Microsoft Plans to Thwart Spam

Times Staff Writer

Microsoft Corp. Chairman Bill Gates said Tuesday that the company was implementing a system akin to caller ID for e-mail to stem the flood of spam pitching blind dates and discounted medications.

The system aims to weed out e-mails that falsify their point of origin, a trick used by spammers to fool recipients into accepting their messages by making them look like they come from a reputable source. The increasingly common technique, known as “spoofing,” also allows spammers to hide their identities.

“Having e-mail come in and not really being able to identify where it comes from, this is a huge security hole,” Gates said at a computer security conference in San Francisco.

The Redmond, Wash.-based software giant began using some elements of the caller ID system Tuesday in its Hotmail e-mail service, Gates said. About 2.5 billion of the nearly 3 billion e-mails received each day by Hotmail are spam, according to Microsoft.

Some Internet experts noted that other means for verifying e-mail already existed.

Microsoft, which is often blamed for enabling computer viruses that propagate spam, “wants to be seen as doing something,” said Nick Shelness, an analyst with San Francisco-based Ferris Research, which provides e-mail consulting services. “My sense is that this is a marketing activity rather than a serious technical activity.”

The system unveiled by Gates, dubbed “Caller ID for E-mail,” is designed to stop e-mails from bogus addresses by requiring incoming messages to include the numerical address of the server from which they were sent. Computers receiving an e-mail would compare the numerical address to a known address to make sure it was legitimate.

On Tuesday, Microsoft’s Hotmail began making available to other e-mail providers the numerical addresses for Hotmail messages. Hotmail won’t begin checking the addresses of incoming messages until this summer, giving other services time to decide whether to configure their systems to use the caller ID approach. Gates didn’t say whether Microsoft would charge other services to use the system.

“We believe that over the next several years, with these various proof techniques ... that we can reduce spam to not being a huge problem,” Gates said.

Microsoft’s proprietary caller ID system is one of several proposals for dealing with spam by verifying a sender’s address. Anne Mitchell, president of the Institute for Spam and Internet Public Policy in Sunnyvale, Calif., and some other Internet experts prefer a system called Sender Policy Framework, or SPF, an open-source alternative used by Time Warner Inc.’s America Online and others.

“It’s as if a FedEx package comes to you from the White House, and you can check if it’s really from 1600 Pennsylvania Avenue,” she said. And, she added, with SPF, “there is no chance of being co-opted by a commercial entity” that would impose a licensing fee.

Chris Wysopal, vice president of research at AtStake, a computer security consulting firm in Cambridge, Mass., said Microsoft’s caller ID system would only be effective if widely implemented. That could happen if all corporations that use Microsoft’s Outlook and Exchange software to manage their e-mail adopt the method.

But if that doesn’t happen, he said, users could end up blocking legitimate e-mail because it didn’t include its numerical originating address: “People are worried about missing that one critical e-mail that caller ID didn’t pick out.”
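
The address comparison described in the article, as an added example (not code from Microsoft, the SPF project or the original report). It uses a simplified subset of the published SPF record syntax rather than the Caller ID format, which the article does not describe; the domains, address ranges and the `check_sender` helper are constructed for illustration. A domain that publishes nothing yields `none` rather than a rejection, which is the missed-mail case Wysopal raises.

```python
import ipaddress

# Constructed sample data: sender domain -> published policy text (SPF-style syntax).
# Domains and address ranges are reserved documentation values, not real records.
PUBLISHED = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all",
    "example.net": "v=spf1 ip4:198.51.100.17 ~all",
}

RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_sender(domain, client_ip, records=PUBLISHED):
    """Compare the connecting server's IP with the addresses the domain publishes.

    Returns 'pass', 'fail', 'softfail', 'neutral' or 'none'.
    """
    policy = records.get(domain.lower())
    if policy is None:
        return "none"  # nothing published: no basis for rejecting the message
    terms = policy.split()
    if not terms or terms[0] != "v=spf1":
        return "none"  # not a policy record this checker understands
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"  # a mechanism without a prefix means "pass on match"
        if term[0] in RESULTS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(value, strict=False)
            matched = ip.version == net.version and ip in net
        elif name == "all":
            matched = True  # catch-all, normally the last term
        else:
            continue  # simplification: mechanisms that need DNS lookups are skipped
        if matched:
            return RESULTS[qualifier]
    return "neutral"  # no term matched and no catch-all was published


if __name__ == "__main__":
    for dom, addr in [("example.com", "192.0.2.55"), ("example.com", "203.0.113.9"),
                      ("example.net", "203.0.113.9"), ("example.org", "203.0.113.9")]:
        print(dom, addr, check_sender(dom, addr))
```
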

Bloomberg News was used in compiling this report.
