How Microsoft is losing the war on spam

Bill Gates said junk e-mail would be history by 2006. His prediction's being buried by an avalanche of Viagra ads and Rolex pitches -- and his company's policies are a big reason why.

Published January 19, 2005 8:30PM (EST)

It was one of those unscripted moments that Microsoft's public-relations handlers probably wish they could have back. Speaking at a January 2004 conference in Switzerland, Microsoft chairman Bill Gates boldly predicted that "spam will be solved" by 2006.

But with 346 days remaining on that prognostication, spam still comprises over 60 percent of e-mail traffic. Microsoft is now backpedaling on Gates' vision of a spam-free near future. A spokesperson said last week that the company's goal is to help "contain" the spam problem by 2006.

Yet, according to many experts, Microsoft remains as much the root of the spam problem as the key to solving it.

Most junk e-mail today emanates from Windows computers that spammers have hijacked and turned into spam "zombies" using security holes in Microsoft's operating system. What's more, Microsoft is blamed for wrecking efforts this past summer to create e-mail authentication standards. The company also stands accused of trying to neuter state anti-spam laws. And Microsoft has yet to win a lawsuit against a major spammer.

A P.R. representative from Microsoft stressed that "there is no silver bullet" and that "it will take a combination of advanced technology, industry cooperation, user education and enablement, effective legislation and targeted enforcement against illegal spammers to significantly reduce and solve" the problem of spam. But with its huge installed base, deep pockets, marketplace clout and technology prowess, Microsoft is in a unique position to eradicate junk e-mail.

If, that is, the company has the will to do so. Microsoft says that it is working on new technologies that will help reduce spam, and denies that it is in any way responsible for the floods of junk mail coursing across the Net. "Spammers cause spam," says Microsoft.

But a review of what Microsoft is actually doing suggests that the company isn't pursuing the problem as vigorously as it could. Before Microsoft can make good on Gates' prediction, experts say, it must first stop worrying about what's good for its business, and concentrate instead on what's best for the Internet as a whole.

To hide their tracks, spammers have always misappropriated the computers of innocent third parties. But the rise of Windows zombies is arguably the gravest problem facing spam opponents today. By one estimate, over 60 percent of junk e-mail now originates from home PCs that spammers have commandeered with the help of virus writers and hackers.

With an ever-growing arsenal of Windows zombies under their control, spammers can evade some spam filters, which have trouble keeping current lists of the addresses of known zombie systems. What's more, spammers have used their networks of zombied computers to launch denial-of-service attacks on sites operated by blacklist services and other anti-spam organizations.

Solve the Windows zombie problem, and you're well on the way to eliminating spam, say the experts. And who better to provide a solution than Microsoft, which created the problem in the first place by shipping buggy software?

Two weeks ago, Microsoft released a free tool for detecting and removing infections caused by a handful of Windows-based computer worms and viruses. But some security experts say the company still hasn't adequately addressed the underlying security vulnerabilities exploited by such malicious software.

"Microsoft needs to lock down Windows so that rogue programs can't convert PCs into zombies or hijack applications to do spamlike things," says Richard Forno, a security consultant and commentator.

Yet Microsoft effectively created a ghetto of potential spam zombies last year when it refused to allow users of pirated versions of Windows to install a significant security update known as Service Pack 2 (SP2).

According to John Levine, chairman of the Anti-Spam Research Group, Microsoft acts as if guarding its software against piracy is a more significant issue than protecting users of unpatched Windows systems against worms and hackers.

"Microsoft, of course, has no responsibility to people who've stolen their software, but the security holes don't affect the user of the infected computer as much as they do the zillion recipients of the spam and worms that it emits," says Levine.

Levine's recommendation: Microsoft should give away security upgrades to unauthorized users of Windows, even if doing so undercuts the firm's campaign against software piracy.

Deterring the creation of new spam zombies would be a huge victory, says Joe Stewart, a security researcher with Lurhq. But he believes Microsoft also ought to go even further and hunt down the hacker-spammers who use existing zombies.

To accomplish this, says Stewart, Microsoft should build a network of decoy zombies, with the aim of attracting the miscreants who scan the Internet for compromised computers and send spam through them.

"Feed [the information] to the legal team that sues spammers," says Stewart.

What of Microsoft's legal team? They've kept the company intact despite antitrust lawsuits. They've protected Microsoft's intellectual property with countless patents. They've helped convict software pirates around the globe.

So when will Microsoft's lawyers get a big court decision against a major junk e-mailer?

In recent years, Microsoft has filed scores of lawsuits against spammers large and small. But unlike competing Internet service providers America Online and Earthlink, Microsoft can't claim any big trophies yet.

The company's most high-profile lawsuit -- filed in December 2003 against Colorado bulk e-mailer Scott Richter -- is still pending. But that litigation is unlikely to bring the $18 million judgment Microsoft boasted it would seek. Last summer, New York Attorney General Eliot Spitzer settled a parallel lawsuit against Richter for the paltry sum of $50,000.

In August 2003, Microsoft found itself in the embarrassing position of having to apologize to a British man after erroneously suing him for spamming. In a statement, Microsoft said the case against Simon Grainger "illustrates the difficulties and hazards of investigating the clandestine activities of faceless individuals operating on the Internet."

Microsoft lobbed an innovative lawsuit last September at Levon Gillespie, the operator of a company that provides "bulletproof" Web site hosting services to spammers. Soon thereafter, Gillespie's site went offline, as did, his online marketplace for junk e-mailers. But earlier this month, Gillespie's sites returned, now located on servers in China. A Microsoft spokesperson reports that the lawsuit is still in the discovery stage.

Anti-spam legal efforts can get results without making headlines, says Matthew Prince, an adjunct professor of law at John Marshall Law School, and chief executive of Unspam. If nothing else, Microsoft can force spammers to run up big legal bills, thereby wrecking the economics of spamming, says Prince.

Spam opponents see other behind-the-scenes opportunities for Microsoft. The company could use its enormous marketplace clout to pressure the biggest suppliers of Web site hosting for spammers.

Steve Linford, operator of the Spamhaus spam-filtering and information clearinghouse, says Microsoft's Hotmail service could threaten to block e-mail from China unless the Chinese government pressures rogue ISPs there to stop providing havens for spam suppliers such as Gillespie.

"AOL gets an enormous amount done simply by telling other providers that they won't accept e-mail from their systems unless they clean up their networks. Microsoft most certainly could use Hotmail as leverage in this same way," says Linford.

Similarly, Microsoft could shame MCI Wholesale Network Services, which currently hosts around 200 spam gangs, according to Linford.

Microsoft's anti-spam initiatives may be hampered, however, by what Prince and other experts describe as the firm's split personality over junk e-mail. Microsoft's MSN and Hotmail services appear determined to run spammers off their networks on a rail. But the company's other business units want to preserve Microsoft's ability to use unsolicited e-mail in, for example, cross-marketing to existing customers.

"AOL has a much clearer sense that spam is a problem that's unacceptable, and they are willing to go to the mat to solve it, whereas Microsoft is definitely of two minds on the subject," says Prince.

So even while Microsoft is an "impressive partner" in some anti-spam enforcements, according to Paula Selis, senior counsel for the Washington state attorney general's office, at the same time the company has lobbied for weaker versions of federal and state spam laws.

"It's struck me that sometimes their agenda is a little mixed," says Selis.

State lawmakers have publicly criticized Microsoft's aggressive lobbying against stringent anti-spam laws. After the company helped to defeat a do-not-spam registry proposal in Michigan, some legislators began referring to Microsoft as the "axis of inertia" in the press.

Microsoft's conflicted spam priorities are also blamed for a recent breakdown in setting e-mail authentication standards. Last summer, an international working group was close to hammering out a standard based on Microsoft technology, which would help in the battle against spam, viruses and other e-mail abuse.

But the working group hit a roadblock when Microsoft revealed that it had applied to patent its authentication technology, known as Sender ID. Some working-group participants balked at the idea of Microsoft's patent lawyers controlling an industry standard.

Levine says Microsoft could have offered a license that satisfied the open-source community without compromising its intellectual property protections. But the company made no such concession.

"Their best offer was a license that gives them the option to pull the rug out at any time, with vague assurances that they wouldn't do that," says Levine. As a result, the working group was disbanded in September without reaching an agreement.

Using its proprietary SmartScreen filtering technology, Microsoft's Hotmail service has made great progress in shielding users from spam. Indeed, Microsoft's best hope of defeating spam by 2006 may be within its own networks, if not the Internet at large, says Prince.

That's a long way to come for a service that, four years ago, was blacklisted by the Mail Abuse Prevention System for improperly securing its servers against spammers.

But recent organizational moves suggest Microsoft's priorities may have shifted away from a single-minded commitment to fighting unsolicited commercial e-mail.

The Microsoft Anti-Spam Technology and Strategy Group, created in 2002, was recently renamed the Safety Technology and Strategy Group. According to a Microsoft spokesperson, the company changed the name as a result of its taking a new view of spam as part of a broader problem of online safety that includes "phishing" attacks.

"To beat spammers, you've got to be unrelenting, and chase them 24 hours a day, 365 days a year," says Prince. He worries that Microsoft's broader focus might divert the company's attention from that task.

For Microsoft to play a leading role in solving the spam problem, it must ultimately rein in its own marketing for the sake of being a good netizen, says Levine.

"Compared to other big companies, Microsoft's anti-spam activities look far more to be shaped by their business interests. The other big players are doing things that are certainly good for themselves, but they're also good for the Internet community as a whole," says Levine.

Regardless of whether Microsoft makes such a commitment, Stewart puts the probability of a spam-free Internet by 2006 next to zero.

"The spammers are making big money at this game right now. There's no way they're just going to stop and say, 'Gee, Microsoft has introduced the final, ultimate solution to stop spam. Guess we should give up now.'"

By Brian McWilliams

Brian McWilliams is a freelance business and technology reporter based in Durham, NH.

MORE FROM Brian McWilliams

Related Topics ------------------------------------------