[ih] Why is there (still) spam...?

[Dave Crocker]

On 7/28/2025 4:20 PM, Jack Haverty via Internet-history wrote:
> I even receive email allegedly sent by me, but that I never wrote. Or 
> email from what looks like a legitimate person or company, but isn't 
> actually from them.  The "known correspondent" technique isn't helpful 
> for such things.
>
> But it wasn't always this way.

By some measure, yes it was.

People were always able to use whatever name in the From: field they 
wanted.  They were always able to put anything they wanted in the 
Subject: field and the body.

The most important difference is that in a small, tightly-knit, closed 
society it quite a bit easier to ensure accountability and control than 
in a much larger, open and diverse communit.



> Back in the ARPANET era, in order to use the 'net you had to be 
> authorized.

Heh. Consider this for a moment.  Everyone who uses the net today needs 
to be 'authorized'.  The venues for authorization have expanded quite a 
bit and the rules for authorization have changed quite a bit.  But 
everyone gets authorized.



> Computers were attended by armies of administrators and operators, who 
> protected their expensive resources with the technology of the day, 
> such as passwords and quotas. 

That does not sound like what I remember hearing about, for the 
operations and use of some of the MIT research computers...



>  To "log in" to a computer you needed to have an account, and an 
> associated password.
>
> The computer knew who you were, and was required to enforce rules for 
> use of the 'net.

Oh?  What sort of code was there, in these machines, that enforced the 
rules for use of the net?  I don't recall hearing of any system that had 
software enforcing such rules.

Interestingly, at Rand, circa 1976-8 when I was there, there was 
something almost like that.  But it was a Rand internal policy, stemming 
from their requirement that every single piece of paper that left the 
building be vetting by a special office.  My understanding was that this 
did not have to do with 'security' but was for brand protection, since I 
was told that Rand's real value was in being credible.

(I of course thought this absurdly onerous, but the first time I had to 
get some paper document or letter shipped quickly, their processed 
delayed me only maybe 15 minutes.  Color me impressed.)

Anyhow, they required the same ability for email.  We tried to explain 
that email was more like a phone than postal mail, and we finally got 
them to agree to a copying mechanism, rather than actual serial, 
gatekeeping.  And they permitted a switch to turn this on and off.  When 
on, they got a copy of every email that went out.

When we put this into place, it was of course set to on.  I don't 
remember when they turned it off, but it was not more than a few days.  
And I never saw it turned on again...


> Technology also developed.  Mechanisms such as "digital signatures" 
> were invented, which seemed promising as replacements for the old name 
> and password schemes.  Protocols, algorithms, and procedures were 
> invented, and even implemented in many popular user programs.
>
> Yet today I rarely receive any email that uses such technologies. It's 
> allegedly available "on the shelf", but few people seem to use it.

Over the open Internet, the usability of these authentication mechanisms 
remains poor.



>  Other aspects of the 'net seem to have successfully evolved to use 
> such modern tech.  For example, websites now often use https rather 
> than the original http, with "certificates" providing some guarantee 
> of authenticity and privacy.
>
> But email is different for some reason. 

Arguably, it isn't really different.  Scamming is on the Web, too.  And 
lots of other apps.

The problem is thinking that 'technology' can prevent human crime and 
the like.  It can't.



> Why is there (still) spam? 

Because there are still bad actors.


d/

-- 
Dave Crocker

Brandenburg InternetWorking
bbiw.net
bluesky: @dcrocker.bsky.social
mast: @dcrocker at mastodon.social