Internet and e-mail policy and practice
including Notes on Internet E-mail


Click the comments link on any story to see comments or add your own.

Subscribe to this blog

RSS feed

Home :: Email

12 Jun 2005

Microsoft and the spam problem Email

Brian McWilliams, author of the pulp favorite Spam Kings (which I must I admit I tech edited), has a new article in Salon called How Microsoft is losing the war on spam. He interviewed me by e-mail during the research on the article, and here's what I said.

1. Given the amount of spam being sent through Trojaned Windows proxies, do you think it's accurate to say that Microsoft is indirectly responsible for much of the spam problem today?

Definitely. In the past spammers used a variety of insecure mailers and web proxies, but now it's all zombies, Windows boxes completely controlled by the spammer, using worms and viruses that crawl through any of a zillion Windows security holes to install themselves.

Responsibility for dealing with zombies is shared by ISPs and Microsoft. ISPs hate to deal with it because it's a huge support expense. And it's a huge support expense because deworming a Windows box is really hard, and Microsoft has done nothing to help. Their new antispyware beta is OK, but it's about three years too late. I gather that some ISPs would like to automatically put their zombie customers into a sandbox where the only thing they can contact is an ISP web server (not running Windows I hope) where they can download repair tools and security updates, but Microsoft has, depressingly unsurprisingly, been uncooperative when ISPs have asked to redistribute updates on their own servers.

Also, do you think Microsoft is doing enough to improve the inherent security of Windows software?

Well, no. One thing that would make a large difference would be to make the Windows SP1 and SP2 updates work on machines with cracked licenses. Microsoft of course has no responsibility to people who've stolen their software, but the security holes that SP1 and SP2 patch don't so much affect the user of the infected computer as the zillion recipients of the spam and worms that it emits. Besides, if MS were smart they could make the updates work but pop up annoying windows from time time saying ``this would be a good time to buy a real copy of Windows for this computer.''

Beyond that, Windows is such a horrible swamp that it's hard to suggest how to drain it. Various Internet protocols have had their share of security problems so that, for example, an open mail relay can be used to send other people's mail. But only Microsoft has shipped an OS with thousands of ways to take over the whole fripping computer.

2. Microsoft obviously has a lot of clout in the marketplace and in the world. Do you think Microsoft could use its leverage to convince governments and ISPs in places like China and South America to shut down spammers?

Interesting question. I don't think they have all that much clout in the 3rd world since they're fighting both copyright and pricing battles there, viz. the cheap crippleware windows they're trying to sell in Thailand.

3. How would you rate the success of Microsoft's legal efforts against spammers, versus those of AOL? Given its size and courtroom prowess, would you expect to see more legal victories from Microsoft against spammers?

So far, AOL has been doing a lot better. Both VA and WA have pretty good state spam laws, so I think that says good things about AOL. As far as I know, few of Microsoft's cases have come to court so the jury, so to speak, is still out.

4. On the email authentication front, how would you rate Microsoft's contribution so far? Has the company hindered or helped the development of a standard?

Hindered. I watched the entire argument about the Microsoft Sender-id patent license, and I am firmly convinced that if they wanted to offer a license that satisfied the open source community, they could have done so without compromising any of the protections that they were concerned about. One of the biggest issues was sublicensing. A lot of companies like Yahoo have no problem with it. Even if Microsoft doesn't want to sublicense, they could have offered the substantive equivalent, e.g., agree to offer the same license to anyone designated by an existing licensee. But they didn't, their best offer was a license that gives them the option to pull the rug out at any time, with vague assurances that they wouldn't do that. But if they wouldn't do that, why was it so important that the license let them?

The disingenuous patent disclosures didn't help either, particularly when their applications were published and we found that they claimed much, much more than they'd ever mentioned. They knew the applications would be published, and the technology the applications covered wasn't secret, so it's hard to see a good reason for not clearing the air and publishing them six months earlier.

Beyond that, there's the technical issue that Sender-ID is in general a lousy way to verify mail. It only works well for organizations that send a lot of mail from a fixed point, like big bulk mailers. By remarkable coincidence, organizations for whom it works well tend to be big MS customers.

5. Bill Gates predicted a year ago that spam would be defeated by 2006. Do you think he's in touch with the true nature of the spam problem?

Doesn't seem that way.

How likely do you think it is that his prediction will come true?

I'd rate it about as likely as a balanced Federal budget in 2006. We'll certainly make progress, but we're not going to be anywhere close to done.

6. Any other thoughts about Microsoft's contribution to the fight against spam?

Compared to other big companies, MS's anti-spam activities look far more to be shaped by their business interests. The other two big players, AOL and Yahoo, are doing things that are certainly good for themselves, but they're good for the Internet community as a whole. I think the SP2 license issue is the best example. I think the number of people who say ``oh, I really want SP2 so I'll buy a legal copy of Windows'' is basically zero, and is unlikely to be more than the number who'd be motivated by nagware in SP2. But that would go against the company line about the mythical costs of piracy based on what their revenue would be if every pirated copy were replaced by a paid copy, so they'll never do that. I hope they prove me wrong, but I'm not holding my breath.

posted at: 16:11 :: permanent link to this entry :: 0 comments
Stable link is


My other sites

Who is this guy?

Airline ticket info

Taughannock Networks

Other blogs

Domain Name Registration Data at the Crossroads
55 days ago

A keen grasp of the obvious
My high security debit card
521 days ago

Related sites

Coalition Against Unsolicited Commercial E-mail

Network Abuse Clearinghouse

© 2005-2018 John R. Levine.
CAN SPAM address harvesting notice: the operator of this website will not give, sell, or otherwise transfer addresses maintained by this website to any other party for the purposes of initiating, or enabling others to initiate, electronic mail messages.