Junk mail from MS: whose spam is it anyway?
Why it keeps coming
Special report
"Spammers are thieves... They're hijacking your system to deliver their unrequested, unwanted advertising," says a new Microsoft web site paper by R'ykandar Korra'ti. But Microsoft is on shaky ground when it comes to spam - in recent newsgroup postings the company's own abuse manager Mike Lyman has effectively been conceding that Microsoft sends out unwelcome, unsolicited mail, and that company staff are unwilling and unable to do much about it.
Microsoft's anti-spam stance is being undermined by a combination of faulty software systems, bureaucracy and incompetence. Lyman means well, but getting Microsoft to deliver a service that comes close to Korra'ti's objectives seems to be like trying to push water uphill. This isn't helped by the greed factor operating on top of the other problems.
According to Korra'ti, "The allegedly 'legitimate' spammers... don't hide where their mail is coming from, and at least they pretend to offer a way off their lists." As far as quite a few users are concerned, that makes Microsoft a "legitimate spammer".
Several mailing lists and newsgroups are currently discussing complaints about Microsoft and spam, and there have been several clear instances where the company has been at fault, and where this has been conceded by Lyman. One of the problems, he admits, is a "tainted" database that isn't being fixed, and is still being used. He also concedes that at least one mailing wasn't justified, that some Microsoft staff aren't acting according to official company policy when it comes to unsolicited mail, and that the company is currently far more concerned with privacy, and is therefore putting too few resources into cleaning up its own act on spam.
The database problems often make it difficult for people to get off the mailing list, which they could well have been put onto without their agreement. This is by no means unusual in the industry, but Microsoft continues to add people to its list, to use databases that haven't been properly cleaned up, and to transfer mailing lists to third parties without the knowledge or permission of the people listed.
The emailing that caused most ire was one about Microsoft's plans for Y2K (two copies of this one just this morning - Ed), but other smaller volume efforts continue. Some people also claim that visitors to Microsoft sites may find themselves getting unrequested newsletters. And last week Microsoft is said to have mailed MCSE training course attendees who had specifically checked the 'no publicity' box.
When Microsoft sold Sidewalk to Citysearch, it seems to have sold its database without deleting those who had asked to be removed but at the time were possibly only flagged for removal. To their annoyance, they then started hearing from Sidewalk: "Since you previously registered with Sidewalk, we thought you would like to know..."
Unsolicited email from Microsoft may say that the email is being sent to "preferred members," but recipients frequently deny that they have ever knowingly become a "member" of any Microsoft list. It can however be very difficult not to wind up on one or more Microsoft lists, via registration of OS or applications, or through the (largely compulsory) registration procedure for the Windows Update or Office Update services. Microsoft inevitably gets its hands on details of a very large proportion of PC users, and it therefore has a duty to be serious, consistent and responsible in the way it handles this data. But on the contrary, from what Lyman concedes it would seem Microsoft is inconsistent, irresponsible, and cavalier.
Lyman admits that all is not well with Microsoft databases. He said in a newsgroup posting that "the data base was tainted and the mailing wasn't justified". But he seems to have little power to influence change at Microsoft, where the current concern at the group where he reports is privacy rather than spamming. He is unable personally to get at the faulty database, and in effect blames Microsoft's impenetrable bureaucracy. When challenged about unplugging the offending servers, he wrote: "Physical ability does not equal authority".
There are many examples of users taking all possible steps to get removed, and finding it impossible. People were "working to fix their messes," Lyman said, but even a threat to divert a $50,000 budget to non-Microsoft products was only likely "to impact the local [Microsoft] weenie more than the guys at corp HQ who did the spamming."
He was also brutally frank about what happens when email is sent to addresses like firstname.lastname@example.org: "you're probably hitting some little peon in the organisation who has zero say in how things are run. ... By the time the stuff gets to those who are the decision makers it's probably been boiled down to numbers and stats with maybe a few samples of the complaints. '600,000 messages went out, 100 complaints came back, hmm, must be doing a pretty good job.'"
Lyman notes that most Microsoft marketing people don't have Internet experience, and so fail to grasp the implications of what they're doing. As far as they're concerned what the recipients regard as unsolicited spam are "informative announcements". Lyman says: "The one thing that's kept my frustration over the pace of things at Microsoft from completely boiling over is I deal with the same people for privacy issues as I do with spamming issues. They've been very focussed on piracy and frankly I'd rather have them focussed on privacy."
One of the greatest fears for spammers (at least the "legitimate" spammers who can be tracked and pilloried) is being black-listed by the Mail Abuse Protection System (MAPS) founded by Paul Vixie in 1997. MAPS has developed a Real-Time Black Hole List (RBL) used by some 300 licensed subscribing ISPs (numbers have doubled each year, so far) to block spam. Nick Nicholas, the front man for MAPS, said there were 12 complete nominations to list Microsoft, and many incomplete ones, when the issue of black-listing Microsoft was raised. Lyman thinks that MAPS is trying to become an "anti-spamming version of TRUSTe" but is doing it from outside the corporate world. This is true, and for the moment at least, MAPS does not enjoy too much major league support. MAPS admits it has made mistakes in its blacklists in the past.
There were rumblings that Microsoft might sue MAPS if Microsoft was placed on the RBL list (Lyman ominously mentioned that "deep pockets usually win"), but Microsoft recently concluded a deal with MAPS to use the product in Hotmail to cut down on spam, making any legal action much less likely. Ironically, Hotmail itself has taken legal action against what it regards as the abuse of Hotmail.
Lyman claims that Microsoft has scheduled improving the database, but has no timing as to when this will happen. He noted that he took a firm line with Microsoft and has overcome a view that persisted at Microsoft that people who complained had forgotten they had registered to receive spam. In one message Lyman said of old requests to be removed "the database purge should clear them out", but it would be impossible to find any culprits for previous abuses on the Microsoft staff. But "if the harvested stuff is recent ["last year or so"], there's a major problem with policy violation and heads need to roll." So anybody getting junk mail from Microsoft to an email address first used in the last year should take up Lyman's offer to sort the matter out and contact him at email@example.com. He noted: "I hope other companies avoid the mistakes our folks made and go straight for the confirmed subscriptions up front. It'll save them lots of pain."
Lyman appears to be a Microsoft person who is actually trying to sort out the spamming situation, but with little or no help. And there are those who say that the anti-spamming cure by the net cops is worse than the disease. In Congress recently Rep Heather Wilson told a hearing that banning all spam "may be unconstitutional because it would ban unsolicited mail that people do not mind receiving - or even want to receive..."
There is a way to block Microsoft spam for MS Exchange users who use Exchange to provide SMTP services, and it's described at info.edu/Techdir/relaying-exchange.html. There are also spam filter packages such as SLMail, MailShield, N-Plex, the Isode Message Switch, VOPmail, and WorldSecureMail.
In view of what Lyman says, a column "written" by Bill Gates on the subject of spam last year has a certain piquancy: "My company is among many that offer regular emailings to customers and potential customers. But we only send email to people who have requested it, and we have easy ways for people to remove themselves from the mailing list." This is clearly untrue. Gates then described spam: "Sometimes spam includes a purported way for you to remove yourself from the mailing list, but it often doesn't work. In fact, making the request may do nothing more than prove to the spammer that your e-mail address is valid - prompting more mailings." Ahem.
Gastronomic note: Spam stands for spiced ham, and is a trademark of Hormel Foods' tinned luncheon meat, first introduced in 1937. For this reason, spam is often referred to as unsolicited commercial email (UCE). There is also a spam fan club. ®