Interesting Coincidences

A slow beginning

On Saturday November 19, 2005 around 5:00pm I received two phone calls to my cell phone from companies that had received my name, address and phone number with a claim that I was interested in home and vehicle lending. At the time I thought it was an odd but simple mistake, let them know that I had not made any such requests and asked them to remove me from their databases.

When I arrived home I found 30 emails in my in box for things ranging from a membership to the Poet's Workshop on through car loans and requests for contact lenses. It was clear that someone had used my personal information to subscribe me to a number of opt-in style mailing lists and service requests.

That evening and on Sunday November 20th I received 35 more spam emails similar to the first set and a few more sales calls on my home and cell phones.

Opening of the flood gates

On Monday November 21st things changed for the worse. At 9:00am I received the first of what quickly became a steady stream of phone calls on my work, home and cell lines and by 10:30am it was clear that I was going to have to spend a significant amount of time on the phone gathering information to track down who was doing this to me and to safeguard my credit account. I was receiving calls from questionable lending institutions, equally questionable universities, credit repair shops, diabetic supply houses. (Them: "we'd like to send you a free diabetic meter", me: "No thanks, I'm not diabetic. Where did you get my contact information?") And so on and on.

I went home and proceeded to answer call after call and question each person so that I could find out as much information as possible about the person that signed me up for these products and services. I also spent time searching the Internet for information on the companies involved as I found out about them and eventually identified LowerMyBills, CoolSavings and ZipSearch as the sources of most of the calls.

IP address identification

Luckily for me some of the companies were willing to help track the person responsible and halfway through the day I had an IP address of the user (67.164.xx.190) and the time of day the fraudulent requests were made to a few of the companies.

With the IP address in hand I set about finding as much information as I could about the person and what I should do in response. Tracing the IP address revealed the user was a Comcast customer in Oregon and thanks to my Google Desktop cache I found that I had contact with that IP address several times in the last two months.

IP address contacts

• Sept 12, 2005 23:04 - The IP address was found in a comment posted to my blog from "Dr. Steve Prescott at steve...hotmail.com." The content of the posting was:

"Thank you for sharing your experience Michael. I found to be an interesting read. I also purchased a long life battery from batterygeek.net however my experience was quite different than yours. The battery I purchased from them gave my laptop an additional 12 hours of run time per charge which far exceeded my expectations. Additionally, the battery I received is very small in size and durable which makes it ideal for my frequent travels. They also included some extra nifty free gifts which I thought added a nice touch. My experience of the customer service level at batterygeek was quite different from yours. I found the customer service that I received from both Sean and Melissa at batterygeek.net to be exceptionally good. They both responded very fast to all my questions and concerns on three seperate occassions and I also received amazingly fast same day shipping. Personally, I would not hesitate to refer this company and thier products to anyone. Cheers, Dr. Steve Prescott."

I attempted to contact him via email on Nov 23, 2005 2:50pm and the email was returned undeliverable.

• Sept 15, 2005 1:04 through Sept 23, 2005 14:19 - The IP address was found in the headers of seven emails from Sean Murray of BatteryGeek.

His initial email was sent to me in response to my first review of the BatteryGeek battery pack that I bought last June and some additional reviews I had posted to other sites on the web such as Amazon.com. The general content of other emails is covered in my follow-up review.

• Oct 10, 2005 3:53 - The IP address was found in a comment posted to my blog from "Susan” at www.jensense.com. The content of the posting was:

"Your picture sure is ugly. LOL."

I contacted the owner of jensense.com on Nov 23, 2005 at 5:16pm and she confirmed that she did not post the comment.

• Oct 10, 2005 4:02 - The IP address was found in a comment posted to my blog from "Jenny” at www.jennycum.com. The content of the posting was:

“YOU SURE ARE UGLY."

A check of DNS records shows that the domain is bogus.

• November 19th at 12:08:19 -8:00gmt the user at the IP address came back and spent much of the day trolling dragonseye.com such as my blog and other personal pages. The user also downloaded a PDF copy of my resume which had my address, home phone number, company name and cell number. The user's last access on the 19th is at 21:49:14 -8:00gmt.

• Nov 19, 2005 14:35 - The IP address was found in a comment posted to my blog from "Ted Williams ted...hotmail.com" The content of the posting was:

"I bought a battery pack from batterygeek just the other day and it's giving my IBM ThinkPad 7+ hours of additional run time per charge. Not bad. Also, after I placed my order they shipped it out same day and I received it the next day with some free gifts. Not bad either. So far so good."

I attempted to contact him via email on Nov 25, 1:36am and Dec 9, 11:05am and as of this writing I have received no response.

• Nov 19, 2005 18:26 the IP address user submitted a request in my name for help with starting a home business.

• Nov 20, 2005 5:03:01 the IP address user submitted a request in my name to Service Magic for kitchen remodeling help.

At some point during the weekend of November 19th the user submitted my information to CoolSavings. This was likely one of the first submissions on Saturday afternoon as the first phone call came in about 5pm that day.

According to my web site logs, from September 12 through November 23 the user at the IP address accessed the two BatteryGeek articles on my blog on average once a day. Very few other articles are accessed by that user.

Filing complaints and getting help

On November 22nd I sent an email to the Comcast abuse department containing an overview of the harassment and my contact with the IP address responsible. I got an autoreply back saying my complaint had been received and not to expect any other response.

Based on everyday definitions this problem seemed to fall under the categories of interstate fraud and harassment so on November 23rd I filed complaints with the IFCC (which has apparently changed names since and is now called IC3) and with the Portland FBI. I sent them each essentially the same overview I had sent Comcast.

On November 23rd I contacted the owner of the blog JKOnTheRun, explained the situation and that I believed the person responsible had posted a comment on his blog containing:

"Dear jkOnTheRun Fans,
We really care about our customers. As a result, maintaining superior customer experience remains one of the most important issues for us. As part of our ongoing dedication to our customers satisfaction we have recently hired a great guy named Jimmie who is our new and highly valued client support specialist from Texas. I personally guarantee your complete satisfaction with any of our products and services or your money back period. If any of our customers are not happy with something then they can simply email us at sales[at]batterygeek[dot]net or as a last resort send an e-mail to me directly at sean[at]batterygeek[dot]net for the fastest possible resolution. Please note that Mr. Harrison was offered a full money back guarantee a long time ago even long after his 30 days return policy expired however he chose to keep his batterygeek battery pack. Regarding Mr. Harrison, Battery Geek is still happy to talk with him as a customer.
Happy Holidays to all with Best Regards,
Sean M. Murray
Founder & CEO
Battery Geek Inc.
Lake Oswego, Oregon
http://www.batterygeek.net
Posted by: Sean M. Murray | November 20, 2005 at 02:49 PM"

I asked if he would verify that the person did or did not post from the IP address. I received the following from James Kendrick:

"The comment you have referred to was made by the owner of Battery Geek who sponsors one of my podcasts and I seriously doubt that he was the cause of your problems. However, in that comment he mentioned that a disgruntled customer of his was pointing the finger at Battery Geek and posting disparaging remarks about something that was purchased from them. He went as far as naming the individual, so that is far more likely to be the cause of the spoofing that has slammed you."

Mr. Kendrick appears to be saying saying that I either signed myself up for all the calls and emails I was receiving or that I deserved the harassment based on my "pointing the finger and posting disparaging remarks." I replied with:

"Thank you for your reply. Had it been only spam I would have simply ignored it. Once it moved to an unstoppable flood of phone calls on all my phone lines, that brought it up to the level of harassment. Being a personal friend of Mr. Murray I hope you'll see the value of verifying the IP address used in his comment. If it's not the same address as the one used to impersonate me, then it can be shown that perhaps he was not the person responsible for the harassment.”

I never received a reply in return.

On December 4th I contacted the owner of the site where JKOnTheRun is hosted, Six Apart, and asked them for confirmation or denial that the post was or was not made from the IP address. After several emails and a certified letter sent to their offices, the ultimate answer was that they would not release that information without a subpoena.

At the beginning of December I contacted a lawyer to see what could be done and the recommendations were pay $200-400 to have him send a warning letter to the likely perpetrator telling him to stop the harassment or pay $2,000-3,000 each to subpoena the server logs of Comcast and/or Six Apart so that legal action could proceed against the person responsible. I wasn't ready to spend that kind of money at the time so I continued to attempt to get positive identification in other ways.

By December 5th I hadn't received any response to what was now two emails to abuse@comcast.net and so did some digging and obtained the phone number for their abuse department. Their normal support people won't give that out but you can find it by doing a DNS lookup on comcast.net. I called on the evening of the 5th and left a short message about the problem I was having with one of their subscribers. On December 6th I received a phone call from Joe in the abuse department asking for more information on the problem. I sent the latest information and waited for a response. After a several more emails between me and Joe, I was assigned a ticket number and given a contact in their legal department on December 12th. I was also contacted on the 12th by a higher level abuse tech named Mike, where I was given the option of having Comcast warn off the IP user or holding off in favor of filing a harassment complaint with my local law enforcement. Mike cautioned me against having Comcast call and warn the user off as that sometimes causes people like that to raise the level of harassment even more. He also would not tell me how often their server logs are purged, saying that information was private and that I should definitely treat this issue as time sensitive. Unfortunately I took his advice and contacted the Plano Police Department (PPD) to file a harassment charge. This was unfortunate because the delay caused by going through the PPD meant that the Comcast server log entries I needed were purged by the time I found out how often that purging is done.

Along with speaking to Mike on December 12th I also called the PPD to file a complaint. By the 16th I was put in contact with the detective assigned to my case and filled him in on the situation and forwarded my summary of the investigation I had done to date. He was more than willing to help me out but was also clear that according to the law this probably wouldn't fall under the heading of harassment since the perpetrator hadn't called me directly, stalked me or threatened me with bodily harm. The detective was willing to go to the grand jury and try to get a subpoena for the Comcast server logs, which he expected I had be able to retrieve according to the open records act. He asked me to put a written statement together and bring it in to the station on the following Wednesday. I prepared the statement over the weekend and went in on the 21st to give it to him along with 1/3” of printed documentation I had on the problem.

On December 22nd I contacted Comcast legal to tell them that I had given a statement to the PPD and I would like to have them warn off their customer. It was at this point that I was informed that their logs are purged monthly as well as that information not being at all private. I had lost any chance of obtaining the server logs for that IP address on November 19th and 20th.

I attempted to get the PPD to send a letter to Comcast to preserve the remaining logs for the 22nd and 23rd but since the harassment happened on the 19th they weren't willing to do this and it later turned out the grand jury wasn't willing to issue a subpoena to Comcast or Six Apart since the perpetrator wasn't the one sending the emails, making the phone calls to me or actively signing me up for the various subscriptions I had received. The law around here still hasn't quite caught up with the times. I have since also found out that you cannot get subpoenaed information through the open records act unless charges are filed. Even if I had confirmation that a particular person was leased that IP address at the time the impersonation started, the police wouldn't be able to say that a specific person was using the computer at the time and they wouldn't issue charges. Since charges wouldn't be issued, there would be no records available for me to request.

Winding down

The phone call rate has dwindled to a trickle of one or two a week but I have received more than 3000 spam emails since November 19 and the tide hasn't begun to turn. I know other people get more spam than this in the same period of time but up to this point I had been able to keep my rate of spam down by changing my email address a few years ago and taking great care how I release it. Now I am back to the same place I was a few years ago thanks to this person.

To date I have been signed up for the following subscriptions:

• BMG music club at home and work.
• Columbia House DVD club once at home and twice at work.
• Sprint wireless service three different times.
• My non-existent daughter Sara was signed up for Brighter Vision Learning Adventures.
• Reader Service book club.
• Black Enterprise magazine (I am white) at home and work.
• A nationwide vmail fee was tacked onto our phone bill through CoolSavings.
• ESPN magazine at home and work.
• Better Homes and Gardens at work.
• Readers Digest at work.

Scans and photos of several of these items are available here.

I have sent these all back with a note that I did not request their product and to remove me from their databases. So far all seem to have complied. Time will tell.

Closing

While the evidence appears to converge on a particular computer in Oregon, I do not have confirmation from Comcast of which of their subscribers was using the IP address on the day this all began. On the other hand based on accesses over several months from that IP address to my own web site, basic knowledge of how IP address leases are obtained and verification of my own Comcast IP usage it is very unlikely that any other person could be responsible for the impersonation and harassment. The reason for the end of accesses on the 23rd of November is most likely that the user turned off his cable modem long enough to lose his IP lease. In any case, it is an interesting set of coincidences that lead from the harassing IP address in Oregon to very specific articles in my blog, comments left in that blog and emails I have received.

If this sort of thing happens to you and you're able to get an IP address as well as the date and time of impersonation, make sure you get the relevant ISP to reprimand their user according to the ISPs Terms of Service. Comcast at least will not look up the IP subscriber information unless they intend to penalize their subscriber, and doing this will help to preserve the log information you'll need for final identification. I would also recommend that you simultaneously contact the IC3, FBI, the harasser's ISP and your local law enforcement. Don't wait for any avenue to dead end before moving to another. Get them all moving on your case as soon as possible so that the culprit is less likely to get away.

If any of you have any further recommendations on how to handle this sort of situation I would be grateful to hear from you.