Why Microsoft Fails at the Global Spam Issue

Update: 2012/11/06 – Fixed a minor typo and added a brief addendum below in regards to SPF.

I previously wrote elsewhere about Microsoft going to court to shut down a spam botnet. That’s a good move, however large or small its effect. But at the same time I knew they were terrible at managing spam, far worse than their competitors, and I wasn’t quite sure why. Now I know why.

The question becomes: do they filter at all? The sad truth is that I’m not sure. Surely they scan somehow; they do have a spam folder on hotmail/live accounts. Meanwhile, here’s an interesting story about Yahoo, which is under fire for scanning email. I don’t really care why they scan, whether it’s for adverts or not. Many more companies that are not under fire actually do place advertisements, even if it’s something you don’t like. At least with Yahoo it’s based on things you may actually like or send mail about. Yet take this quote I just saw on the BBC:

“People should have the right to send messages without Yahoo! snooping through them,” said Sarah Kidner editor of Which? Computing.

Are you kidding me? A computer scanning through them is not snooping. It’s not as if a person who works for Yahoo! is going around reading their emails. And best of all, they offer an opt-out. Complaining anyway equates to not paying enough attention. Look at many social network sites: privacy is a joke. Why not bicker at them too? I guess you do, but regardless, scanning email is the correct thing to do. Don’t like it? Then blame those who spam, those who get hit by malware (e.g., worms that mail themselves) and those who mail out malware intending to spread it. Whatever the reason, the fact is that scanning mail is important. Only a completely foolish administrator would allow mail to go unscanned in some form or another in this day and age. Security is the responsibility of everyone, not just those who actually realize there is a problem (which, sadly, Microsoft rarely if ever has). Sure, we all make mistakes and no system is 100% secure (even a computer that’s off is not 100% secure: it’s locked, you say? What about a key or a locksmith? And remember, folks: physical access is complete access). But to blatantly ignore issues that have been around for a long time and are very well known or demonstrated is irresponsible at best.

And here we go – further in that article on the BBC, we see the following :

“Not only does Windows Live Hotmail not read users’ e-mails, but we protect your inbox from anyone else accessing your e-mail with advanced security features.”

Unbelievable.
Firstly, if a Microsoft Windows machine is secure, it’s definitely not the work of Microsoft. That’s a given.
Secondly, if you don’t read (read? We’re talking about scanning!) email, then why or how do you decide what goes into the spam folder? Do you just look at it by black magic and decide this is spam? Or is it the subject of the mail (which would be a laughing matter if so)?

It most certainly is not black-listed hosts, unless of course you say blacklists can never contain your own hosts. What am I getting at? It’s simple. I have on many occasions seen people using Microsoft (read: hotmail) servers to try to spam users on my domains, some that never existed while I owned them, and some that don’t exist any more. Among the IPs are the following:

65.55.90.39
65.55.90.17
65.55.90.38
65.55.90.35
65.55.90.16

Don’t believe those are Microsoft-owned IPs? Well then, look at this query:

[06:18:27][root@xexyl ~ (0Mb)]# whois 65.55.90.0
[Querying whois.arin.net]
[whois.arin.net]
#
# Query terms are ambiguous. The query is assumed to be:
# "n 65.55.90.0"
#
# Use "?" to get help.
#
#
# The following results may also be obtained via:
# http://whois.arin.net/rest/nets;q=65.55.90.0?showDetails=true&showARIN=true
#

Microsoft Corp MICROSOFT-1BLK (NET-65-52-0-0-1) 65.52.0.0 – 65.55.255.255
American Registry for Internet Numbers NET65 (NET-65-0-0-0-0) 65.0.0.0 – 65.255.255.255
[snip]

There you go: Microsoft Corp. And I did not just come up with these IPs or do a reverse lookup. No, sadly they were in my mail log over time, trying to send mail (read: spam) to me. I’ve seen others from Microsoft too but I don’t have those (they may be on a backup disk, but otherwise the logs were rotated out over time).

And even more amusing (yet also more sad): advanced security features? What would that be, password protection? That’s an incredibly weak form of security when you consider that it is the user who chooses the password, and humans are the weakest link in the security chain. And don’t forget that some sadly write their passwords down on paper!

This all comes from the company that said there was no such issue as a certain backdoor, after it had been demonstrated! And although I cannot quote them on it, I do remember them saying it way back then. Yes, this would be related to the Back Orifice backdoor family.

This is also the same company that has a pathetic security system for their chat network, Microsoft Network (MSN) chat. And when I mention an issue to them, what does one of their employees say to me (even after I told them Windows is completely irrelevant to me as I don’t use Windows)? That I should go look at their antivirus page, which (how ironic) tells me about Windows antivirus programs. Hello? I said I don’t use Windows. Yet somehow someone was using MSN to spam, and that’s not unheard of with others, whether they use Windows or not. The irony is that they have SPF (Sender Policy Framework) in place; well, sort of. It’s actually configured slightly wrong. I pointed it out to them and they just ignored it; it surely was my “fault” and it was because of a Windows bug. Wrong. And as for the system that is configured wrong, here we go:

hotmail.com text = "v=spf1 include:spf-a.hotmail.com include:spf-b.hotmail.com include:spf-c.hotmail.com include:spf-d.hotmail.com ~all"

Observe the tilde before ‘all’, i.e. ~all? That means the following (and I’ll just quote the SPF page on the topic so it’s explained exactly as it should be):

Mechanisms

Mechanisms can be prefixed with one of four qualifiers:
“+” Pass
“-” Fail
“~” SoftFail
“?” Neutral

SoftFail: The SPF record has designated the host as NOT being allowed to send but is in transition: accept but mark

Why the ~? Why even bother? I can understand if this was for testing purposes, but once you have tested to make sure all hosts are configured properly, why keep it that way?
Okay, to be fair, they are a mail provider and they need to be less aggressive in some ways. I can see one use of having it this way, but unfortunately it’s usually not going to make a difference. That use is that the softfail result is recorded in the mail headers (Received-SPF), so if someone knows what to look for, it can be of use.
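To make the difference between ~all and -all concrete, here is an added example (my own, not code from the original post or from Microsoft) of a minimal SPF evaluator in Python. It resolves include: mechanisms against a constructed in-memory table of TXT records that stands in for DNS. The domains example.com, strict.example, spf-a.example.com and spf-b.example.com and their ip4/ip6 ranges are assumptions using documentation address blocks, not the real contents of spf-a.hotmail.com and friends. The same unauthorized sender ends up as softfail under ~all but fail under -all, and receiver_action() shows what a receiving MTA would typically do with each result.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups; these domains and ranges are
# assumptions for the example, not the real hotmail.com include records.
DNS_TXT = {
    "example.com": "v=spf1 include:spf-a.example.com include:spf-b.example.com ~all",
    "strict.example": "v=spf1 include:spf-a.example.com include:spf-b.example.com -all",
    "spf-a.example.com": "v=spf1 ip4:192.0.2.0/24 -all",
    "spf-b.example.com": "v=spf1 ip4:198.51.100.0/25 ip6:2001:db8::/32 -all",
}

# RFC 7208 qualifiers; '+' is implied when a mechanism has no prefix.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# What a receiving MTA typically does with each result.
ACTIONS = {
    "pass": "accept",
    "neutral": "accept",
    "none": "accept",
    "softfail": "accept but mark (Received-SPF: softfail)",
    "fail": "reject",
    "permerror": "accept, treat as unauthenticated",
}


def check_host(ip, domain, txt=DNS_TXT, depth=0):
    """Evaluate sender `ip` against the SPF record of `domain`.

    Supports ip4/ip6/include/all. The a/mx/ptr/exists mechanisms need live
    DNS and are not modelled here, so they yield permerror. Modifiers such
    as redirect= and exp= are ignored in this example.
    """
    if depth > 10:  # RFC 7208 caps DNS-querying terms; bound the recursion
        return "permerror"
    record = txt.get(domain)
    if record is None:
        return "none"
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in terms[1:]:
        if "=" in term:  # modifier, not a mechanism
            continue
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if addr.version == net.version and addr in net:
                return QUALIFIERS[qualifier]
        elif name == "include":
            inner = check_host(ip, arg, txt, depth + 1)
            if inner == "pass":
                return QUALIFIERS[qualifier]
            if inner in ("none", "permerror"):
                return "permerror"
            # fail / softfail / neutral inside an include is "no match":
            # keep evaluating the outer record
        else:
            return "permerror"
    return "neutral"  # no mechanism matched and no `all` present


def receiver_action(result):
    """Map an SPF result to the receiving side's usual handling."""
    return ACTIONS[result]


def compare(ip, soft_domain="example.com", strict_domain="strict.example"):
    """Show how the same sender fares under ~all versus -all."""
    return {soft_domain: check_host(ip, soft_domain),
            strict_domain: check_host(ip, strict_domain)}


if __name__ == "__main__":
    for sender in ("192.0.2.10", "2001:db8::1", "203.0.113.5"):
        for domain, result in compare(sender).items():
            print(f"{sender:>14} via {domain:<15} -> {result:<8} ({receiver_action(result)})")
```

Running it shows 192.0.2.10 and 2001:db8::1 passing under both records because an include matched, while 203.0.113.5 gets softfail from example.com (accepted, only marked) and fail from strict.example (rejected). That is exactly the gap a ~all record leaves open: a receiver that does not act on the softfail mark accepts the message as if SPF had never been published.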

Yes, spam is guaranteed at times to pass. It is guaranteed there will at times be false positives. But you know, we ALL have to make the best of it. Sadly, Microsoft once again proves they think they are not included in “all”. And that, folks, is why Microsoft went to court to combat spam: that’s the only way they seem to think it can be fought. Security flaws exist and that’s the cold hard truth. Make the best of it and try to learn before anything comes up. Otherwise, you have yourself to blame too.

And I guess this is as good a time as any to introduce the…

The Microsoft Windows Paradox