I'd like to talk a bit about how we determine the reputation of different URLs and IPs and use this to protect against spam, phishing, and other abuse in Internet Explorer and Windows Live Hotmail.
Let's start with a bit of background. When an abuser–a spammer, phisher, or malware distributor–attacks someone, they have to do two things. First, they deliver a communication (often a spam e-mail) that entices the victim. Second, they "seal the deal" by actually selling the product, stealing the personal information, or installing the malware. (The second part is sometimes referred to as "collecting the conversion.") Dick Craddock and I have talked about some of the steps we take to block abusers' initial communications in previous posts ("Fighting the war on spam"; "Spam, phishing, and other annoyances"; and "Preventing spam and phishing using e-mail authentication"). I'm going to talk about some of the work we do to keep abusers from "sealing the deal."
By far the most common way abusers collect their conversions is using webpages, like the ones shown here: