by Paul Kerstein

Microsoft Stalks Super Spammers

Oct 28, 2005

Microsoft announced Thursday that it has filed a lawsuit against groups that use zombie computers. The software giant took the action after learning, through a company experiment, that the use of infected PCs to thwart spam blockers and pass along immense quantities of junk e-mail is more widespread and disruptive than Microsoft expected.

A Microsoft statement said that the civil suit, filed in August in Washington State’s King County Superior Court, “for the first time specifically targets illegal e-mail operations that connect to zombie computers to send spam.”

Zombie computers are PCs that have unwittingly picked up malicious code, which lets operators in remote locations use them to carry out illegal activities. PC World this summer examined the problem in the exclusive series “Web of Crime.”

PC Goes Wild

In a controlled experiment, Microsoft turned a PC into a zombie by infecting it with malicious code. The company then monitored how much spam and spyware the computer sent. After three weeks, the total came to 18 million e-mail messages sent over 5 million different connections.

“The numbers were astonishing,” says Microsoft attorney Tim Cranton, who directs the company’s Internet Safety Enforcement Team. “Much higher than we expected.”

More than half of the spam currently being sent originates from zombies, according to Microsoft.

How Microsoft Measured

Cranton says that Microsoft used cross-referencing methods across multiple mail servers to narrow the scope of the lawsuit to 13 groups of spammers. The company did this by comparing the e-mail messages passing through the infected computer with the spam received by company-monitored Hotmail accounts set up to trap it.

“In two to three months, we will amend the lawsuit to name the spammers who are taking advantage [of consumers],” says Cranton. He won’t go into details about the groups being investigated, but notes that “a fair amount” of the spammers are based in the United States.

“This is compelling information that will hopefully get people’s attention,” Cranton says. The lawsuit, filed as a John Doe suit because it doesn’t name specific defendants, alleges six counts ranging from trespassing to a violation of the federal CAN-SPAM legislation, which requires, among other things, clear identification of a message’s purveyor and an opt-out mechanism for the recipient. Cranton says Microsoft plans to use the federal law as well as a Washington State antispam law to pursue the spammers.

“We’re talking about criminal behavior here,” Cranton says.

Microsoft has sued spammers before. In 2004 the company filed lawsuits against eight alleged spammers under the federal CAN-SPAM legislation.

Protection Tips

At a news conference in Washington, D.C., today, Cranton, officials of Consumer Action, and representatives of the Federal Trade Commission discussed the suit and ways for computer users to avoid zombie-generated spam.

Consumer Action’s Linda Sherry encouraged PC users to take a variety of steps to inoculate their computers against this threat, including:

– Use a firewall, “and if you need to turn it off to access a Web site, make sure you turn it on again.”

– Keep the computer’s software updated.

– Use antivirus software.

– Be wary of attachments.

The FTC announced the creation of a spam education site. “This is our attempt to have a one-stop shop for consumers to protect themselves,” said Dan Salzburg of the FTC.

One private-sector company uses filters based on the volume of mail a sender emits and on the sender’s reputation to separate wanted from unwanted correspondence.

Ironport Systems believes that a combination of throttling (setting rate limits on incoming mail, so that zombie PCs sending extremely large volumes of e-mail in a short time stand out and can be slowed down) and reputation filtering (applying different acceptance standards to e-mail depending on who sent it) lets it separate the wheat from the chaff more efficiently.

“On the ’receive’ side, we can block 80 percent of the stuff at the connection level by examining the behavior of the mail server; we’ve bound the problem beautifully,” says company spokesperson Tom Gillis. “The remaining 20 percent we’re going to open up more carefully.”
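The connection-level gate described above, as an added example that is not Ironport’s code or part of the original article: an inbound mail server keeps a sliding window of recent recipient volume per client IP, looks up the client’s reputation score, and decides before reading any message body whether to accept, tempfail (throttle) or reject the connection. The log format, the reputation scores, the tier thresholds and the per-tier limits are all assumptions made for the illustration, and the log lines are constructed, not captured traffic.

```python
"""Rate-limit plus reputation gate for inbound SMTP connections (illustration).

Assumptions (not taken from any product): one log line per connection attempt,
"<ISO timestamp> <client IP> rcpt=<recipient count>"; reputation scores from
-10 (known bad) to +10 (known good); per-tier limits on recipients per minute.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)
# Recipients a client may address per WINDOW before it is throttled (assumed values).
LIMITS = {"trusted": 500, "neutral": 10, "suspect": 2}

# Assumed reputation scores; unknown clients score 0. IPs are documentation ranges.
REPUTATION = {
    "198.51.100.10": 8,    # e.g. a large ISP's outbound relay with a clean history
    "203.0.113.44": -3,    # recent complaints, not yet on a blocklist
    "192.0.2.99": -9,      # listed on a blocklist
}


def reputation_tier(ip, reputation=REPUTATION):
    """Map a score to the policy tier used for this client."""
    score = reputation.get(ip, 0)
    if score <= -8:
        return "blocked"
    if score < 0:
        return "suspect"
    if score >= 5:
        return "trusted"
    return "neutral"


def gate_connections(log_text, reputation=REPUTATION):
    """Return (timestamp, ip, decision) for every connection attempt in log_text.

    reject   -> 5xx at connection time, body never read (known-bad reputation)
    throttle -> 4xx tempfail; real MTAs queue and retry, most spam engines do not
    accept   -> let the session proceed to content filtering
    """
    windows = defaultdict(deque)   # ip -> deque of (timestamp, recipients)
    decisions = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts_s, ip, rcpt_s = line.split()
        ts = datetime.fromisoformat(ts_s)
        rcpt = int(rcpt_s.split("=", 1)[1])

        tier = reputation_tier(ip, reputation)
        if tier == "blocked":
            decisions.append((ts_s, ip, "reject"))
            continue

        q = windows[ip]
        q.append((ts, rcpt))           # throttled attempts still count against the window
        while q and ts - q[0][0] > WINDOW:
            q.popleft()
        volume = sum(n for _, n in q)
        decisions.append((ts_s, ip, "throttle" if volume > LIMITS[tier] else "accept"))
    return decisions


def summarize(decisions):
    """Per-IP counts of each decision, e.g. {'203.0.113.7': {'accept': 5, 'throttle': 25}}."""
    out = defaultdict(lambda: defaultdict(int))
    for _, ip, decision in decisions:
        out[ip][decision] += 1
    return {ip: dict(counts) for ip, counts in out.items()}


def _constructed_log():
    """Build a constructed sample log: one zombie, one trusted relay, one blocked host, one suspect."""
    base = datetime(2005, 10, 27, 10, 0, 0)
    rows = []
    for i in range(30):                      # unknown host: 30 connections in 30 s, 2 rcpts each
        rows.append((base + timedelta(seconds=i), "203.0.113.7", 2))
    for i in range(20):                      # trusted relay: 100 rcpts in a minute, well under limit
        rows.append((base + timedelta(seconds=3 * i), "198.51.100.10", 5))
    for i in range(3):                       # blocklisted host: rejected on connect
        rows.append((base + timedelta(seconds=7 * i), "192.0.2.99", 1))
    for s in (0, 10, 20, 90):                # suspect host: third attempt exceeds its tight limit
        rows.append((base + timedelta(seconds=s), "203.0.113.44", 1))
    rows.sort()
    return "\n".join(f"{t.isoformat()} {ip} rcpt={n}" for t, ip, n in rows)


SAMPLE_LOG = _constructed_log()

if __name__ == "__main__":
    for ip, counts in summarize(gate_connections(SAMPLE_LOG)).items():
        print(ip, counts)
```

The point of the split is where the work happens: rejects and throttles cost only a TCP handshake and a banner, so the zombie that sends 60 recipients in half a minute is slowed to a trickle without any content being read, while the trusted relay never touches the limit. Throttled attempts stay in the window on purpose; otherwise a burst could reset its own counter. The 4xx for the throttle tier matters too: a real MTA retries after the window passes (the suspect host’s fourth attempt at 90 seconds is accepted), whereas most zombie spam engines simply move on.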

Gillis, who says that Ironport serves such top Internet service providers as Roadrunner, Sprint, and Verizon, admits that spam filtering is always ongoing.

“This is definitely a cat-and-mouse type game,” he says. “We develop an algorithm to block [spam], and [the spammers’] engineers come up with something to get around it.”

By Eric S. Crouch – PC (US)