Vulnerabilities / Threats
5/2/2008
01:52 PM
Connect Directly
Google+
LinkedIn
Twitter
RSS
E-Mail
50%
50%

Spam Turns 30 And Never Looked Healthier

One e-mail security company estimates that spam, initially a nuisance, now makes up 95% of all e-mail.

Thirty years ago, on May 3, 1978, Digital Equipment Corp. engineer Carl Gartley sent the first spam e-mail message on behalf of Gary Thuerk, a DEC marketing representative, to promote the new Decsystem-20 line of computers.

Thuerk's message has been preserved and can be seen on the Web site of Brad Templeton, chairman of the board of the Electronic Frontier Foundation, along with details about how the first spam came to be and the reaction it generated.

While the message appears to have been composed on May 1, 1978, Templeton's record of the event indicates that the e-mail was sent on May 3.

In 2004, Bill Gates predicted the spam problem would be solved in two years. Four years later, there's more spam than ever, though many end users only see a fraction of what's out there because of the diligence of their e-mail service providers.

Sophos, an e-mail security company, says that 95% of all e-mail today is spam. Symantec says that figure is more like 80% to 85%. However you count it, there's more spam than most people want.

Initially, spam was a nuisance. Today, it's more like the Internet's version of an environmental catastrophe, not to mention a security risk. Clicking on a link in a spam e-mail can initiate an attempt to install a keylogging Trojan or other malware. Should one's computer become compromised, a possible consequence could be the theft of funds from an online bank account or identity theft.

Graham Cluley, senior technology consultant at Sophos, believes that Internet users need to do their part and refuse to purchase goods or services advertised through spam. "Gary Thuerk could never have imagined what he was starting when he sent that mass email 30 years ago," said Cluley on the Sophos Web site. "The Internet community needs to do what it can to make sure that spam doesn't celebrate a 40th or 50th birthday. That means educating the public about never buying goods sold via spam. If you receive an unsolicited email message advertising goods to you -- don't buy, don't try, don't reply."

Unfortunately, that message bears repeating, despite its simplicity, because not everyone complies. A small number of people do buy, they do try, and they do reply, making the Internet worse for everyone except for those who profit from spam.

Dave Marcus, security research and communications manager at McAfee Avert Lab, said that having read some of the original complaints from Arpanet users about Thuerk's spam message, he was struck by the fact that people said and did more or less the same thing they do today. "The original spam and the reaction to the original spam generated the same reaction we see today," he said. "They were pissed at him, but he sold product."

And given the economics of spam, Princeton computer science professor Ed Felten expects spam will continue. "Thirty years later, there is more spam than ever and no end is in sight," he said in a blog post on Thursday. "This shouldn’t be surprising, because the spam problem is fundamentally driven by economics. If anyone can send to anyone, and the cost of sending is nearly zero, many messages will be sent."

On his Web site, Templeton observes that the ongoing spam arms war is doing damage to e-mail as an effective medium for communication.

In response to the blacklisting of spam senders, spammers have resorted to botnets -- networks of compromised computers. Thus, instead of one machine sending millions of spam messages, we have millions of machines sending one spam message, Templeton explains.

Because botnets circumvent sender-based filtering, content-based filtering has emerged. But spammers can still get their messages through. (Templeton himself uses a challenge-response filter, which is perhaps the most effective means of spam avoidance.)

As spam continues to flood mailboxes everywhere, Templeton sees people turning to mediums like SMS and sites like Facebook, though he concedes part of the disdain for e-mail may be a function of differing generational communication preferences rather than flight from spam.

Looking back over the years, Templeton said in a phone interview that he wished that when the time came to write a law against spam, specifically the Can Spam Act of 2003, lawmakers had crafted something more specifically targeted at the worst spammers. "If they had said, 'Let's focus on legal remedies that would find these two dozen people who are sending literally billions of spam,' then they could have had a law with some teeth," he said. While he acknowledges that a stronger, more specific law might just have driven the worst spammers overseas, he said that such a law would still be better than current federal legislation.

Marcus observes that technology can help. But, like Cluley, he sees spam as a social problem. "Filtering and multiple layers of defense have certainly gotten a lot better over the years," he said. "But at the end of the day spam is something that requires a lot of awareness on the victim's part. That is certainly the most challenging aspect of spam."

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2011-1793
Published: 2014-12-25
rendering/svg/RenderSVGResourceFilter.cpp in WebCore in WebKit in Google Chrome before 11.0.696.65 allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted SVG document that leads to a "stale pointer."

CVE-2011-1794
Published: 2014-12-25
Integer overflow in the FilterEffect::copyImageBytes function in platform/graphics/filters/FilterEffect.cpp in the SVG filter implementation in WebCore in WebKit in Google Chrome before 11.0.696.65 allows remote attackers to cause a denial of service (application crash) or possibly have unspecified ...

CVE-2011-1795
Published: 2014-12-25
Integer underflow in the HTMLFormElement::removeFormElement function in html/HTMLFormElement.cpp in WebCore in WebKit in Google Chrome before 11.0.696.65 allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted HTML document con...

CVE-2011-1796
Published: 2014-12-25
Use-after-free vulnerability in the FrameView::calculateScrollbarModesForLayout function in page/FrameView.cpp in WebCore in WebKit in Google Chrome before 11.0.696.65 allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via crafted JavaS...

CVE-2011-1798
Published: 2014-12-25
rendering/svg/RenderSVGText.cpp in WebCore in WebKit in Google Chrome before 11.0.696.65 does not properly perform a cast of an unspecified variable during an attempt to handle a block child, which allows remote attackers to cause a denial of service (application crash) or possibly have unknown othe...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.