February 11, 2009 8:26 PM
AOL's Covert War On Pop-Up Spam
(AP)
Even more annoying than junk e-mail are all the spam messages that "pop up" through a little-used feature in Windows. As part of its spam-fighting efforts, America Online has been turning off that feature for its customers without telling them.
AOL spokesman Andrew Weinstein said the feedback has been all positive, and he knows of no complaints to AOL call centers about side effects on other applications that may need that feature.
Nonetheless, AOL's action worries some security experts who were told about it by The Associated Press.
"They are trying to do the right thing ... but you sort of feel dirty after you hear it," said Bruce Schneier, chief technology officer for Counterpane Internet Security Inc. "It's a very dangerous precedent in having companies go into your computer and turn things on and off."
"From there," he added, "it's easy to turn off competitors' services."
Pop-up spam differs from pop-up ads in that no Web browser or Web site visit is required. Instead, these ads take advantage of a messaging function built into many Windows operating systems.
The function, generally enabled automatically when computers are shipped, was designed for computer network technicians to, for instance, warn people on their systems of a planned shutdown. Some applications also notify users of such actions as a network printer finishing a task.
About a year ago, spammers figured out that they, too, could exploit it, making ads automatically appear on users' screens at any time.
AOL — along with other Internet service providers and makers of security firewall products — responded by closing many of the Internet ports used, but closing all could disrupt other applications.
AOL then developed a tool that users could run to turn off the feature entirely, but few bothered, even though complaints about such messages kept growing, Weinstein said.
So two weeks ago, AOL began turning the feature off on its customers' behalf, using a self-updating mechanism in AOL's software. But the setting being changed is in Windows, not in AOL's software. Users are not notified of the change, though they may manually turn the feature back on, and AOL won't change it again.
Weinstein said the company has changed settings for 15 million users already and will continue doing so over the next few weeks.
"Almost none of the users will ever need this functionality," he said. "Even in the office environment, it is rarely used."
Furthermore, he said, AOL won't change settings unless the user has administrative privileges on that computer — something employees generally don't have on their work machines.
Weinstein notes that besides blocking pop-up spam, the change closes a Windows vulnerability that Microsoft Corp. deems critical and disclosed last week.
Microsoft officials did not immediately return calls for comment.
Lawrence Baldwin, president of the security Web site myNetWatchman.com, said that while AOL should be lauded for taking responsibility for ensuring computer security, "I certainly wouldn't want my ISP (Internet service provider) messing with my system."
For software to change computer settings on its own isn't unprecedented. Software from other vendors, for instance, can automatically make itself the main application for playing music files or surfing the Web. Any warnings are often hard to find.
Russ Cooper, a security expert with TruSecure Corp., said anyone who needs the Windows messaging function that AOL disabled ought to be smart enough to know how to reactivate it.
"I hope more and more providers do this type of proactive security," he said, "and that we don't condemn them for things we wish everybody would do for themselves."