Vulnerabilities / Threats
5/2/2008
01:52 PM
Connect Directly
Google+
LinkedIn
Twitter
RSS
E-Mail
50%
50%

Spam Turns 30 And Never Looked Healthier

One e-mail security company estimates that spam, initially a nuisance, now makes up 95% of all e-mail.

Thirty years ago, on May 3, 1978, Digital Equipment Corp. engineer Carl Gartley sent the first spam e-mail message on behalf of Gary Thuerk, a DEC marketing representative, to promote the new Decsystem-20 line of computers.

Thuerk's message has been preserved and can be seen on the Web site of Brad Templeton, chairman of the board of the Electronic Frontier Foundation, along with details about how the first spam came to be and the reaction it generated.

While the message appears to have been composed on May 1, 1978, Templeton's record of the event indicates that the e-mail was sent on May 3.

In 2004, Bill Gates predicted the spam problem would be solved in two years. Four years later, there's more spam than ever, though many end users only see a fraction of what's out there because of the diligence of their e-mail service providers.

Sophos, an e-mail security company, says that 95% of all e-mail today is spam. Symantec says that figure is more like 80% to 85%. However you count it, there's more spam than most people want.

Initially, spam was a nuisance. Today, it's more like the Internet's version of an environmental catastrophe, not to mention a security risk. Clicking on a link in a spam e-mail can initiate an attempt to install a keylogging Trojan or other malware. Should one's computer become compromised, a possible consequence could be the theft of funds from an online bank account or identity theft.

Graham Cluley, senior technology consultant at Sophos, believes that Internet users need to do their part and refuse to purchase goods or services advertised through spam. "Gary Thuerk could never have imagined what he was starting when he sent that mass email 30 years ago," said Cluley on the Sophos Web site. "The Internet community needs to do what it can to make sure that spam doesn't celebrate a 40th or 50th birthday. That means educating the public about never buying goods sold via spam. If you receive an unsolicited email message advertising goods to you -- don't buy, don't try, don't reply."

Unfortunately, that message bears repeating, despite its simplicity, because not everyone complies. A small number of people do buy, they do try, and they do reply, making the Internet worse for everyone except for those who profit from spam.

Dave Marcus, security research and communications manager at McAfee Avert Lab, said that having read some of the original complaints from Arpanet users about Thuerk's spam message, he was struck by the fact that people said and did more or less the same thing they do today. "The original spam and the reaction to the original spam generated the same reaction we see today," he said. "They were pissed at him, but he sold product."

And given the economics of spam, Princeton computer science professor Ed Felten expects spam will continue. "Thirty years later, there is more spam than ever and no end is in sight," he said in a blog post on Thursday. "This shouldn’t be surprising, because the spam problem is fundamentally driven by economics. If anyone can send to anyone, and the cost of sending is nearly zero, many messages will be sent."

On his Web site, Templeton observes that the ongoing spam arms war is doing damage to e-mail as an effective medium for communication.

In response to the blacklisting of spam senders, spammers have resorted to botnets -- networks of compromised computers. Thus, instead of one machine sending millions of spam messages, we have millions of machines sending one spam message, Templeton explains.

Because botnets circumvent sender-based filtering, content-based filtering has emerged. But spammers can still get their messages through. (Templeton himself uses a challenge-response filter, which is perhaps the most effective means of spam avoidance.)

As spam continues to flood mailboxes everywhere, Templeton sees people turning to mediums like SMS and sites like Facebook, though he concedes part of the disdain for e-mail may be a function of differing generational communication preferences rather than flight from spam.

Looking back over the years, Templeton said in a phone interview that he wished that when the time came to write a law against spam, specifically the Can Spam Act of 2003, lawmakers had crafted something more specifically targeted at the worst spammers. "If they had said, 'Let's focus on legal remedies that would find these two dozen people who are sending literally billions of spam,' then they could have had a law with some teeth," he said. While he acknowledges that a stronger, more specific law might just have driven the worst spammers overseas, he said that such a law would still be better than current federal legislation.

Marcus observes that technology can help. But, like Cluley, he sees spam as a social problem. "Filtering and multiple layers of defense have certainly gotten a lot better over the years," he said. "But at the end of the day spam is something that requires a lot of awareness on the victim's part. That is certainly the most challenging aspect of spam."

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-2021
Published: 2014-10-24
Cross-site scripting (XSS) vulnerability in admincp/apilog.php in vBulletin 4.4.2 and earlier, and 5.0.x through 5.0.5 allows remote authenticated users to inject arbitrary web script or HTML via a crafted XMLRPC API request, as demonstrated using the client name.

CVE-2014-3604
Published: 2014-10-24
Certificates.java in Not Yet Commons SSL before 0.3.15 does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

CVE-2014-6230
Published: 2014-10-24
WP-Ban plugin before 1.6.4 for WordPress, when running in certain configurations, allows remote attackers to bypass the IP blacklist via a crafted X-Forwarded-For header.

CVE-2014-6251
Published: 2014-10-24
Stack-based buffer overflow in CPUMiner before 2.4.1 allows remote attackers to have an unspecified impact by sending a mining.subscribe response with a large nonce2 length, then triggering the overflow with a mining.notify request.

CVE-2014-7180
Published: 2014-10-24
Electric Cloud ElectricCommander before 4.2.6 and 5.x before 5.0.3 uses world-writable permissions for (1) eccert.pl and (2) ecconfigure.pl, which allows local users to execute arbitrary Perl code by modifying these files.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.