April 12th is the 20th anniversary of the first large-scale commercial spam – the infamous “Green Card Lawyers” message that was posted to every newsgroup on Usenet News. Though there were attempts at spamming starting as early as 1978, they went out to hundreds of users rather than the hundreds of thousands that the green card lawyers annoyed. Cloudmark has put together a handy infographic summarizing some of the high and low points of the past two decades of unsolicited bulk messaging. In researching this timeline, I noticed a very clear pattern. For the first few years, the spammers had it pretty much all their own way. Many of the forms of spam that we are still familiar with today first appeared in the 1990s: Nigerian gold, bootleg Viagra(TM), hardcore pornography, etc. In the late 1990s and early 2000s the tide started to turn, with both innovations in engineering and legal and legislative moves against spammers, and from the mid 2000s onwards less spam has been sent, and far less has reached end user inboxes. Let’s look in a bit more detail at some of the things that turned the tide, in both the engineering and legal fields.
Usenet News was the first medium of communication on the Internet to be hit by large-scale commercial spam, but it also provided a forum for anti-spam activists to collaborate. The newsgroup news.admin.net-abuse.email (NANAE) became the center for the fight against spam, and it was here that the technical methods used to prevent spam were first discussed. Of course, that newsgroup itself became a major target for spammers, who conducted what amounted to a denial of service attack by posting so many spam messages to the group that it was hard to find the genuine ones. The first lesson in being a spam fighter was to build effective spam filters for NANAE!
It’s strange to remember that one of the first lawsuits related to spam, in 1996, involved a spammer suing for the right to have his spam delivered. Sanford Wallace’s company, Cyber Promotions, a highly prolific source of spam, sued America Online on First Amendment grounds. Not only did Cyber Promotions object to the fact that AOL was attempting to filter their messages, they also complained that by bouncing undeliverable messages back to Cyber Promotions, AOL was in fact mailbombing them! Happily the judge threw the case out on the grounds that AOL was not a branch of the government, so the First Amendment did not apply. Spam filtering was officially legal in the US!
While AOL won the right to continue filtering spam, there were not many tools at the time available to smaller ISPs, who did not have the resources of AOL and could not develop their own filtering technology. That changed somewhat for the better in 1997, when Paul Vixie and Dave Rand announced the Realtime Blackhole List (RBL). This was a list of mail servers used by spammers – by refusing to accept SMTP connections from these mail servers, system administrators could block spam at the source. Of course, this was not adopted by all email providers, and spammers were free to obtain new IP addresses to send spam from, so this was not a complete solution to preventing spam.
In 1998, Steve Linford founded the non-profit organization Spamhaus, based in the UK and later Switzerland. As well as providing a widely used blacklist, in 2000 Spamhaus introduced the Register Of Known Spam Operations (ROKSO), a listing of the top spammers in the world. This became so well known that years later when FBI agent Keith Mularski wanted to establish his credentials in the cyber criminal underworld, he asked Spamhaus to list his undercover identity on ROKSO. They did, his persona became accepted in the credit card fraud underworld, and his operation eventually led to sixty arrests for carding.
Meanwhile, spammers had been wrestling with the problem of blacklisting, and in 2000 Khan C. Smith came up with the idea of using other people’s computers to send spam – lots of them. He created the first spam-sending botnet. This was revealed in 2001 when he was successfully sued by Earthlink. However, botnets were here to stay, and looking at the source of an email message was no longer enough to determine if it was spam or not. Content-based filters had been around for a while, of course, but spammers had learned to circumvent them by writing code to change part of their message or add random words to confuse filters. Since spam could change faster than any sysadmin could update filters, what was needed was a filtering system that could recognize spam and respond as fast as spam messages could change. But how could that be done?
In 2000, Vipul Ved Prakash announced a system that would do just that. Vipul’s Razor calculates signatures for the important parts of email messages, and then relies on feedback from users and spam traps to determine if that signature identifies a spam message. By flagging a message as spam, any user can send a vote that messages to other users with the same signature are likely to be spam. With enough votes from trusted users, future messages with the same signature are automatically flagged as spam. In 2001 Vipul and Jordan Ritter went on to found Cloudmark, but the original Vipul’s Razor was open source code, and has been used as the basis for other spam filtering systems since then.
In late 2003 the CAN-SPAM Act became law in the United States and the first arrests followed in early 2004. Though far from perfect, the act did provide a framework in which the worst of the spammers might get prosecuted, as well as reasonable practices for companies to follow if they want to do mass mailings to their customers. By 2005 the FTC was able to report that levels of spam were declining, and that much of it was being filtered to a spam folder rather than an inbox.
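A minimal sketch of the signature-and-vote scheme described above, as an added example that is not Vipul’s Razor’s or Cloudmark’s code. The signature function (SHA-256 over the case- and whitespace-normalized body), the reporter trust weights, the threshold and the sample messages are all assumptions made for illustration.

```python
import hashlib
import re

SPAM_THRESHOLD = 2.0  # assumed: summed reporter trust needed to flag a signature


def signature(raw_message: str) -> str:
    """Hash the body only; headers differ per recipient and are ignored."""
    _, _, body = raw_message.partition("\n\n")
    normalized = re.sub(r"\s+", " ", body).strip().lower()
    return hashlib.sha256(normalized.encode("utf-8")).hexdigest()


class ReputationStore:
    """Collects spam reports per signature, weighted by reporter trust."""

    def __init__(self, trust):
        self.trust = trust      # reporter id -> weight; unknown reporters count 0
        self.reports = {}       # signature -> set of reporter ids

    def report(self, reporter, raw_message):
        # A set means one reporter cannot vote twice on the same signature.
        self.reports.setdefault(signature(raw_message), set()).add(reporter)

    def score(self, raw_message):
        voters = self.reports.get(signature(raw_message), set())
        return sum(self.trust.get(v, 0.0) for v in voters)

    def is_spam(self, raw_message):
        return self.score(raw_message) >= SPAM_THRESHOLD


# Constructed sample messages: same body, different headers and spacing.
SPAM_TO_ALICE = "From: a@example.com\nTo: alice@example.net\n\nBuy  CHEAP pills now!\n"
SPAM_TO_BOB = "From: b@example.org\nTo: bob@example.net\n\nbuy cheap pills\n now!"
HAM = "From: carol@example.net\nTo: bob@example.net\n\nLunch on Friday?\n"


def demo():
    store = ReputationStore({"alice": 1.0, "spamtrap-1": 1.5, "new-user": 0.1})
    store.report("new-user", SPAM_TO_ALICE)
    store.report("new-user", SPAM_TO_ALICE)        # duplicate vote is ignored
    before = store.is_spam(SPAM_TO_BOB)            # one low-trust vote: not flagged
    store.report("alice", SPAM_TO_ALICE)
    store.report("spamtrap-1", SPAM_TO_ALICE)
    after = store.is_spam(SPAM_TO_BOB)             # trusted votes cross the threshold
    return before, after, store.is_spam(HAM)


if __name__ == "__main__":
    print(demo())
```

A plain cryptographic hash changes when a single word of the body changes, so it stands in here only for whatever signature a production filter computes over the parts of a message that stay stable.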
Since 2005, the technical innovation from email spammers has been more than matched by the spam filtering companies such as Cloudmark. While spam remains a problem, and we are very aware that we are in a constant arms race against some very persistent cyber criminals, the levels of spam reaching end user inboxes remain at very low levels.
However, the battleground against spam keeps changing. Myspace was founded in 2004, and by 2005 spammers were already using its messaging to send spam. Every social network and messaging service that has risen to prominence has been a target for spammers: Yahoo! Messenger, Skype, Facebook, Twitter, Pinterest, Snapchat, WhatsApp, nobody is immune. Cyber criminals have developed new techniques such as clickjacking and session hijacking for spamming and other malicious purposes. Clickjacking is placing a hidden button under the cursor, so that when a victim thinks they are clicking on an image to follow a link, they are in fact clicking on Like or Share and further distributing the spam. To remain successful, each new social network and messaging system has had to implement effective anti-spam measures against techniques developed to exploit their system.
Not the least of these is SMS messaging. SMS spam was seen as early as 2000, but it did not become a serious problem in the US until SIMs with unlimited messaging plans became cheaply available. In 2011 the GSMA’s Spam Reporting System (SRS) was launched in the US and since then has been adopted in other countries. This allows customers to report spam SMS messages by forwarding them to 7726. These reports allow the phone carriers to respond rapidly to spam attacks.
In twenty years, it’s clear that we have not won the war on spam, but for the past decade we have been winning all the battles. Let’s hope that continues into the future.