The evolution of spam

Spam (unsolicited bulk advertising via email) made its first appearance in the mid 1990s, ie, as soon as enough people were using email to make this a cost-effective form of advertising. By 1997, spam was regarded as being a problem, and the first Real-Time Black List (RBL) appeared in the same year.

The development of spammer techniques

Spammer techniques have evolved in response to the appearance of more and better filters. As soon as security firms develop effective filters, spammers change their tactics to avoid the new spam blockers. This leads to a vicious circle, with spammers re-investing profits into developing new techniques to evade new spam filters.

Direct mailing
Initially, spam was sent directly to users. In fact, spammers didn’t even need to disguise the sender information. This early spam was easy enough to block: if you blacklisted specific sender or IP addresses, you were safe. In response, spammers began spoofing sender addresses and forging other technical information.

Open relay
In the mid-1990s all email servers were open relay – any sender could send an email to any recipient. Spam and other security issues led administrators to start reconfiguring mail servers worldwide. However, the process was relatively slow, and not all mail server owners and administrators were willing to cooperate. Once the process was well underway, security analysts began scanning for the remaining open relay mail servers. These DNS RBLs were made available, making it possible for, security conscious administrators to block incoming mail from listed servers. However, open relay servers are still used for mass mailing.

Modem pool
As soon as sending spam via open relay became less efficient, spammers began to use dial-up connections. They exploited the way in which ISP providers structured dial up services and utilized weaknesses in the system:

As a rule, ISP mail servers forward incoming mail from clients.

  • Dial-up connections are supported by dynamic IP addresses. Spammers can therefore use a new IP address for every mailing session.
  • In answer to spammer exploitation, ISP providers began to limit the number of emails a user could send in any one session. Lists of suspect dial-up addresses and filters which blocked mail from these addresses appeared on the Internet.

Proxy servers
The new century saw spammers switching to high-speed Internet connections and exploiting hardware vulnerabilities. Cable and ADSL connections allowed spammers to send mass mailing cheaply and quickly. In addition, spammers rapidly discovered that many ADSL modems had built-in socks servers or HTTP proxy servers. Both are simply utilities that divide an Internet channel between multiple computers. The important feature was that anybody from anywhere in the world could access these servers since they had no protection at all. In other words, malicious users could use other people’s ADSL connections to do whatever they pleased, including, naturally, sending spam. Moreover, the spam would look as if it had been sent from the victim’s IP address. Since millions of people worldwide had these connections, spammers had a field day until hardware manufacturers began securing their equipment.