New Microsoft Hotmail: E-Mail Security Reloaded

Microsoft gave eWEEK a deeper look at the security features it has planned for the upcoming version of Microsoft Hotmail. The security goodies are aimed not only at fighting spam, but also fighting phishing by improving authentication and account recovery features.

Microsoft is adding a number of security enhancements under the hood to help protect Hotmail users.

The changes will be rolled out in the coming months as part of a major overhaul of Hotmail and will cross a number of areas, including general account security and password recovery. In a conversation with eWEEK, John Scarrow, general manager of safety services at Microsoft, detailed the newest features protecting Hotmail inboxes.

In the area of account security, Microsoft has added the ability for users to have a one-time password sent to their cell phone via SMS message in the event they want to recover their account. In addition, this one-time password can be used when signing on to public computers at Internet cafes, public libraries and the like to avoid the possibility of password information being captured by keyloggers or other malware.
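The one-time SMS code described above is only as safe as the server-side bookkeeping around it. As an added example (not Microsoft's code, and not tied to Hotmail's actual implementation), the following Python sketch shows the properties a recovery code service needs: a randomly generated code, stored only as a keyed hash, that expires after a fixed window, can be redeemed exactly once, and is discarded after a small number of wrong guesses. The code length, lifetime and attempt limit are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets
import time

CODE_LENGTH = 8          # digits in the SMS code (assumption)
CODE_TTL_SECONDS = 600   # code expires after ten minutes (assumption)
MAX_ATTEMPTS = 3         # wrong guesses before the code is discarded (assumption)


class OneTimeCodeStore:
    """Server-side record of issued recovery codes.

    Only an HMAC of each code is kept, so a leaked table does not reveal
    live codes. The clock is injectable so expiry can be tested offline."""

    def __init__(self, server_secret: bytes, clock=time.time):
        self._secret = server_secret
        self._clock = clock
        # account_id -> (digest, expires_at, attempts_left)
        self._pending = {}

    def _digest(self, account_id: str, code: str) -> bytes:
        # Bind the code to the account so a code issued for one account
        # cannot be replayed against another.
        msg = f"{account_id}:{code}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).digest()

    def issue(self, account_id: str) -> str:
        """Generate a fresh code; the caller sends it by SMS and never logs it."""
        code = "".join(secrets.choice("0123456789") for _ in range(CODE_LENGTH))
        self._pending[account_id] = (
            self._digest(account_id, code),
            self._clock() + CODE_TTL_SECONDS,
            MAX_ATTEMPTS,
        )
        return code

    def redeem(self, account_id: str, submitted: str) -> bool:
        """Return True once for the correct, unexpired code; False otherwise."""
        entry = self._pending.get(account_id)
        if entry is None:
            return False
        digest, expires_at, attempts_left = entry
        if self._clock() > expires_at:
            del self._pending[account_id]          # expired: forget it
            return False
        if not hmac.compare_digest(digest, self._digest(account_id, submitted)):
            attempts_left -= 1
            if attempts_left <= 0:
                del self._pending[account_id]      # too many guesses: discard
            else:
                self._pending[account_id] = (digest, expires_at, attempts_left)
            return False
        del self._pending[account_id]              # single use
        return True


if __name__ == "__main__":
    store = OneTimeCodeStore(b"constructed-server-secret")
    code = store.issue("user@example.test")       # would be sent via SMS
    print("first redeem:", store.redeem("user@example.test", code))   # True
    print("replay:", store.redeem("user@example.test", code))         # False
```

The constant-time comparison matters less than the attempt limit here (an eight-digit code is not brute-forceable online at three tries), but keeping both is cheap; the important design point is that the code is never stored or logged in the clear and cannot be reused once a recovery has succeeded.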

"If you give us your phone number instead of just an alternate e-mail account, we can send a message to your SMS, and it will come with a one-time code, and it will say in order to get your account back just type this one-time code in because we know that the spammer doesn't have that account," Scarrow said. "The spammer can't afford to have an SMS account for millions of accounts, even if he got in and put the phone number in on your behalf. ... It doesn't make sense for their business model," Scarrow said.

But perhaps the biggest changes are in the area of spam filtering. Microsoft has added a bunch of features designed to help users filter out junk mail and improve Hotmail's ability to distinguish junk mail from regular mail. By learning users' preferences based on how they interact with mail, Hotmail can help determine which mail is ham (stuff users want) and which is spam, Scarrow said.

To this end, the company will visually demarcate e-mails from specific senders that are recognized as legitimate (e.g., a padlock or shield icon). In addition, a sender can be safe-listed automatically based on how the account owner interacts with that sender, for example if they regularly exchange e-mails. Likewise, mail from countries, senders or languages the user doesn't normally deal with can be marked as junk mail.
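The two heuristics in the paragraph above (automatic safe-listing from regular two-way exchange, and flagging mail whose country or language the user never deals with) can be expressed as a per-user profile built from mail history. The following Python is an added illustration, not Hotmail's filter: the `Message` fields, the `MIN_EXCHANGES` threshold and the assumption that a country and a language label are already attached to each message (by MTA geolocation and a language detector, respectively) are all assumptions made for the example.

```python
from collections import Counter
from dataclasses import dataclass

# Messages in each direction before a sender is auto safe-listed (assumption).
MIN_EXCHANGES = 2


@dataclass(frozen=True)
class Message:
    sender: str
    recipient: str
    country: str    # assumed to come from geolocating the sending MTA
    language: str   # assumed to come from a language detector on the body


def build_profile(owner: str, history):
    """Derive what 'normal' mail looks like for one account from its history."""
    received = Counter()   # sender -> messages the owner received from them
    sent = Counter()       # recipient -> messages the owner sent to them
    for m in history:
        if m.sender == owner:
            sent[m.recipient] += 1
        elif m.recipient == owner:
            received[m.sender] += 1

    # A sender is safe-listed only when traffic is two-way: mail that is
    # merely received often (newsletters, bulk senders) does not qualify.
    safe_senders = {
        s for s in received
        if received[s] >= MIN_EXCHANGES and sent[s] >= MIN_EXCHANGES
    }

    # Familiar countries and languages are learned from the owner's own mail
    # and from safe-listed contacts, not from unsolicited traffic.
    countries, languages = set(), set()
    for m in history:
        if m.sender == owner or m.sender in safe_senders:
            countries.add(m.country)
            languages.add(m.language)

    return {"safe_senders": safe_senders,
            "countries": countries,
            "languages": languages}


def classify(profile, msg: Message) -> str:
    """Return 'safe', 'junk' or 'unverified' for an incoming message."""
    if msg.sender in profile["safe_senders"]:
        return "safe"
    if (msg.country not in profile["countries"]
            or msg.language not in profile["languages"]):
        return "junk"
    return "unverified"


if __name__ == "__main__":
    # Constructed sample history for one account.
    owner = "owner@example.test"
    history = [
        Message("alice@example.test", owner, "US", "en"),
        Message(owner, "alice@example.test", "US", "en"),
        Message("alice@example.test", owner, "US", "en"),
        Message(owner, "alice@example.test", "US", "en"),
        Message("bulk@news.example", owner, "US", "en"),
        Message("bulk@news.example", owner, "US", "en"),
        Message("bulk@news.example", owner, "US", "en"),
    ]
    profile = build_profile(owner, history)
    for m in (Message("alice@example.test", owner, "US", "en"),
              Message("bulk@news.example", owner, "US", "en"),
              Message("unknown@far.example", owner, "ZZ", "xx")):
        print(m.sender, "->", classify(profile, m))
```

Note that the unverified bucket is deliberate: a sender the user has only ever received from is neither trusted nor junk, which is the gap the article's "sweep" and junk-tagging controls leave to the user.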

"We're not trying to learn all your behaviors and start saying, 'Oh, this guy doesn't like newsletters that have the word X, Y, Z in them, so this particular guy should never get that,'" he said. "If you try to get that smart, you end up typically not necessarily making users happy. But you can use that type of information to make sure you are reducing the mistakes that are made."

Users will also be able to "sweep" unwanted mail out of their inboxes and into their other folders to avoid clutter. Junk mail will be tagged so that when users find a message in their junk mail folder, they will know how it ended up there and can take action to keep it from happening to similar messages in the future.

The company is also adding support for DomainKeys Identified Mail (DKIM), and is following in Google's footsteps with plans for always-on HTTPS.

"A lot of people felt like Microsoft was biased, only doing SenderID because that's the one we had pushed early on. ... We think it's the right thing to do for the industry. We think it will encourage more people to sign their mail with DKIM," he said.