Q&A: Fighting Spam at MSN Hotmail
Sept. 22, 1999
In a conversation with PressPass, Randy Delucchi, MSN Hotmail director of operations services, discusses the many steps the Web-based email service takes to protect its users from unwanted email.

REDMOND, Wash., September 22, 1999 — With more than 40 million members, the MSN TM Hotmail TM Web-based e-mail service -- the world's leading e-mail service -- has a great understanding of the effect of unsolicited commercial e-mail, or spam, on Internet communications. Thus, the service is committed to helping lead the fight against spam with efforts more extensive than mere statements of policy. Hotmail is fighting spam on two fronts: keeping spammers from using the Hotmail service to send unsolicited commercial e-mail and protecting its members from receiving spam. In addition, Hotmail is working to educate its members about spam. The efforts of Hotmail to fight unsolicited e-mail have been applauded by anti-spam organizations such as spam.abuse.net, the SAFE e-mail preference service ( "SAFEeps" ) and the Coalition Against Unsolicited Commercial E-Mail ( "CAUCE" ).

In its continuing effort to protect its users from spam, Hotmail has recently initiated a lawsuit against four defendants alleged to have engaged in a spam campaign designed to attract recipients to an online investing Web site and deceive them into believing that the spam was generated from a Hotmail account. PressPass spoke with Randy Delucchi, Hotmail's director of operations services, to discuss that lawsuit and Hotmail's other efforts to protect its members and its service from these and other tactics employed by spammers today.

PressPass: How big an issue is spam for Hotmail and other providers of on-line e-mail services?

Delucchi: A recent study commissioned by the e-mail filtering company Brightmail, Inc. determined that 90 percent of Internet users receive junk e-mail, or spam, at least weekly. That's unacceptable and that's why Hotmail devotes significant time, energy and resources necessary to prevent its service from being used by spammers. We also employ a variety of mechanisms and safeguards to protect our members from spam, and we are constantly evaluating new technologies to determine the latest and greatest mechanisms available to prevent spam from reaching our members' accounts.

PressPass: What does the Hotmail service include that directly prevents its use -- or abuse -- as a vehicle for spam e-mail?

Delucchi: Hotmail has engaged the following safeguards to discourage spammers from using the Hotmail service to send spam:

  • Terms of Service. The Hotmail Terms of Service (TOS) strictly forbids sending unsolicited e-mail -- and the TOS is enforced with zero-tolerance zeal. All reported accounts in violation of the TOS are terminated immediately and permanently. Hotmail publicly posts its closures of those accounts from which unsolicited commercial e-mail has been sent to anti-spam Usenet newsgroups on a regular basis. In addition, Hotmail recently instituted a "liquidated damages" clause in the TOS. This clause requires members who misuse Hotmail in connection with spam to pay $5 per spam message to Hotmail. This clause serves as a deterrent to keep Hotmail spam-free and will make it easier to pursue spammers.

  • Litigation. The company has recently taken, and is committed to pursue as necessary, legal action against spammers who attempt to use the Hotmail system to send unsolicited commercial e-mail, or who misrepresent the origin of any unsolicited commercial e-mail to be Hotmail. In the past year, Hotmail has successfully petitioned the courts to enforce injunctions against eight spammers and, most recently, Hotmail has initiated another lawsuit alleging that the defendants improperly used a Hotmail account in furtherance of an unlawful spamming campaign.

  • Headers. While Hotmail makes it difficult for spammers to use the service to send mail, the service is sometimes mistakenly associated with spam because spammers sometimes use the Hotmail name in forged headers. In response, Microsoft has made it relatively easy for users to distinguish true Hotmail messages from forged messages. Hotmail includes
    "X-Originating-IP: [xxx.xxx.xxx.xxx]" in the header section of each e-mail delivered. If an e-mail does not contain this line in the full header, it did not come from Hotmail.

  • Message limits. Hotmail members can send a limited number of messages during a rolling time period. The number of addresses included in a single piece of e-mail, which encompasses normal friend and family lists, is also limited.

PressPass: What safeguards does Hotmail have in place to prevent spam from invading your systems?

Delucchi: First of all, Hotmail has opted out the entire Hotmail domain from unsolicited commercial e-mail messages through SAFEeps (http://www.safeeps.com/). SAFEeps is a self-policing action taken by the direct-marketing industry, which maintains lists of e-mail domains and addresses whose owners do not want to receive unsolicited commercial mailings. Because the entire Hotmail domain has been opted out, Hotmail members who want to receive unsolicited promotions or advertisements must go to the SAFEeps Web site and opt back in for various categories of commercial mail. We are continuing to evaluate other methods that help protect members as they become available.

In addition, Hotmail stops incoming messages from known spam sources at the server level. Further, Hotmail users can protect themselves against spam by blocking messages from specific senders. Users need only open the message and click on "Block Sender." Hotmail also provides users with filters that they can use to direct incoming mail with subjects containing specific words to specified folders or the trash. Users can set up a filter such as "IF subject CONTAINS [specific word], then filter to trash." Filters can be set up for subject, from name and from address.

PressPass: You mentioned a recent lawsuit, what does that involve?

Delucchi: Hotmail recently filed a lawsuit in the United States District Court for the Central District of California alleging violations of the Lanham Act, the Federal Computer Fraud and Abuse Act, the California Business and Professional Code, California common law, breach of contract, and trespass to chattels. See Microsoft Corp. v. Franpro, Inc.; GTW Communications, Inc.; Ken M Hollowell; and Gregory T. Williams , No. 99-079269R (BQRx). Hotmail is seeking injunctive relief to prevent this abuse in the future, and monetary relief.

In its Complaint, Hotmail alleges that the defendants, owners and operators of certain Internet domains had sent unsolicited commercial advertisements via e-mail to a large number of e-mail addresses. The complaint also alleges that the defendants employed the Hotmail e-mail header to make it look as if the e-mail originated from a Hotmail account (which, in fact, could not be the case because of the volume caps and other safeguards in place at Hotmail). Many e-mail service providers, like Hotmail, instruct members who receive spam to report any such occurrence to the originating domain, which, in this case, appeared to recipients to be Hotmail. As a result, Hotmail received a large volume of complaints at abuse@hotmail.com from recipients who believed that Hotmail facilitated and condoned the transmission of these unwanted messages.

In addition, the defendants opened a Hotmail account for the purpose of capturing both the replies from recipients of the unsolicited e-mail, and the "bounce back" e-mails that were generated when the e-mail was sent to a non-existent e-mail address. Before Hotmail had a chance to shut down this account, over 4,100 bounce back and reply e-mails were collected in the account.

Defendants' actions resulted in the diversion of resources away from the legitimate activity of Hotmail's users. It also caused a number of people to associate Hotmail with the negative experience of receiving spam e-mail. We certainly would rather not have to resort to litigation to prevent this sort of abuse, but in some instances it is an unfortunate necessity. Hotmail will continue to use litigation, as necessary, as only one of many tools at our disposal to protect our users and our system from unwanted spam.

PressPass: What is Hotmail doing to prevent its users e-mail addresses from falling into the hands of a spammer?

Delucchi: Protecting members from spam is a top priority at Hotmail and we employ a variety of safeguards to protect our user database and our members' privacy. The company does not sell or share information about Hotmail users. Hotmail is a member of the TRUSTe privacy program. TRUSTe is an independent, nonprofit initiative with the mission of building users' trust and confidence in the Internet by promoting TRUSTe's principles of fair information practices. Its seal signifies TRUSTe's guarantee that the Web site's privacy policy meets TRUSTe's rigorous standards for the ethical collection and use of people's personal information.

PressPass: But doesn't Hotmail maintain a member directory that is freely accessible to other members?

Delucchi: Hotmail does not give out its users' addresses to anyone, including members who use the Member Directory feature to find other users. A member who uses the Member Directory can e-mail a person by name but is not given the person's address. The first member only sees the address of the second if the person receiving the mail chooses to respond.

PressPass: Are new laws the answer to this problem?

Delucchi: Hotmail is a vigorous advocate of anti-spam legislation and we will continue to evaluate and support worthwhile efforts by local, state and the federal government to help alleviate this problem. In fact, in the litigation we just filed we are relying in part on legislation adopted by the State of California to protect against spam and which penalizes persons engaged in spamming with damages equal to $50 for each spam e-mail initiated. At the same time, we also recognize that legislation by itself will not completely resolve this problem and that industry efforts and member education are and will always be vitally important.

PressPass: Is there any thing else Hotmail is doing to protect its members from spam?

Delucchi: Aside from the practices and features we've already discussed, the most important measure of Hotmail in the fight against spam is its commitment to educate its members and other Internet users so that they can be their own best defense. Hotmail has developed a list of simple tips for safe and savvy Internet and e-mail usage.

  • Users should not respond to spam. Responding to unsolicited mail only confirms that users have an active e-mail address. It could open them up to further solicitation and scams that can clog their e-mail inbox.

  • Users should forward spam to the customer service department of the source's e-mail provider (usually the address is something like abuse@[implicateddomain].com) as well as to uce@ftc.gov to alert the Federal Trade Commission.

  • For a comprehensive list of anti-spam and other security tips, Internet users can send a blank e-mail to securitytips@hotmail.com or click on the "Email Safety" link while visiting http://www.hotmail.com/.

Read More: