Microsoft announced Thursday that it has filed a lawsuit against groups that use zombie computers. The software giant took the action after learning through a company experiment that use of infected PCs to thwart spam blockers and pass along immense quantities of junk e-mail is more widespread and disruptive than Microsoft expected.
A Microsoft statement said that the civil suit, filed in August in Washington State’s King County Superior Court, “for the first time specifically targets illegal e-mail operations that connect to zombie computers to send spam.”
Zombie computers, through the unwitting acquisition of bad code, allow computers in remote locations to use them to carry out illegal activities. PC World this summer examined the problem in the exclusive series “Web of Crime.”
PC Goes Wild
In a controlled experiment, Microsoft turned a PC into a zombie by infecting it with malicious code. The company then monitored how much spam and spyware the computer sent. After three weeks, the number totaled 18 million e-mail messages from 5 million different connections.
“The numbers were astonishing,” says Microsoft attorney Tim Cranton, who directs the company’s Internet Safety Enforcement Team. “Much higher than we expected.”
More than half of the spam currently being sent originates from zombies, according to Microsoft.
How Microsoft Measured
Cranton says that Microsoft used cross-referencing methods with multiple mail servers to narrow the scope of the lawsuit to 13 groups of spammers. The company did this by comparing e-mail messages sent to the infected computer with company-monitored Hotmail accounts designed to trap spam.
“In two to three months, we will amend the lawsuit to name the spammers who are taking advantage [of consumers],” says Cranton. He won’t go into details about the groups being investigated, but notes that “a fair amount” of the spammers are based in the United States.
“This is compelling information that will hopefully get people’s attention,” Cranton says. The lawsuit, filed as a John Doe suit because it doesn’t name specific defendants, alleges six counts ranging from trespassing to a violation of the CAN-SPAM federal legislation, which requires clear identification of a message’s purveyor and an opt-out clause to the recipient, among other things. Cranton says Microsoft plans to use the federal law as well as a Washington State antispam law to prosecute the spammers.
“We’re talking about criminal behavior here,” Cranton says.
Microsoft has sued spammers before. In 2004 the company filed lawsuits against eight alleged spammers under the CAN-SPAM federal legislation.