales

By MICHAEL MOSS
Staff Reporter of THE WALL STREET JOURNAL

On Oct. 15, New York telemarketing consultant Geri Gantman resigned in protest from her trade association and fired off an angry e-mail that detailed her gripes.

The message fell into the hands of Russell Smith, a consumer activist and arch-foe of telemarketers, and Ms. Gantman figured someone leaked it.

In fact, she sent it to him herself. The group's e-mail address is ataconnect.org. But she typed ataconnect.com -- which is a spot on the Internet that belongs to Mr. Smith.

He acquired the look-alike address last winter and set it up to accept any e-mail that comes in. Since then, he says, he has received a pile of messages intended for people at the telemarketing association. "Even their own staff types .com," Mr. Smith crows.

Already, the Internet is awash in Web sites that trick people into clicking on by using addresses that vary only slightly from the sites being mimicked: an extra letter here, a dropped hyphen there.

Now, in near secrecy, some of these same look-alike Web sites are grabbing e-mail as well. A convenience of the Internet makes this easy to do: Most firms and organizations run their e-mail systems from the same addresses they use for their Web sites.

E-mail pirates don't even need to know software code. For an extra $3, the outfits that set up Web sites will throw a few switches so the sites collect e-mail, too. Then all it takes is a sender who mistakenly types the look-alike address, and the message gets snagged.

This trickery is so new that it isn't yet clear whether it can be stopped. Nor is it easy to avoid getting tripped up. Lawyers are e-mailing memos to the very people they are writing about. Voters are sending offers of money to their candidate's foe. Companies are losing customers, and perhaps even more. The technique is so seamless that computer experts assume that some firms use hijacked e-mail to snoop on competitors.

Not all misdirected e-mail is being pirated. The proliferation of Web sites has made innocent confusion commonplace. Adams Capital Management Inc., a venture-capital firm based in Sewickley, Pa., evidently shares a look-alike address with a mutual fund, whose clients occasionally e-mail Adams by mistake. "I write back and say you've got us confused," says office manager Lynn Patterson.

Some people trying to reach the mayor of New York are getting a different reply. Rudolph Giuliani's senatorial campaign had snapped up a bunch of Internet names before settling on RudyYes.com for his campaign site. Then he let his registration on the others expire.

In July, a free-spirited group that lampoons companies and public officials picked up one address it says the mayor let go: YesRudy.com.

Now, half of the 30 e-mail messages that the group, RtMark, receives each day at this and another look-alike Giuliani site are intended for the mayor, says the group's spokesman, Frank Guerrero. "Wanted to send a contribution," one e-mailer wrote last month.

Mr. Guerrero says he generally fires off a mischievous reply. "It is not often that one barrels headlong into a difficult race full of unanswered questions, even less often that one barrels headlong into a difficult race full of unasked questions. I am doing both," reads one such reply, signed "Rudy."

Bruce Teitelbaum, spokesman for the mayor's political committee, says he didn't know the YesRudy site garnered e-mail intended for the mayor. "There is nothing we can do," he says, citing the group's right to free speech.

Is e-mail snagging legal? It's murky. Some pirates liken their act to picking up the phone when the caller has dialed a wrong number. They also point fingers at the e-mail sender for not being careful enough.

Those who get snatched say it is more like a toll-free number that has been created to resemble another, in hopes of siphoning off calls. They also point out that it is already a crime merely to open regular mail that is sent to the wrong address and that other criminal statutes might apply to misdirected e-mail. Some companies have successfully argued that their Web names are trademarks and that anyone who uses a look-alike address is creating confusion by being deceptive.

"Regardless of whether it's a violation of electronic espionage law, I do think you can make a case for trademark violation if you can show that someone hijacking e-mails is causing real confusion," says David Bernstein, a Debevoise & Plimpton attorney who chairs the American Bar Association panel on Internet law.

"One element of damage," Mr. Bernstein adds, "is that the sender never knows their e-mail is missing."

Neither does the intended receiver. For months, Jews for Jesus had lost e-mail to a New Jersey man named Steven Brodsky who opposed the San Francisco religious group. He received the messages through an Internet name that was identical to the group's Jews-for-Jesus.org -- except his didn't have any hyphens. "I was blessed when one of your people came to our church," wrote a Baptist man from Portland, Ore., who left out the hyphens.

Mr. Brodsky hadn't intended to hijack the group's e-mail, says his attorney, Ronald Coleman. Rather, in creating his Web site, Mr. Brodsky purchased software that automatically included the feature of accepting e-mail, Mr. Coleman says.

The group discovered about a dozen lost messages when it sued Mr. Brodsky last year for trademark infringement. Then, in battling Mr. Brodsky, the group's own lawyers failed to use the hyphens on one e-mail they intended to send to the group.

"In the middle of the litigation I get an interoffice communication from the San Francisco office of my adversary," says Mr. Coleman. "It was to his client, but he used the wrong address, and it went to my client."

"That is true," sighs attorney Paul Winick, whose colleague actually sent the errant e-mail, which Mr. Coleman returned. "It is really a cautionary tale."

In court, Mr. Coleman argued that Mr. Brodsky's acerbic site could not be mistaken for the religious group. But Jews for Jesus prevailed last year when a federal judge in New Jersey ruled that Mr. Brodsky deceived the public through trickery.

Still, fending off look-alike Internet names can be so costly no matter who wins in court that Mr. Coleman advises his corporate clients to buy up all the names they can. "You have to register 60 paces in every direction," he says. "Even the likely typos. With hyphen and without hyphen. It's absurd."

E-mail hijacking has added new urgency to the game of stockpiling Internet names. A southern California firm that sells goods through an Internet catalog says it is struggling with the owner of a similar name, who is seeking to sell it for a six-figure sum.

For now, the look-alike name's owner is replying to the firm's customers who misdirect their e-mail to him -- without disclosing that they have reached the wrong place, says the catalog firm's attorney, Neil Smith of San Francisco. "He insults them," says Mr. Smith. "He is driving the customers away." He declined to name either firm because of possible legal action.

Russell Smith, the consumer activist based in Alexandria, Va., says he has registered as many as 600 Internet names, which he swaps or sells or links to his own Web site that promotes consumerism. Most of his stock is generic, like Merrychristmas.org, which he hopes will prove valuable someday.

He also has Web names resembling those used by three telemarketing groups, including American Teleservices Association, of North Hollywood, from which Ms. Gantman -- a senior partner with the consultant firm Oetting & Co. of New York -- resigned last month.

"This smacks of Big Brother," says Ms. Gantman, who had not known how her e-mail strayed to Mr. Smith until she was contacted by this newspaper. "We're going to be real careful with those dot-orgs from now on."

Donna Bryce, a telemarketer and the association's communications director, says she also was unaware of Mr. Smith's e-mail system. "It would concern me when things go astray," she says. But, she adds, "it's a free country, and he has a right to his Web mail." She declined to discuss Ms. Gantman's letter.

Mr. Smith says he routinely sets up all his sites to receive e-mail and did not target the telemarketers. But when their messages began streaming in, he decided to keep them coming as a weapon in his battle for consumer rights. "I want the messages," he says. "They sc- me, and I want to sc- them. It's revenge."

Much of the telemarketers' e-mail, he adds, consists of jokes being passed around. "It's mostly a waste of time," he says.

One exception arrived in January. It was an e-mail from attorney Roger Kirkpatrick, a consumer marketing specialist with Time Warner Inc., with whom Mr. Smith had been fighting.

Mr. Smith had been pressing Time Warner to detail its consumer-privacy policies, and Mr. Kirkpatrick wrote an e-mail to his legal colleagues and an official at the Direct Marketing Association, a New York trade group to which Time Warner belongs.

Mr. Kirkpatrick in the e-mail laid out his strategy to curb Mr. Smith's inquiries. "This guy is EXTREMELY obnoxious," he wrote. "We ... have nothing more to say or send to him."

The e-mail went straight to Mr. Smith, when it was mistakenly addressed to his look-alike Direct Marketing name.

"Clearly the e-mail was not intended to go to him," says Mr. Kirkpatrick, adding that he had not known how Mr. Smith had obtained his e-mail.

Mr. Smith, for his part, replied to Mr. Kirkpatrick's misdirected e-mail, refuting some matters, agreeing with others.

"One final thing," Mr. Smith wrote. "I would like to take this opportunity to welcome both you and the DMA to the Internet."