Flooding the inbox is no longer enough.
Now spammers have gone beyond e-mail and are attacking instant-message services popular with teenagers, authorities said Friday as they announced the arrest of a young man suspected of broadcasting 1.5 million ads for pornography and cheap mortgages.
Federal prosecutors said it was the first criminal case involving this new form of spam -- known as "spim" because it targets so-called IM services.
"It's absolutely unsurprising that spammers would find a new way to spread their slime through any crack and crevice available," said Anne Mitchell, president of the private Institute for Spam and Internet Public Policy.
Anthony Greco, 18, was arrested Wednesday at Los Angeles International Airport, where prosecutors said they lured him from his upstate New York home for what he expected would be a meeting with the president of MySpace.com, a popular social-networking company whose users Greco allegedly spammed.
Greco had threatened to tell other spammers how he sent the unsolicited instant messages to MySpace users last fall if he wasn't given an exclusive marketing contract with the company, according to a sworn investigator's statement filed in Los Angeles federal court.
Los Angeles-based MySpace is similar to Friendster and other Web firms that connect people with shared interests or mutual friends. The service claims 9 million users and is popular with teenagers, investigators said.
MySpace spokesman Bennet Ratcliff explained that the company's messaging system is technologically more like regular e-mail than instant messaging, and users must click on a message to see its full content. The company's network has no serious spam problem, he said, and is "continuously adding deterrents to protect our users."
Nevertheless, news of Greco's arrest is "alarming," said Lawrence Orans, a Gartner Inc. analyst who follows computer security issues and this week warned companies to increase instant messaging safeguards. "He could have directed people to sites that spread spyware or other malicious code."
America Online, Microsoft Corp. and Yahoo Inc. all offer instant messaging programs, in which words typed by a sender immediately appear on recipients' screens. The rapid adoption of such programs has been followed by a rise in spam and computer viruses that spread through them.
Just last week, Microsoft required users of its messaging service to install upgraded software to fix a security flaw.
As lawsuits and criminal cases against spammers increase, hawkers of everything from drugs to work-at-home schemes are moving to new technologies as they become available. Spammers are already sending text messages to cellular phones, Internet phones and the comment sections of Web logs.
Some say efforts to combat conventional spam have led to the innovation.
"We're forcing spammers to look for other avenues to get their junk in front of members' eyes," said spokesman Nicholas Graham of America Online, which in the fall filed the first suit against an instant-message spammer. "They're getting more and more desperate." Graham said about 1% of traffic on AOL Instant Messenger is spim. He said AOL expected that to rise.
"There's definitely concern," said Scott Chasin, chief technology officer at e-mail security firm MX Logic Inc. "The industry needs to respond more aggressively to address these vulnerabilities -- not after the fact, but before."
Security experts said they expected spim to grow but not to become as common as conventional spam. That's because instant messaging systems -- unlike the Internet -- are closed loops, with central control. "It gives the provider the ability to address the issues more easily and track the offender more easily," Chasin said.
MySpace is among the companies offering their own instant messaging to customers or employees. Greco is accused of using software to automatically create tens of thousands of customer accounts and then sending the maximum of 500 messages per account per day.
Assistant U.S. Atty. Brian Hoffstadt said the arrest was the first over instant-message spam. "We're just beginning to get the tip of the iceberg. This could be a new wave as online communities start up."
MySpace users first complained about the initial deluge of messages in October. The company scrambled to delete more messages before they were read, and it made changes in the service to deter the program Greco allegedly used to create new accounts.
The next month, Greco proposed a deal to MySpace executives: He would pay the company $150 a day for the exclusive right to send advertising to MySpace users. Otherwise, "I have no choice but to just sell off my coding to other people and allow them to pick up the projects," he wrote, according to an affidavit by Los Angeles Police Det. Frank Schweitzer.
Company executives contacted law enforcement. Greco agreed to fly to Los Angeles to sign a contract and was arrested when he arrived Wednesday. He was charged with violating a federal anti-spam law, harming MySpace computers and attempting extortion. Facing 18 years in prison if convicted, he was released Thursday under a $25,000 bond.
"I'm not guilty," Greco said in a brief cellphone interview Friday. "I really can't talk about it." His lawyer declined to comment.
According to its website, Greco's company, TGCashin Inc., promotes adult photo and video sites. TGCashin promises marketers half of any income generated by visitors steered to the sites. It urges such partners to "link to us by any means that are legal. This includes pop ups, image links, text links, or anything else you can think of."
The site also recommends that e-mail marketers abide by the same spam law Greco is accused of violating.