Microsoft's anti-spam plan 'hijacked by zombies'

One of Microsoft's plans to fight the spam epidemic is unlikely to adversely affect spammers or reduce the quantity of spam, according to security experts.

Microsoft's chairman Bill Gates has been calling for the IT industry to work together and eradicate the spam problem. About six months ago he unveiled an initiative called Penny Black, which was a method for reducing a spammer's ability to send large volumes of unsolicited emails using Hotmail and MSN accounts. He suggested making the senders' computer process a complicated mathematical puzzle, which takes approximately 20 seconds, before each message is released. The puzzle's result is attached to the email's header, so that a receiving gateway can recognise emails that have been through the process and allow them to pass.

A Microsoft spokesperson would not give any indication of a possible launch date, but admitted that the company has been "examining a number of possible anti-spam approaches", which include "computational puzzles, challenge response and micro payments, which are all very interesting," the spokesperson said.

Security experts welcomed Gates' plan in principal because it made sense to try and throttle back a computer's resources enough to stop it sending out enormous volumes of spam. However, they fear that in practice this approach might be flawed, because most spam is sent from zombie PCs,  computers that have been infected by a type of virus or Trojan horse. Infected machine may be owned by an innocent home user but they are controlled by organised criminals over the Internet.

Simon Perry, the vice president of security at Computer Associates, warned that if a consumer's machine was taken over by a Trojan that used Hotmail to send spam, it would cause serious problems.

"If the machine has been taken over by a Trojan, and assuming the Trojan is not using its own SMTP engine, 20 seconds could turn into 200,000 seconds," Perry said.

James Kay, chief technology officer at email security firm Blackspider Technologies, said he suspects that the technology will have a provision for users to create a "virtual book of stamps" by pre-solving the puzzles and storing them on the hard drive. This would help anyone that works offline and then connects to the Internet to send a batch of messages, he said.

But this system would allow spammers to tap into the zombies' vast reserves of processing power and pre-solve lots of the puzzles in advance. This would hit the functionality of users with infected systems, rather than the spammers.

"I suspect the number of machines in the zombie army is getting bigger at an incredible rate -- and they have lots of spare CPU cycles to generate these stamps at will," he said.