June 26, 2003 4:00 AM PDT
Microsoft urged to fry its own spam
Read more about spam
In the most recent example, Microsoft Chairman Bill Gates sent a letter Tuesday to customers in which he explained some steps his company is taking to reduce spam. The letter came a day after The Wall Street Journal published an antispam column penned by Gates.
But some companies and organizations working to curb spam accuse Microsoft of grandstanding, saying that the Redmond, Wash., company has demonstrated a preference for splashy press events over difficult technology fixes or product sacrifices. These critics have seized on the company's own statements that it is focusing on reducing the amount of spam its users receive, rather than the spam its users and servers send.
"Microsoft is behind the times," said Laura Atkins, president of the SpamCon Foundation. "In general it's nice to see them finally catching up with everyone else--and they are working hard to rein in abuse--but they have to work a lot harder," Atkins said."Microsoft has its own spam problem."
Microsoft, however, rejects those contentions, citing recent projects and the long-term nature of any effective solution.
"Spam is a central issue for our customers and we are taking a multifaceted approach to address the problem," a Microsoft representative said. "We did not get here overnight. It will take time to see the impact of the efforts we are making across technology, legislation, enforcement and self-regulation."
In February, Microsoft announced a series of lawsuits against spammers. In March it imposed a 100-message cap on users of its free Hotmail e-mail service (the restriction does not apply to paid Hotmail accounts). In May, Microsoft unveiled more antispam features for Hotmail and its MSN online service and submitted to the U.S. Senate written testimony by Gates urging legal spam restrictions. And last week the company called an international press conference to publicize more suits against spammers.
Critics: Spam traced to Microsoft servers
But even such a busy antispam schedule has failed to convince Microsoft's critics that it is doing enough to help stem the spam tide.
Deficiencies in Microsoft's spam behavior range across a number of its divisions that offer e-mail services, according to Atkins and others. These include the company's small-business-oriented bCentral portal; MSN, which has its own e-mail service; and Hotmail, a separate, Web-based e-mail service that uses many of the same systems as MSN but operates under different rules.
Perhaps the loudest hue and cry against Microsoft emanates from some network administrators tracking the spam problem, who claim that a sizable chunk of the spam now clogging the Internet's arteries emanates from Microsoft's own servers.
These spam watchers complain that while Microsoft has implemented badly needed controls on Hotmail, such as technology designed to identify software robots and prevent them from registering for accounts, Microsoft has left loopholes large enough to run rivers of spam through the related MSN e-mail service.
"Hotmail has the combination of daily limits and having to prove you're human, which makes it not useful for sending spam," said John Levine, author of several computer technology books and a board member of the Coalition Against Unsolicited Commercial E-mail (CAUCE). "MSN has neither of those, so we're seeing a lot of spam."
MSN e-mail is available for a free two-month trial. As a result, Levine said, someone could use a purloined credit card number to open the account, send torrents of spam, and then cancel the account before the credit card is charged and subsequently determined to be stolen. That process could be repeated several times a day by a single person, he said.
Levine and others further isolate the MSN spam problem to a protocol that Microsoft uses to integrate its various e-mail services and e-mail management applications, including Outlook. Called WebDAV, the protocol lets people write their own interfaces to an e-mail system, and it is through this protocol that Levine believes spammers are jacking up MSN's spam output.
Methods of using WebDAV to send e-mail through Hotmail's servers--but without going through the Web site or Outlook--are well documented online.
"With the right tools, a smart network engineer would be able to see that almost all of the e-mail coming from the Hotmail/MSN servers that are used for WebDAV is spam," wrote one spam expert who requested anonymity. "We have seen direct evidence of this."
Worse, WebDAV critics say, the protocol makes it easy for spammers to alter their return addresses and other header information--a chronic headache for network administrators trying to identify spam and its origins.
"If you have a Hotmail or MSN account, when you set up your account in Outlook Express, you can set it up with any return address you want, and the Hotmail/MSN mail servers cheerfully send mail with any old return address you want," Levine said. "Hence the problem."
Microsoft: We're working on it
However, MSN has its own outbound e-mail limit, said Larry Grothaus, MSN's lead product manager, declining to disclose any details. He also contended that the credit card registration safeguarded MSN e-mail against unauthenticated abuse, and that the credit card system prevented serial registrations under the same card.
"We agree that it's a very large issue for the entire industry, so we're doing what we can on both the incoming and outgoing basis to help customers," Grothaus said. While not disputing the technical details of critics' WebDAV complaints, he called the notion that most of MSN's outbound DAV e-mail was spam "absolutely incorrect...a very far stretch."
The degree to which Microsoft is working on the outbound spam issue remains a matter of debate. In a May 29 interview published on the company's Web site, the general manager of Microsoft's antispam technology and strategy group, Ryan Hamlin, said the company had prioritized incoming spam over outbound spam.
"Outbound is something we're looking at," Hamlin said. "We've had conversations both in Hotmail and MSN, and I would say that it's not something that probably in the next couple of months you'll see us be super aggressive about, because we feel like solving the inbound problem is a much greater issue right now than solving the outbound problem."
The amount of incoming Hotmail spam dwarfed the amount of outbound Hotmail spam by about 10-to-1, Hamlin said.
"So we're going after the big fish first and solving the inbound problem and then absolutely we'll turn and start to address the outbound issue," he said.
That philosophy doesn't sit well with the SpamCon Foundation, which accuses Microsoft of failing to regulate spam sent by its own customers.
"BCentral.com sends a lot of mail that is not necessarily solicited, and often they continue to send it even after you've told them to stop," Atkins said. "The problem is that bCentral has a number of customers who send mail through them, but Microsoft doesn't police them at all. They don't take action against their customers."
Microsoft-owned bCentral sells software and services such as e-mail to small businesses. A representative declined to comment on the issue of spam from the service.
While network administrators complain about the volume of spam originating with Microsoft servers, at least one e-mail provider sounded a sympathetic note.
"We continually have to improve what we are doing on our side as well," said Josh Mailman, vice president of marketing for Everyone.net, which hosts free sponsored mail for 35,000 domains.
"People will try to exploit free Web mail even to the extent of hiring people to go through human interface test--which we all have--and then send spam out one by one. Think of spam sweat shops," Mailman said. "Providers like Hotmail, Yahoo, AOL and us have to continually improve and be vigilant to the threat and work to keep e-mail clean."