May 2008   
 
 

TECHNICAL INSIGHT: SPAM AND MORE SPAM


Spam Is Still Alive and Kicking

By Nick Kelly,
Anti-Spam Research Analyst, McAfee® Avert® Labs

May 3, 2008, marked the 30th anniversary of spam mail. Yes, it’s been three decades since Digital Equipment Corporation (DEC) employee Gary Thuerk broadcast the very first unsolicited advertising message by announcing DEC’s new DEC-20 to everyone on the Internet’s predecessor, the Advanced Research Projects Agency Network (ARPANET).

This act changed the nature of email communication dramatically. Some have compared it to a cyberspace “environmental catastrophe”. Most available statistics agree that at least 80 percent of all email messages are spam. No one likes spam or wants it, and not just because it's a nuisance. Spam also poses huge security risks. Click on a link in a spam email, and you risk installation of a Trojan or other malware. It can even lead to identity theft or credit card fraud if it takes you to a malicious site that tricks you into offering your confidential personal data to online evil-doers. To top it all off, spam is a huge productivity and resource drain for organizations, clogging email servers and slowing down performance.

Then and Now
Back in the seventies, people responded to the very first spam attempt in much the same way they respond today. After perusing some of the comments from the original recipients of Thuerk's spam message, Dave Marcus, security research and communications manager at McAfee® Avert® Labs, observes wryly, "The original spam and the reaction to the original spam generated the same reaction we see today. They were pissed at him, but he sold product." (If you want to take a look at the message along with a write-up of the events surrounding this unsolicited commercial email, click here.)

Over the past 30 years, the face of spam has changed dramatically—from simple text, to obfuscated text, phishing emails, and spammed malware. It has gone beyond that to image spam, spear phishing, attachment spam, and, most recently, MP3 spam. At first, spam was sent from single user accounts. Later, spammers pushed their messages through open mail servers. Today, these unwanted emails are typically sent via botnets, huge networks of zombie machines that are specifically designed to send large volumes of spam very efficiently. Spamming has also seeped into new venues and morphed into new forms. Spam has evolved from newsgroup and email spamming to Instant Messaging, mobile phone spam, and blog and search result manipulation spam.

A Low-overhead Business
Despite Bill Gates' bold prediction in 2004 that spam would cease to exist by 2006, there appears to be no end in sight, in spite of recent laws, such as the Controlling the Assault of Non-Solicited Pornography And Marketing Act of 2003 (CAN-SPAM), introduced to help curb spam. Why does the law lack legs? It's mainly because today's spammers, who are motivated by the prospect of potentially huge financial gains, largely operate outside of countries with strict anti-spam laws.

The proliferation of spam is largely driven by economics—and today more so than ever. Because of the open nature of SMTP mail, email fraudsters can send huge volumes of spam very inexpensively. Princeton computer science professor Ed Felten expects spam will continue for that very reason. "Thirty years later, there is more spam than ever and no end is in sight," he said in a blog post on Thursday. "This shouldn't be surprising, because the spam problem is fundamentally driven by economics. If anyone can send to anyone, and the cost of sending is nearly zero, many messages will be sent."

Can We Avoid Another Anniversary?
In 2004, Bill Gates predicted that spam would be eradicated in two years. But the fact that spam is still alive and kicking is nothing to celebrate!

In some ways, Bill Gates' prediction was correct in that spam filtering solutions have been developed over this period of time to detect and filter almost all the spam that is sent, but this is cleaning up the mess rather than eliminating it. As spam volumes increase year after year, the required processing power, infrastructure demands, and storage costs needed to transport and deal with billions of spam mails are also increasing. It would take a concerted effort on the part of Internet Service Providers (ISPs) and Internet backbone providers to filter spam at its source and block rogue ISPs. A possible alternative might be a transition to a newer, more secure SMTP mail protocol that would make it easier to eliminate spam email at the source. Technology currently exists to identify and isolate hijacked spam-sending zombie PCs, but ISPs appear reluctant to commit to the infrastructure and customer support needed to implement these systems in a highly competitive and price-sensitive market.

Naturally, technology can help alleviate the onslaught of spam. But, ultimately, as Dave Marcus points out, eradicating spam requires behavioral changes en masse. "Filtering and multiple layers of defense have certainly gotten a lot better over the years," he says. "But at the end of the day, spam is something that requires a lot of awareness on the victim's part. That is certainly the most challenging aspect of spam."

Is an upgrade to the SMTP protocol the answer? Or do we need more government legislation? Or is it something else altogether, like changing the way we respond to it? Will it take another 30 years to put spammers out of business? We sure hope not!

 

 

 
