Microsoft spam suit involves old nemesis
Written by John P Mello Jr on June 22, 2010
If spammers are anything, they are persistent, as is the case with Boris Mizhen. Mizhen, along with Dimitri Kovalsky and Muhommad Mohsan-ul Moula, was sued by Microsoft this week for creating bogus Hotmail accounts and using them to camouflage their spam.
Microsoft is very familiar with Mizhen’s antics. In 2004, the Connecticut resident paid the company $2 million to settle a lawsuit slapped on him for spamming Hotmail users.
Microsoft revealed the CAN-SPAM Act lawsuit, filed in federal district court in Seattle, in an item written by its General Manager of Safety Services John Scarrow in its “Microsoft on the Issues” blog. In the blog item, Scarrow wrote that the scheme hatched by Mizhen et al was “one of the largest-ever spam attacks on Windows Live Hotmail.”
Three of Mizhen’s companies were named in the litigation: Media Network, Inc., New Age Opt-In, Inc. and Permission, Inc. Microsoft alleges that the outfits, while posing as legitimate advertising companies, are actually just launching pads for spam.
According to Microsoft, the spammers devised and implemented a plan to use Hotmail’s junk defense systems, the Junk E-Mail Reporting Program (JMRP) and Smart Network Data Services (SNDS), to legitimize their electronic effluent.
JMRP is a free program that senders can enroll in. It’s designed to create reports for senders about how their messages are being treated by Hotmail. If a message is marked “junk” or “phishing” by the system, it, along with its headers, will be returned to the sender. The purpose of the program is to help senders avoid squirting unwanted messages to Hotmail users.
SNDS is another free service offered by Microsoft. It’s designed to give senders some insight into how Hotmail users are rating the email they receive from senders and how the system’s filters are treating those senders’ messages.
While both applications are meant to be helpful tools for legitimate marketers, like any tool, they can be used for either bad or good. Allegedly, Mizhen and his co-defendants chose to use the tools for nefarious ends.
“In our lawsuit,” Scarrow explained in his blog posting, “we allege that defendants opened millions of Hotmail email accounts and hired people to manually identify spam mails as legitimate mails in order to trick Hotmail into classifying spam as legitimate mail.”
“Such actions undermine the measures we’ve put in place to protect people,” he continued. “We take this abuse very seriously, and while Hotmail and our SmartScreen filter continue to work to block spam from this identified scheme, we’ll keep investigating and pursuing spam attacks to protect our network and our customers.”
“SmartScreen” is a way devised by Microsoft to use crowd sourcing to improve the efficiency of its spam filtering. If a spam message arrives in a user’s Hotmail inbox, the user can mark the message as junk. That information is then sent to Microsoft, which will use it to classify similar messages in the future. If legitimate mail is misdirected to the junk mail folder, a user can mark it as “not junk” and Microsoft will take that information into account in the future, too.
Ordinarily, as a supplementary spam-fighting system, SmartScreen would work well. Undermining it would take a lot of manual labor. Spammers, generally, aren’t into manual labor. They’d prefer to automate their misdeeds. Mizhen and company, though, appear to have broken that tendency and brute-forced their attack on the Hotmail filtering systems.
Automation was used in creating the millions of Hotmail accounts used in the scheme to sanitize the junk mail sent into those accounts by the spammers. Once the accounts were created, the emails were sanitized by hand so the messages could reach legitimate Hotmail users unimpeded by Microsoft’s spam filters.
Opening a Hotmail account requires solving a CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) puzzle. That usually requires typing in some words displayed on the screen in distressed type. It usually works very effectively at foiling the bots used by spammers to automate creating accounts.
However, spammers have become increasingly sophisticated in cracking CAPTCHA schemes, as was evident in this massive attack on Hotmail. Reportedly, one of the defendants in the case, Muhommad Mohsan-ul Moula, is able to create Hotmail accounts for $15 per thousand. Another well-known CAPTCHA cracking outfit, Decaptcher.com, says it can do it even cheaper at $2 per thousand.




