Olly

Canning the new variant of spam

Spam was solved for a while but it's back with a vengeance. Where do we go from here?

Photo by Hannes Johnson

I got my first email address in 1992. It was something like owh@cs.notts.ac.uk and I had to log into a Solaris terminal on the 13th floor of a loathsome, brutalist high rise to access it. I’d sometimes get email from my CS tutor and occasionally digital pen letters from random American students at curiously named colleges like Brown and Penn State that I’d met in obscures IRC chat rooms late at night in the lab. That sounds a lot more creepy than it actually was, I promise.

In the three years that I had this academic email address I don’t remember receiving a single spam. Maybe spam didn’t exist yet. Or maybe spammers were active but didn’t yet have the luxury of harvesting gazillions of legit email addresses for a few ETH on the dark web. To be honest, even if an entrepreneurial GenX crime syndicate did try and sell me Viagra (which didn’t exist), they couldn’t extort money from me because e-commerce hadn’t been invented. Plus I had no money.

My next email was something forgettable that I didn’t really use and was forced upon me by a dial-up ISP. After that, I think, I got a Hotmail account along with tens of millions of other people. And because of cgi-bin and SSL, extortion was in reach. And thus, email spam was born.

I changed email providers from Hotmail to Yahoo to Gmail and spam was never that much of a problem. It turns out spammers quickly met their match with Bayesian algorithms and so it stayed for many years. In the past few years, things have started to change. More and more emails are hitting my work inbox that I wouldn’t consider classic spam but were unsolicited all the same. At first they made me feel popular – here were sales people who had heard of me and figured I was in the market for their enterprise products! Why thank you! Naively, I even replied to some of them to say thanks but no thanks. I diligently clicked on their unsubscribe links for a while, until I realised this verified my existence which gave the crims a real taste for blood, leading them to triple-down on me. I tried blocking the senders, but the sea level kept rising. I ended up giving up, marking them as spam which worked to some degree but because the emails are technically (semantically) legit, the spam filters really struggle, increasing false positives while leaving a large chunk of dodgy emails in my inbox.

Spam not spam

These new emails are spam (they’re unsolicited email after all) that is probably sent by bots, but rather than broadcast to millions in bulk they’re being far more targeted. The senders are still peddlers but rather than Viagra, they’re peddling recruitment, cloud products, offshore dev teams and advertising opportunities. They’re not classic spam as we know it, they’re a new and more virulent variant.

Unfortunately it doesn’t look like we’re going to eradicate this new spam generation with traditional filters any time soon. You can free your inbox with this one neat trick but you need to combine this with some additional brute force. You can block senders but it won’t be very effective – every nu-spam seems to always come from a unique address. Those who are technically inclined can wrangle Gmail filters and contacts to create an allowlist so you block every sender other than those in your contacts, then gradually build it up over time. This is painfully draconian, but it’s the only option I can think of. It’s worth noting that this is the approach taken with The Screener in HEY – you have to verify every sender before the mail hits your inbox.

The fact we’re reduced to this experience and inconvenience reflects badly on email which is a shame. Email services (or email clients) can help solve this, but most of them currently don’t, or won’t. I think we’ll see this start to change. Email isn’t going away and supposed challengers to email such as WhatsApp have started to encounter similar problems. Email has endured worse in the past and it will overcome this latest breed of attacker just as it did the last time.