Junk Mail From Ms (microsoft)

[Guest Graham Lea]

Special report "Spammers are thieves... They're hijacking your

system to deliver their unrequested, unwanted advertising,"

says a new Microsoft web site paper by R'ykandar Korra'ti.

 

But Microsoft is on shaky ground when it comes to spam - in

recent newsgroup posting the company's own abuse manager Mike

Lyman has effectively been conceding that Microsoft sends out

unwelcome, unsolicited mail, and that company staff are

unwilling and unable to do much about it.

 

Microsoft's anti-spam stance is being undermined by a

combination of faulty software systems, bureaucracy and

incompetence.

 

Lyman means well, but getting Microsoft to deliver a service

that comes close to Korra'ti's objectives seems to be like

trying to push water uphill. This isn't helped by the greed

factor operating on top of the other problems.

 

According to Korra'ti, "The allegedly legitimate' spammers...

don't hide where their mail is coming from, and at least they

pretend to offer a way off their lists." As far as quite a

few users are concerned, that makes Microsoft a "legitimate

spammer".

 

Several mailing lists and newsgroups are currently discussing

complaints about Microsoft and spam, and there have been

several clear instances where the company has been at fault,

and where this has been conceded by Lyman. One of the problems,

he admits, is a "tainted" database that isn't being fixed, and

is still being used.

 

He also concedes that at least one mailing wasn't justified,

that some Microsoft staff aren't acting according to official

company policy when it comes to unsolicited mail, and that the

company is currently far more concerned with privacy, and is

therefore putting too few resources into cleaning up its own

act on spam.

 

The database problems often make it difficult for people to get

off the mailing list, which they could well have been put onto

without their agreement. This is by no means unusual in the

industry, but Microsoft continues to add people to its list, to

use databases that haven't been properly cleaned up, and to

transfer mailing lists to third parties without the knowledge

or permission of the people listed.

 

The emailing that caused most ire was one about Microsoft's

plans for Y2K (two copies of this one just this morning - Ed),

but other smaller volume efforts continue. Some people also

claim that visitors to Microsoft sites may find themselves

getting unrequested newsletters.

 

And last week Microsoft is said to have mailed MCSE training

course attendees who had specifically checked the 'no publicity'

box.

 

When Microsoft sold Sidewalk to Citysearch, it seems to have

sold its database without deleting those who had asked to be

removed but at the time were possibly only flagged for removal.

To their annoyance, they were then started hearing from Sidewalk:

"Since you previously registered with Sidewalk, we thought you

would like to know..."

 

Unsolicited email from Microsoft may say that the email is being

sent to "preferred members," but recipients frequently deny that

they have ever knowingly become a "member" of any Microsoft list.

 

It can however be very difficult not to wind up on one or more

Microsoft lists, via registration of OS or applications, or

through the (largely compulsory) registration procedure for the

Windows Update or Office Update services.

 

Microsoft inevitably gets its hands on details of a very large

proportion of PC users, and it therefore has a duty to be

serious, consistent and responsible in the way it handles this

data.

 

But on the contrary, from what Lyman concedes it would seem

Microsoft is inconsistent, irresponsible, and cavalier. Lyman

admits that all is not well with Microsoft databases. He said in

a newsgroup posting that "the data base was tainted and the

mailing wasn't justified".

 

But he seems to have little power to influence change at

Microsoft, where the current concern at the group where he

reports is privacy rather than spamming. He is unable personally

to get at the faulty database, and in effect blames Microsoft's

impenetrable bureaucracy. When challenged about unplugging the

offending servers, he wrote: "Physical ability does not equal

authority".

 

There are many examples of users taking all possible steps to get

removed, and finding it impossible. People were "working to fix

their messes," Lyman said, but even a threat to divert a $50,000

budget to non-Microsoft products was only likely "to impact the

local [Microsoft] weenie more than the guys at corp HQ who did

the spamming."

 

He was also brutally frank about what happens when email is sent

to addresses like abuse@microsoft.com: "you're probably hitting

some little peon in the organisation who has zero say in how

things are run. ... By the time the stuff gets to those who are

the decision makers it's probably been boiled down to numbers and

stats with maybe a few samples of the complaints. 600,000 messages

went out, 100 complaints came back, hmm, must be doing a pretty

good job.'"

 

Lyman notes that most Microsoft marketing people don't have

Internet experience, and so fail to grasp the implications of what

they're doing. As far as they're concerned what the recipients

regard as unsolicited spam are "informative announcements".

 

Lyman says: "The one thing that's kept my frustration over the

pace of things at Microsoft from completely boiling over is I

deal with the same people for privacy issues as I do with spamming

issues. They've been very focussed on piracy and frankly I'd

rather have them focussed on privacy."

 

One of the greatest fears for spammers (at least the "legitimate"

spammers who can be tracked and pilloried) is being black-listed

by the Mail Abuse Protection System (MAPS) founded by Paul Vixie

in 1997. MAPS has developed a Real-Time Black Hole List (RBL) used

by some 300 licensed subscribing ISPs (numbers have doubled each

year, so far) to block spam.

 

Nick Nicholas, the front man for MAPS, said there were 12 complete

nominations to list Microsoft, and many incomplete ones, when the

issue of black-listing Microsoft was raised. Lyman thinks that MAPS

is trying to become an "anti-spamming version of TRUSTe" but is

doing it from outside the corporate world.

 

This is true, and for the moment at least, MAPS does not enjoy too

much major league support. MAPS admits it has made mistakes in its

blacklists in the past. There were rumblings that Microsoft might

sue MAPS if Microsoft was placed on the RBL list (Lyman ominously

mentioned that "deep pockets usually win"), but Microsoft recently

concluded a deal with MAPS to use the product in Hotmail to cut

down on spam, making any legal action much less likely.

 

Ironically, Hotmail itself has taken legal action against what it

regards as the abuse of Hotmail. Lyman claims that Microsoft has

scheduled improving the database, but has no timing as to when this

will happen.

 

He noted that he took a firm line with Microsoft and has overcome

a view that persisted at Microsoft that people who complained had

forgotten they had registered to receive spam.

 

In one message Lyman said of old requests to be removed "the

database purge should clear them out", but it would be impossible

to find any culprits for previous abuses on the Microsoft staff.

But "if the harvested stuff is recent ["last year or so"], there's

a major problem with policy violation and heads need to roll." So

anybody getting junk mail from Microsoft to an email address first

used in the last year should take up Lyman's offer to sort the

matter out and contact him at usma87@hotmail.com.

 

He noted: "I hope other companies avoid the mistakes our folks

made and go straight for the confirmed subscriptions up front.

It'll save them lots of pain."

 

Lyman appears to be a Microsoft person who is actually trying to

sort out the spamming situation, but with little or no help. And

there are those who say that the anti-spamming cure by the net cops

is worse than the disease.

 

In Congress recently Rep Heather Wilson told a hearing that

"banning all spam "may be unconstitutional because it would ban

unsolicited mail that people do not mind receiving - or even want

to receive..."

 

There is a way to block Microsoft spam for MS Exchange users who

use Exchange to provide SMTP services, and it's described at

info.edu/Techdir/relaying-exchange.html. There are also spam filter

packages such as SLMail, MailShield, N-Plex, the Isode Message

Switch, VOPmail, and WorldSecureMail.

 

In view of what Lyman says, a column "written" by Bill Gates on

the subject of spam last year has a certain piquancy: "My company

is among many that offer regular emailings to customers and

potential customers. But we only send email to people who have

requested it, and we have easy ways for people to remove themselves

from the mailing list."

 

This is clearly untrue. Gates then described spam: "Sometimes spam

includes a purported way for you to remove yourself from the

mailing list, but it often doesn't work.

 

In fact, making the request may do nothing more than prove to the

spammer that your e-mail address is valid - prompting more

mailings."

 

Ahem. Gastronomic note: Spam stands for spiced ham, and is a

trademark of Hormel Foods' tinned luncheon meat, first introduced

in 1937. For this reason, spam is often referred to as unsolicited

commercial email (UCE). There is also a spam fan club.