As anyone using the Internet ten years ago will recall, the wave of Usenet spam that followed effectively destroyed the usefulness of newsgroups. This would have been bad enough, but things did not rest there. The next critical development was moving from spamming Usenet newsgroups to spamming individual email addresses. The initial constraint on email spam was the difficulty of putting together big enough lists to compensate for the small response rate. It is probably no coincidence that the practice of email spam arose just as the Web was becoming a mass medium. Its growing popularity, and the natural tendency of enthusiastic users to include email contact details on their sites, made address harvesting easier.
However, almost as soon as the critical list-size was attained for email spamming to be economically worthwhile, it proved necessary to include even more addresses to offset the mounting hostility towards spam and the corresponding reduction in response. Spam thus undermined its own effectiveness, and drove its own escalation. Unfortunately, in the process of doing so, it also debased email itself – to the extent that there is a serious risk that many companies and individual users will be alienated from email altogether.
Even if vast swathes were to seek alternatives to traditional email, spam would still pose a serious threat to the functioning of the Internet. The latest generation of spam, whose payloads are highly-infectious worms – such as SoBig and MyDoom – rather than advertisements, means that even if only a small proportion of machines become infected, collectively they could still bring down Web sites through distributed denial of service (DDoS) attacks. Worse, those same machines can be used to relay yet more infectious spam.
More subtly, spam even entails a broader risk to international security. According to the anti-spam company Brightmail, since July 2003, most email is now spam. Coupled with the fact that spam tries to evade increasingly sophisticated email filters by embedding spurious characters, chunks of irrelevant text or concatenations of unusual words, this means that the bulk of email traffic is random, if sometimes oddly poetic. As such, it now provides the perfect medium for covertly transmitting criminal or terrorist information over public networks – using steganography, for example – in a way that would be almost impossible to detect, no matter how sophisticated the analysis programs.
The scale of the challenge – and the lack of unanimity on how best to meet it – can be judged from the diversity of anti-spam approaches on offer. These include technical fixes to the venerable SMTP protocol to allow email to be authenticated (for example, Microsoft’s much-vaunted Caller ID for email, or SPF), entirely new economic models for email, as well as legislation (such as the U.S. CAN-SPAM Act), industry alliances (like the Messaging Anti-Abuse Working Group, and that between AOL, Microsoft and Yahoo), managed services (MessageLabs, Postini), Internet gateway products (Brightmail, CipherTrust) and client-side filtering (SpamAssassin, SpamNet).
More about these and other ideas will be found in future columns. But it is hard not to wish that some of the ingenuity and urgency now finally being shown had been brought to bear on those fledgling spam messages all those years ago.
Glyn Moody welcomes feedback at feedback@netcraft.com.