TwC at Five Years - Internal Backgrounder

Microsoft: CAN-SPAM and Global Efforts to Combat Cyber Crime
Key Points:
Microsoft has taken a leading role in partnering with government, industry and law enforcement to help
create greater protections for online privacy, security and safety by:
• Helping to craft laws such as the U.S. CAN-SPAM Act;
• Forming alliances with industry, law enforcement and government to identify and aggressively
prosecute cyber criminals, such as supporting the 3-year effort to prosecute Alan Ralsky, long listed
as the world’s number one spammer, and prosecution of “Spam King” Robert Soloway;
• Working with others in industry and with government to support both civil and criminal enforcement
actions in the U.S. and other countries, including more than 120 legal actions against phishers and
multi-million dollar settlements with notorious spammers such as Scott Richter;
• Encouraging the adoption of legal frameworks around the world that protect privacy, security and
safety while still being conducive to innovation and technological progress on the Internet;
• Creating sophisticated tools, such as the “phishing” filter for Internet Explorer, which gathers massive
amounts of information and warns users that a particular website may be fraudulent;
• Hosting and funding conferences, training sessions, and sophisticated data sharing tools designed
to help law enforcement, industry, and academics work together to defeat organized cyber criminals.
Background: Stopping Cyber-Criminals and Spammers
In the past, most threats to Internet security and safety were caused by lone “hackers”, often teens, seeking
notoriety. But as the Internet has grown and evolved, so too has the seriousness of cyber crime, which
increasingly has become a comprehensive and organized criminal industry geared toward ID theft and
other forms of financial fraud, child pornography, software piracy, money laundering, and illegal distribution
of pharmaceuticals. Cyber-criminals and spammers in general are becoming ever more sophisticated in the
technology they employ. An example is the growing use of “bots,” which are third-party computers that are
taken over without the owner’s knowledge. Using “fast flux” technology, criminals quickly move their
fraudulent and illegal websites from infected computer to infected computer, thereby disguising their
operations. (Some “botnets” include more than 100,000 infected computers.) Criminals also segregate
infected computers by country to further their scams. For example, they use Australian infected
computers to move money out of Australian banks to avoid triggering fraud sensors. The criminals are also
using increasingly sophisticated “lures,” such as email that impersonates established institutions like
banks or credit card companies, to bring people to a “phishing” website where they are prompted to give up
sensitive personal and financial information. To lure people to those sites, criminals are using VoIP
technology to make phone calls that appear to originate from the victim’s local area; they are collecting
information from large companies and online job sites to obtain details that make their scams more
personalized; and they are using new techniques to prevent their emails from being blocked. These
criminals have pioneered sophisticated, malicious code that can defeat even the most advanced protections
against online fraud. For all of these scams, fraudulent email is at the heart of the deception, and illegal
spam remains one of the most common methods for making money.
Support for CAN-SPAM Act and Global Legal Actions
Microsoft was a strong advocate of the CAN-SPAM Act, passed by the U.S. Congress in 2003 to create civil
and criminal penalties for fraudulent and deceptive spam. At the same time, we make use of all legal means
in the U.S. and abroad to stop the spread of spam and stop cyber crime. To date, these efforts include:
• Microsoft has filed 92 lawsuits in the U.S. against spammers under CAN-SPAM, leading to more than
$1 billion in judgments and approximately $8 million in settlements;
• Worldwide, Microsoft’s anti-spam enforcement activity has produced more than 200 legal actions;
• Microsoft has partnered with government, law enforcement and industry to file lawsuits against
spammers. Microsoft’s partners include: the State Attorneys General of Washington, New York,
Texas, Florida, California and Massachusetts; The United Kingdom’s Information Commission,
Strategic Policy Manager; the Federal Trade Commission; and industry partners AOL, EarthLink,
Yahoo!, Pfizer, and Amazon.com.
Forming Alliances to Fight Cyber Crime
Realizing that one company can’t win the battle alone, Microsoft has formed partnerships with others in
industry, law-enforcement and government to fight spam and cyber crime, including:
• Microsoft Security Response Alliance (MSRA), joining several existing Microsoft programs under one
umbrella, including:
  ◦ Global Infrastructure Alliance for Internet Safety (GIAIS), an alliance of the world’s leading
  Internet Service Providers;
  ◦ Microsoft Virus Initiative (MVI), established to share key technical details of Microsoft
  technologies with security research partners;
  ◦ Virus Information Alliance (VIA), a collaborative effort between Microsoft and anti-virus
  partners to exchange technical information on newly discovered viruses;
  ◦ Microsoft Security Cooperation Program (SCP), a worldwide program to enable governments
  to respond more effectively to computer security incidents and emergencies;
  ◦ Microsoft Security Support Alliance (MSSA), providing timely information on newly
  discovered security threats to our partners;
• National Cyber Forensic Training Alliance (NCFTA), a non-profit organization in Pittsburgh where
federal law enforcement (including the FBI), cyber crime investigators, and academics work together
to identify and stop cyber crime;
• Global Phishing Enforcement Initiative (GPEI), committed to bringing lawsuits against phishers
throughout Europe, the Middle East, and Africa;
• Law Enforcement Portal, a centralized resource where law enforcement can access Internet
crime-related information, as well as tools, training and technical support to assist in investigations; and
Canada’s Child Exploitation Tracking System, enabling investigators to share information and
evidence of online child abuse;
• Agis Project, promoting standardized training and information networks among 15 EU countries and
Interpol;
• Spotspam, a trans-European partnership aimed at limiting the spread of spam;
• Virtual Global Taskforce (VGT), working with the UK, US, Canada, Australia, and Interpol to develop
programs committed to children’s online safety;
• Participation in The Internet Society of China’s Annual Spam Summits;
• Working closely with the National and International Centers for Missing and Exploited Children,
UNICEF, the UK’s Child Exploitation and Online Protection Centre, and the Romanian Center for
Missing and Exploited Children, among other organizations, and helping Interpol train over 2,500
international law enforcement personnel in the investigation of computer facilitated crimes against
children.
Encouraging the Adoption of Legal Frameworks Around the World
Microsoft encourages the creation of consistent and flexible legal and regulatory frameworks that protect
privacy, security and safety, such as the APEC Privacy Framework, the Council of Europe Convention on
Cybercrime, the London Action Plan and the Seoul-Melbourne Agreement. While there are no international
legal norms in this area, there are certain elements that have proven effective, including incentives for
legitimate marketers to adopt best practices and certify themselves as trusted senders so they can be easily
identified by consumers and filters; strong anti-fraud measures with significant civil and criminal penalties
attached; strong anti-harvesting measures; effective ISP and Government-sponsored law enforcement;
express language that preserves ISPs’ right to combat spam; explicit “private right of action” for ISPs to
pursue alleged offenders; strong national preemption of state and local laws; and others.