The Mudgelog
February 3 and February 4, 2007

February 3, 2007.  After six months with virtually no spam, I am being deluged with the stuff.  I'm still trying to figure out what happened.

Before I acquired a new computer and changed my Internet Service Provider (ISP) last June, the percentage of junk mail that I received was ridiculously high.  Despite having a highly rated spam-killing program, setting up all sorts of filters, and following every tip in the books for preventing it, spam sometimes comprised nearly half of my incoming mail.  My spam-killer (Spam Cop by Cloudmark), which not only deletes spam but also keeps a running count of how much it has to dump, sent 99% of the stuff directly to the "Deleted" folder, but it was still coming in.

After I got the new computer and changed ISP last June, spam virtually stopped coming.  I loaded the same spam-killer, but it needed to remove hardly any spam at all.  In fact, I sometimes had to retrieve some legitimate messages that it mistakenly removed (which was all right with me – better that than the other way around).

Recently, though, spam has begun to arrive by the carload.  Interestingly, though my wife's computer is networked with mine and uses the same ISP, hers is virtually spam-free.  Apparently, the scumbags have located my mailbox and not hers.

Since the deluge has been recent, I have been thinking back through what I have done with the computer during the last few weeks.  All that comes to mind is that I registered for two immensely popular websites during that time, foolishly giving my main e-mail address instead of the "junk" address at Hotmail that I usually provide when I register.  I shall now review these accounts and either cancel them or change the e-mail address to the junk address.  I'll report back on what the outcome is.

February 4, 2007.  I'll start with spammers, but this is really about phishing and the holes in bank security.

It's still too early to tell, but I think that changing the e-mail addresses at those two websites may have cut down the spam a bit.  If it does the trick, I'll divulge later what those two sites are.

I've got to say – as I've said many times before – that I don't understand the motives of spammers.  I can sort of comprehend the reasoning of those who believe that they might be lucky enough to make sales to that fraction of 1% of the population who are dumb enough to respond to their transparently idiotic messages.  Still, the amount of spam that exists suggests that an awful lot of stupid people think that an awful lot of other people are really stupid.  I've met quite a few people in my life who are not especially bright, but I've never met anyone that stupid.

I've been told that most spammers aren't really selling anything but are just trying to harvest e-mail addresses to sell to people who are selling something.  That doesn't make sense either.  Who is going to pay for a list of random e-mail addresses compiled by randomly sending messages to random e-mail addresses?

"Phishing" is an entirely different story.  In case you don't know, "phishing" is the term applied to the practice of sending a fraudulent message in an effort to steal confidential information, such as someone's credit card or account number.  Some of these messages are diabolically clever.  I have, for example, received several very authentic-looking messages purporting to be from a bank or some company with which I do business (e.g., my ISP) and telling me to go to a certain website to update or confirm account information.  The messages usually contain a threat that my account will be cancelled unless I comply.

Of course, I never do this, but I can understand that some people might – especially those who don't read or watch the news, which has frequently warned about these scams.  That makes it very profitable for the crooks who send out these messages, and it's very hard for the authorities to track them down.  A few hits can get them more loot than a well-planned holdup can, with considerably less risk.

I don't delete these messages but forward them to the bank or business from which they pretend to come.  (Almost every bank has an address on its website telling people where to forward suspicious e-mail.)  Why?  I figure it's my duty.  The only way to catch these electronic thieves is by electronic sleuthing, and the forwarded message may just give a clue to someone in a sophisticated anti-fraud operation.

Unfortunately, I don't think banks and other institutions are devoting much funding, manpower, or time to tracking these crooks.  My guess is that they devote more money, personnel, and time to advertising than they do to catching con artists.  Pardon my cynicism, but the company or the bank is not the primary victim when the crook succeeds; the customer is.  Why should the bank or company care?

It's not surprising that the crooks are always one step ahead of the banks.  Their security systems are full of holes.  Here's proof.  A bank with which I have a credit card (Chase) left a message on my answering machine, stating that there was a question about my account and telling me to dial a phone number.  When I dialed the number, a voice asked for my account number.  That was a red flag.  How did I know that the message that told me to call that number was from Chase?  I wasn't about to give my account number to a stranger, so I hung up.

Next, I called the Chase customer service number to try to confirm whether the call was legitimate.  Here's where it gets complicated.  Because of some glitch in the system, it would not accept my "security code" (first three letters of my mother's maiden name).  I tried again – still no go.  I was getting irritated, so I punched three random buttons.  That didn't work.  I really didn't expect it to.  Just on a whim, I hit three different random buttons.  I got through!  Somehow, I had hacked past the security firewall by random punching of buttons.

Remember where this started – with an anonymous caller claiming to be from Chase and my return call where I was asked for an account number that I refused to give?  When I "hacked" through to Chase customer service, I found, to my surprise, that the initial call was legitimate.  Naturally, I asked the customer service representative how I could be sure of that.  "And wouldn't I be a fool to give out my account number when I returned that 'mystery' call?"  She conceded that it would indeed have been foolish, but she never answered the first question.

We took care of the question they had about my account.  At the end, however, I asked the representative, "How do you know you are speaking with Rich Turner?"  She hadn't asked for any information to prove that I was but just assumed that I had gotten through by punching the "secret" code (first three initials of my mother's maiden name).  Then I filled her in.  I told her that my code hadn't worked (though, when I told her what it was, she confirmed that it was correct and couldn't explain why it didn't work).  Then I explained that, after two tries with the correct code, I had gotten through by punching random keys instead.  "So," I said, "I could be Charlie the con artist from Arkansas and not Rich Turner at all."  She thought that was hilarious.

I wrote a letter to Chase describing this experience – from their "anonymous" phone call to my hacking into their system when it failed to recognize my correct code.  I said that their security system was a farce.  Chase never replied.

So, friends, the "phishers" give us plenty to be worried about, but we can probably escape their clutches by being very, very careful.  However, what I'm really worried about is the banks, the folks who are guarding the security of our money.  If they're as incompetent at security as my anecdote suggests, we're in big trouble.

Here's another quick story about what is passing for security.

When I had to get my new digital driver's license in New Jersey last month, I was a bit worried.  These new licenses are supposed to prevent people who are not who they say they are from getting or renewing licenses.  Therefore, the Division of Motor Vehicles has in place an extensive ID system that, for most of us, means producing an official birth certificate as the primary identification.

The reason I was worried is that my birth certificate is from South Africa, where I was born.  It does have my name, of course, but the document is in Afrikaans; unless one knows the language, it's not possible to read what it says.  It's not even possible to tell, really, that it's a birth certificate.  Therefore, when I went to get my license, I took along accompanying papers issued by the American consulate in South Africa, declaring that my parents were Americans and that I was thus a foreign-born American citizen.

I didn't need to worry or to bring extra documentation.  The DMV official glanced at the Afrikaans birth certificate long enough to confirm that the name on it was the same as on my other ID (previous license, Social Security card) – and that was that.  I could have shown her a notarized receipt for ostrich feathers (written in Swahili), and as long as it had my name on it, she wouldn't have blinked.

Now hear this:  Anyone with an easily counterfeited NJ driver's license (remember:  several of the 9/11 hijackers had them) can trade it in for the new digital license by providing phony but official-looking ID.  It won't be examined carefully enough to determine whether it is authentic.