BAD ENOUGH THAT Microsoft’s Hotmail service got cracked like a cheap china cup last week, thanks to an over-helpful tweak from a guy in Sweden whose days are so full he doesn’t have time to type in his password every time he checks his email. Now complaints are surfacing that Microsoft has been selling lists of Hotmail addresses to bulk emailers—that is, spammers.

According to various Hotmail-using sources, since late spring there has been an astonishing increase in spam volume to Hotmail recipients, many going from spam-free bliss to a flood of ads for weight-loss herbs, mortgage scams, pyramid schemes, and pictures of the unclothed. Most of us suffer under the same undeserved burden, but Mike Cantelon decided to do something about it: He tracked a spammer down and “gave them unholy hell.” Then, according to Cantelon, the spammer informed him that he’d purchased the list from Microsoft and if he didn’t want to be spammed he shouldn’t be on Hotmail.

Oh, really?

Microsoft denies the allegations, though not for any particularly lofty reasons like “spam is a civil offense in Washington state” or “really, we don’t need the money that bad.” (The latter one was shot down specifically in a conversation with internal PR folk at Microsoft, who snorted, “We’re a business; we’re here to make money. I don’t see you turning down any ads [at the Weekly].” For the record, they’re wrong—we turn down ads deemed racist or in other ways distasteful.)

The company suggests that the spam recipients might have posted demographic information on DejaNews or listed themselves in the Hotmail directory, to which one recipient retorted, “The only place my Hotmail email account is listed online is at my GeoCities site. None of my friends know about it. It mostly gets form responses and link submissions from my GeoCities site.” (That recipient declined to be identified for this article, since his GeoCities site is sex-related—hence the secrecy about the address itself, not to mention his certainty about his usage patterns.)

Recipients also deny replying to the “remove” addresses posted in such emails; responses to such addresses are generally regarded not as a tool for recipients to remove themselves from the spammer’s list but as a tool for spammers to confirm that a particular email address is, in fact, active and being read by a human. (In other words, asking for no more spam tends to result in extra helpings.) Other things recipients deny doing include making purchases online, posting to listservs, filling out product registrations, or signing guestbooks on other Web sites. Of course, it’s possible (but not likely) that Cantelon’s spammers were misinformed and that a new spamming house gathered the addresses from the Net—in which case, someone out there is doing spam business while claiming to represent Microsoft.

For two bits Bill Gates might let them be Microsoft right now, if they’re willing to take the heat. Microsoft is having a bad week on the security-and-privacy front, bad even for the Redmond Menace. As we went to press, a Net security company called Cryptonym had announced the discovery of an apparent NSA “back door” in Microsoft’s CryptoAPI architecture, the basis for cryptographic security in all versions of Windows. Turns out that not only can Microsoft load encryption/decryption services (including security programs that monitor or scoop up information from your machine), so can the US government. Since the Justice Department is currently petitioning Congress for the right to do this very thing without notifying the surveillance target (a procedure known in Nixon’s day as a black-bag job and usually granted only in extreme circumstances), the open-source and privacy communities are now justifiably screaming for blood.

Additionally, there’s been a steady stream of reports for the past two weeks on Internet Explorer security holes large and small, many bagged by indefatigable Bulgarian bug-hunter Georgi Guninski. Guninski’s made a name for himself in the past year with an array of finds pointing out the myriad vulnerabilities of both Internet Explorer and Netscape. Some of the holes are less troubling than others—for instance, the Cross Frame Navigate bug required that the intruder know the name of specific files on the machine he or she wanted to annoy—but end users, increasingly nervous as the security reports roll by, may be missing some of the niceties of that debate.

BUT BACK TO the Hotmail security debacle, from which fallout continues and which started out not as a hack but as a time-saver for Michael Nobilio, a Swedish programmer with enough time on his hands to find this hole but not enough to type his password. Nobilio discovered that you could access your Hotmail account by typing a URL containing your user name and a CGI command telling Hotmail to open your mailbox without asking for a password. Then he posted the code so anyone could use it—inadvertently making all Hotmail accounts accessible to nearly anyone.

The system vulnerability wasn’t something intentional on Microsoft’s part, according to experts; rather, it was simply sloppy coding that allowed Hotmail to trust any URL-based CGI commands telling it to open up the doors to users’ accounts, password or no. But when sloppy code is endemic, it’s that much harder to fix; most tech-industry observers say it’s a matter of time before the next big sinkhole opens up.

If Redmond readers would like a silver lining at the bottom of this article, here it is: When free email is concerned, for once Microsoft isn’t accused of having a monopoly on the market. With server space and bandwidth both cheaper than ever, it seems that every site around is offering free addresses; in addition, mega-sites such as Yahoo/GeoCities are cheerfully prepared to hand Microsoft its lunch on this one. As a spokeswoman for Yahoo smugly put it, “You can read our Terms of Service—we’d never sell addresses.” Maybe they’d like to buy a nice make-money-fa$$$t pyramid scheme instead?