REDMOND, Wash., Feb. 10, 2004 — It was the Year of the Spammer in 2003, as spammers and their pursuers intensified their battle. Microsoft’s full-court press against spam had impressive results last year, yet spammers were equally busy, doubling their efforts to get disguised or unwanted solicitations for a variety of products and services into people’s inboxes. Their increased activity, while frustrating for spam fighters in the short term, may signal spammers’ understanding that profiting from junk e-mail will soon be a thing of the past.
A critical component of Microsoft’s anti-spam combat plan is to stop spam at its source by filing lawsuits and by supporting law enforcement against the world’s highest-volume and most egregious spammers. Between January and December 2003, the company took 66 legal actions against spammers worldwide, including 36 lawsuits filed in the U.S. and an additional 30 actions in countries throughout Asia, Europe and South America. In that timeframe, Microsoft’s investigators and litigators documented an evolution in both the type of solicitations Internet users are receiving and the tactics spammers are using to circumvent filtering technology and avoid culpability under U.S. and international laws. In many of these cases, Microsoft partnered with governments outside the U.S. in legal action against spammers who violated fraud and electronic mail laws in those respective countries.
In June, Microsoft began teaming with government and law enforcement. First, the company partnered with Washington State Attorney General Christine Gregoire, champion of one of the most stringent spam laws in the country the Washington Commercial Electronic Mail Act and with Ian Bourne, Strategic Policy Manager of the United Kingdom’s Information Commission, to file 15 lawsuits on two continents. In December, following a six-month collaborative investigation between the company and New York Attorney General Eliot Spitzer, the state and Microsoft revealed the existence of a spam network that used compromised computers in New York and on six continents. Lawsuits filed by Spitzer’s office and Microsoft as a result of the investigation targeted a New York e-mail marketing company, a Colorado online marketer that has been dubbed the world’s third-largest spammer, and others allegedly responsible for spam that used false headers, subject lines, and transmission paths.
The Evolution of Spam
The type of spam Internet users receive in their inboxes evolved in 2003, ranging from traditional solicitations for a product or service to new, more sophisticated types of spam and spamming techniques designed to get through filters. Here is a look at a few:
Solicitations for Products and Services: The majority of spam still includes tried-and-true solicitations for everything from home-mortgage offers to adult-oriented products and services, and even pornography. As with most spam, the content and actual sender are misrepresented or concealed through misleading header information including the To, From, and Subject lines; obscured transmission paths, or spoofed domain names.
Free Gifts in Exchange for Personal Information: Some spammers drive traffic to advertisers’ websites with the offer of a free gift. Often, these online marketers require recipients to provide personal information about them and even agree to receive future solicitations to collect their “gift.”
Moving Operations Offshore: To circumvent U.S. anti-spam laws, spammers sometimes move all or a portion of their operations overseas. They might route the spam through compromised computers or “proxy servers” in another country, or establish parent companies outside the U.S. To track down the culprits, Microsoft targets U.S.-based individuals who direct the spamming activity, holding them accountable under U.S. law as well as under the applicable laws in the country where the offshore servers are housed.
“Phisher” Scams: Among the most fraudulent types of spam plaguing Internet users are bulk e-mail solicitations that contain links to phony “phisher” websites that ask recipients to provide personal information such as bank account, PIN, or Social Security numbers. The look and feel of these phony sites closely mimics the websites of legitimate, reputable companies, such as eBay or Citibank, whose customers have been targeted by these scams. Microsoft collaborates with such companies to help prevent consumers from being defrauded out of millions of dollars.
Spyware: To help sell products, gain information or otherwise support their online marketing efforts, some spammers send mail that downloads a software program onto the recipient’s computer. The spyware then tracks, compiles, and reports the consumer’s online activity back to marketers without the consumer’s knowledge or permission.
Malicious Code: A dangerous side effect of spam is that viruses, worms and other malicious and often damaging code can be sent and activated through spam. Entire emergency response and banking systems have been compromised by these worms and viruses, resulting in enormous financial loss to companies. A variant of the Sobig worm, launched this summer, was programmed to spread by e-mailing itself to every e-mail address on the host computer’s contact list.
Spam That Offers Information To Help Others Learn How to Spam: At Microsoft, MSN and Hotmail servers have processed spam which contains links to software or other information instructing recipients on how to conduct their own spam campaigns. The software contains e-mail addresses: the solicitations claim that purchasing the software will enable recipients to e-mail tens of thousands of consumers.
‘Spim’: Spam sent through Instant Messaging programs is known as “spim,” and is likely the result of spammers looking for new ways to avoid the spam filters guarding traditional e-mail platforms. Consulting firm Ferris Research estimates approximately 500 million IM spams were sent in 2003, double the number sent in 2002.
To confront these many forms of spam, Microsoft collaborated with international governments across the globe to file lawsuits or identify and drive enforcement. Actions last year included:
In Europe, Microsoft has been working with governments to protect consumers in 15 countries, filing or supporting a total of 11 cases. Microsoft filed three complaints with the Consumer Ombudsman in Denmark, as well as two complaints in France and one in Italy with the national Data Protection Authorities. Microsoft filed three lawsuits against alleged spammers in Germany, one in the United Kingdom and one in France, while settling with five individuals in Germany, one in France, and one in the United Kingdom.
Editors’ Update, Feb. 10, 2004: Due to a reporting error, the number of legal actions taken in Europe has been revised upward since first publication of this article. The numbers above are corrected.
In Latin America , Microsoft assisted local authorities in their pursuit of spammers promoting and selling illegally copied software. As part of its investigations of three of the cases in 2003, the Office of Judicial Intelligence of the Colombia National Police ( “DIJIN” ) concluded that the spammers gained illegal access to the e-mail address databases of magazine publishers and distributors, and used those addresses to send illegal software offers to unsuspecting consumers. This further illustrates the seriousness of the problem and its close relationship with other Internet safety issues. The partnership with the governments of Panama and Columbia resulted in four cases being filed in South America against spammers.
In Asia , Microsoft partnered separately with the Computer Crime Squad of Taiwan’s Criminal Investigation Bureau, the Korean Information Security Agency (KISA) and Japan’s Ministry of Public Management, Home Affairs, Posts and Telecommunications and the Ministry of Economics, Trade and Industry to take legal actions against spammers soliciting pornographic DVDs and directing recipients to a variety of websites advertising pornography and adult-oriented services. The partnerships immediately resulted in three enforcement actions in Taiwan, six in Korea, four in Japan, and two in Thailand — a total of 15 cases, with another eight referred to law enforcement in Thailand.
A growing volume of spam including spam in the Chinese, Japanese, and Korean languages — originates in Asia and targets Asian consumers, and this local spam is the focus of Microsoft’s North Asia enforcement efforts. Microsoft is the first non-Asian based company to join forces with Asian governments to target spammers. Microsoft has also worked to inform government agencies and business about known hijacked IP addresses in order to keep these open proxy servers secure from spammers. In Japan, Microsoft’s MSN teamed with Yahoo! to establish an anti-spam consortium to support government agencies and drive additional enforcement action against spammers in that region.
Microsoft worked closely with the Royal Thai Police on several investigations involving pornographic spam directed at MSN Hotmail users in Thailand. In Malaysia, Microsoft responded to the government’s discussion paper on spam describing the scope and proposing ways to address the problem. In Australia, Microsoft worked with local industry and government officials to help develop and support a strong federal anti-spam law that takes effect in 2004. Microsoft has also collaborated with the Singapore government and local industry on ways to address the spam problem in Singapore.
A Multi-Pronged Approach
Enforcement is one component of a multi-pronged approach required to solve the spam problem. Microsoft’s goal in bringing legal-enforcement cases is to decrease the incentive and increase the risk for spammers around the world.
Microsoft made significant progress in other areas of the anti-spam effort in 2003. At COMDEX Las Vegas 2003 in November, Microsoft Chairman and Chief Software Architect Bill Gates unveiled SmartScreen spam-filtering technology based on machine-learning, and also announced plans to complete the deployment of the new product with a specialized version for Microsoft Exchange Server 2003. In April, Microsoft spearheaded the establishment of the Anti-Spam Technology Alliance (ASTA) with other major ISPs and industry partners to establish e-mail best practices and attack spam through a united front. In December, U.S. President George W. Bush signed into law the federal CAN-SPAM Act criminalizing many of the tactics spammers use to conceal their true identity and providing ISPs and state attorneys general with strong enforcement tools to litigate against spammers.