The two things that hackers do are (1) run a debugger so that when a program they use crashes (like Firefox or IE) they can figure out why, and (2) run a sniffer so that they can look at their own packets.
While sniffing my MSN connection, I saw a small XML file being transferred from the server. It has a bunch of Policy.Shield.Config.Block elements consisting of regular expressions (the ones I got are listed below). Microsoft blocks messages containing these strings.
Googling items on the list finds a bunch of interesting information. To start with, you find links to anti-virus information for trojans/worms/viruses named in the regexp. I also found this story on Slashdot that calls this filtering "censorship" (because, of course, everything that Microsoft does is a conspiracy). This blogger found a much longer list back in August: apparently, Microsoft is constantly editing the list. This other blogger found a different list 12 days ago. The changes found in only a few days suggest that Microsoft is constantly monitoring what's going on, and as threats appear, they quickly move to counter them.
Apparently, Microsoft blocks these patterns on the server. I wonder why this list is sent to the client. Is it so that the client can display the server policy to the user if they are curious? I couldn't find where this list is displayed in the client, although I wasn't looking very hard. The earliest reference to this list I can find is 2005; maybe I need a newer client to display the list.
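To make the mechanism concrete, here is an added example (not Microsoft's code and not from the original post) that loads Block regexes from a policy document and checks messages against them. The XML nesting, the first two patterns, the length cap and case-insensitive matching are all assumptions; only blockdelete.com comes from this post.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample. Nesting is assumed from the dotted element name; the
# first two patterns are invented, the third is the domain the post names.
SAMPLE_POLICY = r"""
<Policy>
  <Shield>
    <Config>
      <Block>photos?[0-9]*\.(zip|pif|scr)</Block>
      <Block>(unclosed</Block>
      <Block>blockdelete\.com</Block>
    </Config>
  </Shield>
</Policy>
"""

MAX_PATTERN_LEN = 256  # hypothetical cap: the list arrives over the network


def load_block_patterns(policy_xml):
    """Return (compiled, rejected) for the Block elements of a policy."""
    if "<!DOCTYPE" in policy_xml or "<!ENTITY" in policy_xml:
        raise ValueError("DTD/entity declarations not accepted in policy")
    root = ET.fromstring(policy_xml)
    compiled, rejected = [], []
    for block in root.findall("./Shield/Config/Block"):
        text = (block.text or "").strip()
        if not text or len(text) > MAX_PATTERN_LEN:
            rejected.append(text)
            continue
        try:
            # Case-insensitive matching is an assumption of this example.
            compiled.append(re.compile(text, re.IGNORECASE))
        except re.error:
            rejected.append(text)  # one bad entry must not disable the rest
    return compiled, rejected


def blocked_by(message, patterns):
    """Return the first pattern found anywhere in message, or None."""
    for pat in patterns:
        if pat.search(message):
            return pat.pattern
    return None


if __name__ == "__main__":
    pats, bad = load_block_patterns(SAMPLE_POLICY)
    print(blocked_by("see http://www.BlockDelete.com/", pats), bad)
```

Because the patterns come from the network, the loader rejects malformed or oversized entries individually instead of failing the whole list.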
The items in this list identify "wormable" messages. There are several types of MSN-worms.
Another worm is more like a virus. It sends a file, or a link to a file on a server, to everyone in the MSN buddy list. Once the victims infect themselves, the program then scans the new buddy list and sends a copy to those friends as well. Thus, the worm spreads from friend to friend, leaving a virus or trojan or botnet behind.
Another worm is even easier. The last filter on the Microsoft list is simply a website that promises to list all the people who have deleted you as a buddy -- if you just give them your username/password. Of course, what it really does (probably) is send a message to all of your buddies advertising the website. I would guess that it also uses the same login credentials to get into your Hotmail or other Windows Live services. My guess is that it's ultimately trying to harvest lists of e-mail addresses, which are worth money in the hacker economy (for use in phishing attacks).
I find attacks interesting because of what they teach us about human nature. Presumably Microsoft added a filter to "blockdelete.com" because it was being effective. This means a lot of people are insecure about being removed from a buddy's buddy list.