Preserving and Enhancing the Benefits of Email -- A Progress Report
Published: June 28, 2004
I'd like to update you on the progress that Microsoft and our industry are making to curb the epidemic of junk email. Since I sent a message to customers on this subject a year ago, we've made significant advances against spam. It's still a major problem--an invasion of privacy, a costly drain on time and resources and, as a carrier of worms and viruses, a significant threat to computer security. The good news is that billions of junk emails are being blocked every day, and spamming has become a more difficult and less rewarding business.
Much of the improvement Microsoft customers have experienced so far has resulted from broad deployment of SmartScreen, our advanced spam-filtering technology. SmartScreen has provided a significant benefit to users of MSN 8 and MSN Premium, MSN Hotmail and Outlook 2003. Since Hotmail deployed it six months ago, SmartScreen has been blocking more than 95 percent of all incoming spam--an average of nearly 3 billion messages every day. Because we believe that SmartScreen is crucial to the war against spam, we recently began making it available free to all users of Exchange Server 2003, via a download of the Exchange Intelligent Message Filter from www.microsoft.com/exchange.
Nonetheless, the actions of spammers over the past year have reinforced our conviction that current filtering technologies are not enough. Knowing that only a small percentage of their output will get past today's filters, spammers have responded by significantly cranking up the volume of emails they send. So networks are burdened with even more junk than before. According to some surveys, email traffic now consists of nearly four spam messages for every legitimate one.
Clearly, we must find additional ways to counter spam. Microsoft is working on a number of new technologies and strategies that we believe will bring significant improvement.
Microsoft's Anti-Spam Technology Vision
A critical milestone in this effort was achieved just recently by the Anti-Spam Technical Alliance--an industry group that includes AOL, Yahoo, EarthLink, Comcast, British Telecom and Microsoft. Alliance members, who provide a large majority of the world's email inboxes, endorsed a set of anti-spam best practices for email service providers and large senders. Microsoft and other leaders of the Alliance also agreed to promote broad industry testing of proposals to combat email forgery, known as "domain spoofing"--the use of false "From:" addresses to make a message appear to be from a legitimate sender.
Wide agreement on the need to check messages for signs of forgery is a key step toward eliminating a favorite spammers' trick--one used to defeat spam filters and entice unwary recipients into opening attachments that may contain harmful worms and viruses. Domain spoofing is involved in half of all of today's spam.
Many people are surprised to learn that today's email systems cannot verify whether messages actually come from the source shown on the "From:" line. One way to make this possible is through the Sender ID standard that Microsoft and other industry leaders have developed and are testing. It will not only help block spam but also help curb other abuses, such as fraudulent promotions or email that tries to lure recipients into disclosing their credit-card numbers or other private information.
By combating domain spoofing, Sender ID will also help us use other anti-spam measures more effectively. When combined with recipients' continued use of "safe" lists for legitimate senders, wide adoption of Sender ID will mean that wanted email from known senders can pass into inboxes with minimal filtering, and email from unknown senders can be filtered more thoroughly.
As filtering is further refined, new technologies and accreditation systems will provide ways for senders to prove they're not spammers, to ensure that legitimate email from unknown senders is accepted. Together, these changes should dramatically reduce the volume of junk email arriving in inboxes.
A comprehensive approach to curbing spam therefore requires a combination of things:
These multiple efforts will dramatically reduce the costs of dealing with spam--especially when combined with civil and criminal enforcement. Let me explain the key elements of our comprehensive approach in more depth.
Enabling Proof of Identity and Purpose
As I mentioned, spammers often use false addresses on the "From:" line of messages. But the sender's actual Internet Protocol (IP) address is harder to fake, and if it could be checked by a server receiving a suspect message, a lot of domain spoofing could be eliminated. This is the idea behind the Sender ID standard. It involves publishing the IP addresses of outbound email servers in the Internet directory--the Domain Name System--that controls all email delivery, and embedding each sender's IP address in the email "envelope"--the hidden routing information that guides email to its destination. Recipients' email systems will then be able to check a message's authenticity. More information on how Sender ID works can be found at www.microsoft.com/senderid.
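The receiving-side check described above, sketched as an added example (not Microsoft's code and not the full Sender ID algorithm). The DNS table, domains and addresses are constructed; the sketch handles only the ip4, ip6 and all mechanisms of an SPF-style spf2.0/pra record, and it assumes the From: domain is the identity being checked.

```python
import ipaddress
from email.utils import parseaddr

# Constructed stand-in for DNS TXT lookups (documentation address ranges).
PUBLISHED = {
    "example.com": "spf2.0/pra ip4:192.0.2.0/24 ip4:198.51.100.25 -all",
    "example.net": "spf2.0/pra ip4:203.0.113.0/24 ?all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate(record, client_ip):
    """Evaluate ip4/ip6/all mechanisms left to right; first match wins."""
    version, *terms = record.split()
    if not version.startswith("spf2.0/"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            # A v4 address is never "in" a v6 network, and vice versa.
            if ip in ipaddress.ip_network(value, strict=False):
                return QUALIFIERS[qualifier]
        else:
            return "permerror"  # mechanism outside this example's subset
    return "neutral"


def check_sender(from_header, client_ip, dns=PUBLISHED):
    """Check the connecting IP against the record of the From: domain."""
    _, address = parseaddr(from_header)
    domain = address.rpartition("@")[2].lower()
    record = dns.get(domain)
    if not domain or record is None:
        return "none"  # domain publishes nothing: no basis to judge forgery
    return evaluate(record, client_ip)
```

A "fail" result means the domain's owner has stated that the connecting server is not one of its outbound mail servers; "none" and "neutral" leave the decision to content filtering.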
We're also developing ways by which senders unfamiliar to recipients could choose to "qualify" their email in order to guarantee its delivery, such as by demonstrating that their PC performed a special set of computations in the process of sending the email. This would involve an expenditure of computing time that would be trivial for most senders, but would cause a dramatic slowdown in spammers' operations, given the massive volumes of email they send. Conversely, servers receiving suspect email could reply to the sender with a challenge, perhaps a computational puzzle or one solvable only by a human sender. If the sender responds appropriately, with human interaction or by expending a small amount of computing time, only then would the email gain access to the recipient's mailbox.
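One way the "special set of computations" could work, as an added example (not code from Microsoft; the letter does not specify a scheme). It assumes a hashcash-style partial hash search over SHA-256; the stamp format, the 16-bit work factor and the sample values are assumptions, and the recipient address is assumed to contain no colon.

```python
import hashlib

MIN_BITS = 16  # verifier's required work factor (assumed policy value)


def _leading_zero_bits(digest):
    """Count the leading zero bits of a digest."""
    value = int.from_bytes(digest, "big")
    return len(digest) * 8 - value.bit_length()


def _body_tag(body):
    """Short digest that ties a stamp to one message body."""
    return hashlib.sha256(body).hexdigest()[:16]


def mint(recipient, body, bits=MIN_BITS):
    """Sender side: search for a counter whose hash meets the target.
    Expected cost is about 2**bits hash operations."""
    prefix = f"{bits}:{recipient}:{_body_tag(body)}:"
    counter = 0
    while True:
        stamp = prefix + str(counter)
        if _leading_zero_bits(hashlib.sha256(stamp.encode()).digest()) >= bits:
            return stamp
        counter += 1


def verify(stamp, recipient, body, seen, min_bits=MIN_BITS):
    """Receiver side: one hash, plus binding and replay checks."""
    try:
        bits, rcpt, tag, _counter = stamp.split(":")
        claimed = int(bits)
    except ValueError:
        return False
    if claimed < min_bits:      # do not accept a cheaper self-declared target
        return False
    if rcpt != recipient or tag != _body_tag(body):
        return False            # minted for another mailbox or another message
    if stamp in seen:           # one stamp buys one delivery
        return False
    digest = hashlib.sha256(stamp.encode()).digest()
    if _leading_zero_bits(digest) < claimed:
        return False
    seen.add(stamp)
    return True
```

Binding the stamp to the recipient and body is what makes the cost scale with volume: a sender cannot compute one stamp and reuse it across a mailing list.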
Some have suggested that such systems might open the door for service providers to charge senders a fee for email delivery. We firmly believe that monetary charges would be inappropriate and contrary to the fundamental purpose of the Internet as an extremely efficient and inexpensive medium for communications. The goal instead is to thwart spammers' misuse of the Internet, so that everyone else can continue to enjoy its enormous benefits.
Businesses and other organizations that send large volumes of legitimate email, such as banks, have a special need to distinguish their messages from spam. Third-party accreditation services could help by certifying such senders' identity and good behavior. In May, Microsoft's MSN Hotmail successfully completed a pilot test of Bonded Sender, an accreditation program developed by IronPort Systems and overseen by TRUSTe, a nonprofit privacy organization. To gain accreditation, a sender must meet stringent standards for good email practices, and also post a bond with IronPort. The bond is forfeited if a sender fails to adhere to the standards. We think that this and other emerging accreditation programs, such as Brightmail Inc.'s reputation service, are very encouraging developments.
Preventing and Protecting Against Spam Attacks
Increasingly, technology can help prevent spam, viruses and other threats from ever entering and overburdening networks. This approach is the basis for Microsoft Exchange Edge Services, a new technology that insulates networks from incoming spam and hacker attacks. Edge Services will incorporate our latest filtering and security technologies, and will enhance our platform for third-party anti-spam solutions.
We're also working on other ways to foil spammers' favorite ploys. For example, spammers often assemble lists of valid email addresses through "dictionary harvest attacks"--sending spam to a large assortment of user names within an organization or email service, and then targeting much more junk email at the valid addresses (i.e., those that do not bounce back as undeliverable). We're developing software to detect these dictionary attacks and enable network administrators to block them before much of a network's valid names can be harvested.
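Detection of the pattern described above, as an added example (not the software the letter refers to). It flags a client that draws "unknown user" rejections for many distinct recipients inside a sliding window; the log format, threshold, window and sample lines are all constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: timestamp, client IP, RCPT address, SMTP reply code.
SAMPLE_LOG = """\
2004-06-28T10:00:00 198.51.100.20 carol@example.com 250
2004-06-28T10:00:01 203.0.113.7 aaron@example.com 550
2004-06-28T10:00:02 203.0.113.7 abby@example.com 550
2004-06-28T10:00:03 203.0.113.7 adam@example.com 250
2004-06-28T10:00:04 203.0.113.7 adele@example.com 550
2004-06-28T10:00:05 198.51.100.20 carrol@example.com 550
2004-06-28T10:00:06 203.0.113.7 adrian@example.com 550
2004-06-28T10:00:07 203.0.113.7 agnes@example.com 550
2004-06-28T10:09:00 198.51.100.20 dave@example.com 250
2004-06-28T10:20:00 198.51.100.20 davd@example.com 550
"""


def find_harvesters(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return {client_ip: time flagged} for sources that hit `threshold`
    distinct unknown recipients (550 replies) inside a sliding window."""
    recent = defaultdict(deque)   # ip -> deque of (time, rejected address)
    flagged = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue              # skip malformed lines
        stamp, ip, rcpt, code = parts
        if code != "550" or ip in flagged:
            continue
        when = datetime.fromisoformat(stamp)
        hits = recent[ip]
        hits.append((when, rcpt.lower()))
        while hits and when - hits[0][0] > window:
            hits.popleft()        # drop rejections older than the window
        if len({addr for _, addr in hits}) >= threshold:
            flagged[ip] = when    # point at which an administrator could block
    return flagged
```

In the sample, 203.0.113.7 is flagged after only one valid address (adam@example.com) has been confirmed, while 198.51.100.20, which mistyped two addresses fifteen minutes apart, is not.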
Similarly, spammers often hide their identities by routing their email through unwitting third parties, whose outbound email servers are misconfigured in ways that allow email to be relayed from outside. We're working on software that would enable administrators to block email from such servers, or subject it to special screening before it gets inside the network.
In addition to preventing spam attacks from outside networks, network administrators must be able to detect whether viruses or worms have infected desktop machines inside their networks and programmed them to spew spam around the world, without the owners' knowledge. Within the past year, this technique has been employed in distributed spam storms, in which massive volumes of email are sent simultaneously from many PCs. We're working to address this problem by adapting SmartScreen technologies to enable organizations to screen their own outbound email for spam.
Over the next 12 months, we will be adding important new features to the SmartScreen filtering technologies to make them even more effective. Any filter is only as good as the data it uses to tell good email from junk. SmartScreen has the advantage of drawing upon millions of messages that hundreds of thousands of volunteer MSN Hotmail customers have contributed and marked as either spam or non-spam. We'll be adding a wider range of data to make SmartScreen even smarter. And because spammers are always shifting their tactics to try to evade filters, we plan to enable SmartScreen technologies with automatic update capabilities so customers can stay current with the latest filter protection.
The Benefits of Innovation and Collaboration
The progress we've made underscores how much can be accomplished through innovation and broad collaboration by industry, government and consumers.
Since January 2003, Microsoft has collaborated with government agencies around the world to bring enforcement actions in 14 countries against the perpetrators of illegal, deceptive or fraudulent email. We have joined with others in our industry to actively support new laws, such as the U.S. CAN-SPAM Act, which provide better tools to help stop spammers. In March, we joined with other leading email service providers in filing the first major lawsuits under the new U.S. law against hundreds of individuals allegedly responsible for some of the world's biggest spamming operations. And we assisted the federal agencies who, in April, filed the first joint criminal and civil actions against a group of alleged spammers. With another 17 lawsuits that we filed in June, Microsoft's anti-spam enforcement activity has resulted in more than 90 legal actions worldwide.
As legislative, enforcement, technological and industry efforts have progressed, there's also been a growing recognition of the important role that customers can play in reducing spam--by using anti-spam filters, never responding to spam, and being careful to share email addresses only with people and businesses they know and trust.
I believe that the lessons we're learning in this fight against junk email will lead to many other benefits. As we work to help isolate and block spammers, we're also helping to build an infrastructure that will enhance the reliability, efficiency and safety of email, of the Internet, and of computing in general. Microsoft is committed to continuing these efforts until spam is no longer a major problem--a goal I'm confident will be achieved. More information about our efforts is available at www.microsoft.com/spam.