Partilhar via


Spam at Microsoft

A major challenge for Microsoft IT and pretty much all other IT organizations around the world is how to handle spam. Microsoft literally handles millions of spam emails a day. It’s a major concern because the sheer volume of spam now has caused it to become a serious headache whereas in the early days of the internet it was more of a nuisance. I thought some people might find it interesting to learn more about the kind of spam issues we have to deal with.

The basic process looks like this:

Spam Funnel

Connection Filtering:

Connection filtering is useful and the “hammer” rather then the “scalpel” approach. It blocks all email regardless of content from known or suspected SPAM mail servers. There are various organizations on the Internet that track these servers so getting this list of IP’s is relatively easy. The jump in effectiveness around 9/30 in figure 2 is because we were able to increase the frequency of updates resulting in us being better able to block newer suspicious IP’s.

Sender / Recipient Filtering:

This basically does what you’d expect it to do, it checks to see if the person that the email is addressed to actually exists at Microsoft and also to see who actually sent the message and if it seems “spammy”, it will be filtered out.

Intelligent Messaging Filtering:

This is basically a “smart” filter that looks for and removes messages that appear “spammy” by content instead of sender. So lots of dollar signs, promises of unnatural bodily growth etc. will be removed at this layer.

Outlook 2003:

Any message that does get through all of the above will be sorted by Outlook as well; things that you may very well have signed up for are delivered but sorted into your Junk Folder. Items in the Junk folder are converted from HTML to text, all pictures & tags being stripped.

Chart

Legend:

  • Blue: Connection Filtering
  • Purple: Sender/Recipient Filtering
  • Yellow: Intelligent Messaging Filtering

Figure 2 is interesting just to see the sheer numbers of the problem, not to mention that closer to the holidays; Microsoft can average 25 – 30 million emails a day (mostly spam!).

Spoofed Headers & Zombies

We also regularly get questions about Spam ORIGINATING at Microsoft (specifically Hotmail). One thing that you should know is that it is very very easy to make an email look like it originated from anywhere you want, and spammers like to make their emails look like as if they came from a valid individual’s email (e.g. joe@xyzhotmail.com). This does not mean that Microsoft allows this to happen or that the email even started from Hotmail! See here for more info on spoofed headers.

Spoofed headers however, are not enough to send huge amounts of spam. The problem spammers run into is that most ISP will note the increased email volume (remember a spammer needs to be sending hundreds of thousands if not more emails regularly for it to be worthwhile) and block the offender. Therefore spammers either need to have their own or access to someone else’s zombie network. Zombie computers are computers that have been hacked, usually with a Trojan, virus or some other malware and then are being used without the user’s knowledge to send out spam. According to this site, close to 40% of spam originates in the US, with Korea and China being the other top two offenders.

What Microsoft is doing & How to protect yourself

Microsoft has been at the forefront of proposing several technical and legal initiatives to stem the tide of spam. Admittedly a lot more work is needed and we’ll keep fighting the good fight started back in 2003 and is ongoing.

To reduce the amount of spam you get individually in your inbox, check out this article: “Top 10 spam-fighting tips” for more details, here’s the quick gist:

  1. Use Outlook to manage junk e-mailers

  2. Avoid replying to the sender

  3. Alter your e-mail address when you post it

  4. Don't give out your primary e-mail address

  5. Make use of laws against spam

  6. Don't post your address on your any Web page

  7. Review Web sites' privacy policies

  8. Don't list yourself in Internet directories

  9. Ditch that clever profile

  10. Do not forward chain e-mail

I’m not sure if I agree with all the suggestions, and there are definitely some worth more then others but overall not a bad guide. If you’re a corporate Email Administrator, or work for an ISP and need help with Hotmail issues, check out the Hotmail Postmaster site.

To ensure your PC doesn’t get hijacked into a zombie, make sure that all the latest patches are applied (set it to automatic if you can’t be bothered to go to Windows update regularly), use a firewall, don’t trust unknown senders and websites, have an up to date anti-virus scanner running, use an anti-spyware tool like the Microsoft Anti-Spyware software. Also something new, IE 7 will have a built in anti-phishing filter, if you can’t wait for it, you can download this add-on for the MSN toolbar.

Ahmad Mahdi

Security Technologist

Microsoft – ACE Team

ahmad.mahdi

Comments

  • Anonymous
    November 30, 2005
    Yeah that IMF filter needs a lot of work though. It should also have a message store option. Several times in recent past I have sent legitimate emails to different people at microsoft.com some of them quite lengthy long to type with detailed errors in apps, bugs, to have them bounced back to me as spam. To when then the ones that I have saved I then copy and past into notepad and save as a text file then attach the text file as an attachment. Others long and lenthy detailed emails that I sent off then emptied my sent mail something sent from my PDA through thier blog since I do not have an email client on my PDA only to find the next day it bounced as well. So then I sent them an email asking them if there was any way for them to retrieve it because I do not want to type something that took me an hour to compose again. They say nope. I say well tough luck, someone else will find the bug then.

    I mean that is just rediculous. I can understand blocking spam at the first 2 levels. However the 3rd level, even me on my home setup and at home store all those blocked emails elsewhere for 30 days. So if later someone sends me an email asking me if I got it I can possably go retrieve it if needed. I do not and never have sent spam and in fact hate it. My home personal email address has existed since 1994 so you can imagine the amount of spam I get. My current success rate in my emails to friends of mine or to some teams I am on that go to anyone at ms.com is about 50% lately. Both my home and work as the 3 layers as well however the IMF layers for both my places are more intelligent than MS. I can as a user go in and see messages blocked there. I can let just one go on through to my inbox. I can let all go from a specific domain on through or all from a specific user. IMF is not perfect but it helps. Unfortunately MS's is getting rediculous. Some of the teams I am on if there ware people on there from ms when I hit a reply to all I remove them and keep them out of the loop cause I do not know if it is going to bounce or not for spam. I don't need the headache and extra mail it generates telling me it is bounced. Anyway can you tell as a customer and someone that communicates with people at MS daily I am frutstrated with yout IMF to the point I am about |--| that close to giving up on sending emails to anyone at MS again. I am really serious about this as well. All those email I have sent are legitimate some even replies directly the person at ms that sent it to me, resent to them as an attached file they also can not see any reason why it would be blocked as spam. Anyway if I am having that much trouble anymore getting legitimate emails through to microsoft.com I can only imagine anyone else. I would send you samples of the conversations but well I doubt they would get to you.

    Anyway thanks for letting me vent on something I have been complaining about for a while now. But when your sitting there having a pleasant conversation back and forth like a message or two a day with someone about programming a microcontroller and then mid conversation the big MS Spam filter comes down and slaps you in the face, and then you have to work through all kinds of hoops from trying to rewrite your message, change certain phrases, trying to determine what seems spammy about this message. Just to get to the next part of the conversation. Just leave a bad taste in your mouth and MS spam technology. You want a real thrill turn your IMF filter inward and make it filter every message everyone in MS sends besides recieve in a day and dogfood it that way. You will soon see what I am talking about.
  • Anonymous
    May 26, 2009
    PingBack from http://castironbakeware.info/story.php?title=ace-team-security-performance-amp-privacy-spam-at-microsoft