Vulnerabilities / Threats
01:52 PM
Connect Directly

Spam Turns 30 And Never Looked Healthier

One e-mail security company estimates that spam, initially a nuisance, now makes up 95% of all e-mail.

Thirty years ago, on May 3, 1978, Digital Equipment Corp. engineer Carl Gartley sent the first spam e-mail message on behalf of Gary Thuerk, a DEC marketing representative, to promote the new Decsystem-20 line of computers.

Thuerk's message has been preserved and can be seen on the Web site of Brad Templeton, chairman of the board of the Electronic Frontier Foundation, along with details about how the first spam came to be and the reaction it generated.

While the message appears to have been composed on May 1, 1978, Templeton's record of the event indicates that the e-mail was sent on May 3.

In 2004, Bill Gates predicted the spam problem would be solved in two years. Four years later, there's more spam than ever, though many end users only see a fraction of what's out there because of the diligence of their e-mail service providers.

Sophos, an e-mail security company, says that 95% of all e-mail today is spam. Symantec says that figure is more like 80% to 85%. However you count it, there's more spam than most people want.

Initially, spam was a nuisance. Today, it's more like the Internet's version of an environmental catastrophe, not to mention a security risk. Clicking on a link in a spam e-mail can initiate an attempt to install a keylogging Trojan or other malware. Should one's computer become compromised, a possible consequence could be the theft of funds from an online bank account or identity theft.

Graham Cluley, senior technology consultant at Sophos, believes that Internet users need to do their part and refuse to purchase goods or services advertised through spam. "Gary Thuerk could never have imagined what he was starting when he sent that mass email 30 years ago," said Cluley on the Sophos Web site. "The Internet community needs to do what it can to make sure that spam doesn't celebrate a 40th or 50th birthday. That means educating the public about never buying goods sold via spam. If you receive an unsolicited email message advertising goods to you -- don't buy, don't try, don't reply."

Unfortunately, that message bears repeating, despite its simplicity, because not everyone complies. A small number of people do buy, they do try, and they do reply, making the Internet worse for everyone except for those who profit from spam.

Dave Marcus, security research and communications manager at McAfee Avert Lab, said that having read some of the original complaints from Arpanet users about Thuerk's spam message, he was struck by the fact that people said and did more or less the same thing they do today. "The original spam and the reaction to the original spam generated the same reaction we see today," he said. "They were pissed at him, but he sold product."

And given the economics of spam, Princeton computer science professor Ed Felten expects spam will continue. "Thirty years later, there is more spam than ever and no end is in sight," he said in a blog post on Thursday. "This shouldn’t be surprising, because the spam problem is fundamentally driven by economics. If anyone can send to anyone, and the cost of sending is nearly zero, many messages will be sent."

On his Web site, Templeton observes that the ongoing spam arms war is doing damage to e-mail as an effective medium for communication.

In response to the blacklisting of spam senders, spammers have resorted to botnets -- networks of compromised computers. Thus, instead of one machine sending millions of spam messages, we have millions of machines sending one spam message, Templeton explains.

Because botnets circumvent sender-based filtering, content-based filtering has emerged. But spammers can still get their messages through. (Templeton himself uses a challenge-response filter, which is perhaps the most effective means of spam avoidance.)

As spam continues to flood mailboxes everywhere, Templeton sees people turning to mediums like SMS and sites like Facebook, though he concedes part of the disdain for e-mail may be a function of differing generational communication preferences rather than flight from spam.

Looking back over the years, Templeton said in a phone interview that he wished that when the time came to write a law against spam, specifically the Can Spam Act of 2003, lawmakers had crafted something more specifically targeted at the worst spammers. "If they had said, 'Let's focus on legal remedies that would find these two dozen people who are sending literally billions of spam,' then they could have had a law with some teeth," he said. While he acknowledges that a stronger, more specific law might just have driven the worst spammers overseas, he said that such a law would still be better than current federal legislation.

Marcus observes that technology can help. But, like Cluley, he sees spam as a social problem. "Filtering and multiple layers of defense have certainly gotten a lot better over the years," he said. "But at the end of the day spam is something that requires a lot of awareness on the victim's part. That is certainly the most challenging aspect of spam."

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Current Issue
Security Operations and IT Operations: Finding the Path to Collaboration
A wide gulf has emerged between SOC and NOC teams that's keeping both of them from assuring the confidentiality, integrity, and availability of IT systems. Here's how experts think it should be bridged.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.