Microsoft Stalks Super Spammers
Takes legal action after test PC is bombarded by 18 million spam messages in three weeks.
Eric S. Crouch, Medill News Service
Thursday, October 27, 2005
Microsoft announced today that it has filed a lawsuit against groups that use zombie computers. The software giant took the action after learning through a company experiment that use of infected PCs to thwart spam blockers and pass along immense quantities of junk e-mail is more widespread and disruptive than Microsoft expected.
A Microsoft statement said that the civil suit, filed in August in Washington State's King County Superior Court, "for the first time specifically targets illegal e-mail operations that connect to zombie computers to send spam."
Zombie computers, through the unwitting acquisition of bad code, allow computers in remote locations to use them to carry out illegal activities. PC World this summer examined the problem in the exclusive series "Web of Crime."
PC Goes Wild
In a controlled experiment, Microsoft turned a PC into a zombie by infecting it with malicious code. The company then monitored how much spam and spyware the computer sent. After three weeks, the number totaled 18 million e-mail messages from 5 million different connections.
"The numbers were astonishing," says Microsoft attorney Tim Cranton, who directs the company's Internet Safety Enforcement Team. "Much higher than we expected."
More than half of the spam currently being sent originates from zombies, according to Microsoft.
How Microsoft Measured
Cranton says that Microsoft used cross-referencing methods with multiple mail servers to narrow the scope of the lawsuit to 13 groups of spammers. The company did this by comparing e-mail messages sent to the infected computer with company-monitored Hotmail accounts designed to trap spam.
"In two to three months, we will amend the lawsuit to name the spammers who are taking advantage [of consumers]," says Cranton. He won't go into details about the groups being investigated, but notes that "a fair amount" of the spammers are based in the United States.
"This is compelling information that will hopefully get people's attention," Cranton says. The lawsuit, filed as a John Doe suit because it doesn't name specific defendants, alleges six counts ranging from trespassing to a violation of the CAN-SPAM federal legislation, which requires clear identification of a message's purveyor and an opt-out clause to the recipient, among other things. Cranton says Microsoft plans to use the federal law as well as a Washington State antispam law to prosecute the spammers.
"We're talking about criminal behavior here," Cranton says.
Microsoft has sued spammers before. In 2004 the company filed lawsuits against eight alleged spammers under the CAN-SPAM federal legislation.
At a news conference in Washington, D.C., today, Cranton, officials of Consumer Action, and representatives of the Federal Trade Commission discussed the suit and ways for computer users to avoid zombie-generated spam.
Consumer Action's Linda Sherry encouraged PC users to take a variety of steps to inoculate their computers in the face of this threat, including:
- Use a firewall, "and if you need to turn it off to access a Web site, make sure you turn it on again."
- Get computer updates.
- Use antivirus software.
- Be wary of attachments.
The FTC announced the creation of a spam education site, OnGuardOnline.gov. "This is our attempt to have a one-stop shop for consumers to protect themselves," said Dan Salzburg of the FTC.
One company from the private sector uses creative filters, based on the volume of mail sent and the reputation of the sender, to separate wanted from unwanted correspondence.
Ironport Systems believes that through a combination of throttling (setting rate limits for sent messages to more easily target zombie PCs that send extremely high amounts of e-mail in a short amount of time) and reputation filtering (applying different standards to e-mail based on the message's sender) it can more efficiently separate the wheat from the chaff.
"On the 'receive' side, we can block 80 percent of the stuff at the connection level by examining behavior of the mail server; we've bound the problem beautifully," says company spokesperson Tom Gillis. "The remaining 20 percent we're going to open up more carefully."
Gillis, who says that Ironport serves such top Internet service providers as Roadrunner, Sprint, and Verizon, admits that spam filtering is always ongoing.
"This is definitely a cat-and-mouse type game," he says. "We develop an algorithm to block [spam], and [the spammers'] engineers come up with something to get around it."
Printer Friendly Version