Spam (unsolicited bulk advertising via email) made its first appearance in the mid 1990s, ie, as soon as enough people were using email to make this a cost-effective form of advertising. By 1997, spam was regarded as being a problem, and the first Real-Time Black List (RBL) appeared in the same year.
Spammer techniques have evolved in response to the appearance of more and better filters. As soon as security firms develop effective filters, spammers change their tactics to avoid the new spam blockers. This leads to a vicious circle, with spammers re-investing profits into developing new techniques to evade new spam filters.
Initially, spam was sent directly to users. In fact, spammers didn't even need to disguise the sender information. This early spam was easy enough to block: if you blacklisted specific sender or IP addresses, you were safe. In response, spammers began spoofing sender addresses and forging other technical information.
In the mid-1990s all email servers were open relay - any sender could send an email to any recipient. Spam and other security issues led administrators to start reconfiguring mail servers worldwide. However, the process was relatively slow, and not all mail server owners and administrators were willing to cooperate. Once the process was well underway, security analysts began scanning for the remaining open relay mail servers. These DNS RBLs were made available, making it possible for, security conscious administrators to block incoming mail from listed servers. However, open relay servers are still used for mass mailing.
As soon as sending spam via open relay became less efficient, spammers began to use dial-up connections. They exploited the way in which ISP providers structured dial up services and utilized weaknesses in the system:
In answer to spammer exploitation, ISP providers began to limit the number of emails a user could send in any one session. Lists of suspect dial-up addresses and filters which blocked mail from these addresses appeared on the Internet.
The new century saw spammers switching to high-speed Internet connections and exploiting hardware vulnerabilities. Cable and ADSL connections allowed spammers to send mass mailing cheaply and quickly. In addition, spammers rapidly discovered that many ADSL modems had built-in socks servers or HTTP proxy servers. Both are simply utilities that divide an Internet channel between multiple computers. The important feature was that anybody from anywhere in the world could access these servers since they had no protection at all. In other words, malicious users could use other people's ADSL connections to do whatever they pleased, including, naturally, sending spam. Moreover, the spam would look as if it had been sent from the victim's IP address. Since millions of people worldwide had these connections, spammers had a field day until hardware manufacturers began securing their equipment.
Currently spammers send the majority of mailing from machines belonging to unsuspecting users. Spammers use malware to install Trojans on users' machines, leaving them open to remote use. Methods used to penetrate victim machines include:
Analysts estimate that Trojans are installed on millions of machines worldwide. Modern Trojans are sophisticated enough to download new versions of themselves, download and execute commands from specified websites or IRC channels, send out spam, conduct DDoS attack and much more. According to Return Path, 96.7% of all computers are controlled by spammers. ie, form part of a bot network.
Many spam filters work by analyzing the content of a message: the message subject, body, and attachments. Spammers today expend significant resources on developing content that will evade content filters.
Originally, spam was simple: identical messages were sent to everyone on a mailing list. These emails were laughably easy to filter out due to the quantity of identical texts.
Spammers then began to include a greeting based on the recipient's address (for example, “Hello, Joe!” in the message sent to email@example.com). Since every message now contained a personalized greeting, filters which blocked identical messages did not detect this type of spam. Security experts developed filters that identified unchanging lines, which would then be added to filtration rules. They also developed fuzzy signature matching, which would detect text which only had minor changes, and statistic based self-modifying filtration technologies such as Bayesian filters.
Spammers now often place either text strings from legitimate business emails, or random text strings at the beginning or end of emails in order to evade content filters. Another method used to evade filters is to include invisible text in HTML-format emails: the text is either too tiny to see or the font color matches the background. Both methods are fairly successful against content and statistical filters. Analysts responded by developing search engines that scanned emails for such typical texts, which also conducted detailed HTML analysis and sophisticated content analysis. Many anti-spam solutions were able to detect such tricks without even analyzing the content of individual emails in detail.
Sending spam in graphics format makes it very hard to detect. Analysts are developing methods for extracting and analyzing text contained in graphics files.
Spam in graphical form includes different types of mailings. Some of which are simple pictures that are easily detected by spam filters. To bypass filtering, spammers are now introducing more sophisticated types of graphical images: they create background noise in pictures, replace letters by images, rotate the elements at different angles and use unique fonts or fonts of different sizes. As a result, the text (in the form of an image) becomes extremely difficult to read, which defeats the object of sending the spam in the first place.
Another trick being used by spammers is animated spam. These days, spam isn’t just being sent as a static graphical image in an attachment, but as an animated image. Spammers are using GIF animation which is recognized and displayed by all the popular browsers. Normally, animated spam has between two and four frames. Of these, only one of them actually contains significant information about the goods or services being promoted.
Spammers continue making attempts to modernize the technology used in creating graphical attachments in spam emails. The first half of 2007 saw several new techniques for delivering and showing spam graphics to end users:
When they first appeared, these new developments were quite effective. However several months (or sometimes just weeks) down the road, spam filters were reconfigured to counter new spammer tactics.
A single advertisement can be endlessly rephrased, making each individual message appear to be a legitimate email. As a result, anti-spam filters have to be configured using a large number of samples before such messages can be detected as spam.
Currently, spammers usually use the last three methods in a variety of combinations. Many anti-spam solutions are incapable of detecting all three. As long as spamming remains profitable, users with poor-quality anti-spam software will continue to find their mailboxes clogged up with advertising.