Vulnerabilities / Threats
01:52 PM
Connect Directly

Spam Turns 30 And Never Looked Healthier

One e-mail security company estimates that spam, initially a nuisance, now makes up 95% of all e-mail.

Thirty years ago, on May 3, 1978, Digital Equipment Corp. engineer Carl Gartley sent the first spam e-mail message on behalf of Gary Thuerk, a DEC marketing representative, to promote the new Decsystem-20 line of computers.

Thuerk's message has been preserved and can be seen on the Web site of Brad Templeton, chairman of the board of the Electronic Frontier Foundation, along with details about how the first spam came to be and the reaction it generated.

While the message appears to have been composed on May 1, 1978, Templeton's record of the event indicates that the e-mail was sent on May 3.

In 2004, Bill Gates predicted the spam problem would be solved in two years. Four years later, there's more spam than ever, though many end users only see a fraction of what's out there because of the diligence of their e-mail service providers.

Sophos, an e-mail security company, says that 95% of all e-mail today is spam. Symantec says that figure is more like 80% to 85%. However you count it, there's more spam than most people want.

Initially, spam was a nuisance. Today, it's more like the Internet's version of an environmental catastrophe, not to mention a security risk. Clicking on a link in a spam e-mail can initiate an attempt to install a keylogging Trojan or other malware. Should one's computer become compromised, a possible consequence could be the theft of funds from an online bank account or identity theft.

Graham Cluley, senior technology consultant at Sophos, believes that Internet users need to do their part and refuse to purchase goods or services advertised through spam. "Gary Thuerk could never have imagined what he was starting when he sent that mass email 30 years ago," said Cluley on the Sophos Web site. "The Internet community needs to do what it can to make sure that spam doesn't celebrate a 40th or 50th birthday. That means educating the public about never buying goods sold via spam. If you receive an unsolicited email message advertising goods to you -- don't buy, don't try, don't reply."

Unfortunately, that message bears repeating, despite its simplicity, because not everyone complies. A small number of people do buy, they do try, and they do reply, making the Internet worse for everyone except for those who profit from spam.

Dave Marcus, security research and communications manager at McAfee Avert Lab, said that having read some of the original complaints from Arpanet users about Thuerk's spam message, he was struck by the fact that people said and did more or less the same thing they do today. "The original spam and the reaction to the original spam generated the same reaction we see today," he said. "They were pissed at him, but he sold product."

And given the economics of spam, Princeton computer science professor Ed Felten expects spam will continue. "Thirty years later, there is more spam than ever and no end is in sight," he said in a blog post on Thursday. "This shouldn’t be surprising, because the spam problem is fundamentally driven by economics. If anyone can send to anyone, and the cost of sending is nearly zero, many messages will be sent."

On his Web site, Templeton observes that the ongoing spam arms war is doing damage to e-mail as an effective medium for communication.

In response to the blacklisting of spam senders, spammers have resorted to botnets -- networks of compromised computers. Thus, instead of one machine sending millions of spam messages, we have millions of machines sending one spam message, Templeton explains.

Because botnets circumvent sender-based filtering, content-based filtering has emerged. But spammers can still get their messages through. (Templeton himself uses a challenge-response filter, which is perhaps the most effective means of spam avoidance.)

As spam continues to flood mailboxes everywhere, Templeton sees people turning to mediums like SMS and sites like Facebook, though he concedes part of the disdain for e-mail may be a function of differing generational communication preferences rather than flight from spam.

Looking back over the years, Templeton said in a phone interview that he wished that when the time came to write a law against spam, specifically the Can Spam Act of 2003, lawmakers had crafted something more specifically targeted at the worst spammers. "If they had said, 'Let's focus on legal remedies that would find these two dozen people who are sending literally billions of spam,' then they could have had a law with some teeth," he said. While he acknowledges that a stronger, more specific law might just have driven the worst spammers overseas, he said that such a law would still be better than current federal legislation.

Marcus observes that technology can help. But, like Cluley, he sees spam as a social problem. "Filtering and multiple layers of defense have certainly gotten a lot better over the years," he said. "But at the end of the day spam is something that requires a lot of awareness on the victim's part. That is certainly the most challenging aspect of spam."

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2015-04-24
Multiple cross-site request forgery (CSRF) vulnerabilities in Zen Cart 1.3.9h allow remote attackers to hijack the authentication of administrators for requests that (1) delete a product via a delete_product_confirm action to product.php or (2) disable a product via a setflag action to

Published: 2015-04-24
Multiple cross-site request forgery (CSRF) vulnerabilities in TinyWebGallery (TWG) before 1.8.8 allow remote attackers to hijack the authentication of administrators for requests that (1) add a user via an adduser action to admin/index.php or (2) conduct static PHP code injection attacks in .htusers...

Published: 2015-04-24
Multiple cross-site scripting (XSS) vulnerabilities in TinyWebGallery (TWG) before 1.8.8 allow remote attackers to inject arbitrary web script or HTML via the (1) selitems[] parameter in a copy, (2) chmod, or (3) arch action to admin/index.php or (4) searchitem parameter in a search action to admin/...

Published: 2015-04-24
Multiple stack-based buffer overflows in HttpUtils.dll in TVMOBiLi before allow remote attackers to cause a denial of service (tvMobiliService service crash) via a long string in a (1) GET or (2) HEAD request to TCP port 30888.

Published: 2015-04-24
Red Hat JBoss Operations Network 3.3.1 does not properly restrict access to certain APIs, which allows remote attackers to execute arbitrary Java methos via the (1) ServerInvokerServlet or (2) SchedulerService or (3) cause a denial of service (disk consumption) via the ContentManager.

Dark Reading Radio
Archived Dark Reading Radio
Join security and risk expert John Pironti and Dark Reading Editor-in-Chief Tim Wilson for a live online discussion of the sea-changing shift in security strategy and the many ways it is affecting IT and business.