Email spam
Based on Wikipedia: Email spam
In 1978, a marketing manager named Gary Thuerk did something nobody had ever done before. He sent a single message to 600 people on the ARPANET—the precursor to the modern internet—advertising a product demonstration for Digital Equipment Corporation computers. The recipients were furious. Thuerk was formally reprimanded and told never to do it again.
He had invented spam.
Today, 160 billion spam messages are sent every single day. That's roughly twenty emails for every person on Earth, delivered in the time it takes you to read this sentence. The United States leads this dubious competition, firing off 8 billion spam messages daily, with China close behind at 7.6 billion. By 2014, spam had grown to comprise an estimated 90 percent of all global email traffic—a figure that has remained stubbornly high ever since.
Why We Call It Spam
The name comes from a Monty Python sketch.
In the 1970 episode, a couple enters a café where every item on the menu contains Spam, the canned meat product made by Hormel Foods. As the waitress recites the options—"egg and Spam, egg bacon and Spam, Spam egg sausage and Spam"—a group of Vikings at another table begins chanting "Spam, spam, spam, spam" with increasing volume, drowning out all other conversation. The joke is about inescapability. The word appears so often, so insistently, that it overwhelms everything else.
Early internet users saw the parallel immediately. When unwanted messages began flooding newsgroups and chat rooms in the 1990s, they called it spam. The name stuck because it captured something essential about the experience: the sheer, suffocating repetition of messages you never asked for and cannot escape.
The Economics of Annoyance
Spam is what economists call a negative externality—a cost imposed on people who had no say in the transaction. When a factory pollutes a river, the people downstream bear the burden even though they weren't involved in the factory's business decisions. Spam works the same way. The sender pays almost nothing to blast out millions of messages, while recipients collectively spend billions of hours filtering, deleting, and occasionally falling victim to scams.
A 2004 survey estimated that spam cost American internet users $21.58 billion annually in lost productivity alone. The worldwide cost that same year was estimated at $50 billion. These numbers have only grown since.
The asymmetry is staggering. A spammer can send a million emails for the cost of a few hours of server time. If even a tiny fraction of recipients click—one in ten thousand, say—the operation is profitable. The response rate doesn't need to be good. It just needs to be non-zero.
What Spammers Actually Sell
The content of spam has remained remarkably consistent over the decades. Pharmaceutical products—particularly erectile dysfunction medications like Viagra—have long dominated, making up about 45 percent of spam in recent years. Job scams promising fast, easy cash come in second at roughly 15 percent. Diet products, often featuring exotic-sounding ingredients like Garcinia Cambogia, round out the top three.
But the most dangerous spam isn't trying to sell you anything. It's trying to steal from you.
Phishing emails masquerade as legitimate communications from banks, payment services like PayPal, or government agencies. They're designed to trick you into entering your password, credit card number, or other sensitive information on a fake website that looks identical to the real thing. When the deception is targeted—when the attacker uses information they already know about you to make the email more convincing—it's called spear-phishing. A generic email claiming to be from "Your Bank" might not fool you, but one that addresses you by name, references your recent purchase, and includes your partial account number is far more dangerous.
In 2023, 56.2 million people fell victim to these schemes, losing a combined $25.4 billion. The average victim lost $452.
The Arms Race
The battle between spammers and filters resembles an evolutionary arms race, each side constantly adapting to the other's innovations.
When text-based filters became effective at catching spam, spammers responded with image spam—messages where the actual text is embedded in a picture, invisible to programs scanning for suspicious words. These images often contained gibberish text alongside the real message, confusing early detection systems. The technique was particularly popular in the mid-2000s for promoting "pump and dump" stock schemes, where fraudsters artificially inflate a stock's price through mass promotion before selling their shares at the peak.
Filter developers fought back with optical character recognition, teaching their systems to read text within images. Spammers countered with animated graphics that displayed clear text only briefly, or distorted letters the way CAPTCHAs do—those squiggly verification images designed to distinguish humans from bots.
Then there's blank spam: messages with no content at all. No subject line, no body, nothing. Why would anyone send an empty email? Often it's a harvesting technique. Spammers send millions of blank messages to random addresses. When an email bounces back as undeliverable, they know that address doesn't exist. When it doesn't bounce, they've confirmed a valid target. Sometimes blank spam is just a mistake—a spammer who forgot to attach the payload before hitting send. Software bugs and malfunctioning servers contribute their share too. And occasionally what appears blank actually contains hidden code, like the VBS.Davinia.B worm, which propagated through seemingly empty emails that secretly downloaded malware.
The Zombie Apocalypse
Your computer might be sending spam right now without your knowledge.
Modern spammers rarely operate their own servers. Instead, they build botnets—networks of infected computers called zombies. Malicious software, often installed when you click a bad link or download a compromised file, quietly takes control of your machine. It waits for instructions from its controller, then uses your internet connection to send spam, your electricity to power the operation, and your IP address to take the blame.
By June 2006, an estimated 80 percent of all spam was being sent by zombie computers—an increase of 30 percent from the previous year. At that time, 55 billion spam messages were flying through the internet daily, up from 30 billion just twelve months earlier. By the first quarter of 2010, roughly 305,000 new zombie computers were being activated every single day.
Brazil led the world in zombie infections that quarter, responsible for 20 percent of the global total. India contributed 10 percent, Vietnam 8 percent, the Russian Federation 7 percent. These aren't necessarily where the spammers live—they're where computer security is weakest, where outdated software and limited security awareness make infection easiest.
The Legal Labyrinth
Governments have tried to legislate spam away. They have not succeeded.
The European Union's Directive on Privacy and Electronic Communications, adopted in 2002, requires member states to ensure that unsolicited marketing emails are sent only with prior consent—or at least that recipients can opt out. The United Kingdom implemented this strictly: you cannot send unsolicited emails to individual subscribers unless you have a pre-existing commercial relationship or explicit permission.
Canada's Fighting Internet and Wireless Spam Act, which went into effect in 2014, took a similarly aggressive approach. Australia's Spam Act of 2003 imposed penalties of up to 10,000 penalty units for violations.
The United States went a different direction.
In the late 1990s and early 2000s, numerous states passed anti-spam laws. Then came the federal CAN-SPAM Act of 2003, which preempted all of them. The name sounds tough—Controlling the Assault of Non-Solicited Pornography and Marketing—but critics immediately dubbed it the "You Can Spam" Act. The law doesn't ban commercial bulk email. It merely requires that such email include a truthful subject line, avoid forged header information, and provide an unsubscribe mechanism.
In other words, you can spam Americans all you want, as long as you do it honestly.
The results were predictable. In 2004, less than one percent of spam complied with CAN-SPAM. The Federal Trade Commission claimed in 2005 that sexually explicit spam had decreased and total volume was leveling off, but most observers saw the law as a failure. A few high-profile prosecutions made headlines, but they barely dented the flood.
The Fakery Underneath
Spammers are fundamentally fraudsters, and their technical operations reflect this.
They use fake names, stolen credit cards, and fabricated contact information to create disposable accounts with internet service providers. When one account gets shut down, they've already moved to the next. They spoof email addresses with ease because the Simple Mail Transfer Protocol—SMTP, the basic system that moves email across the internet—was designed in a more trusting era. It has no built-in authentication. Anyone can claim to be sending from any address.
Some operators hire third-party companies to send messages on their behalf, creating a buffer between themselves and complaints. Others forge the delivery chain that appears in email headers, making it look like their messages bounced through a series of legitimate servers before arriving in your inbox. The only thing they can't fake is the final hop: the receiving mail server records the actual IP address of whoever connected to deliver the message.
This forgery creates collateral damage. Innocent people find their inboxes flooded with "undeliverable" bounce messages for emails they never sent. Sometimes they're mistakenly identified as spammers themselves. Naïve internet service providers, receiving complaints about an email address, have been known to terminate the accounts of victims who had nothing to do with the spam bearing their name.
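The final-hop rule described above can be applied mechanically when reading headers. The following Python sketch is an added example, not part of the original article: the message, the server name mx.example.net and the function name split_hops are constructed for illustration, and the pattern assumes Postfix-style Received lines.

```python
import re
from email import message_from_string

# Constructed sample. Only the top Received line was written by our own
# server (mx.example.net, an assumed name); the sender supplied the other two.
RAW = """\
Received: from mail.bank.example (unknown [203.0.113.77])
\tby mx.example.net (Postfix) with ESMTP id 4ABC123
\tfor <alice@example.net>; Tue, 02 Jan 2024 10:00:03 +0000
Received: from smtp-out.bank.example (smtp-out.bank.example [198.51.100.10])
\tby mail.bank.example with ESMTP; Tue, 02 Jan 2024 10:00:01 +0000
Received: from workstation (workstation [192.0.2.5])
\tby smtp-out.bank.example with ESMTP; Tue, 02 Jan 2024 10:00:00 +0000
From: "Your Bank" <support@bank.example>
To: alice@example.net
Subject: Account notice

Hello
"""

# "from HELO (rDNS [IP]) by HOST", tolerant of folded (multi-line) headers.
HOP = re.compile(
    r"from\s+(\S+)\s+\((\S+)\s+\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]\)\s+by\s+(\S+)")

def split_hops(raw, our_mx):
    """Return (trusted, unverified) for a raw message.

    trusted    -- the hop recorded by the newest Received line that one of
                  our own servers (our_mx) wrote, or None if there is none
    unverified -- IPs claimed by every older Received line; the sender could
                  have typed these, so treat them as claims, not evidence
    """
    hops = [HOP.search(v) for v in message_from_string(raw).get_all("Received", [])]
    for i, m in enumerate(hops):
        if m and m.group(4).lower() in our_mx:
            trusted = {"helo": m.group(1), "rdns": m.group(2), "ip": m.group(3)}
            return trusted, [h.group(3) for h in hops[i + 1:] if h]
    return None, []

if __name__ == "__main__":
    print(split_hops(RAW, {"mx.example.net"}))
```

Headers are prepended as a message travels, so the search runs top-down and stops at the first line written by our own server; an older line that merely claims to be from that server is never reached.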
The Accidental Backscatter
There's a particularly insidious form of spam that doesn't come from spammers at all. It comes from the good guys.
When an email server receives a message it can't deliver—because the address doesn't exist, because the recipient's inbox is full, because the content looks suspicious—it often sends a bounce notification back to the sender. This is a reasonable courtesy when the sender is legitimate. But spammers routinely forge their return addresses. When a server bounces a spam email, the bounce goes to whatever innocent address the spammer happened to use that day.
The result is backscatter: legitimate email servers inadvertently flooding random strangers with bounce messages about emails they never sent. Because these bounces are generated in bulk and sent to people who never requested them, they technically qualify as spam themselves. Systems that produce excessive backscatter can find themselves blacklisted, blocked by other servers for contributing to the problem.
The Mainsleaze Problem
Not all spam comes from shadowy criminal enterprises operating out of server farms in legal gray zones.
About 3 percent of spam comes from otherwise reputable companies—a phenomenon known as mainsleaze. These are legitimate businesses that buy email lists, match their customer databases against harvested addresses, or simply ignore the niceties of consent in pursuit of marketing reach. They're harder to stop precisely because they're not breaking the law in most jurisdictions. They're just being aggressive, and annoying, and imposing costs on everyone else to marginally improve their own sales numbers.
It's a reminder that spam isn't really about technology. It's about incentives. As long as sending a million emails costs nearly nothing and receiving them costs time and attention from millions of people, the calculus will favor the senders. Every filter you install, every unsubscribe link you click, every second you spend deleting junk—that's the externality, distributed across billions of inboxes worldwide.
The Numbers That Matter
Microsoft founder Bill Gates, according to a 2004 statement by then-CEO Steve Ballmer, received four million emails per year—most of them spam. (This was initially misreported as four million per day, which would have been one every 22 milliseconds.) Around the same time, Jef Poskanzer, owner of the domain acme.com, was receiving over one million spam emails daily. The misfortune of owning a short, memorable domain name in the early internet era.
A 2010 survey found that 46 percent of email users had opened a spam message, though only 11 percent had clicked a link inside. That 11 percent represents millions of clicks per day, more than enough to make the whole operation worthwhile for senders.
The numbers have grown relentlessly. In 2008, more than 97 percent of all emails sent over the internet were unwanted. The Messaging Anti-Abuse Working Group, studying over 100 million mailboxes in 2007, found that 85 percent of incoming mail was "abusive." As of 2018, according to IPwarmup.com, approximately 90 percent of global email traffic was spam.
That last statistic contains a hidden cruelty. When nearly all email is illegitimate, legitimate senders suffer too. Email providers grow aggressive with their filtering. Important messages end up in spam folders. Newsletters fail to arrive. Password reset emails vanish into the void. The bad actors have so thoroughly poisoned the well that everyone drinking from it tastes the contamination.
The Delivery Scam Era
The content of spam shifts with the times.
In the first half of 2023, the most common spam topic in the United States was delivery service messages—over 1.1 billion of them. These are emails claiming your package couldn't be delivered, that you need to update your shipping address, that you must click a link to track your order. They exploit the ubiquity of online shopping and the anxiety we feel about missing deliveries.
It's a clever adaptation. Twenty years ago, spam pretended to offer you Viagra. Now it pretends to have your Amazon package. The underlying principle remains the same: find something people care about, forge a message that seems to be about it, and extract value from the confusion.
Fighting Back
The defenses are imperfect but improving.
Email servers now commonly block dynamic IP ranges—addresses that change frequently, as they do for most home internet connections—making it harder to run a spam operation from your basement. They require forward-confirmed reverse DNS, a technical check that the sending server's IP address and hostname point to each other in DNS, which is evidence that the server is who it claims to be. They maintain blacklists of known spam sources and preemptively block large swaths of suspicious IP addresses.
These measures cause their own problems. Someone trying to run a small legitimate email server from a home connection may find their messages blocked because they share an IP range with past spammers. The cure sometimes affects the healthy tissue alongside the disease.
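The forward-confirmed reverse DNS check mentioned above, as an added Python example that is not part of the original article. The hostnames and lookup tables are constructed so that it runs offline; when no lookups are passed in, it falls back to the system resolver.

```python
import ipaddress
import socket

def system_ptr(ip):
    """PTR names for ip from the system resolver (needs network access)."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
        return [name, *aliases]
    except OSError:
        return []

def system_addrs(name):
    """A/AAAA addresses for name from the system resolver."""
    try:
        return [info[4][0] for info in socket.getaddrinfo(name, None)]
    except OSError:
        return []

def fcrdns(ip, ptr_lookup=system_ptr, addr_lookup=system_addrs):
    """Return the PTR names that resolve back to ip; an empty list means fail."""
    want = ipaddress.ip_address(ip)
    confirmed = []
    for name in ptr_lookup(ip):
        for addr in addr_lookup(name):
            try:
                same = ipaddress.ip_address(addr.split("%")[0]) == want
            except ValueError:
                continue  # resolver returned something that is not an address
            if same:
                confirmed.append(name.rstrip(".").lower())
                break
    return confirmed

# Constructed DNS data (documentation address ranges), so the demo runs offline.
PTR = {"198.51.100.10": ["mx1.shop.example."],
       "203.0.113.77": ["mail.bank.example."]}   # PTR owner can claim any name
FWD = {"mx1.shop.example.": ["198.51.100.10"],
       "mail.bank.example.": ["198.51.100.200"]}  # the real zone disagrees

def demo(ip):
    """Run fcrdns against the constructed tables above."""
    return fcrdns(ip, lambda i: PTR.get(i, []), lambda n: FWD.get(n, []))

if __name__ == "__main__":
    for ip in ("198.51.100.10", "203.0.113.77", "192.0.2.9"):
        print(ip, demo(ip) or "FAIL")
```

The second address fails because whoever controls an IP block's reverse zone can publish any name they like, but only the owner of that name's forward zone can make it point back.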
SMTP-AUTH—authentication that verifies the specific account from which an email originates—has become more common, though not universal. It's one of many patches applied to a system that was never designed with security in mind, built for a smaller and more trusting network than the internet became.
The First Spam
Gary Thuerk, the man who started it all, remained unrepentant. His 1978 message advertising DEC computer demonstrations was, by his own admission, spectacularly effective. The ARPANET had only 2,600 users at the time, and software limitations meant only slightly more than half his intended 600 recipients actually received the message. But those who did were not amused.
The backlash was immediate and fierce. The norms of the early internet prohibited commercial messaging. Thuerk was formally reprimanded by ARPANET administrators and instructed never to do it again. For a while, that was enough. Social pressure and explicit rules kept commercial email at bay.
Those days are gone. The ban on spam is now enforced primarily through Terms of Service agreements and the constant, exhausting efforts of filter developers and system administrators. Peer pressure still exists—few companies want to be known as spammers—but the economics are too favorable, the barriers too low, and the world too large for social norms to hold the line.
What began as one man's aggressive marketing experiment has become a fundamental fact of digital life: a 160-billion-message-per-day reminder that any system designed for cooperation can be exploited by those who refuse to cooperate.