
Corporate sneakiness. Government waste. Technology run amok. Outright scams. Our effort to unmask these 21st Century headaches and offer solutions that save you time and money.

  • 9 Jun 2009, 11:00am, EDT

    Bank says its e-mail too important to be spam

    Kevin, a 40-year-old from Sacramento, Calif., likes to keep a tidy inbox. He's very deliberate about removing himself from mailing lists and anything else that might clog up his e-mail.  So recently, when he received a marketing pitch from his credit card company, Capital One, he quickly asked to be removed from its list. The response he got surprised him.

    "We bring these offers to customers as part of our customer agreement and therefore do not provide a means to prevent this valuable information from reaching them," the firm responded. 

    In other words: "No."


    Kevin, who requested that we withhold his last name for privacy reasons, was surprised and disappointed by the rejection.

    "They seem to be reserving the right to waste money by annoying me ... while my feelings about opting out make clear that I am not a valuable target of their marketing," he said.

    Because Capital One has an established business relationship with Kevin, it has the right to contact him via e-mail under the terms of the CAN-SPAM Act.

    And the e-mail Kevin received wasn't a marketing notice, but rather "account management communication," the firm says.  That's why Kevin can't remove himself from the list for future e-mails.

    "Customers can opt out of marketing e-mails ... but cannot opt out of account management communications, such as statement notifications, rewards information," and similar notices, said Capital One spokeswoman Pam Girardo. "This is stated in the privacy notice sent to all customers annually."

    Few would argue that credit card firms have the right to e-mail account statements or other notices to customers.  But the e-mail to which Kevin objected strains the definition of "account communications."

    The e-mail offered Kevin a chance to transfer balances to his Capital One card at a teaser rate of zero percent for 12 months.  At the bottom of the e-mail, the firm stakes its claim that the notice isn't spam.

    "This e-mail was sent to (you) and contains information directly related to your account with us," it says.

    When asked to clarify the company's position, Girardo said the balance transfer notice was a service "directly related to his account."  Notices about rewards offers would also be permitted, she argued, because they involve "a key feature of a credit card." Customers like Kevin wouldn't receive offers from other Capital One units, such as the auto finance business, however.

    Clearly, one person's account communication is another's unwanted marketing pitch.

    "When my back is turned..."
    Kevin also objected to Capital One's snail mail marketing and received a similar rejection letter -- and more of those "convenience checks" designed to entice balance transfers. Many credit card consumers have trouble warding off those checks, which are notorious tools for identity thieves.  It's relatively easy for criminals to steal them and cash them, leaving the account holder to explain their way out of the fraudulent charges.

    In fact, from a personal security standpoint, e-mail balance transfer pitches are probably much safer than snail mail convenience checks. On the other hand, given the continued prevalence of phishing spam, e-mail pitches from banks create their own problems.  It's not hard for a criminal to imitate the Capital One pitch Kevin received and link the e-mail to a rogue site that steals personal information.

    Capital One is hardly alone in e-mailing balance transfer pitches and other offers to credit card customers. The Web site NetBanker.com, which covers the online banking industry, has examples of such pitches dating back to 2005.

    "I can see both sides," said Jim Bruene, NetBanker editor and founder. "But balance transfer offers are clearly marketing, so I would think it would be Cap One's best interest to allow customers to opt out of just that. Some people get pretty upset about what they perceive as spam."

    That was Kevin's reaction.  His main reason for maintaining his Capital One card was that the firm doesn't charge foreign transaction fees.  But he's already found an alternative and is dumping Capital One.

    "It's not the time it takes to delete the spam or shred the checks, which is minimal," he said. "It's that I make my life simple by dealing with companies that I trust to look out for my interests when my back is turned. While this is a little decision on Capital One's part, it does indicate how they think about me as a customer."

  • 13 Aug 2008, 4:55pm, EDT

    Spam campaigns target msnbc.com, CNN

    By Bob Sullivan, Columnist, NBC News

    Spammers have upped the ante in their efforts to trick news consumers, switching from e-mails with tabloid-style headlines to impersonating major online news services. On Wednesday, e-mails that appeared to be from msnbc.com landed in inboxes worldwide, promising breaking news and confusing some recipients.

    The spam unleashed Wednesday follows a massive campaign last week in which spammers impersonated CNN.com. That campaign saw 250 million spam messages sent in one intense 24-hour period, according to spam-fighting firm MX Logic Inc. Those e-mails appeared to include links to CNN's top 10 stories, but Internet users who were tricked into clicking on those links were sent instead to Web sites overseas that were booby-trapped with malicious software.


    Recipients should immediately delete any unexpected e-mails purportedly from CNN, msnbc.com or any other firm that they haven't done business with and authorized to contact them.

    Users who open the fake CNN or msnbc.com e-mails and click on a link are in for a bad day if they fall for the ruse. Those who do are sent to Web sites that attempt to trick them into downloading what is described as a video player plug-in. Instead, the malicious software will infect the user's computer, ultimately giving hackers complete control over the machine. Infected computers are then used to send out even more spam.

    "This new tactic is likely to be more successful than recent 'single-line spam' campaigns because it looks like a legitimate e-mail news update," said Sam Masiello, director of threat management at MX Logic.

    After the initial top 10 headline spam, the campaign morphed into more focused e-mails purporting to come from "CNN Alerts," which included links to what appeared to be a single news story -- with an actual headline lifted from the news site -- but was actually a booby-trapped link. In one such e-mail reviewed by msnbc.com, the e-mail was sent from a domain in Australia, and the links took clickers back to Australian Web sites.

    MX Logic says it captured 850 million CNN spam messages since Aug. 4, and that the volume has steadily increased, suggesting that recipients have fallen for the ploy and their infected computers have been used to send out even more spam.

    So far, MX Logic says, it's catching about 2 million msnbc.com spam messages per hour, but the rate is steadily increasing. Security firm Sophos said the msnbc.com spam spiked at one point on Wednesday morning and equaled the total amount of all other spam the firm was trapping.

    The first msnbc.com spam was sent around 4 a.m. ET, MX Logic said.

    Masiello said he believes the same criminal gang is responsible for both the CNN and the msnbc.com spam campaigns.

    One of the msnbc.com spam messages, with the subject line "BREAKING NEWS: Americans love law suits for breakfast," appeared to come from a computer in Spain. The realistic-looking e-mail includes some actual links to msnbc.com in an attempt to confuse the recipient.


    Spammers have impersonated major Internet sites -- including news sites -- for years. In 2006, a widespread spam campaign impersonated the BBC Web site, promising news about Russian president Vladimir Putin.

    It's unclear why there's a sudden surge of fake news spam, but security firm MessageLabs speculates that it's related to a cat-and-mouse game currently being played out between spammers and security companies. Most spam is sent out from hijacked computers known as "bots" that are connected in large networks called "botnets."

    The largest is called the "Storm" botnet, created by a virus known as the Storm worm. Recently, researchers enjoyed a small victory against the worm, and shrank the size of the botnet by about two-thirds, said MessageLabs' Paul Wood. The aggressive news headline campaign is an attempt to reconstitute the network, he said.

    "They are trying to do something to regain their power," Wood said.

    RED TAPE WRESTLING TIPS
    Spam campaigns like these are a real headache for companies that want to maintain e-mail relationships with their customers, as there are no foolproof tools for helping consumers tell real corporate e-mails from fake messages. Msnbc.com, CNN, and most news outlets maintain newsletters that readers use to receive timely bulletins. Such services are threatened by the widespread spam campaigns, which inevitably prompt IT departments to advise users to aggressively delete all e-mails that aren't personal.

    The best advice: Think before you click. If you have any doubts at all about an e-mail, simply delete it. Also, keep track of your e-mail subscriptions and know when messages are expected to arrive.

    Persistent internet users can check e-mail headers for signs that a message is suspicious, but that can require moderately advanced computer skills. Microsoft Outlook users can do this by right-clicking on an e-mail in inbox view, and then selecting "Message Options."

    E-mail readers can also, in most cases, hover over a link before they click and see a pop-up showing where they will be directed if they click. If the link doesn't match the written link, that's a good reason to question its legitimacy, but it's not foolproof. Also, if you try this method, be careful not to accidentally click your mouse.

    "Of course we all know that spam exists, but we certainly don't like it to invoke the brand name that is so meaningful to us and our readers," said Catherine Captain, vice president of marketing for msnbc.com. "We send out hundreds of thousands of legitimate email newsletters requested by our consumers every week. The key is not falling for the trickery of spammers and being able to discern what is real and what is fake."

    CNN.com spokeswoman Jennifer Martin said that the company received phone calls and e-mails from viewers and users who received the fake e-mails and posted a notice on its Web site on Friday warning customers not to be fooled.

  • 15 Jul 2008, 8:00am, EDT

    ‘Tabloid’ spam is worm’s newest turn

    No, presidential candidate Barack Obama was not found dead in a "shock accident." John McCain was not "found unconscious in a toilet." Will Smith wasn't "found dead in bathtub" either. And Britney Spears has not broken her arm in a "freak poolside accident."

    The truth is quite a bit more subtle. A Microsoft security upgrade in April largely dismantled a network of hijacked computers used by criminals to send spam, and the hackers are desperately trying to rebuild it. To entice users to click on the links that will infect their computers with the notorious Storm worm, they have dispatched an avalanche of e-mail with fantastic news headlines in recent weeks. The average Net user is getting about 60 of the phony news bulletins per day, says the security firm MessageLabs.


    Here's a sampling of subject lines:
    "Bill Clinton in today's Times - thank god Hilary didn't beat Obama."
    "Beijing Olympics canceled upon the death of China's president."
    "Obama bows out of presidential race."
    "Scandal rocks Obama as lurid sex video leaked?"
    "Dog digs grave for owner."

    And perhaps the most fantastic of all,
    "Oil falls below $100 a barrel."

    No, spammers haven't hired a bunch of former supermarket tabloid writers. They're just doing what they do best – exploiting human nature.

    The Storm worm is the Internet's version of Broadway's "Phantom of the Opera" -- the longest running hit show around. Storm first appeared in January 2007, teasing users with a headline about deadly storms that hit Europe -- "230 dead as storm batters Europe," it said, offering a link to a full story. Clickers found themselves infected with the Storm worm.

    Storm was an immediate hit for the hackers, who managed to trick hundreds of thousands of recipients into clicking on the booby-trapped link. That enabled them to build an enormous network of hijacked computers, called a botnet, which they use to send out more spam or commit other Internet crimes.

    There have been hundreds of Storm variants since the first one, sent by a loosely affiliated gang of computer criminals. Some estimates say that up to 10 million PCs have been infected with Storm at one time or another.

    But in April, Microsoft updated its malicious software removal tool, much to the chagrin of the hackers. About four-fifths of the vast Storm network was cut off, said Paul Wood, a security researcher at MessageLabs.

    "That really cut into (the hackers') business model," Wood said. "So they are trying to do something to regain their power."

    That something is a huge spam campaign with over-the-top subject lines, all designed to be an irresistible click to recipients. Storm has always relied on fake news to entice e-mail recipients, but this latest surge is so creative it would be amusing if the e-mails didn't pack a very serious punch.

    Storm's creators are believed to be in Russia, but it's obvious from the headlines that they have a solid understanding of U.S. culture.
    "Oprah Winfrey survives horror highway crash."
    "Michael Jordan confesses to relationship with Madonna a decade ago."
    "Martha Stewart found unconscious in home."
    "Obama challenges McCain to a marathon race to see who is fit as the commander-in-chief for USA."
    "Scientists estimate oil to run out earlier than expected in 2012."
    "Lindsay Lohan crashes brand new Lamborghini."




    Obviously, the strategy works -- or the spammers would have moved on to something else, says Dylan Morss, manager of business intelligence at Symantec.

    "This is a tried and true social engineering tactic," Morss said. "These are almost incredulous headlines, but you kind of want to look. They are going for a common human vice here." Symantec says it has blocked 200 million of these spam messages since April.

    Users who click on the link in the body of the e-mail are sometimes sent to a harmless-looking herbal supplement page hawking body part enhancement. Others are sent to a pornographic video Web site that imitates YouTube, and told they must install a plug-in to view the videos.

    Agreeing to download any software from porn sites is a recipe for certain Web disaster. But even the supplement sites can be laced with malicious software, Wood says.

    To stay safe, never click on a link in an e-mail, even if a subject line about presidential candidates or Hollywood stars piques your interest. Instead, fire up your Web browser and go to a major news site like msnbc.com to check it out. If John McCain really has challenged Barack Obama to a duel in Weehawken, N.J., I promise our politics section will have the story. And if Madonna is linked to any other famous athlete, Courtney Hazlett and Scoop will be all over it.

  • 22 Apr 2008, 8:00am, EDT

    9 a.m.: Don't forget to read annoying spam!

    By Bob Sullivan, Columnist, NBC News

    Thank goodness the reminder popped up at 9:15 a.m., just a few minutes before my "meeting." Otherwise, I might have forgotten to claim my winnings.

    "[Invitation] CLAIM PRIZE," the meeting reminder said. And when I opened the appointment, I was reminded of my good fortune. "Attn: Winner, We wish to congratulate you over your email success in our AMSTEL LOTTO balloting. ... You have been approve for the star prize of Euro 750,000."

    I've received several such meeting invitations in recent days, and so have e-mail users across the Internet. Combine two of your least-favorite things -- unwanted meeting invitations and spam -- and you've got a major new Net nuisance. Computer security folks have taken to calling it "calendar spam."


    Calendar spam arrives like any other spam – as an unwanted e-mail. But here's the problem: it also shows up as a meeting. That means the time specified on the spam will be blocked off on your online calendar, triggering an annoying reminder at the appointed hour. If you're a spammer, that's a major upgrade over your usual silent forays into consumers' junk mail folders.

    Making matters worse, ignoring calendar spam doesn't make it go away. Because of the way Microsoft Outlook and Google calendars work, unanswered calendar spam will usually shove its way onto your calendar.

    [Image: Calendar spam in your inbox.]

    While the technique first appeared about a year ago, it didn't become commonplace until a couple of weeks ago. Now, in the words of MessageLabs researcher Alex Shipp, "We are seeing these by the truck load."

    That means if you haven't seen them yet, you will.

    So far, the messages aren't dangerous -- simply the usual fare featuring invitations to get burned in a Nigerian scam, announcements of fake lottery winnings and the like. While the spam I've received only hits Microsoft and Google calendars, other users report that their Yahoo calendars also have been attacked.

    The spam is particularly effective because of the way scheduling software works. It's designed to give other people access to your schedule. When recipients get an invitation to a meeting, the time is immediately blocked out while the system waits for an answer. That makes sense from an organizational perspective, to avoid overlapping meeting invitations. If the meeting request is simply ignored, the time is still listed as tentative.

    "It's by design," said David Cowings, a researcher at Symantec Corp. "Anything that's not in the deleted folder shows up as an unaccepted meeting."

    An unwelcome reminder

    Cowings said there's been a sharp increase in calendar spam complaints in recent weeks, but there's no sign of a massive outbreak. He's concerned, however, that the technique could catch on. "It has potential," he said. "It's so effective because of the widespread use of Microsoft Exchange."

    He's also concerned that new versions of the spam could include malicious payloads such as computer viruses.

    RED TAPE WRESTLING TIPS
    Coming up with generic advice for handling calendar spam isn't easy. Google has posted specific instructions for changing the way its software handles unaccepted invitations, which helps.

    Microsoft Outlook users have several options, but none are ideal. There are instructions on Microsoft's site for turning off automatic acceptance of meeting requests, but that doesn't keep spam invitations off the calendar as "tentative" meetings.

    A better method, says Cowings, is to have your Outlook Exchange administrator set up filters to turn away all meeting invitations that come from outside your domain.

    In the meantime, the best advice is to ignore the invitation e-mail and delete the meeting if it shows up on your calendar. Deleting the invitation e-mail without opening it should work in most cases. You might be inclined to open the invitation and decline the meeting, but that's a no-no -- it's never a good idea to open anything unexpected from a stranger.
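
Cowings' suggestion of turning away meeting invitations that come from outside your domain, sketched as mail-filter logic. This is an added example, not code from the column, Symantec or Microsoft Exchange; the domain `corp.example`, the function names and the sample messages are assumptions constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumption: the organisation's own mail domain(s).
INTERNAL_DOMAINS = {"corp.example"}


def build(sender, content_type, body):
    """Assemble a constructed single-part test message."""
    headers = [
        f"From: {sender}",
        "To: user@corp.example",
        "Subject: constructed sample",
        "MIME-Version: 1.0",
        f"Content-Type: {content_type}",
    ]
    return "\n".join(headers) + "\n\n" + body


# Constructed iCalendar body of the kind a meeting invitation carries.
INVITE = (
    "BEGIN:VCALENDAR\nMETHOD:REQUEST\nBEGIN:VEVENT\n"
    "SUMMARY:CLAIM PRIZE\nEND:VEVENT\nEND:VCALENDAR\n"
)

EXTERNAL_INVITE = build("Lotto <winner@lotto.example>", "text/calendar; method=REQUEST", INVITE)
EXTERNAL_INVITE_NO_PARAM = build("Lotto <winner@lotto.example>", "text/calendar", INVITE)
INTERNAL_INVITE = build("Colleague <pat@corp.example>", "text/calendar; method=REQUEST", INVITE)
EXTERNAL_MAIL = build("Friend <kim@lotto.example>", "text/plain", "See you at lunch.\n")


def is_meeting_request(msg):
    """True if any MIME part is a calendar object asking for a meeting."""
    for part in msg.walk():
        if part.get_content_type() != "text/calendar":
            continue
        method = str(part.get_param("method") or "").upper()
        body = part.get_payload(decode=True) or b""
        # The method may be declared in the Content-Type header, in the
        # calendar body, or both; accept either.
        if method == "REQUEST" or b"METHOD:REQUEST" in body.upper():
            return True
    return False


def verdict(raw, internal=INTERNAL_DOMAINS):
    """Return 'reject' for meeting requests from outside the domain."""
    msg = message_from_string(raw)
    if not is_meeting_request(msg):
        return "deliver"  # ordinary mail is left to the normal spam filter
    # The From header can be forged; a real gateway would decide on the
    # authenticated sending domain rather than this header alone.
    _, address = parseaddr(msg.get("From", ""))
    domain = address.rpartition("@")[2].lower()
    return "deliver" if domain in internal else "reject"


if __name__ == "__main__":
    for name in ("EXTERNAL_INVITE", "INTERNAL_INVITE", "EXTERNAL_MAIL"):
        print(name, "->", verdict(globals()[name]))
```
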



Bob Sullivan, Columnist, NBC News

I'm a reporter for msnbc.com and I try to write stories that make the world a little bit more fair. My blog, The Red Tape Chronicles, is among the most popular consumer affairs columns on the Web. My recent book, Gotcha Capitalism, was a New York Times best seller. Since 1995, I've written about the troubles created for consumers by both technology, covering topics like privacy, identity theft, computer viruses and hackers.

© 2013 NBCNews.com