Flash! Intelligent Life Found at Microsoft

After posting the item about spam and the recent relationship between Microsoft and whitelist provider IronPort, I got a letter from Reeves Little of Microsoft. Initially, he asked for some clarification about my opinions involving whitelists, but as we traded letters, we got into a pretty good discussion about Microsoft’s efforts to do something about spam and e-mailed viruses. I think that the whole thing is worth reading, since it reveals a side of Microsoft that outsiders seldom see. I’m going to edit out some personal items that have nothing to contribute and paste in the rest-

Hi Jeff,
I wanted to get a clarification from you on your objection to our use of IronPort. My read of your post is you object to the idea of using white listing as the anti-spam solution. The other possible read is that white listing should not be used at all as a part of an anti-spam strategy. To restate: are you objecting to using only IronPort or are you objecting to using IronPort at all?

Thanks,
Reeves

(a Program Manager @ MSN Hotmail)

Here’s my reply-

I have no objection to whitelists, per se.

But, is IronPort’s version of a whitelist valuable? I’m still on the fence about it. I’ve yet to see software that relies on whitelists alone and works well. Now, the news article I was commenting on made it appear that Microsoft was relying on IronPort as the only spam control. If that’s not true, I hope you will set the record straight. I’ll be happy to post your letter of explanation.

My opinion, for what it’s worth, is that the software that works best is one that uses a long list of methods and blends them all. When I consider how IronPort works, I get a little edgy. Companies can post a bond that backs up their claim that what they’re sending out isn’t spam. I can think of two things that make that a poor approach IF it’s used as the backbone of an antispam control-

1- A spammer makes so much money off spam that a simple posted bond is the last thing he’ll worry about.
2- A small company or even a private citizen who sends out a few hundred to a few thousand newsletters to people who want them may not be able to afford such a bond. Where does that leave them?

Oh, and while I’m at it, let me say that the very worst thing you could do is to wipe anything considered spam without giving the user a chance to weigh in on the decision. Shunt the spam off into some bulk mail folder or something and let the user build his own whitelist/blacklist. My own ISP has installed an antispam program at its level, but I refuse to use it for just that reason. Once their software identifies e-mail as spam, it’s toast. You never see it, so there is no way to whitelist it.

In summary, I guess that using a whitelist as part of an antispam effort isn’t necessarily bad, as long as it’s not the ONLY criterion used and it doesn’t take control away from the user. Lord help us, but there are actually people out there who have subscribed to porn. I find that unpleasant, but their right is to get what they want. Any definition of spam has to take all kinds into account.

Then he came back with-

Thanks for the clarification. I agree, the press release was a little light on the details and made it seem like we’re simply using white lists. As you pointed out, that would be a really bad idea. :) We’re using IronPort to complement our existing array of anti-junk e-mail tools. While many tools identify junk, IronPort aims to identify valid mail to reduce false positives.

As of yet, there is no perfect tool and every tool has shortcomings; we just hope to stem the flow of garbage by overlapping several tools. Junk e-mail costs us a ton in equipment, staff and customer satisfaction. If the tools we use reduce the junk but are so aggressive they also reduce customer satisfaction, we’ve failed.

Thanks for the feedback and thanks for making your original post. I think it’s great that people call foul if they think we’re doing the wrong thing… we know we’re working hard to make cool software but we don’t always know how that work is perceived. Please keep it up and don’t hesitate to ping me if you have questions.

Cheers,
Reeves

Never one to waste such an opening, I wrote back to him-

I’ve also been wondering, as have some other people, why ISPs and services like Hotmail don’t filter incoming and outgoing e-mail for virus infections. For example: I’ve had to keep a working Yahoo! e-mail account because I belong to several of their online groups. Then they went paid subscription for their e-mail accounts above the basic level and everything very quickly went down the drain. I don’t use their services for day-to-day e-mail, so I declined the offer to pay them $30 a year for “Advanced” levels of service. At that point, or shortly thereafter, I started to see virus-infected e-mail hit the inbox. Sometimes as many as 4 per day. Spam levels had been rising steadily, but this was a little too much for me to stand. Now, if an occasional user gets 4 per day, imagine how many hit a high-use account. Yet they don’t do anything about it. I must be missing the bus, somewhere.

I realize that it might affect performance or at least the speed of mail delivery, but with the current load that security puts on Microsoft operations and resources, it might be something to think about. After all, you save a few million here and there and pretty soon you’re talking real money :).

He wrote back-

Heh, yeah, the costs can really add up when you’re talking about a user base the size of Hotmail, Yahoo or AOL.

In terms of anti-virus (AV) protection, we scan files for infection at the time of upload or download rather than put the load on our inbound or outbound mail connection (though we still do filter for some big attacks on the inbound). One of the big wins from this strategy is AV companies don’t typically get a heads up from hackers before a virus is released on the world. If we scanned entirely at the mail gateway we would miss the first onslaught. The lag time between a virus being released and the user logging in tends to mitigate the danger.

I should also point out that the typical worm or virus today will not send itself “from” the infected user. Many viruses use the strategy of scanning a user’s IE cache folder and their e-mail address book for addresses then randomly construct the “to” and “from” lines of the outbound attack. If you get a virus claiming to be from someone you know, most likely that someone isn’t the infected party.

The next note from me-

Oh, very true. But the viruses seldom claim to be from a Yahoo! account, even though they come through Yahoo!. Even when the return address says Yahoo!, it’s more than likely a non-existent account name. I run a group on MSN and the easiest way I have of keeping that trash from hitting my members is to send off a short ‘who are you?’ note. If it bounces, then I can just delete the applicant.

And his closing note-

Right-o. Thanks. You can let your readers know you found signs of life at MS. Intelligence is still in question but the ability to operate a keyboard is self-evident. :D

Cheers,
Reeves

I’m happy to do just that. There is indeed intelligent life at Microsoft!