01:52 PM
Spam Turns 30 And Never Looked Healthier

One e-mail security company estimates that spam, initially a nuisance, now makes up 95% of all e-mail.

Thirty years ago, on May 3, 1978, Digital Equipment Corp. engineer Carl Gartley sent the first spam e-mail message on behalf of Gary Thuerk, a DEC marketing representative, to promote the new Decsystem-20 line of computers.

Thuerk's message has been preserved and can be seen on the Web site of Brad Templeton, chairman of the board of the Electronic Frontier Foundation, along with details about how the first spam came to be and the reaction it generated.

While the message appears to have been composed on May 1, 1978, Templeton's record of the event indicates that the e-mail was sent on May 3.

In 2004, Bill Gates predicted the spam problem would be solved in two years. Four years later, there's more spam than ever, though many end users only see a fraction of what's out there because of the diligence of their e-mail service providers.

Sophos, an e-mail security company, says that 95% of all e-mail today is spam. Symantec says that figure is more like 80% to 85%. However you count it, there's more spam than most people want.

Initially, spam was a nuisance. Today, it's more like the Internet's version of an environmental catastrophe, not to mention a security risk. Clicking on a link in a spam e-mail can initiate an attempt to install a keylogging Trojan or other malware. Should one's computer become compromised, the consequences could include the theft of funds from an online bank account or identity theft.

Graham Cluley, senior technology consultant at Sophos, believes that Internet users need to do their part and refuse to purchase goods or services advertised through spam. "Gary Thuerk could never have imagined what he was starting when he sent that mass email 30 years ago," said Cluley on the Sophos Web site. "The Internet community needs to do what it can to make sure that spam doesn't celebrate a 40th or 50th birthday. That means educating the public about never buying goods sold via spam. If you receive an unsolicited email message advertising goods to you -- don't buy, don't try, don't reply."

Unfortunately, that message bears repeating, despite its simplicity, because not everyone complies. A small number of people do buy, they do try, and they do reply, making the Internet worse for everyone except for those who profit from spam.

Dave Marcus, security research and communications manager at McAfee Avert Lab, said that having read some of the original complaints from Arpanet users about Thuerk's spam message, he was struck by the fact that people said and did more or less the same thing they do today. "The original spam and the reaction to the original spam generated the same reaction we see today," he said. "They were pissed at him, but he sold product."

And given the economics of spam, Princeton computer science professor Ed Felten expects spam will continue. "Thirty years later, there is more spam than ever and no end is in sight," he said in a blog post on Thursday. "This shouldn’t be surprising, because the spam problem is fundamentally driven by economics. If anyone can send to anyone, and the cost of sending is nearly zero, many messages will be sent."

On his Web site, Templeton observes that the ongoing spam arms war is doing damage to e-mail as an effective medium for communication.

In response to the blacklisting of spam senders, spammers have resorted to botnets -- networks of compromised computers. Thus, instead of one machine sending millions of spam messages, we have millions of machines sending one spam message, Templeton explains.

Because botnets circumvent sender-based filtering, content-based filtering has emerged. But spammers can still get their messages through. (Templeton himself uses a challenge-response filter, which is perhaps the most effective means of spam avoidance.)
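The shift Templeton describes, as an added example that is not from the article or from Templeton: a per-sender volume blacklist catches one bulk host but sees nothing unusual when a botnet sends one message per machine, while a content fingerprint counted across distinct senders flags the campaign. The log entries, thresholds and function names are constructed for illustration.

```python
import hashlib
import re
from collections import Counter, defaultdict

# Constructed sample mail log: (sending IP, message body). The IPs are from
# documentation ranges and the bodies are invented for this example.
BULK_HOST = [("192.0.2.10", f"Cheap watches, order {i} today!") for i in range(500)]
BOTNET = [(f"198.51.100.{i}", f"Cheap watches, order {i} today!") for i in range(1, 201)]
NORMAL = [("203.0.113.5", "Lunch at noon?"), ("203.0.113.6", "Minutes from Tuesday attached.")]

def flag_by_sender(log, max_per_sender=100):
    """Sender-based filtering: blacklist any IP that exceeds a volume threshold."""
    counts = Counter(ip for ip, _ in log)
    return {ip for ip, n in counts.items() if n > max_per_sender}

def fingerprint(body):
    """Content fingerprint: hash the body after dropping case, digits and punctuation."""
    normalized = re.sub(r"[^a-z ]+", "", body.lower())
    normalized = " ".join(normalized.split())
    return hashlib.sha256(normalized.encode()).hexdigest()

def flag_by_content(log, min_senders=50):
    """Content-based filtering: flag a fingerprint seen from many distinct senders."""
    senders = defaultdict(set)
    for ip, body in log:
        senders[fingerprint(body)].add(ip)
    return {fp for fp, ips in senders.items() if len(ips) >= min_senders}

def is_spam(ip, body, bad_senders, bad_fingerprints):
    """Combine both layers: reject on a blacklisted sender or a flagged fingerprint."""
    return ip in bad_senders or fingerprint(body) in bad_fingerprints

if __name__ == "__main__":
    log = BULK_HOST + BOTNET + NORMAL
    bad_senders = flag_by_sender(log)
    bad_fps = flag_by_content(log)
    print("blacklisted senders:", sorted(bad_senders))
    print("botnet IPs blacklisted by volume:", len(flag_by_sender(BOTNET)))
    print("flagged content fingerprints:", len(bad_fps))
```
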

As spam continues to flood mailboxes everywhere, Templeton sees people turning to mediums like SMS and sites like Facebook, though he concedes part of the disdain for e-mail may be a function of differing generational communication preferences rather than flight from spam.

Looking back over the years, Templeton said in a phone interview that he wished that when the time came to write a law against spam, specifically the CAN-SPAM Act of 2003, lawmakers had crafted something more specifically targeted at the worst spammers. "If they had said, 'Let's focus on legal remedies that would find these two dozen people who are sending literally billions of spam,' then they could have had a law with some teeth," he said. While he acknowledges that a stronger, more specific law might just have driven the worst spammers overseas, he said that such a law would still be better than current federal legislation.

Marcus observes that technology can help. But, like Cluley, he sees spam as a social problem. "Filtering and multiple layers of defense have certainly gotten a lot better over the years," he said. "But at the end of the day spam is something that requires a lot of awareness on the victim's part. That is certainly the most challenging aspect of spam."
