The email in question claimed to be from a Concentric customer support representative. It asked recipients to respond with billing information, including credit card numbers.
"Concentric is absolutely fed up with this kind of abuse, both with its service and with its subscribers," said David Kramer, an attorney representing Concentric. "This [suit filed yesterday] is a way of bringing to its subscribers' attention the serious nature of the scam."
Because the identity of the sender remains unclear, the suit names ten "John Does" as defendants, Kramer said. "John Does" refer to unidentified parties, and the suit is going to allow Concentric to get court permission to begin investigating the origin of the email.
The alleged fraud, perpetrated earlier this month, is similar to a scam America Online reported recently, in which members received email inviting them to visit a Web page that seemed to belong to AOL CEO Steve Case. A link on that site prompted users for billing information as well.
According to Kramer, the messages sent to Concentric customers originated at Juno, a free email provider. A Juno spokesman said the company pulled the account in question as soon as Concentric brought the matter to its attention. Because the service does not confirm the information provided by its users, tracking the identities of Juno subscribers may require extensive investigation.
Such sleuthing "is difficult but not impossible, and Concentric thinks that the protection of its subscribers justifies the expense," said Kramer, an attorney at Wilson Sonsini Goodrich & Rosati.
Julius Finkelstein, who heads up the high-tech division in the Santa Clara County district attorney's office in California, agreed that tracking down email forgers isn't always a wild goose chase.
"It is possible to do it," he said. "I can't say it can be done in 100 percent of the cases."
Eric Schlachter, an attorney specializing in Internet law, said the use of forged email to send scam messages is the No. 1 problem his ISP clients face.
"Forged headers are among the nastiest because you can't find the bad actors," said Schlachter, who is with the law firm Cooley Godward. "They're an immense problem with no good solution."
When email is forged, the information carried in the header of the message is tampered with to alter the sender's identity. The underpinnings of the Internet's address system can make such forgeries a snap.
Sophisticated users may know how to detect forged messages, but spammers and scammers have ways of maintaining their anonymity.
One potential problem comes when the ISP targeted by a scammer resides outside of the United States. Search warrants and subpoenas generally are binding only on business within U.S. borders.
Aside from the technical and legal difficulties of tracing scammers, there are other problems. For one, prosecutors are backlogged with cases as it is. Given the pervasive nature of forged email that may contain some element of fraud, law enforcement has to pick its battles.
"It takes something that is serious enough for people on a jury to perceive [the case] as criminal behavior," Finkelstein said. "There has to be some element of fraud and some effort of financial gain or harm."
Companies also are often reluctant to report such scams out of fear of bad publicity. While suing over forged email is nothing new, Concentric's suit appears to be the first time anyone has taken legal action over a piece of email that impersonates the employee of an ISP.
Concentric, CompuServe, and a handful of other service providers have stopped bulk email advertisers from forging their addresses when sending spam, leading one attorney to speculate that Concentric's suit will succeed.
"There are a few legal hurdles that [Concentric] has to jump through," said Robert Hamilton, an attorney who handled a forgery case for CompuServe. "But ISPs certainly have civil remedies."