The History of Email Spam

On May 3, 1978, Gary Thuerk sent the world’s first spam email. Thuerk was a marketer at Digital Equipment Corporation (DEC), and his unsolicited email reached approximately 400 ARPANET users. According to legend, this email resulted in an impressive $13 million in sales, clearly demonstrating the power of email marketing, even in its rudimentary form.

The commercial success of Thuerk’s email is widely regarded as the birth of spam. This seminal event marks the beginning of our own history of email spam. While the email allegedly generated significant sales, it also sparked complaints from many recipients who had never received an unsolicited message before.

While it's commonplace today, the "From" header was an important development in email marketing history. Not only does the "From" header help to increase the authority of emails, it has been exploited by bad actors to trick consumers. This specification can be traced back to RFC 922 in 1982.

If you doubt the power of email communications, consider how governments reacted to this new medium. In 1986, the U.S. government extended restrictions on wiretaps to include electronic messages in direct response to growing concerns about privacy and unsolicited messages.

The Morris Worm was one of the first worms distributed via the internet. It highlighted, unfortunately, the vulnerabilities of connected systems and the potential for email to serve as a vector for spreading malware. Originally, it was not meant to be malicious–rather just gauge the size of the internet–but due to a programming error, it replicated excessively, fatally slowing down the host computer.

Tim Berners-Lee proposed the creation of the World Wide Web in 1989. It was implemented in 1990, and, as they say, the rest is history.

Of course, the advent of the Web set the stage for a new age of digital commerce. Growing from humble origins in labs worldwide, the Web has become a juggernaut of commerce, generating trillions of dollars every year. With this opportunity, email spammers had plenty of incentive to trick consumers.

Evolving from its origins as ARPANET, the internet was hosted on private networks. By the late 1980s, however, the internet started to be publicly accessible via the first Internet Service Providers (ISPs). The rapid spread of this technology into the public domain encouraged commerce as well as spammers.

Phil Zimmerman created PGP in 1991 introducing a method for secure communication over the internet which included secure email transmissions. The history of PGP itself warrants its own post – from its usage by political activists to a criminal investigation by the US government. Check out the Wikipedia entry!

AOL was one of the earliest and most recognizable email providers in the 1990s. From its iconic notification, "You've got mail!" to its widespread adoption, AOL was a mainstay of the internet in the 1990s.

While email gained popularity in the 1990s, so too did the rise of bad actors and spam emails. One of the largest and most influential internet service providers in the United States in the 90s, AOL was at the forefront of the fight against spam. In 1994, AOL introduced automated spam filters to its email system. These filters were designed to detect and block spam before unsolicited emails reached customers' inboxes.

The “Green Card Lottery” spam event is significant due to its scale and the negative public reaction it received. This event wasn’t perpetrated using email; instead, spam messages were distributed over Usenet, an early discussion board. The message was directed at individuals hoping to apply for the U.S. Green Card Lottery—a legitimate immigration program.

The campaign was run by Laurence Canter and Martha Siegel, two lawyers who were seeking to advertise their services. Clearly, it wasn’t well thought out, as users blocked the two from posting on Usenet. This event, and others like it, signalled the need for regulatory action and served as the catalyst for laws like the CAN-SPAM Act.

The introduction of heuristic filtering in the mid-1990s represented a significant development in the fight against spam. New automated filtering gave ESPs the ability to prevent spam messages from getting through to consumers.

Heuristic filters work by assigning scores to different elements of an email. If the score is above a certain threshold, the email is flagged as spam. Attributes scored include the presence of keywords, the ratio of text to images, the use of capitalization, and other spam indicators. Heuristic filters helped reduce false positives, meaning legitimate emails were less likely to be classified as spam, while also increasing overall accuracy.

Founded in 1996, the Mail Abuse Prevention System (MAPS) is a non-profit organization focused on preventing email spam. The organization is not without controversy, as it found itself in court over the publication of its anti-spam blacklist.

MAPs maintained the Real-time Blackhole List (RBL), a directory of domain names, email servers, and IP addresses that are recognized spammers. This organization is significant as one of the first groups to provide a community-driven solution to combat spam through blacklisting.

The term "spam" was officially recognized in the New Oxford Dictionary, defining it as irrelevant or inappropriate messages sent over the Internet, highlighting its prevalence.

First appearing in March 1999, the Melissa virus was distributed through infected Microsoft Word document attachments. When a user opened the infected document, the virus executed a macro that forwarded the document to the first 50 contacts in the user's Outlook address book. The virus rapidly spread to other email users.

Its rapid spread overloaded email servers due to the volume of emails automatically sent by infected systems, quickly affecting organizations and individuals worldwide. It’s estimated that the Melissa virus caused $80 million in damages. The virus’s creator, David L. Smith, was arrested and sentenced to 20 months in federal prison.

First introduced in the late 1990s, Bayesian filtering techniques gained widespread adoption in the early 2000s. These techniques are based on Bayesian probability developed by Thomas Bayes in the 18th-century. In essence, Bayesian probabilities relies on starting with an assumption and then refining that assumption as more information becomes available.

The adoption of Bayesian filtering in email spam helps to detect and block messages. The filter works by incorporating a training phase where the filter is trained by analyzing a large volume of legitimate and spam emails. This helps builds out the initial statistical model. Next, a scoring system is used to assess the likelihood the email is spam. Then, a threshold score is put in place where any email over that score is flagged as spam and blocked.

Despite the adorable name, the ILOVEYOU virus that appeared in May 2000 caused widespread damage across the world. Estimates of the economic damage range from a whopping $5 billion to $10 billion. The ILOVEYOU virus was spread via email through an email attachment named "LOVE-LETTER-FOR-YOU.TXT.vbs."

The US government endeavoured to put the spam back in the can with the 2003 CAN-SPAM act. The act established national standards for commercial emails and required the Federal Trade Commission to enforce these rules. This represents a major step in the legislative and regulatory fight against spam.

The introduction of the Sender Policy Framework (SPF) marked another significant security advancement in the battle against email spam. This framework was designed to provide a validation system to prevent email spoofing by having domain owners publish SPF records in their Domain Name System (DNS) settings. In effect, this was like proclaiming that email from a particular address was valid and legitimate, whereas any email from other addresses was suspicious.

The Sobig worm once again highlighted the vulnerabilities of email systems and the effectiveness of email as a channel for distributing malicious software. Spread through email attachments, it often disguised files with enticing names, and the emails had ordinary subject lines like “Re: Details” or “Thank You!”

The deception resulted in economic damage amounting to hundreds of millions of dollars. The sheer volume of emails generated by the Sobig worm slowed networks, impacting businesses and individuals worldwide.

The Mydoom worm has the distinction of being one of the fastest-spreading email worms at the time. It was first detected in January 2004 and it quickly spread across the world, causing an estimated $38 billion in damages. It infected an incredible 1 million computers with the first 24 hours of its release!

Microsoft introduced Caller ID for Email in 2004 aimed at improving security by verifying the domain of email senders. Using domain verification has become a tried-and-tested way to combat spam by validating legitimate email senders. Like other verification standards, Caller ID for Email required domain owners to publish DNS records specifying which IP addresses were authorized to send emails on behalf of their domain.

This initiative was part of a larger push towards the development of Sender ID which combined key elements of Caller ID for Email and SPF.

The result of collaborative efforts led by Microsoft, Sender ID addressed some of the limitations of SPF to provide a framework for verifying the identity of email senders. The goal of SPF and Sender ID was to prevent email spoofing, and Sender ID added a check of the Purported Responsible Address (PRA). The way Sender ID handled PRA checks helped enhance SPF by reviewing both the envelope sender—part of the SMTP transaction that isn’t visible to email recipients—and the “From” address.

Sender ID didn’t become widely adopted, in part due to the complexity of setting it up. However, it did spur further innovation in email authentication and demonstrated the increasing importance of addressing spoofing and phishing.

Google's introduction of Gmail included innovative spam filtering techniques that became a benchmark in the industry, significantly reducing the impact of spam on users.

Founded in 2000, IronPort Systems specialized in email and web security, but it quickly gained a reputation for its innovative solutions for combating spam, malware, and other email-borne threats. Cisco acquired IronPort for $830 million in January 2007, representing both a major acquisition and a significant addition to Cisco's suite of security products.

Greylisting is an anti-spam technique that temporarily rejects emails from unknown senders, requiring the sending server to retry delivery after a delay. This helps identify spam email servers, as legitimate email servers will try to resend the message, whereas spam servers will not. Once the email is resent, it will be permitted and sent to the recipient’s inbox. While not perfect, as email spammers can develop workarounds, greylisting is used in conjunction with other security methods.

The "Storm Worm" earned its name because many of the initial emails spreading the virus had subject lines referencing a storm, such as "230 dead as storm batters Europe." The worm spread through email attachments, disguising itself as news reports or other enticing content. Unfortunately, in an all-too-familiar story, users who opened the attachment inadvertently installed the Trojan on their systems.

The Storm Worm is remarkable in part because of its social engineering practices used to entice users to open the email and download attachments.

DomainKey Identified Mail (DKIM) was another significant advancement in email security, providing a method for verifying the authenticity and integrity of email content. It works by generating a unique cryptographic signature based on the email's content and headers. This signature is then attached to the email as a DKIM-signature header. The email sender publishes a corresponding public key in their domain’s DNS records, allowing ESPs to cross-check signatures.

DKIM quickly became an industry standard and has been adopted by major email providers and organizations to improve email security.

The late 2000s saw the introduction of CAPTCHA technology to help combat spam and automated abuse. CAPTCHA stands for “Completely Automated Public Turing test to tell Computers and Humans Apart” and requires users to pass a test to determine if they are human or a robot.

CAPTCHA remains widely used today and has been a powerful tool in the fight against spam.

The adoption of cloud-based email security services represented a shift in how organizations managed and protected their email communications. The exponential growth of email traffic in the 2010s was matched by an increase in the volume and sophistication of spam, phishing attempts, and other malicious activities.

Cloud-based services are hosted solutions that provide protection against common email threats. Operated in the cloud, they can rapidly scale to meet organizational requirements, unlike traditional on-premise hardware and software. Benefits of this approach include scalability, cost efficiency, and automatic updates to address new threats as they emerge.

Named after the misleading subject line it used, the “Here You Have” virus spread rapidly through email systems. It exploited human curiosity by enticing users to click on what appeared to be a PDF document. Instead, users were directed to a malicious executable file. Like many other worms in history, it downloaded contacts and self-replicated by sending itself to all contacts in the user’s address book.

Introduced in 2012, Domain-based Message Authentication, Reporting, and Conformance (DMARC) is an email authentication protocol that works with SPF and DKIM. DMARC is important because it allows domain owners to specify policies for handling emails that fail authentication checks, providing a mechanism to prevent fraudulent emails and offering reporting capabilities.

DMARC is an essential component of email security, enjoying widespread adoption and proving to be an effective method for combating phishing and spoofing attacks.

Enacted in 2014, Canada’s Anti-Spam Legislation (CASL) is considered one of the toughest anti-spam laws in the world. The act applies to all commercial electronic messages sent within, from, or to Canada. It carries hefty penalties for violations, with fines up to $1 million per violation for individuals and $10 million for companies.

How we interact with email or any technology is unique and creates a pattern. Behavioral biometrics involves the identification and authentication of users based on behaviors rather than physical attributes. Instead of a fingerprint, you can be identified by how you interact with email. This type of pattern analysis is used in email to detect anomalies, such as a login from an unfamiliar location, which could indicate a threat.

Integrating behavioral biometrics into email security has been effective at thwarting attackers and providing an additional layer of defense. This approach provides real-time threat detection, allowing organizations to respond quickly by identifying and isolating compromised accounts.

The sheer volume of email communications presents a significant challenge for spam detection at scale. In the mid-2010s, the implementation of neural networks added a potent new weapon to the anti-spam arsenal. Neural networks have an advantage over rule-based spam filters because they continuously learn and evolve based on the analysis of vast datasets. The benefit isn’t just blocking potential spam messages; it’s also ensuring that legitimate emails don’t get incorrectly flagged as spam.

Concerns about data privacy were a central theme of the 2010s. By the mid-2010s, advanced encryption techniques for email significantly improved the security and privacy of digital communications. Key legislation like GDPR required organizations to protect data in transit and at rest, and encryption became essential for both compliance and security.

Encryption techniques saw widespread adoption, with tools like PGP (Pretty Good Privacy) and S/MIME (Secure/Multipurpose Internet Mail Extensions) becoming more accessible to the average user.

The introduction of Email Authentication, Reporting, and Conformance (ARC) in 2016 was another significant step forward for email security. It was developed to ensure that email authentication was preserved when forwarding authenticated emails. It works by attaching a series of headers to the email with the original authentication checks to allow for downstream servers to independently verify the origin of the email.

One of the most widespread and impactful ransomware strains of the 2010s, Locky ransomware caused havoc for users and businesses. Locky worked by encrypting files on the victim's computers and then demanding a payment in Bitcoin for the decryption key. It spread through email campaigns enticing users to download attached files that appeared to be invoices, receipts, or other typical business files.

Like Locky in 2016, the WannaCry ransomware encrypted files and demanded Bitcoin in exchange for decryption keys. The attack is significant not only for the widespread damage it caused, but the exploitation of a vulnerability. To Microsoft's credit, it had recognized and fixed the vulnerability, but many organizations hadn't applied the update leaving them exposed to the WannaCry ransomware.

Adopted by the European Union in April 2016, the enforcement of the General Data Protection Regulation (GDPR) began on May 25, 2018. GDPR represents one of the most significant pieces of legislation in the history of email marketing. It had an immediate global impact, regulating how organizations could interact with residents of the EU.

One of the key provisions for email marketing was the requirement for explicit, informed consent before collecting or processing personal data, including email addresses. Additionally, organizations must provide opt-out mechanisms and uphold data subject rights, including the right to access, correct, delete, or restrict the processing of personal data.

BIMI helps to authenticate legitimate brands by displaying brand logos alongside their messages in the inbox. This is aimed at increasing trust and making it easier to identify authentic emails. Learn more about BIMI here.

The COVID-19 pandemic provided an opportunity for bad actors to exploit consumers, leading to a surge in email-based phishing attacks. Unfortunately, despite technological and security advancements, many phishing attacks used social engineering to deceive consumers.

In response, organizations around the world placed greater emphasis on cybersecurity and began investing more in training and education. The ability to recognize and respond appropriately to phishing attacks is a key focus of modern email and cybersecurity training programs.

A surge in email-based phishing attacks exploiting the COVID-19 pandemic, which included malware and misinformation, emphasizing the role of timely cybersecurity measures in times of crisis.

Part of its iOS 15 update, Apple announced its Mail Privacy Protection (MPP) feature. As a direct countermeasure to concerns over user privacy and the increasing use of tracking technologies in email marketing, MPP limits marketers’ ability to track user information through invisible tracking pixels.

Zero Trust Architecture (ZTA) is a framework that assumes no entity can be trusted by default. Instead, every access request must be verified before access is granted, whether it’s a login or an email communication. ZTA helps reduce vulnerabilities by requiring more stringent verification for every action and eliminating implicit trust.

Its adoption is occurring in parallel with the rise of remote work and bring-your-own-device (BYOD) policies. ZTA is still being implemented but enjoys broad support, with 96% of organizations stating they plan to implement it.

Often referred to as the “cookie law,” the EU ePrivacy Regulation addresses confidentiality in communications, including the use of cookies, direct marketing, and unsolicited communications. This regulation updated the requirements for businesses to obtain consent from users before collecting, processing, or sharing data for electronic communications.

One outcome of this regulation was the widespread adoption of cookie consent banners that inform users about cookies and obtain their consent. The EU ePrivacy Regulation requires that businesses not set cookies prior to obtaining consent. In addition, websites must offer clear and concise information about cookie policies in a transparent manner.

Advances in neural networks for spam filtering in the mid-2010s have contributed to the effectiveness of advanced anomaly detection systems. Anomaly detection leverages deep learning to analyze vast volumes of email in real-time.

This data helps systems identify typical email user behavior and recognize deviations from the norm. Advanced anomaly detection systems not only help stop email spam in real-time but also reduce false positives, ensuring that legitimate emails aren’t mistaken for spam.

Ever wonder what happens when you “mark an email as spam” in Gmail? As of 2023, Google implemented a new policy that escalates consequences for email senders who exceed a spam rate of 0.1%. This policy is designed to improve the quality of emails and may have a broader impact as other email service providers adopt similar practices.

In 2023, Apple reinforced its strong stance on user privacy by introducing Link Tracking Protection in iOS 17 and macOS Sonoma. These protections prevent the use of tracking parameters in URLs, which are often used by marketers to track link clicks. While positive for consumers concerned about privacy, the changes pose a challenge for email marketers seeking to measure the effectiveness of their campaigns.

Learn more: Link Tracking Protection in iOS 17 & macOS Sonoma: Important changes for marketers