Happy Anniversary!

May 3, 2008, marks the 30th anniversary of spam mail. Yes, it’s been three decades since Gary Thuerk, a Digital Equipment Corporation (DEC) employee at that time, broadcast the very first unsolicited advertising message announcing a new product, the DEC-20, to everyone on the Internet’s predecessor, the Advanced Research Projects Agency Network (ARPANET). Developed by the Defense Advanced Research Projects Agency (DARPA) of the United States Department of Defense, the ARPANET was the world’s first operational packet switching network and paved the way for the information superhighway we now call the world wide web. Take a look at the innocuous message and a write up of the events surrounding this unsolicited commercial email by clicking here: http://www.templetons.com/brad/spamreact.html.

The term “spam”, which refers to SPAM®, a canned meat product sold by the Hormel Foods Corporation, was coined to describe unwanted and unsolicited commercial email. A description of why this term was used is here: http://en.wikipedia.org/wiki/Spam_%28electronic%29#History. The term wasn’t used much in the early days, and it wasn’t until 1994 that spamming started in earnest. Deliberate commercial spamming as a form of advertising is believed to have been started by a law firm, Canter & Siegel. In 1994, the firm sent a message advertising their immigration services to more 6,000 Usenet newsgroups. They developed mass-mailer software to automate the distribution of the email, a practice still used by spammers today.

Over the past 30 years, the face of spam has changed dramatically—from simple text, to obfuscated text, phishing emails, and spammed malware. And it’s even gone beyond that to image spam, spear phishing, attachment spam, and recently even MP3 based spam. At first, spam was sent from single user accounts. Later, spammers pushed their messages through open mail servers. Today, these unwanted emails are typically sent via huge networks of zombie machines, which are designed by malware writers to send large volumes of spam very efficiently. Spamming has also seeped into new venues and morphed into new forms. Spam has evolved from newsgroup and email spamming to Instant Messaging, mobile phone spam, and blog and search result manipulation spam.

Despite Bill Gates’ prediction in 2004 that spam would cease to exist by 2006 (http://news.bbc.co.uk/1/hi/business/3426367.stm), there appears to be no end in sight, even in spite of recent laws, such as the Controlling the Assault of Non-Solicited Pornography And Marketing Act of 2003 (CAN-SPAM) introduced to help curb spam. Why does the law lack legs? It’s mainly because today’s spammers, who are motivated by the prospect of financial gains, largely operate outside of countries with strict anti-spam laws.

In some ways, Bill Gates’ prediction was correct in that spam filtering solutions have been developed over this period of time to detect and filter almost all the spam that is sent, but this is cleaning up the problem, rather than eliminating it entirely. I don’t think anyone would favour an “email tax” to reduce spam, and Challenge/Response systems only contribute to more unwanted mail and slower communications. I personally believe it would take a concerted effort on the part of Internet Service Providers (ISPs) and Internet backbone providers to filter spam at its sources and block rogue “bullet proof” ISPs. Technology currently exists to identify and isolate hijacked spam sending zombie PCs, but ISPs appear reluctant to commit to the infrastructure and customer support needed to implement these systems in a highly competitive and price-sensitive market. A better alternative may be a transition to a newer, more secure, mail protocol that would make it easier to eliminate spam email at the source.

In addition to ever more creative ways to block received spam, is an upgrade to the SMTP protocol answer? Or do we need more government legislation? Or is it something else altogether? Will it take another 30 years to put spammers out of business? I sure hope not!