Martin Lee, senior software engineer, Symantec Hosted Services
Martin Lee, senior software engineer, Symantec Hosted Services
Jan. 23 is an auspicious date in the cybersecurity industry. On this day in 2004 at the World Economic Forum, Bill Gates proclaimed that, “Two years from now, spam will be solved." Six years later, approximately nine out of every 10 emails are spam and there is no indication that the spam problem will ever be solved. So what went wrong?

The techniques that Gates referred to in 2004 seemed promising at the time. Technical advances would mean that the identity of the email's sender could not be forged. Puzzles, today known as CAPTCHAs (Completely Automated Public Turing test to tell Computers and Humans Apart), would be introduced requiring humans to solve a string of letters before an email could be sent.  The intent was to frustrate software that would not be able to solve the challenge. Additionally, payments would be introduced so that the recipient of an email could charge the sender for reading their marketing emails.

Unfortunately the payment idea never took off. Spam became increasingly associated with criminal activity rather than legitimate marketing, and the criminals didn't see the point of paying for something that they could do for free. The introduction of privacy and anti-spam laws forced legitimate marketing companies to move toward an opt-in system where the recipient consented to receive emails.

The concept of CAPTCHA has become widely accepted. Almost all webmail or social networking systems require new users to enter into a box a series of characters or words contained in a distorted image before they're allowed access to the system. These puzzles are designed to prevent the automated systems used by spammers to gain access to the system to abuse it by providing a challenge that is supposedly easy for a human, but impossible for a computer.

Unfortunately the ingenuity of spammers and the lure of making money through spamming by solving these puzzles with a machine have presented a new challenge. The concept itself has fallen prey to advances in computer pattern recognition and ultimately proved no barrier to spammers. Currently almost all CAPTCHAs can be solved by spammers' software, often much quicker and with greater ease than humans can.

Authentication schemes would allow the sender of a message to be identified beyond all doubt using mathematically proven cryptographic techniques. While this possibility generated much excitement, spammers continue to exploit its weaknesses rendering the technique less useful than it might have been expected to be in 2004.

Spammers have created their own domains, including email authentication, so that they can bypass identity checks. The result is that victims received mathematically proven cryptographically signed spam. Essentially, the spammers could create new domains from which to send emails faster than people could keep track of the domains – making it almost impossible to block the spammers' domains.

When spammers could break the puzzles that previously kept the webmail services free of spam, spammers could send millions of spam messages from the services that included email authentication. The result being, we still get spam pushing weight loss medication from a legitimate webmail account that can be verified and the battle against spam continues no matter what we may have hoped for in 2004.