Original URL: https://www.theregister.com/2007/06/15/spam_nothotmail/

Why is Hotmail so bad at spam?

Tell me why, I don't like Hotmail...

By Guy Kewney

Posted in Channel, 15th June 2007 12:46 GMT

Column I'm trying very hard to be sympathetic towards Hotmail, and I'm failing, badly.

It's not the Microsoft connection that makes me fed up, it's just Hotmail.

Here's today's inbox:

From my contacts: 2 (2)
Marquita@viagra.com RE: Online Canadian Pharma...
admin@speedtrader.co... RE: Daily News

If you believe I have a contact called Marquita at viagra dot com, you're mad. I can't think of a single email provider who would not intercept ANY mail from that address and shoot it on sight. Letting the mail through is a trivial blunder, however, compared with allowing such a person to claim "contact status" with me.

A list of contacts in Hotmail is a list of people you acknowledge as contacts. Not just someone who writes an email saying "I'm a contact!" in a bright cheerful voice, but someone whose credentials have been checked and validated by you.

In my inbox are some choice emails. One is from GIRLS WANNABE <girslwannaotjllluv288@yahoo.com>

Yes, Girls Wannabe - not in any way an unlikely name for a legitimate email sender, you're bound to agree? An offer of a Spanish camp for adolescents. All looks pretty innocent...I'm not going there to find out whether it is.

I have a letter from <admin@newloto.com> which may well be information about my recent enrichment. One more lottery win. I wouldn't know where to put the money if they were all legitimate.

Again, you'd think any spam service worth a damn would choke straight away on the word "loto" before it spotted the content. You'd certainly think it would recognise the content, because it's perfectly obvious that this was not sent just to me personally, but to a million recipients.

Then there's the message which begins: "gu?i quy?t d?nh vi?c n?m b?t hay không co h?i dó là tu?i tr? chúng ta. Thang giá tr? s?ng b? d?o l?n thì chúng ta ph?i l?p l?i. Khi phong bì tràn ng?p công s?, d? b? vào c? gi?ng du?ng và b?nh vi?n, thì l?p tr? chúng ta cùng si?t tay, d?n du?i t? n?n d?n t?n cùng."

It rather goes downhill from there, but again, any ordinary human would be able to detect this as spam, and an email provider as big as Microsoft Hotmail really ought not to have problems with it.

Hotmail also failed to recognise a known spam service provider, Lemuel Q Turner <ClevelandLidia@aera.net> who offered me marketing services to the US medical community, with a couple of sample deals:

Physicians: 700 thousand doctors in the US. Data is provided in Excel format and sortable by state or specialty. Over a dozen different fields and more than 30 specialties. Individual Cost: $349

Hospital Admins: 23 thousand in all with data for the CEO, CFO, CIO, COO and more Individual Cost: $220

Again, you can't believe that a functioning spam filter would let this junk through. But it did.

OK, you'll have got the message. It's clear that Hotmail is doing its duty to deliver emails to people, if there's any possibility at all that they might be legitimate. It's taking the view that if it filters too strictly, people will get on its case for filtering out legitimate business communications, and setting its target high enough that only the most obvious spam will get trapped.

A nice theory, that is completely blown out of the water by web expert Dominic Ryan at IIS Aid, who set up a test of popular emails.

It turns out that this chap can send email to all of the top ten mail providers - except to Hotmail where (he was told by Hotmail staff) "SmartScreen technology had identified email coming from my domain as being spam and had blocked my email server IP".

As he remarked, this is a symptom of a spam filter that simply doesn't work. If you can detect spam, you don't have to block entire domains: "Even if I was sending spam, somehow blacklisting the IP regardless of what other domains are sending email through that server does not seem especially 'smart' to me." Me neither.

Well, he wanted to fix it. Hotmail support "would not tell me why my domain was being flagged for spam, and when asked what the possible solutions were I was told I could sign up for 3rd party accreditation through Sender Score Certified (at a cost of $400USD start up, and $1000USD each year) who maintain the only whitelist service Hotmail use, and was also advised I could try tightening my SPF policy. Just to be especially vague, the footer on the email also stated that there were no guarantees that any of the solutions offered would work. Great!"

So he tightened up his SPF policy, only to find that Hotmail still wouldn't let legitimate mail through: "I came across this on openspf which pointed out that, in fact, the SenderID technology which Microsoft had championed (and Hotmail use) as another anti spam technology was in fact highly incompatible with SPF policies. Microsoft was apparently even made aware of this prior to the final release, but did not do anything to correct it - despite there being hundreds of thousands of domains with active SPF policies in effect at the time."

That much is old news. Since then, Dominic Ryan has gone sniffing into another possible area: what email client are you using to send mail? Here's what he found out:

"I started playing around with clients rather than concentrating on server setup, and I've had some interesting results. I can send to Hotmail without a problem using Outlook 2003, but no cigar with Mozilla Thunderbird. I think that this suggests that the headers the email clients add to an email also play a crucial role in determining if the mail gets through or not. This is BAD news because as a system admin there is generally very little you can do about this."

And he promises to keep testing. But (as several visitors to his site remarked) the overall impression is pretty stark: "It's more about getting subscriptions, than sending email."

You do have to ask if Microsoft really wants to be in the mainstream mail business. I keep a Hotmail account going simply in order to have a Passport - and, of course, to keep track of Hotmail. Twice now, I've come back to the office after a break to discover that I didn't check my Hotmail account for a couple of weeks before going on holiday, nor on holiday, nor for a couple of weeks after getting back. And as a result, Hotmail has quite simply deleted all my mails, settings, and data. You can re-validate (start from scratch) or pay.

By contrast, I have a Gmail account which I use two or three times every few months. It ticks along like a reliable Grandfather clock. Easy choice.

The reason I'm really trying to like Hotmail is that ultimately I do think the solution to spam is, quite simply, to make people pay to send mail. The more you send, the more you pay. Microsoft's Penny Black scheme came to nothing because of political questions about "if everybody pays a cent per mail, doesn't that impose an unfair burden on people in the Philippines?" - which it does. And SpamDon'tBuyIt, going nowhere two years ago, is still as naive as ever in today's world where spammers aren't actually trying to sell things, but to phish and to pharm and to load Trojans.

It would be lovely to imagine that Hotmail's plan is to make free email too awful to tolerate, forcing us to go with Penny Black or some other "friction generation" system. Actually, it would be lovely to imagine that even that would work. It won't.

But the evidence is that Microsoft's top brass didn't see email as an important part of the main feature. For the past five years, Microsoft has had two obsessions - XML and DRM; and when those are working OK, then developer tools. And an email service simply doesn't play any part in either of those obsessions, or in advancing the developer business.

Sadly, my conclusion is that Hotmail is nothing more than the runt of the litter. If it can make itself work, fine - if it can't, who cares? Throw it out.

I wish they would. ®