Two weeks after Hotmail implemented a controversial junk-email filter, users are complaining that the flow of "spam" to their in-boxes has not slowed.
In addition, some Internet business owners contend that Microsoft has aligned itself with the online equivalent of "vigilante militants."
Microsoft's Hotmail, a free Web-based email service, last week said it had subscribed to the Mail Abuse Prevention System's (MAPS) Realtime Blackhole List (RBL). The list filters email coming from servers known to be conduits for unsolicited commercial email, or spam.
The MAPS blacklist is one of several to have gained notoriety on the Internet. Supporters hail them as powerful tools against spammers and server administrators who leave their computers vulnerable to use by spammers. Detractors tend to be businesses that have wound up on these lists, often, they say, without having been warned that they had fallen afoul of what MAPS considers responsible email policies.
Whatever MAPS' reputation, Hotmail users are questioning the effect of its list after two weeks of apparently unabated spam intake.
"I haven't noticed any decrease in the amount of spam landing in my in-box," wrote one Hotmail user in an email, representative of many solicited and unsolicited emails received by CNET News.com. "In fact, it's jumped from 11 per day (average) to 16 per day in November. High so far was 33 in one day. Catch so far for the month: 281 spams, 1.2MB of space consumed. That's over half my allotted space."
Others bolstered the claim that Hotmail's spam problem is not going away, and that it may even be increasing.
"I have received double if not triple the amount of spam email in the past two weeks," wrote another Hotmail user. "Many of the messages are duplicates sent on sequential days. I use my Hotmail account often, but the spam messages are a real annoyance."
Microsoft countered that by implementing the RBL, Hotmail has reduced spam by thousands of emails a day, but the company declined to disclose more exact figures.
MAPS did not return several phone calls and email inquiries today or yesterday seeking comment.
While users gripe that Hotmail's implementation of the RBL has had little effect on their spam intake, some businesses and advocacy groups are voicing concerns that Hotmail has aligned itself with what they term a "vigilante" group exercising inappropriate and possibly illegal control over Internet communications and business transactions.
"My concern about all of the self-appointed vigilante anti-spam groups is that they're sloppy," said Dave McClure, executive director of the Association of Online Professionals (AOP), an Internet trade association. "I do sympathize with people trying to fight the problem of unsolicited commercial email, which is a problem that the industry is going to have to find a solution to. But vigilante law is not a good solution."
Three different businesses backed up McClure's concern about the administration of the email blacklists. Web hosting company Digital Aquarius and marketing firm BBS Press Service said they had been blacklisted without first having been warned by MAPS. MAPS promises to warn each offender with two email notifications and one phone call.
Another company, which asked not to be identified, said it lost thousands of dollars after MAPS blacklisted its credit card processor after another one of that company's clients was suspected of facilitating spam relay.
All three complained that MAPS did not respond in a timely fashion to their complaints about being put on the list.
"They have had numerous complaints over the years," McClure said. "I don't think it will be long before we see these services legally challenged on business interference or unfair restraint-of-trade grounds."
Although MAPS was not available to comment for this story, MAPS ally the Coalition Against Unsolicited Commercial Email (CAUCE) said MAPS welcomed a legal challenge.
"MAPS wants to get sued to establish that this is a legal boycott method," said CAUCE founder John Mozena. "The threat of a lawsuit is not going to stop them."
Mozena said MAPS had its share of critics who thought it was too lax with suspected spammers.
"There are plenty of people in the anti-spam community who think that the RBL doesn't go anywhere near far enough," said Mozena. "The more militant people in the anti-spam community think RBL is too nice to people. But while they might not be perfect, the reason they're so widely implemented is that by and large people trust their methodology."
Mozena said MAPS has acknowledged it needs to improve its response time in addressing complaints. He said the all-volunteer group was considering a number of funding schemes that would let them hire full-time employees to respond to complaints of those who think they were mistakenly put on the RBL.
"This may be a question of growing pains more than anything else," Mozena said.
Funding methods under consideration by MAPS include charging for a more advanced version of the service called RBL+. Another idea is to charge for consulting services for email administrators.
November 12, 1999
I wasn't stunned to discover that it rains in Seattle. It was raining when I got here. It's raining now. What did surprise me, though, was the relief - nay, vengeful glee - of the wo/man in the street over last Friday's Finding of Fact. Words like "just desserts" and "comeuppance" kept, um, coming up. And this was not at USENIX, where you'd hardly expect the Pope of Redmond to enjoy favorite-son status, but out among the common multitude - who (to judge by an unscientific, beer-swilling sample) aren't exactly standing in line to touch the hem of Mr. Bill's garment. Go figure.
Once I got back to the show floor, though, tolerance was once again the rule. There are numerous ways for NT to lie down with UNIX, and a good number of them are represented here. What caught my eye, however, was the MSN Hotmail booth nestled among the enterprise solutions. Anyone old enough to remember when MSN made it onto Paul Vixie's Realtime Blackhole List had their irony bit set by the news that Hotmail had become a subscriber to the RBL - and what with the recent BIND 8.2.2 release, and with the completely rewritten BIND 9 just around the corner, it seemed an apt moment to find yet another feather in MAPS' cap.
So it was in a festive spirit that I approached the booth to ask Microsoft's Gary Lin what was behind the decision. A desire to be cleansed? A quest for redemption? Hardly. As it turns out, it's all about money. Like any ISP, says Lin, Hotmail suffers from users who use their accounts to spam the online universe, and Hotmail's users see abundant spam in return. But beyond that, Lin added, "Certain parts of the Internet were specifically targeting us." Maybe it's the numbers - Hotmail's traffic (they have 50 million active users and an aggregate of 5 terabits of network traffic each day, says Lin) provides a pretty sizable crowd for a spammer to get lost in. Maybe it's the ease with which the appropriate headers can be forged. But whatever was drawing them, it was becoming a business problem: the hardware and bandwidth eaten up by processing unwanted traffic and storing spam ("we're holding 18 terabytes of user mail right now, and you can imagine what proportion of that is spam") was creating a scalability issue that could no longer be ignored.
With that in mind, Hotmail signed on to the RBL. Hotmail didn't want to mess with users' sense of privacy, said Lin, so content scanning was out, and the resources required to monitor and defend against sources of spam on their own were excessive. If Lin's own irony bit had been set, though, he managed to hide it well, portraying the whole thing as a straightforward, bottom-line-driven decision. And when I asked what MTA Hotmail was running to keep the open relayers at bay (sendmail, perhaps?), he replied: "We can't discuss that." I didn't ask twice.
Ben Johnson has been sending e-mail for months from his Hotmail account, but he just discovered that some of them were diverted to the trash before arriving at their destination.
Johnson, 24, an information technology worker at a major Illinois hospital, is one of millions of Hotmail subscribers whose outgoing mail has been blocked for at least five months while customers have been caught in the crossfire of a battle over spamming.
In an apparently overzealous attempt to prevent spam, Microsoft's Hotmail has been discarding e-mail sent to and from sites hosted by controversial Internet service providers--even if the sites themselves are not controversial. What's more, Hotmail didn't tell people that some outgoing mail was being discarded, instead saying the error was because of a problem connecting to the recipient--a practice that has particularly alarmed some customers.
"If Microsoft, one of the largest technology companies, can say who we send e-mail to, that really puts constraints on freedom of speech in the U.S.," Johnson said.
Microsoft defended its actions, saying it's only trying to prevent spam.
"MSN has been very aggressive and proactive in protecting our MSN Hotmail users from spam," Sarah Lefko, MSN product manager, said in an e-mail, noting that the company will review blocked sites on a case-by-case basis if a complaint is filed.
The quagmire illustrates the challenges of trying to prevent spam without interfering with legitimate email. After all, no one wants an in-box crammed with unsolicited porn and bogus plans to work from home for millions of dollars. E-mail services are struggling to find a fair way to prevent that from happening.
Still, to subscribers such as Johnson, the practice of blocking outgoing mail is extreme.
"It's like killing a fly with a shotgun," he said.
The controversy stems from Hotmail's membership in the Mail Abuse Prevention System (MAPS), an organization formed to crack down on spam. MAPS is the keeper of the Realtime Blackhole List (RBL), a list of ISPs known to host some major spammers.
However, many of those ISPs also host sites that don't send spam, and those sites often are blocked, too. MAPS hopes the practice will convince legitimate sites to abandon hosts that cater to spammers.
For example, ISP Media3 Technologies is listed on the RBL because it hosts half a dozen spammers. However, it also hosts sites such as Peacefire.org, which alerted members this week that Hotmail users have been unable to reach it for five months.
After Peacefire protested, mail to the organization was allowed to continue earlier this week.
Other companies besides Hotmail also may be blocking outgoing mail, but because they don't always notify customers, it's difficult to determine whether it's happening unless someone complains.
When a company signs onto MAPS, it has several options to control spam. It can use a method that compares each incoming message with a list of ISPs on the RBL. Or it can choose another, more sweeping approach that blocks e-mail, both incoming and outgoing, at the network borders. Companies also can tailor their systems to block only certain sites or just incoming mail. Hotmail apparently chose the most restrictive method.
Kelly Thompson, MAPS' RBL project manager, said most companies choose the least severe technique. Thompson acknowledged that blocking outgoing mail might be a little extreme, but given the huge load of spam that major services such as Hotmail must deal with, "they have the right to be as strict as they want."
The idea behind blocking outgoing mail is to ensure that people don't reply to spammers, who often offer recipients a fake option of unsubscribing from their list. Instead of removing people, spammers use the incoming messages as a signal that an e-mail address is an active one where they can send more spam.
Still, Web-based e-mail users are angry.
Kyle McCowin, a 21-year-old student, first learned of the blocks when he was alerted by Peacefire earlier this week. He said he could understand blocking incoming mail, but the move to block outgoing mail disturbed him.
"I was caught completely by surprise," he said. "As far as I'm concerned, there's no need to block outgoing mail."
McCowin also wishes Hotmail had made it more clear that it was discarding some of the messages he sent. "They just sort of pocket the e-mail and don't even tell you about it," he said.
Microsoft ran into a similar spam-related problem three years ago when it tried to block unwanted e-mails by filtering out incoming messages from Outlook 98 that contained certain phrases or grammar, such as a string of exclamation points or the words "for free." As a result, many people found that they never received messages from friends who were fond of multiple punctuation marks.
MAPS already has stirred plenty of controversy in its spam control attempts. In August, the organization was sued by Harris Interactive, which claimed it was being unjustly blocked. The suit was later dismissed. ISPs Exactis and Media3, which hosts Peacefire, have filed similar suits. Media3 lost the first round in its court battle Jan. 2, when a federal judge in Boston denied the company's request to be taken off the list.
January 19, 2001
Like many Internet service providers, Hotmail subscribes to the Realtime Blackhole List (RBL), a spam filtering service provided by the non-profit Mail Abuse Prevention Systems (MAPS).
But Hotmail is accused of being too heavy-handed in its use of the RBL by Peacefire, an anti-censorship site. Peacefire founder Bennett Haselton issued a press release Thursday announcing his discovery that Hotmail users have been unable to send or receive email to or from Peacefire for the past five months -- ever since its Web hosting firm, Massachusetts-based Media3 Technologies, had over 1,500 of its IP addresses, including Peacefire's, placed on the MAPS blacklist.
Media3 earned a place on the RBL in June because, according to MAPS, it hosts a number of companies that sell software for sending junk email. Media3 sued MAPS in December to get its block of IP addresses removed from the RBL. The lawsuit is still pending.
According to Peacefire's Haselton, the Hotmail incident illustrates that the RBL is doing more harm than good.
"Most people would rather delete nine junk emails than have one legitimate email get lost. Fighting spam is not the be-all end-all of the Internet," said Haselton, who reports that dozens of upset Hotmail users have contacted him after learning about the blockade. Some threatened to switch to a new Web-mail provider.
But some anti-spam activists Friday accused Peacefire of intentionally putting itself in the line of fire between Media3 and MAPS. Steve Linford, co-owner of the London-based Web design and hosting firm Ultradesign and operator of the Spamhaus Project, said Haselton was well aware that Media3 is considered the Internet's biggest spam service host, and that by staying with the ISP, Haselton is falsely trying to paint himself as an unwitting victim of the spam wars.
"People have offered Peacefire alternative hosting for free, and Media3 could move Peacefire in under three minutes by changing their DNS. But Bennett won't do that," said Linford, who noted that the Peacefire site was placed into the group of blacklisted Media3 IP addresses after MAPS added the company to the RBL.
Joe Hayes, Media3 co-owner, confirmed Friday that Haselton had not asked to be moved out of the blocked IP range. But Hayes said that's because such a move would disrupt the Peacefire site.
"If he wants to be moved off that machine we'll certainly accommodate him. But I don't think he's purposely staying there because he wants to make this an agenda. If there was spam on our network, he'd be the first to complain because he doesn't believe in spam," said Hayes.
According to Hayes, Media3 has a tough acceptable use policy and kicks companies off its network all the time for sending spam. But Hayes said his clients who sell bulk emailing software are not violating those terms.
"We don't have a billboard on our site that says, 'If you spam, come here.' Our AUP forbids it. Every hosting company has customers who send out spam. It's how you react to it. If I get complaints, there's justification for removing the accounts," said Hayes.
But John Levine, a member of the Coalition Against Unsolicited Commercial Email and operator of the Abuse.net site, said Media3 is infamous among anti-spammers for its hosting of spam software sellers.
"I'm disappointed that Peacefire, which has a long history of coming up with responsible technical ways to get around blocking software that they don't agree with, hasn't taken simple technical means to get around this accidental block at MAPS. I see no advantage to Bennett to continue claiming he's a victim by being associated with spamware vendors with whom he has no sympathy," said Levine.
While most ISPs use the RBL to block incoming connections to their mail servers from blacklisted IP addresses, it appears that Hotmail may have gone further and was using a router-based option MAPS calls BGP mode. Under that system, Hotmail users were prevented not only from receiving email from blacklisted sites, but also from sending messages to them. Hotmail officials were not immediately available for comment.
According to Haselton, after he complained, Hotmail eventually enabled its subscribers to send mail to @peacefire.org addresses, although the outgoing block on other blacklisted IPs is still in place.
Hayes of Media3 said incidents like the one at Hotmail will cause support for MAPS among ISPs to erode, as they realize the anti-spam service is holding companies hostage.
"If people look at the whole story, they will really begin to understand that MAPS is testing the waters out there to see how much they can get away with, and they don't care who they hurt in the process," said Hayes.
Linford noted that ISPs are entitled to use the RBL however they see fit, but he conceded that he would be reluctant to block his users' outgoing mail. But Linford said Hotmail has an unusual spam problem, which required it to take unusual steps to protect its users.
"It all sounds terrible -- if I were an ordinary user reading that MAPS was binning my email, I'd be livid. But on the other hand, nobody wants spam. And the vast majority of Hotmail users would be thankful, because everyone has been screaming at Hotmail to stop the spam."
February 9, 2001
Cable outfit Telewest has endured the ignominy of being blacklisted by Hotmail for sending spam.
Earlier this month Hotmail blocked email coming from the mail servers of Telewest Blueyonder broadband service for around 22 hours. During the period of the problem Yahoo mail servers were not accepting commands from Blueyonder's mail servers, stopping the delivery of mail.
Blueyonder users were also informed they might also have problems connecting to Lineone email servers.
Chris Kilian, a problem management analyst at Telewest Communications, told users through the telco's Blueyonder support page: "We are presently being blocked by Hotmail from sending any mail to them from our SMTP (outgoing mail) servers.
"If any attempt is made to make an SMTP connection to a Hotmail mail server, it is immediately being cut off. Any connection attempt from any other public interface (eg web front end servers) is successful."
A number of Register readers wrote to us about the problem, and when we contacted the firm a spokesman said that a blacklisting by Hotmail of Telewest was "a rumour". However, he confirmed that "a businessman has been relaying spam through our service and this was stamped out".
The admission of spamming through Telewest's mail servers points to a root cause, suggested to us by our readers, that the configuration of Telewest's servers allowed relaying of spam messages, a common security mistake but a surprising gaffe for a service provider to make.
Technology failures could explain the inability to deliver email, but only lax security would explain both the misuse of Telewest's service for spamming and the subsequent blocking - especially in the absence of a credible answer from Telewest.
'Spam relaying' is the process of using third party 'victim' email servers to send junk mail, thereby protecting the spam sender from identification and receipt of angry replies. Spammers also use the technique to offload the work of sending bulk emails onto somebody else's machine.
It is responsible for overloading mail servers and Internet connections, potentially causing servers to crash and preventing the flow of genuine email traffic for the abused organisation.
Since last week we've repeatedly asked to speak to someone from Telewest for comment on whether the inability to send email to Hotmail was due to open relays, but it said a suitably qualified spokesman was not available.
Networking problems with Blueyonder have resulted in a service where users are regularly unable to access newsgroups or browse the web, a subject of regular complaints to The Register which is documented on the service's support page.
In fairness, most of these problems, although occurring on an almost daily basis, are quickly resolved and Telewest is rolling out a program of upgrading its network infrastructure. The question is when will things improve - any answers, Telewest?
Monday March 5, 2001
WASHINGTON (AP) - Hotmail, the free e-mail service from Microsoft, is divulging subscribers' e-mail addresses, cities and states to a public Internet directory site that combines the information with telephone numbers and home addresses.
Hotmail customers are automatically added to Infospace's Internet White Pages directory unless they remove the check from a box in their registration form and "opt out," company officials said.
Critics say users may be putting themselves at risk of receiving junk e-mail, known as spam, because they overlook the check box. Once their information makes the directory, it is easily obtained by advertisers.
"Once your e-mail addresses get into the spammers' databases, you can't get it out again," said Internet activist Bennett Haselton, who made the discovery.
"We're clearly stating what this is," Lefko said. "It's a consumer benefit."
Hotmail provides an automatic deletion service which scans incoming messages to find unwanted spam, but it doesn't catch everything.
When people sign up for Hotmail accounts, each is offered an Internet White Pages listing. The site describes the listing by saying the user's "name, location and Hotmail e-mail address will be automatically listed in one or more Internet e-mail directories."
The option to have the Hotmail address listed with InfoSpace is prechecked. Lefko defended the default setting.
"Clearly when you're signing up for a new Hotmail account, you have the opportunity to uncheck that," Lefko said.
An Infospace representative declined comment.
Normally, InfoSpace shields a person's e-mail address. When a listing appears, there is only a "Send E-mail" link that leads to a form, which is then sent to the recipient. The sender never sees the recipient's address. The site explains: "For privacy, we don't show the full email addresses of people listed in our directories."
However, users and advertisers can easily obtain the addresses using two options: they can enter the search area through a "backdoor" page that is easy to find, or they can enter the search area using a Hotmail account. In both cases, e-mail addresses are shown.
With a small adjustment, the site also will display 100 listings per page rather than the default five, which also makes it easier for spammers to collect addresses.
John Mozena, spokesman for Coalition Against Unsolicited Commercial E-mail, said the public lists are a problem. "Spammers never do anything one-by-one," he said.
Hotmail user Chris Livermore of Redmond, Wash., said he keeps one Hotmail address private, given out only to friends. But now he gets almost 20 unwanted e-mails per week. His address is on the White Pages list.
"Within a couple months, the account will be unusable," Livermore said. "To try to wade through about 20 spam messages to get to your own messages, it's horrible."