I was pwned online recently. My contact information was revealed to the internet by the Entertainment Software Association's leaky exhibitor portal. Luckily, confidential info like my SSN and birthdate were not spilled but I still found myself preparing for the inevitable flood of scams and spam, now that my details were out there for the world to see. But the deluge never came, only a meager handful of Nigerian princes reached my inbox with offers of long lost inheritance. So if internet nefarious scammers have my email address, why isn't my inbox filled with spam? Turns out we have AI to thank for that.
Spam has been around for nearly as long as computers have. Digital Equipment Corp marketing manager Gary Thuerk is widely seen as the father of spam. He earned that ignominious distinction in May 1978 when he emailed more than 600 clients over ARPANET about DEC's new VAX system.
"I knew I was pushing the envelope," Thuerk told Computer World in 2007. "I thought of it as e-marketing... we wanted to reach as many people as possible to let them know about our new product. It was coming out December of that year and we didn't want to send invitations." And it worked. DEC sold $13 - 14 million worth of equipment as a result of the email campaign. It raised the ire of users as well with Thuerk noting that an ARPANET admin "called me up and chewed me out. He made me promise never to do it again."
If only we'd heeded that brave network admin's call. In the years since, the volume of spam being sent has steadily grown. In 2008, Microsoft estimated that more than 97 percent of emails sent that year were unwanted. By 2010, spammers were sending some 200 billion unsolicited emails annually. In the last few years, those numbers have declined slightly with only an estimated 56 percent of all email traffic being of the spam variety in the first quarter of 2019, according to Kaspersky Labs. Still, that's 1 out of every 646 emails delivered to American inboxes. Luckily, only 1 in 3,207 were actual phishing attempts and not just unsolicited commercial email.
Spam originates from every corner of the globe and there is often little distinction between the operations that fill our inboxes with ads and those that attempt to hijack our online identities through spear phishing campaigns.
"In many ways, it's not the person sending the Viagra ad [versus phishing] but the service used to send it is identical," Kevin Haley, director of Symantec Security Response told Engadget. "The easiest and the cheapest way is to hire somebody to send that all out for me. It wouldn't be very expensive."
"There are certainly shops that generate email at scale, and will do this for any type of content," Neil Kumaran, Product Manager for Gmail, told Engadget. "Then there are folks that focus very specifically on very targeted crafted phishing attacks, or they're doing spam for a particular organization or for a particular monetary benefit for them."
A 2018 study by Symantec found that spammers appear to be foregoing malicious links in favor of email attachments. "Symantec telemetry shows that Microsoft Office users are the most at risk of falling victim to email-based malware, with Office files accounting for 48 percent of malicious email attachments, jumping from 5 percent in 2017," the study reads.
"There are certainly trends," in how scammers target their marks, Haley explained. "The trend now, as you can see from the numbers in the report, is to go towards attachments."
He points out that Office file attachments have long been a popular infiltration vector for malicious emailers. "We all use Office files," he said. "None of us ever really have a lot of fear, don't think that it could be any problem from opening them up -- until you have all these macro viruses." Microsoft nixed that scheme when it stopped allowing macros to run by default with Office 97. However, in recent years, scammers have with great success developed social engineering techniques to fool users into allowing macros to run automatically.
"That's part of what you're seeing in those numbers," Haley said. "The bad guys always copy each other when something works."
Spam's seemingly inexorable march to our inboxes has not been unopposed. In 2003, Congress passed the Controlling the Assault of NonSolicited Pornography and Marketing Act (CAN-SPAM). This legislation requires that the header and subject lines of emails be free of deceptive or misleading information, the sender include a physical mailing address, and that the sender cease correspondence after the recipient opts out of the mailing list.
Although the CAN-SPAM act was devised with honorable intentions, the law as it stands today is effectively useless and virtually unenforceable. For one, the act does not require the sender to get permission to email the recipient beforehand, placing the onus of opting in and out of these campaigns on the end user. What's more, the act also preempts state legislation, which could enact stronger supplementary consumer protections, and forces recipients to sue spammers under laws drafted prior to the advent of email.
"[Can-Spam] is an abomination at the federal level," Stanford law professor Lawrence Lessig told an assembled conference audience in 2004. "It's ineffective and it's affirmatively harmful because it preempts state legislation."
"There's been no reduction in the volume of spam," Scott Chasin, MX Logic's chief technology officer, told PC World later that year. "In fact, the exact opposite -- our spam rates are actually going up."
The tech industry is also working to mitigate the problem. In 2004, Bill Gates -- once touted as the world's most spammed person -- proudly declared that Microsoft would eradicate the scourge of spam within two years.
"Two years from now, spam will be solved," Gates told delegates at the 2004 World Economic Forum meeting. "In the long run, the monetary (method) will be dominant."
His tri-tiered plan first called for more robust filters to be implemented, schemes that could authenticate senders using a challenge-response system. Second, the plan would enable "tarpitting" where the delivery of emails from unknown senders is drastically delayed. Finally, Gates advocated for email "stamps" which would inflict a small monetary charge against the emailer if the recipient marked it as spam. But, just like his prediction that Microsoft would eventually outcompete Google on internet search, Gates' anti-spam plan didn't shake out quite the way he figured it would.
Instead of stamping out spam entirely, the situation has become an arms race with service providers like Microsoft and Google working to devise ever more stringent filters and spammers striving to circumvent them.
"I think it's always been an arms race," Haley remarked. "That's not new. The arms are getting better, the fights are getting bigger."
"It's still a problem that happens at scale," Kumaran noted. "Gmail blocks about 10 million spam emails a minute." The system also blocks around 100 million phishing attempts daily, he explained. A whopping 68 percent of those are based on techniques and methodologies that Google engineers have never seen.
As such, Gmail relies heavily on filtering and machine learning systems to keep spam from reaching a user's inbox. "We have a very robust spam filter," Kumaran continued. "It's something that's been around since the inception of Gmail, and we've evolved that as the space has changed. We had some very early adoption of machine learning and I think it's been an extremely useful feature for us."
Google furthered the state of the art of spam mitigation this February when it introduced a new filtering system based off the company's TensorFlow ML library. The filter is built to detect some of the most difficult to spot types of spam including "image-based messages, emails with hidden embedded content, and messages from newly created domains that try to hide a low volume of spammy messages within legitimate traffic," Kumaran wrote earlier this year. It does so by looking for subtle trends in large scale data sets, basing its judgement of whether or not a message is spam on thousands of individual potential signals. The new system is already spotting and stopping an additional 100 million spam emails everyday from reaching Gmail's 1.5 billion users.
While Gmail now blocks north of 99 percent of spam emails from reaching your inbox, scammers are already hard at work subverting your Google calendar instead. As reported by CBS News in August, this trick exploits the deep functional integration between the two services automatically adding event reminders to your calendar as soon as the email appears in your inbox. Clicking on the event doesn't just expose the user to whatever big dick energy herbal boner pill is being hawked, but also confirms to the scammer that the email address is active.
Unfortunately, there is no magic bullet for solving this problem. No single filter, no matter how robust or capable, will likely ever completely eliminate spam entirely. Instead, Haley advocates for a combination of technological advancements and continued public education.
"I think there's certainly technological advances that we leverage and will continue to push that space and that boundary," Kumaran said. "I think there are roles for multiple organizations to play. But ultimately, there's there's a lot of interests that are aligned towards the same goal, which is making sure that spam and malicious email never sees users' inboxes. And so I think pushing all of these actions at the same time will be the most effective method."
The power to end this era of spam email may ultimately lie within the users themselves. "If at one point the bad guys move on," Haley said, they'll do so "probably not because security gets really good, but because the users have moved on -- the users are now on social media and messaging each other that way. So if you really want to get people, you need to go where they are."