The evolution of spam

Spam (unsolicited bulk advertising via email) made its first appearance in the mid-1990s, i.e. as soon as enough people were using email to make it a cost-effective form of advertising. By 1997 spam was regarded as a problem, and the first Real-time Blackhole List (RBL) appeared in the same year.

The development of spammer techniques

Spammer techniques have evolved in response to the appearance of more and better filters. As soon as security firms develop effective filters, spammers change their tactics to avoid the new spam blockers. This leads to a vicious circle, with spammers re-investing profits into developing new techniques to evade new spam filters.

Direct mailing

Initially, spam was sent directly to users. In fact, spammers didn't even need to disguise the sender information. This early spam was easy enough to block: if you blacklisted specific sender addresses or IP addresses, you were safe. In response, spammers began spoofing sender addresses and forging other message headers.

Open relay

In the mid-1990s virtually all email servers were open relays: any sender could use them to deliver mail to any recipient. Spam and other security issues led administrators to start reconfiguring mail servers worldwide. However, the process was relatively slow, and not all mail server owners and administrators were willing to cooperate. Once the process was well underway, security analysts began scanning for the remaining open relays and publishing their addresses as DNS-based blocklists (DNS RBLs), making it possible for security-conscious administrators to reject incoming mail from listed servers. However, open relays are still used for mass mailing.
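A DNS RBL works by encoding the connecting server's IP address as a DNS name inside the list's zone and looking up an A record for it. The following is an added example (not code from the original article or from Kaspersky Lab) showing how a mail server performs that lookup and acts on the answer; the zone name dnsbl.example and the listed addresses in FAKE_ZONE are constructed for this example, and the interpretation of answers as addresses in 127.0.0.0/8 follows the common DNSBL convention rather than anything stated on this page.

```python
import ipaddress
import socket

# Constructed stand-in for a DNSBL zone (not real listing data). It maps the
# reversed-octet query name to the A record a real zone would answer with.
# Both the zone name and the listed addresses are assumptions of this example.
FAKE_ZONE = {
    "4.3.2.1.dnsbl.example": "127.0.0.2",      # 1.2.3.4 listed, e.g. as an open relay
    "2.0.168.192.dnsbl.example": "10.1.1.1",   # bogus answer: not a 127.0.0.0/8 code
}


def dnsbl_query_name(ip, zone):
    """Build the DNSBL lookup name: octets reversed, then the zone appended.
    192.0.2.1 in zone.example becomes 1.2.0.192.zone.example."""
    addr = ipaddress.IPv4Address(ip)  # rejects garbage before it reaches DNS
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def fake_resolve_a(name):
    """Offline resolver backed by the constructed zone above."""
    return FAKE_ZONE.get(name)


def live_resolve_a(name):
    """Real resolver for production use. NXDOMAIN (no such name) is how a
    DNSBL says 'not listed', so that case is mapped to None."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def dnsbl_lookup(ip, zone="dnsbl.example", resolve_a=fake_resolve_a):
    """Return the listing code (an address in 127.0.0.0/8) or None if unlisted.
    Any other answer is an error: a wildcarded or hijacked zone would
    otherwise list the whole Internet."""
    answer = resolve_a(dnsbl_query_name(ip, zone))
    if answer is None:
        return None
    if ipaddress.IPv4Address(answer) not in ipaddress.IPv4Network("127.0.0.0/8"):
        raise ValueError(f"{zone} answered {answer}, which is not a DNSBL code")
    return answer


def accept_mail_from(ip, zones=("dnsbl.example",), resolve_a=fake_resolve_a):
    """Policy for an incoming SMTP connection: reject if any zone lists the IP,
    but fail open when a zone returns nonsense rather than block everyone."""
    for zone in zones:
        try:
            if dnsbl_lookup(ip, zone, resolve_a) is not None:
                return False
        except ValueError:
            continue
    return True


if __name__ == "__main__":
    for ip in ("1.2.3.4", "5.6.7.8", "192.168.0.2"):
        print(ip, "accepted" if accept_mail_from(ip) else "rejected")
```

Swapping `fake_resolve_a` for `live_resolve_a` and dnsbl.example for a real list's zone turns this into a working check; the fail-open branch matters because a DNSBL that is shut down and later wildcarded would otherwise reject all mail.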

Modem pool

As soon as sending spam via open relays became less effective, spammers switched to dial-up connections, exploiting the way ISPs structured their dial-up services:

  • As a rule, an ISP's mail servers relay outgoing mail from any of its own clients without further checks.
  • Dial-up connections use dynamic IP addresses, so a spammer gets a fresh IP address for every mailing session, defeating simple address blacklists.

In response, ISPs began limiting the number of emails a user could send in a single session, and lists of dial-up address ranges, together with filters that blocked mail originating directly from those addresses, appeared on the Internet.

Proxy servers

The new century saw spammers switching to high-speed Internet connections and exploiting insecure consumer hardware. Cable and ADSL connections allowed spammers to send mass mailings cheaply and quickly. In addition, spammers rapidly discovered that many ADSL modems had built-in SOCKS or HTTP proxy servers, intended simply to share one Internet connection between several computers. The important feature was that these proxies accepted connections from anywhere in the world, since they had no authentication at all. In other words, malicious users could use other people's ADSL connections to do whatever they pleased, including, naturally, sending spam. Moreover, the spam would appear to originate from the victim's IP address. Since millions of people worldwide had these connections, spammers had a field day until hardware manufacturers began securing their equipment.

Hacking users’ machines

Currently spammers send the majority of their mailings from machines belonging to unsuspecting users. They infect these machines with Trojans that leave them open to remote control. Methods used to penetrate victim machines include:

  • Trojan droppers and downloaders bundled into pirated software distributed via P2P file-sharing networks (Kazaa, eDonkey etc.).
  • Exploiting vulnerabilities in MS Windows and in popular applications such as Internet Explorer and Outlook.
  • Email worms.

Analysts estimate that Trojans are installed on millions of machines worldwide. Modern Trojans are sophisticated enough to download new versions of themselves, fetch and execute commands from specified websites or IRC channels, send out spam, conduct DDoS attacks and much more. According to Return Path, 96.7% of all computers are controlled by spammers, i.e. form part of a botnet.

The development of spam content

Many spam filters work by analyzing the content of a message: the message subject, body, and attachments. Spammers today expend significant resources on developing content that will evade content filters.

Simple text and HTML

Originally, spam was simple: identical copies of one message were sent to everyone on a mailing list. These emails were laughably easy to filter out, since the sheer volume of identical texts gave them away.

Personalized messages

Spammers then began to include a greeting based on the recipient's address (for example, "Hello, Joe!" in the message sent to joe@user.com). Since every message now contained a personalized greeting, filters which blocked identical messages no longer detected this type of spam. Security experts developed filters that identified the unchanging lines in a mailing, which were then added to the filtering rules. They also developed fuzzy signature matching, which detects text that differs only slightly from a known sample, and self-learning statistical filters such as Bayesian filters.
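The contrast between exact signatures and fuzzy matching is easy to see in code. The following is an added example (not code from the original article or from any Kaspersky product): it hashes whole messages the way the early filters did, then compares messages by the Jaccard similarity of their overlapping three-word windows (shingles), one common form of fuzzy signature. The known-spam template and the incoming messages are constructed for this example.

```python
import hashlib
import re


def exact_signature(text):
    """The original approach: a hash of the whole body.
    A single changed character (the recipient's name) defeats it."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def word_shingles(text, k=3):
    """Set of overlapping k-word windows. Case and punctuation are
    normalised away first so 'Hello, Joe!' and 'hello joe' agree."""
    words = re.findall(r"[a-z0-9]+", text.lower())
    return {" ".join(words[i:i + k]) for i in range(len(words) - k + 1)}


def similarity(a, b, k=3):
    """Jaccard similarity of the two shingle sets: 1.0 identical, 0.0 disjoint."""
    sa, sb = word_shingles(a, k), word_shingles(b, k)
    if not sa and not sb:
        return 1.0
    return len(sa & sb) / len(sa | sb)


def classify(message, known_spam, threshold=0.6):
    """Cheap exact match first, then fuzzy match against each known sample.
    The threshold is a tuning assumption, not a value from the article."""
    sig = exact_signature(message)
    for sample in known_spam:
        if sig == exact_signature(sample):
            return "spam:exact"
    for sample in known_spam:
        if similarity(message, sample) >= threshold:
            return "spam:fuzzy"
    return "ham"


# Constructed samples (not real spam): one captured template and two incoming messages.
KNOWN_SPAM = [
    "Hello, Joe! Buy cheap pills at our online pharmacy today and save up to 80 percent."
]
PERSONALISED = "Hello, Ann! Buy cheap pills at our online pharmacy today and save up to 80 percent."
LEGITIMATE = "Hello, Joe! Are we still meeting for lunch on Tuesday?"


if __name__ == "__main__":
    for msg in (KNOWN_SPAM[0], PERSONALISED, LEGITIMATE):
        print(f"{similarity(msg, KNOWN_SPAM[0]):.2f}  {classify(msg, KNOWN_SPAM):<11} {msg}")
```

Only the two shingles that contain the recipient's name differ between the template and the personalised copy, so their similarity is 0.75 and the fuzzy rule still fires, while the genuine note to Joe shares no three-word window with the template at all.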

Random text strings and invisible text

Spammers now often place either text snippets from legitimate business emails or random text strings at the beginning or end of messages in order to evade content filters. Another method used to evade filters is to include invisible text in HTML-format emails: the text is either too tiny to see or its font color matches the background. Both methods are fairly successful against content-based and statistical filters. Analysts responded with scanners that look for these telltale padding texts and combine detailed HTML analysis with more sophisticated content analysis. Many anti-spam solutions can detect such tricks from the structure of a message alone, without analyzing its content in detail.

Graphics

Sending spam in graphics format makes it very hard to detect. Analysts are developing methods for extracting and analyzing text contained in graphics files.

Image spam takes several forms. Some are simple pictures that spam filters detect easily. To bypass filtering, spammers are now using more sophisticated images: they add background noise, replace letters with small images, rotate elements at different angles and use unusual fonts or mixed font sizes. As a result, the text in the image becomes extremely difficult to read, which defeats the purpose of sending the spam in the first place.

Another trick being used by spammers is animated spam. These days, spam isn't just being sent as a static image in an attachment, but as an animated image. Spammers use GIF animation, which all popular mail clients and browsers render. Typically animated spam has between two and four frames, only one of which actually contains the information about the goods or services being promoted.
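A filter does not need to decode the pixels to apply the two-to-four-frame observation above: counting image descriptors in the GIF block structure is enough. The following is an added example (not code from the original article or from any Kaspersky product) that walks a GIF's blocks, counts the frames and reads each frame's display delay from its Graphic Control Extension. Using the longest-displayed frame as the one likely to carry the advert is an assumption of this example, not a claim made on this page; the GIF bytes are constructed by build_test_gif and are not real spam.

```python
import struct


def _read_subblocks(data, pos):
    """Read a chain of length-prefixed sub-blocks terminated by a zero byte."""
    chunks = []
    while True:
        n = data[pos]
        pos += 1
        if n == 0:
            return chunks, pos
        chunks.append(data[pos:pos + n])
        pos += n


def gif_frames(data):
    """Walk the GIF block structure without decoding pixels and return one
    entry per image frame: its display delay in hundredths of a second."""
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF file")
    pos = 6
    _w, _h, packed, _bg, _aspect = struct.unpack_from("<HHBBB", data, pos)
    pos += 7
    if packed & 0x80:                                   # global colour table present
        pos += 3 * (2 ** ((packed & 0x07) + 1))
    frames, pending_delay = [], 0
    while pos < len(data):
        block = data[pos]
        pos += 1
        if block == 0x3B:                               # trailer
            break
        if block == 0x21:                               # extension: label, then sub-blocks
            label = data[pos]
            pos += 1
            chunks, pos = _read_subblocks(data, pos)
            if label == 0xF9 and chunks and len(chunks[0]) >= 3:   # Graphic Control Extension
                pending_delay = struct.unpack_from("<H", chunks[0], 1)[0]
        elif block == 0x2C:                             # image descriptor = one frame
            ipacked = data[pos + 8]
            pos += 9
            if ipacked & 0x80:                          # local colour table
                pos += 3 * (2 ** ((ipacked & 0x07) + 1))
            pos += 1                                    # LZW minimum code size
            _pixels, pos = _read_subblocks(data, pos)   # compressed pixel data, skipped
            frames.append(pending_delay)
            pending_delay = 0
        else:
            raise ValueError(f"unexpected block 0x{block:02x} at offset {pos - 1}")
    return frames


def is_animated_spam_candidate(data, min_frames=2, max_frames=4):
    """The observation from the text: animated spam has a handful of frames."""
    return min_frames <= len(gif_frames(data)) <= max_frames


def longest_frame(data):
    """Index of the frame shown longest (assumed to be the one carrying the advert)."""
    delays = gif_frames(data)
    return max(range(len(delays)), key=delays.__getitem__)


def build_test_gif(delays):
    """Constructed 1x1-pixel GIF89a with one frame per delay value (not a spam sample)."""
    out = bytearray(b"GIF89a")
    out += struct.pack("<HHBBB", 1, 1, 0x80, 0, 0)     # 1x1, global colour table with 2 entries
    out += bytes([0, 0, 0, 255, 255, 255])             # black, white
    for delay in delays:
        # GCE: block size 4, packed flags, delay (LE16), transparent index, terminator
        out += bytes([0x21, 0xF9, 0x04, 0x00]) + struct.pack("<H", delay) + bytes([0x00, 0x00])
        out += bytes([0x2C]) + struct.pack("<HHHH", 0, 0, 1, 1) + bytes([0x00])
        out += bytes([0x02, 0x02, 0x44, 0x01, 0x00])   # LZW code size 2, one sub-block, terminator
    out += b"\x3B"
    return bytes(out)


if __name__ == "__main__":
    sample = build_test_gif([5, 200, 5])
    print(gif_frames(sample), is_animated_spam_candidate(sample), longest_frame(sample))
```

Because the parser only follows block lengths, it also rejects files that claim a GIF signature but carry a different structure, which is worth checking before handing an attachment to a full image decoder.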

Spammers continue making attempts to modernize the technology used in creating graphical attachments in spam emails. The first half of 2007 saw several new techniques for delivering and showing spam graphics to end users:

  1. Placing image files on free hosting websites (such as imageshack.us, imagenerd.com, imgnation.net, hostpic.biz, imgplace.com, etc.). The spam message itself contains only a link to the hosted image; when the user opens the email, most popular email clients automatically download the image from that URL.
  2. Using the image as a page background. Again the image is not included in the email but published on a separate website; the message body contains only a 'body' tag whose 'background' attribute points to the image URL. As a result, the image may be downloaded automatically by some mail clients, as well as by the web interfaces of some mail services.
  3. Spam in PDF attachments. Such an attachment is neither opened nor downloaded automatically; to see the spam content, the user has to open it manually.
  4. Spam in FDF (Forms Data Format) attachments. This is much like using PDF attachments, with the additional restriction that users can only open and view an FDF file in Adobe Acrobat Reader.
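The invisible-text trick described under "Random text strings and invisible text" and the remotely hosted, background-image and PDF/FDF delivery methods listed above can all be recognised from the structure of a message, without reading its text. The following is an added example (not code from the original article or from any Kaspersky product) that parses a MIME message, inspects its HTML part for text coloured like the page background or set in a tiny font, collects remote image and 'body background' URLs, and notes PDF/FDF attachments. The sample message is constructed inline with the Python email library, the domains in it are reserved example names, and the 30% hidden-text threshold is a tuning assumption.

```python
import re
from email import message_from_string
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText
from html.parser import HTMLParser

NAMED_COLORS = {"white": "#ffffff", "black": "#000000", "red": "#ff0000"}


def norm_color(value):
    """Normalise 'White', '#FFF' and '#FFFFFF' to '#ffffff' so colours compare equal."""
    if not value:
        return None
    c = NAMED_COLORS.get(value.strip().lower(), value.strip().lower())
    if re.fullmatch(r"#[0-9a-f]{3}", c):
        c = "#" + "".join(ch * 2 for ch in c[1:])
    return c


def style_hides_text(attrs, page_bg):
    """True if the element's colour matches the page background or its font is unreadably small."""
    style = attrs.get("style", "")
    color = norm_color(attrs.get("color"))
    m = re.search(r"(?<![\w-])color\s*:\s*([^;]+)", style)   # 'color:', not 'background-color:'
    if m:
        color = norm_color(m.group(1))
    m = re.search(r"font-size\s*:\s*(\d+(?:\.\d+)?)\s*(px|pt)", style)
    tiny = bool(m) and float(m.group(1)) <= 2
    return color == page_bg or tiny


class HtmlInspector(HTMLParser):
    """Collects the structural signals: hidden text, remote images, body background."""

    def __init__(self):
        super().__init__()
        self.page_bg = "#ffffff"        # assume white unless <body bgcolor> says otherwise
        self.background_url = None
        self.remote_images = []
        self.hidden_chars = self.visible_chars = 0
        self._stack = []                # (tag, hidden?) for currently open elements

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "body":
            self.page_bg = norm_color(a.get("bgcolor")) or self.page_bg
            self.background_url = a.get("background") or None
        if tag == "img" and re.match(r"https?://", a.get("src", ""), re.I):
            self.remote_images.append(a["src"])
        self._stack.append((tag, style_hides_text(a, self.page_bg)))

    def handle_endtag(self, tag):
        while self._stack:              # pop to the matching open tag; tolerates unclosed void tags
            if self._stack.pop()[0] == tag:
                break

    def handle_data(self, data):
        n = len(data.strip())
        if any(hidden for _, hidden in self._stack):
            self.hidden_chars += n
        else:
            self.visible_chars += n


def inspect_email(raw):
    """Walk every MIME part and return the signals found."""
    report = {"remote_images": [], "background_url": None, "hidden_ratio": 0.0, "attachments": []}
    for part in message_from_string(raw).walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if name:
            report["attachments"].append(name.lower())
        elif part.get_content_type() == "text/html":
            html = part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8", "replace")
            insp = HtmlInspector()
            insp.feed(html)
            insp.close()
            report["remote_images"] += insp.remote_images
            report["background_url"] = report["background_url"] or insp.background_url
            total = insp.hidden_chars + insp.visible_chars
            if total:
                report["hidden_ratio"] = max(report["hidden_ratio"], insp.hidden_chars / total)
    return report


def spam_signals(report, hidden_threshold=0.3):
    """Names of the rules that fired; an empty list means nothing structural was found."""
    hits = []
    if report["hidden_ratio"] > hidden_threshold:
        hits.append("invisible_text")
    if report["background_url"]:
        hits.append("remote_background_image")
    if report["remote_images"]:
        hits.append("remote_image")
    if any(n.endswith((".pdf", ".fdf")) for n in report["attachments"]):
        hits.append("pdf_or_fdf_attachment")
    return hits


def build_sample():
    """Constructed message exercising every trick at once (not a captured spam)."""
    outer = MIMEMultipart("mixed")
    outer["From"], outer["To"], outer["Subject"] = "promo@example.invalid", "joe@example.invalid", "Hello, Joe!"
    html = ('<html><body bgcolor="white" background="http://img.example.invalid/bg.gif">'
            '<p>Hello, Joe!</p><img src="http://img.example.invalid/offer.gif">'
            '<font color="#FFFFFF">The quick brown fox jumps over the lazy dog while the '
            'committee reviewed quarterly figures</font>'
            '<span style="font-size:1px">shipping terms apply see site for details</span>'
            '</body></html>')
    outer.attach(MIMEText(html, "html"))
    pdf = MIMEApplication(b"%PDF-1.4\n% constructed placeholder, not a real document\n", "pdf")
    pdf.add_header("Content-Disposition", "attachment", filename="offer.pdf")
    outer.attach(pdf)
    return outer.as_string()


if __name__ == "__main__":
    print(spam_signals(inspect_email(build_sample())))
```

Tracking the open-element stack rather than a single flag matters: hidden text nested in a visible container is still hidden, and the nearest unclosed tags are discarded on a closing tag so sloppy HTML does not leave the parser permanently in the hidden state.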

When they first appeared, these new developments were quite effective. However, several months (sometimes just weeks) down the road, spam filters were reconfigured to counter the new tactics.

Paraphrasing texts

A single advertisement can be endlessly rephrased, making each individual message appear to be a legitimate email. As a result, anti-spam filters have to be configured using a large number of samples before such messages can be detected as spam.

Currently, spammers usually use the last three methods in a variety of combinations. Many anti-spam solutions are incapable of detecting all three. As long as spamming remains profitable, users with poor-quality anti-spam software will continue to find their mailboxes clogged up with advertising.