Spam's Tenth Birthday Today
Ten years ago today, spam as we know it was born. On 5 March 1994, a message was posted to some Usenet newsgroups by a law firm called Canter and Siegel, advertising their services for the U.S. Green Card lottery. It sounds mild enough today, but at the time that move and its follow-ups provoked increasing outrage across the Net. Many were appalled that "netiquette" - the unspoken rules that hitherto had maintained order in cyberspace - had been breached, sensing perhaps that things would never be the same again.
They were right, of course. By daring to try what no one had done before, those first spam messages opened the floodgates to the deluge we battle daily. When it became clear from Canter and Siegel's continued postings that their spams were being neither effectively blocked nor ignored, others soon followed in their footsteps.
As anyone using the Internet ten years ago will recall, the wave of Usenet spam that followed effectively destroyed the usefulness of newsgroups. This would have been bad enough, but things did not rest there. The next critical development was moving from spamming Usenet newsgroups to spamming individual email addresses. The initial constraint on email spam was the difficulty of putting together big enough lists to compensate for the small response rate. It is probably no coincidence that the practice of email spam arose just as the Web was becoming a mass medium. Its growing popularity, and the natural tendency of enthusiastic users to include email contact details on their sites, made address harvesting easier.
However, almost as soon as the critical list-size was attained for email spamming to be economically worthwhile, it proved necessary to include even more addresses to offset the mounting hostility towards spam and the corresponding reduction in response. Spam thus undermined its own effectiveness, and drove its own escalation. Unfortunately, in the process of doing so, it also debased email itself - to the extent that there is a serious risk that many companies and individual users will be alienated from email altogether.
Even if vast swathes were to seek alternatives to traditional email, spam would still pose a serious threat to the functioning of the Internet. The latest generation of spam, whose payloads are highly-infectious worms - such as SoBig and MyDoom - rather than advertisements, means that even if only a small proportion of machines become infected, collectively they could still bring down Web sites through distributed denial of service (DDoS) attacks. Worse, those same machines can be used to relay yet more infectious spam.
More subtly, spam even entails a broader risk to international security. According to the anti-spam company Brightmail, since July 2003, most email is now spam. Coupled with the fact that spam tries to evade increasingly sophisticated email filters by embedding spurious characters, chunks of irrelevant text or concatenations of unusual words, this means that the bulk of email traffic is random, if sometimes oddly poetic. As such, it now provides the perfect medium for covertly transmitting criminal or terrorist information over public networks - using steganography, for example - in a way that would be almost impossible to detect, no matter how sophisticated the analysis programs.
The scale of the challenge - and the lack of unanimity on how best to meet it - can be judged from the diversity of anti-spam approaches on offer. These include technical fixes to the venerable SMTP protocol to allow email to be authenticated (for example, Microsoft's much-vaunted Caller ID for email, or SPF), entirely new economic models for email, as well as legislation (such as the U.S. CAN-SPAM Act), industry alliances (like the Messaging Anti-Abuse Working Group, and that between AOL, Microsoft and Yahoo), managed services (MessageLabs, Postini), Internet gateway products (Brightmail, CipherTrust) and client-side filtering (SpamAssassin, SpamNet).
More about these and other ideas will be found in future columns. But it is hard not to wish that some of the ingenuity and urgency now finally being shown had been brought to bear on those fledgling spam messages all those years ago.
Glyn Moody welcomes feedback at feedback@netcraft.com.
"Its growing popularity, and the natural tendency of enthusiastic users to include email contact details on their sites, made address harvesting easier"
and they post an email address at the bottom of the post! :)
Posted by: jeff on March 7, 2004 12:55 AMThere is one prior mass Usenet spam of which I'm aware (being one of the people who mass-cancelled it) in January 1994.
This was Clarence L. Thomas IV's "Global Alert For All: Jesus is Coming Soon" spam that a couple of hundred newsgroups.
Announcement of the cancels:
http://groups.google.com/groups?selm=1994Jan18.122329.18102%40aber.ac.uk&output=gplain
Logs of the cancel messages:
http://groups.google.com/groups?selm=1994Jan18.164130.13076%40aber.ac.uk&output=gplain
http://groups.google.com/groups?selm=1994Jan18.164444.13462%40aber.ac.uk&output=gplain
..and how about this a sadly way-of-target hope for the future..
http://groups.google.com/groups?selm=1994Jan18.200327.24535%40aber.ac.uk&output=gplain
Posted by: Chris Samuel on March 7, 2004 01:55 AMI believe SPAM was born much earlier, as early as 1978.
http://www.templetons.com/brad/spamterm.html
Posted by: Tong Sau Loon on March 8, 2004 01:50 AMI would love to debate.. But I have to be at work in 1 hour.
Posted by: Brainfarth on March 8, 2004 12:33 PMI was going to point you to the Brad Templeton piece but for a different reason: he starts his article on spam history with a definition of spam as Hormel coined the phrase, a nice touch. Your piece also interests me because of your ideas about spam and security, another great angle. Nice job.
Posted by: Tim on March 9, 2004 12:09 AMGlyn,
First, NICE JOB of remembering ! I thought it was earlier than that (like 1992). I see now that my memory has been slightly muddled ! :>D
Second, You wistfully say: "But it is hard not to wish that some of the ingenuity and urgency now finally being shown had been brought to bear on those fledgling spam messages all those years ago."
If you remember, the "Usenet SPAM" didn't hit any of the moderated newsgroups. Also, the folks who RAN Usenet were ACTIVELY doing everything in their power to kill off the "GREEN CARD" messages. There were quite a few people who wanted to do the same to Canter & Seigel ! :>D
We traced them down. I, personally, found SEVEN accounts that they used to send their junk. There were no (discovered) methods for 'fool-proof' address spoofing a UUCP-Style email address. All together (remember, my memory is NOT completely clear) there were about twenty accounts that they had for the purpose of sending their junk.
Most of the ISP's shut off their accounts when approached with hard data. I seem to remember some lawsuits filed (from the Green Card pukes) about depriving them of "paid-for" rights. [You'll probably know or be able to find out much more than I.]
The point is that we were as ingenious as we could be, given the state of the technology, and only by convincing some Legislators that this was illegal, and a hindrance, could laws have been passed to "nip SPAM in the bud".
Unfortunately, the Legislators were all too worried about raising our taxes, and other such folly (at the time). The 'Internet' was nowhere on ANYBODY's "Radar" in (or before) 1994. [Most Law-Makers couldn't be bothered at that time.]
Thanks, though, for bringing this up. Very few people remember the beginnings of SPAM, and how far it has come in such a SHORT time. [It has 'progressed' in step with network speeds !!]
JB
Last year I published some fairly widely read articles about the 25th anniversary of the earliest spam, and the nearby 10th anniversary of the migration of the term spam into USENET. It had been used for several years before that in the MUD community.
That early spam was in May of 78, the, early use of the term was in March of 1993. The first really giant USENET spam was not the green card one, it was 4 months earlier about Jesus.
The green card one got a lot of attention not for being first but by being the first where they didn't go away in shame, but instead said, "We're going to keep doing this."
http://www.templetons.com/brad/spamterm.html
http://www.templetons.com/brad/spam/spam25.html
And other links from there
Glyn Moody's article "Spam's Tenth Birthday Today" arrives just a few years too late.
I was getting SPAM from Sanford Wallace's 'Cyberpromo' operation on my Compu$erve account in early 1992 [at $0.75 per email received from a non CI$ source that quickly got expensive]
Dave Levitt
[formerly known as 76116.3250@compuserve.com]
Spam's birthday is 1 May 1978.
http://www.templetons.com/brad/spamreact.html
Hello,
very nice article. I didn't know exactly when it began, only that it did begin in Usenet.
I run a spam filtering service at www.spamfreemail.de. In contrast to most other providers, our customers do not mind if the occasional false positive gets filtered. This allows us to filter more agressively than most other providers, which makes a lot of people who receive almost only SPAM come to us.
A couple stats: 80% of the mail connections we receive are already blocked at the SMTP level (via DNS blackhole lists and to unknown recipients). Of the rest, about 5% are Windows viruses and worms, and filtered by a mail scanner (qmail-scanner and f-prot). Of those, known malware executable attachments are blocked already at the SMTP level. Of the rest, almost all is SPAM and filtered by SpamAssassin. Only about 3% of the mail we _would_ receive without blocking is real email - the rest is garbage. SpamAssassin with a lot of custom rules gets us almost 100% hit rate, and about one false positive per 10,000 "legitimate" mails.
I think this is a very important approach. As long as people will complain when they don't receive their friend's colorful HTML message about his favorite credit card or porn pictures, written on Hotmail but with a Yahoo sender adress, and sent from a local provider who tolerates spammers, it will not be possible to filter SPAM efficiently. I.e.: If you get into (some) DNS blocklists you must not complain to the people blocking your mail, but to the provider for getting into the list!
Also, people must learn not to publish their mail addresses. I have a work email adress that I use *solely* for email contacts. No website. No mailing or distribution lists. No usenet. No forwarding. I have yet to receive a single SPAM message on this address, in over a year.
Thank you,
Jens Benecke
At the rate things are going, with an average of ~500 spams a day hitting our main mail server, I wonder where we'll be in 10 years. If we need a powerful machine now just to filter our mail, imagine in the future.
Ugh.
leandro
Those of us who 10 years ago forsaw the present darkness were ridiculed and ignored. Unfortunately, there is little satisfaction now in saying "I told you so". But many of us did. I suspect a year from now those still using email will be behind whitelist only systems accepting no unknown email, or using alternative means of communication. Legal authorities still seem for the most part utterly clueless and unwilling to take action, as criminals overwhelm the Internet with spam and other abuse from millions of compromised machines worldwide. A stunning development during the past year, but MSBlast introduced one of those watershed moments as did the first spam on usenet, and I don't think the majority have quite grasped this watershed moment in Internet history, either.
Spam itself is cheap to buy, with sites boasting of the ability to mass email in bulk to specified lists created with prices that can range from $20 a month to hit 500 emails a day to $169 to hit a million emails at one time “spam-free.” Their services are also available in different languages, are easy to post, and their sophisticated software that is guaranteed to get through any email filters to inboxes that are verified as working daily as long as a credit card number is provided.
Some offer a promise never to spam the buyer of spam. They sell bulk email, bulk servers, and email lists with options to buy spam services from overseas avoiding U.S. spam laws that can include free tracking reports. Spammers bait the unsuspecting with offers to win or receive free services like www.MyFreeWebMail.com that hides fine print agreeing to opt-in for sponsor information and within 24 hours spam has taken over. It easy for bulk mail companies to buy email lists from online companies willing to make a fast buck. Selling demographic information has become a lucrative industry with major corporations sharing consumer information for profit.
Bulk spam companies have teams that scour the web for any public posted email addresses from newsgroups, Web pages, realtor databases, travel agents, classified ads, and search engines. To get around anti-spam laws they offer an opt-out option, however opting out of one these lists may validate the email address and make it hit with even more spam.
http://www.overture.com/d/search/?type=home&Keywords=bulk+email
http://www.spamalternative.com/
For every hit to their sites they have to pay, so it can be your turn to get back at them if only a little.
Posted by: Basta on April 22, 2004 06:55 AM
