Why are MSN and Hotmail Users Flooded with Spam?

The voluminous MSN/Hotmail spam problem has been a mystery. New research from the Spamhaus Project suggests an answer may have been found. They have discovered that MSN/Hotmail seems to allow spammers to run long-lived dictionary attacks, in one case extending over five months in duration.

During a dictionary attack, the spammer tries random combinations of characters, trying to guess email addresses that work. It's sort of like the old monkeys banging on typewriters problem, except they only have to compose a working email address and not a Hamlet soliloquy.

The data Spamhaus presents suggest the spammers may have tried as many as 51,840,000 address combinations during this attack. Most of them fail of course, but occasionally they will hit paydirt, and--bingo!--another MSN/Hotmail spam victim.

So although MSN/Hotmail may not be selling addresses outright, that does not mean they are inculpable for their customers' spam. First, they should be detecting and terminating these attacks on their customers' mailboxes. Second, they are ignoring the repeated attempts by the Spamhaus Project to bring this problem to their attention.

Microsoft is touting the new anti-spam features added to MSN, but this information suggests their spam problem is even more basic. It's no wonder Mom was willing to deal with the hassle of changing email addresses to escape the MSN/Hotmail spam flood.

Feb 22 Update: A new article discusses this entry.