Business Impact

Microsoft Declares War on Spam

The once insular superpower is enlisting the help of allies.

Yes, Bill Gates gets spam, just like everyone else. The difference between him and everyone else is that he can do something about it – really. If you roam around www.microsoft.com/spam, you’ll find a war chest of information on the subject – backgrounders, press releases, primers on anti-spam technologies. There’s even a personal update from Gates himself, written last June. “It’s still a major problem,” he tells us.

That inauspicious revelation aside, the maker of the world’s most widely used in-boxes – think Hotmail, Outlook, Outlook Express, Exchange, MSN, and Entourage – has indeed proclaimed all-out war on the electronic scourge on productivity. Leading the offensive is a little-known cadre of some 50 spam fighters, the first of whom came out of Microsoft’s research lab in March 2003. This Safety, Tech­nology, and Strategy group has since helped bring lawsuits against some 100 spammers, and Microsoft claims that the e-mail-filtering technology the group has developed blocks several billion spam messages daily. Now Gates and company are beginning to deploy two new tech­nolo­gies that target the servers and e-mail programs of spammers themselves. “This pushes the battle to fight spam all the way out to the point e-mail is sent,” says George Webb, business manager of the spam-busting team.

The Safety, Technology, and Strategy group is housed in Red West, a satellite campus about a mile from Microsoft’s sprawling headquarters in Redmond, WA. The spam-fighting effort took root after a background paper written for Gates by Microsoft researchers outlined how new technological approaches could stem the growing tide of spam. At the time, various Microsoft product groups were independently pursuing their own anti-spam programs – and the new unit was chartered to unify those efforts and build a single technology that could be broadly deployed.

In a move that might seem at odds with Microsoft’s image, the group also reached out to legislators, law enforcement, Internet service providers such as AOL, Yahoo, and Earthlink, and e-mail security firms like Brightmail to help draft legislation, set standards, and launch consumer education efforts to fight spam. “We realized that we could not work in a vacuum, even a big vacuum like Microsoft,” says Webb, and “we knew that it would take more than just technology.”

Building on such coöperation, he says, the group joined with Microsoft’s government affairs unit to help legislators shape the CAN-SPAM Act of 2003, which limits the transmission of unsolicited commercial e-mail. It also worked with the company’s digital-integrity team, whose members include veterans of Interpol and U.S. law enforcement, to identify illegal spammers. As a result, the 100-odd legal actions include suits against five of the world’s top 10 spammers.

On the technological front, the anti-spam group developed SmartScreen, a proprietary filtering technology based on statistical probabilities and machine learn­ing that analyzes keywords, time sent, and other characteristics of e-mail to identify likely spam and siphon it off to a junk-mail folder like those now familiar to most e-mail users. Webb claims the amount of spam reaching Hotmail in-boxes dropped 60 percent after SmartScreen’s late-2003 introduction.

Sender ID, one of the two new technologies Microsoft is readying for release, takes aim at two of the biggest problems largely missed by SmartScreen: spoofing and phishing. A spoof message pretends to be from a real source, such as a friend, colleague, or familiar organization. Phishing employs a spoof, such as the bogus Citibank message to Gates, to bait someone into revealing financial details or other key information. Sender ID compares the address of the server transmitting a message against a list of machines authorized to handle the sender’s e-mail. Messages that don’t line up can be flagged for filtration.

Computational proof, the second technology, is a more generic anti-spam weapon. The idea is to equip e-mail programs with software that forces any computer sending a message to work a little puzzle before its transmission is accepted. Each puzzle is unique – derived from elements of the message such as the time stamp or “from” line – and takes several seconds to compute. That’s not a problem for servers sending normal volumes of e-mail, but it could really slow down a spammer trying to Uzi out millions of messages a day.

So will all this work? Others involved in the fight against spam credit Microsoft for its outreach and its technology, which will be incorporated into Hotmail, Outlook, and Exchange, beginning early this year with Hotmail. But their praise, predictably, is guarded. “Well, they’re Microsoft. What they’d really like is for everybody to do things their way. But the spam problem is so awful that they’re willing to work with other people for a broader solution,” says John R. Levine, author of The Internet for Dummies and chair of the Internet Research Task Force’s anti-spam research group.

Levine says Microsoft’s struggle with its inner nature slowed the spam fight last year, when its initially broad patent claims on the Sender ID technology and onerous requirements for licensing the program caused standardization talks to break down. Since then, he says, Microsoft has narrowed its patent claims, “but they haven’t fixed the license.” And while the computational-puzzle technology is brilliant, he says, spammers’ growing ability to activate tens of thousands of ­virus-hijacked “zombie” PCs at a time mitigates its potential effectiveness.

Still, Microsoft is Microsoft – and by dint of its ability to deploy its technologies to millions of customers, the company is raising the bar for spammers. In some situ­ations, SmartScreen and other commercially available technologies can already block as much as 95 percent of spam. If Microsoft can effectively work with customers and rivals to create powerful blends of its own and other emerging technologies, the threat to produc­tivity posed by spam could soon be a thing of the past.

Then Gates will finally be able to update his online spam update, with “it used to be a problem.”