Insight from Microsoft’s Spam and Phishing Guru

John Scarrow, General Manager of the Anti-Spam and Anti-Phishing Strategy Team in Microsoft's Technology Care and Safety Group, spoke to a gathering of Manhattan Chamber of Commerce businesses this week. Below are notes from his presentation, along with my own comments.
Spam and Phishing are two online epidemics that are causing mistrust in the use of the Internet by consumers and businesses. This mistrust is leading to a noticeable decline in the Internet’s use, which is NOT good for the technology industry overall. This is one major reason why technology vendors, such as Microsoft, are working so hard to reduce spam and phishing attacks.
Spam, as many of you know, is unsolicited email. This does not include email from a company or person that has some relationship with you, or that has reason to think you might be interested in their offer; that kind of email you can simply ignore, or ask the sender to stop sending it. Spam is the dozens of messages per day offering you a mortgage. There is no way to tell the sender "stop sending me email", and if you try, it only encourages them to send you more.
John asked us to imagine being a car manufacturer whose customers got rained on every time they went to their car. Wouldn't you be concerned, and do what you could to stop the rain? The rain would make people use their cars less.
Phishing is when you receive an email message that asks you to go to a web site and take some action that results in harm to your finances, your identity, and so on. You might receive an email from "PayPal", "eBay" or your local bank asking you to click on the link below to confirm your password or your account will be closed. Well, you click on the link and "confirm" your password, including your account number. Although the web site you went to LOOKED like the real vendor's web site (eBay, PayPal, etc.), it was actually a hacker's web site, and the hacker has just stolen your information and will now use it for illegal purposes.
Phishing, John explained, is akin to a car blowing up one in every five times it is started. While rain would be a simple annoyance for customers and auto makers, cars blowing up would be an entirely new threat and would DRASTICALLY reduce the number of people buying cars. In the same way, phishing reduces the confidence people have in using the Internet.
John explained that since Microsoft Hotmail has millions of customers, Microsoft has a bird’s eye view of the world of spam and phishing and there are several technologies Microsoft implements to better secure its customers. These technologies are not necessarily specific to Microsoft but are done by other online companies as well.
Some email servers are known hotbeds of spam and phishing activity. In that case Microsoft can simply block all email received from that server, based on its uniquely assigned Internet address, or "IP" address.
Amazingly, 90% of email into Hotmail is spam!
Spam takes a HUGE toll on businesses: on average, businesses spend $164 per user to combat spam. For a business with 300 employees, that's $49,200!
Because the cost and technology needed to conduct spam and phishing are very low, anyone with an evil mind and rudimentary technical skills can obtain millions of email addresses, set up a scam web site for phishing or spam (in spam's case it MIGHT not be a scam; you MIGHT actually receive the product you ordered), and email millions of people at little or no cost to the spammer. If only a small percentage of people respond to the spam or phishing attack, the spammer has succeeded.
The harder vendors fight to create solutions to combat spam and phishing the harder spammers/hackers fight to defeat the solutions. “Phishers are the Mafia of the new millennium”, John said.
Many people use the same login and password for many of their accounts, as no one wants to remember dozens of different user names and passwords. If a hacker gets one person's login/password, then most likely, by trying that combination at any number of popular online destinations (book stores, banks, clothing stores, etc.), he can access his victim's account details.
For large email hosts such as AOL, Hotmail and Earthlink, a spammer/hacker can blast millions of email messages with randomly selected names (,,, etc) and will often succeed in sending email to an active email address.
John also touched on "Zombie PCs", PCs that contain a malicious program (or more than one) that lets a hacker use YOUR computer for attacks, or just for advertising pop-up messages. A hacker can only get so much done with the processing power of one computer, but with 50,000 Zombie machines around the world, he can direct each of them to send a few hundred email messages (or do something else) on his (or her) behalf.
SenderID is a technology Microsoft is working on that lets "good" email servers authenticate themselves by linking their IP addresses to their domain names. If an email says "Lands' End" in the From line, that does not mean it REALLY is from Lands' End; it could be from a hacker pretending to be Lands' End. This is called email spoofing. With SenderID and other competing solutions, however, the real Lands' End would publish a link between its domain name "" and its IP addresses. The receiving server at Hotmail, AOL, Earthlink or your own company could then match the sending IP address against the domain name to authenticate the email message.
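To make the two server-side checks John described concrete (blocking a known-bad sending server by IP, and matching a sending IP against what the From domain has published), here is an added example written for this post. It is not Microsoft's code and not SenderID itself: it evaluates a record in the SPF syntax that SenderID builds on (`v=spf1 ip4:... -all`), and handles only the `ip4` and `all` terms. The blocklist, the domain names and the records are constructed placeholders in the RFC 5737 documentation ranges. Real SPF checks the envelope sender domain, while SenderID checks the address in the message headers; the lookup below takes whichever domain the caller passes in.

```python
import ipaddress

# Added example: an inbound-mail gate that first applies a per-IP blocklist
# (the "block all email from a certain server" step) and then an SPF-style
# check: does the sending IP appear in the list the From domain published?
# All networks and records below are constructed placeholders, not real data.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.77/32")]

# Stand-in for the DNS TXT records a receiving server would look up.
PUBLISHED_RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.10 -all",
    "example.net": "v=spf1 ip4:192.0.2.200/29 ~all",
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def is_blocked(sender_ip: str) -> bool:
    """True if the connecting server's IP falls in a blocklisted range."""
    ip = ipaddress.ip_address(sender_ip)
    return any(ip in net for net in BLOCKED_NETWORKS)


def parse_record(record: str):
    """Parse the ip4 mechanisms and the trailing 'all' qualifier of a v=spf1 record.
    Only ip4 and all are handled here; real records also use a, mx, include, etc."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not a v=spf1 record")
    networks, default = [], "?"
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if term.lower().startswith("ip4:"):
            networks.append((qualifier, ipaddress.ip_network(term[4:], strict=False)))
        elif term.lower() == "all":
            default = qualifier
    return networks, default


def check_sender(sender_ip: str, from_domain: str) -> str:
    """Return 'blocked', 'none' (domain publishes nothing), or the SPF-style result."""
    if is_blocked(sender_ip):
        return "blocked"
    record = PUBLISHED_RECORDS.get(from_domain.lower())
    if record is None:
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    networks, default = parse_record(record)
    for qualifier, net in networks:
        if ip in net:
            return QUALIFIER_RESULT[qualifier]
    return QUALIFIER_RESULT[default]


if __name__ == "__main__":
    for ip, domain in [("192.0.2.55", "example.com"), ("10.0.0.1", "example.com"),
                       ("203.0.113.9", "example.com"), ("10.0.0.1", "example.net")]:
        print(f"{ip:>14}  From: {domain:<12} -> {check_sender(ip, domain)}")
```

The point of the `-all` versus `~all` distinction is that the domain owner decides how strongly a receiver should treat an unlisted IP: a `fail` is a clear signal to reject, while a `softfail` is a hint to be suspicious. A domain that publishes nothing gets `none`, which is why spoofing a domain with no record is still easy.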
Another tool that Microsoft and other vendors use is to analyze the contents of email to better determine what a spam or phishing email looks like. If thousands of Microsoft customers report to Microsoft which messages they receive and classify as spam, then computers can begin to "learn" the characteristics of spam and prevent most of it from ever reaching your inbox. Think of this as a "spam" focus group of sorts.
Of course, John acknowledges, maybe your Dad, Mom or a customer is sending you an email that LOOKS like spam. As often happens, some "good" email is flagged as spam and blocked before it reaches you.
As spam and phishing protection technology evolves, Microsoft and other vendors want to build technology that knows a trusted source from an untrusted one.
At the end of the day, the BEST protection is that YOU are careful about which email you open, and VERY careful about which web sites you click through to from email messages.
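The "learning from reports" idea, and the false-positive problem John acknowledges right after it, can both be shown with a small naive Bayes spam filter. This is an added example, not Microsoft's filter (the post does not describe how Hotmail's filter actually works): the ten training messages are constructed stand-ins for user "this is spam" / "this is not spam" reports, and the classifier learns word-presence probabilities from them. A legitimate message from Mom that happens to use spammy words ("rates", "lowest", "now") lands near the decision boundary, which is exactly the case the text warns about; the example shows two mitigations a mail host can apply, a high decision threshold and a trusted-sender list.

```python
import math
import re
from collections import Counter

# Constructed training data standing in for user reports; every message here is invented.
REPORTED_SPAM = [
    "lowest mortgage rates refinance now apply today",
    "refinance your mortgage today lowest rates guaranteed",
    "cheap meds online order now no prescription",
    "confirm your account password now or your account will be closed",
    "click here to confirm your paypal account password",
]
REPORTED_HAM = [
    "lunch tomorrow at noon to go over the quarterly report",
    "attached is the draft contract please review before thursday",
    "thanks for the meeting notes see you next week",
    "mom here can you call me about the car this weekend",
    "quarterly numbers look good see attached spreadsheet",
]


def tokenize(text: str):
    return re.findall(r"[a-z0-9']+", text.lower())


class NaiveBayesSpamFilter:
    """Naive Bayes over word presence, trained incrementally from user reports."""

    def __init__(self):
        self.spam_counts = Counter()  # word -> number of spam reports containing it
        self.ham_counts = Counter()   # word -> number of not-spam reports containing it
        self.spam_docs = 0
        self.ham_docs = 0

    def report(self, text: str, is_spam: bool) -> None:
        """Learn from one report: the 'focus group' feedback described in the text."""
        (self.spam_counts if is_spam else self.ham_counts).update(set(tokenize(text)))
        if is_spam:
            self.spam_docs += 1
        else:
            self.ham_docs += 1

    def spam_probability(self, text: str) -> float:
        """P(spam | words present), with Laplace smoothing, computed in log space."""
        vocab = set(self.spam_counts) | set(self.ham_counts)
        total = self.spam_docs + self.ham_docs
        log_spam = math.log(self.spam_docs / total)
        log_ham = math.log(self.ham_docs / total)
        for word in set(tokenize(text)):
            if word not in vocab:
                continue  # never seen in any report: carries no evidence either way
            log_spam += math.log((self.spam_counts[word] + 1) / (self.spam_docs + 2))
            log_ham += math.log((self.ham_counts[word] + 1) / (self.ham_docs + 2))
        return 1.0 / (1.0 + math.exp(log_ham - log_spam))

    def classify(self, text, sender=None, trusted_senders=(), threshold=0.9) -> str:
        """'spam' or 'inbox'. A high threshold and a trusted-sender list are two ways
        to keep Mom's spammy-looking email out of the junk folder."""
        if sender is not None and sender in trusted_senders:
            return "inbox"
        return "spam" if self.spam_probability(text) >= threshold else "inbox"


def train_from_reports() -> NaiveBayesSpamFilter:
    """Build a filter from the constructed reports above."""
    f = NaiveBayesSpamFilter()
    for msg in REPORTED_SPAM:
        f.report(msg, True)
    for msg in REPORTED_HAM:
        f.report(msg, False)
    return f


if __name__ == "__main__":
    f = train_from_reports()
    for msg in ["refinance your mortgage now lowest rates",
                "see you at the meeting next week thanks",
                "mom here your car loan rates are the lowest now call me"]:
        print(f"{f.spam_probability(msg):.3f}  {f.classify(msg):5}  {msg}")
```

With ten training reports the probabilities are crude, but the shape of the problem is already visible: the obvious mortgage spam scores near 1, the meeting reminder near 0, and Mom's message about car loan rates at about 0.64. At a 0.5 threshold it would be blocked; at the 0.9 default it reaches the inbox, and a trusted-sender entry bypasses the score altogether.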
Get more information on security solutions at
Today, USA Today writes that Bank of America's new system was created by PassMark Security (, a Redwood City, Calif.-based company that makes authentication systems aimed at blocking identity theft and other fraud. Bank of America is offering it to online customers at no fee.
Instead of the traditional user name and password setup, SiteKey users select one of a thousand different images, write a brief phrase and pick three challenge questions.
The challenge questions, all things that only the customer would be able to provide, such as the year and model of their first car, are then used along with a customer ID and a passcode to guard access to the account.
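The two-phase login that the article describes (the customer enters an ID, sees the image and phrase chosen at enrollment, and only then supplies the passcode and a challenge answer) is shown below as an added example. It is my own illustration of the scheme, not PassMark's or Bank of America's code; the storage layout, the salted PBKDF2 hashing of the passcode and answers, the normalization of free-text answers and the sample customer are all assumptions made for the example. The security idea it demonstrates is that the image and phrase are a per-user secret a look-alike phishing site does not know, so a customer who does not see them should stop before typing the passcode.

```python
import hashlib
import hmac
import os
import secrets

# Added illustration of a SiteKey-style login flow; not PassMark's or
# Bank of America's implementation. Storage, hashing and the sample user
# are assumptions made for this example.


def _hash(secret: str, salt: bytes) -> bytes:
    """Slow salted hash for passcodes and challenge answers (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, 100_000)


def _normalize(answer: str) -> str:
    """Challenge answers are free text, so compare them case- and whitespace-insensitively."""
    return " ".join(answer.lower().split())


class SiteKeyDemo:
    def __init__(self):
        self.users = {}

    def enroll(self, customer_id, passcode, image_id, phrase, challenges):
        """challenges: dict of question -> answer; the article says the customer picks three."""
        if len(challenges) != 3:
            raise ValueError("exactly three challenge questions are expected")
        salt = os.urandom(16)
        self.users[customer_id] = {
            "salt": salt,
            "passcode": _hash(passcode, salt),
            "image_id": image_id,  # the picture chosen from the set of a thousand
            "phrase": phrase,      # the brief phrase the customer wrote
            "challenges": {q: _hash(_normalize(a), salt) for q, a in challenges.items()},
        }

    def site_proof(self, customer_id):
        """Phase 1: given only the customer ID, return the image and phrase so the
        customer can check the site is genuine before typing the passcode.
        A look-alike site does not know which image and phrase this user chose."""
        user = self.users.get(customer_id)
        if user is None:
            return None
        return user["image_id"], user["phrase"]

    def pick_challenge(self, customer_id) -> str:
        """Choose one of the customer's three questions at random for this login."""
        return secrets.choice(list(self.users[customer_id]["challenges"]))

    def verify(self, customer_id, passcode, question, answer) -> bool:
        """Phase 2: customer ID + passcode + a correct challenge answer grants access.
        Both factors are always evaluated, and the byte comparisons are constant-time."""
        user = self.users.get(customer_id)
        if user is None:
            return False
        ok_pass = hmac.compare_digest(_hash(passcode, user["salt"]), user["passcode"])
        expected = user["challenges"].get(question)
        ok_answer = expected is not None and hmac.compare_digest(
            _hash(_normalize(answer), user["salt"]), expected)
        return ok_pass and ok_answer


if __name__ == "__main__":
    bank = SiteKeyDemo()
    bank.enroll("cust-001", "correct horse", "img_0417", "blue kayak",
                {"first car": "1998 Civic", "first pet": "Rex", "birth city": "Omaha"})
    print("phase 1 shows:", bank.site_proof("cust-001"))
    q = bank.pick_challenge("cust-001")
    print("challenge:", q, "->", bank.verify("cust-001", "correct horse", q, "1998 Civic"))
```

Note what the flow does and does not protect against: it helps a customer recognize a fake site, but only if the customer actually refuses to continue when the image is missing. That is why the previous notes end with the advice that the best protection is still being careful about which links you follow from email.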
Read the full USA Today article here