how does spam work?

Everyone has come across unsolicited messages in their inbox. Certain periods of the year are particularly bad. During the holidays, for example, a full-scale assault is launched on our e-mail accounts:

  • deals on luxury items at unbeatable prices
  • medicine to enhance our sexual performance
  • even the occasional 100 million dollar inheritance from a long lost relative

And among these can’t-miss offers there are sure to be a few viruses and other IT attacks. OK, so everyone knows about spam, but what is it exactly?

no standard tools for securing your inbox

The system currently used to protect your e-mail was developed way back at the dawn of the Internet. In those days, there were a very small number of servers, and almost all admins knew each other (or at least they shared a set of common values). In this environment of relative “trust,” usage remained “normal” and abuse was rare.

However, the explosion in the number of machines and the massive growth of the Internet changed absolutely everything. Sadly, the systems used to send and receive electronic messages have not evolved with the times.

So we’re still using a system originally designed for a world where self-control was the only rule. This has given birth to the Internet as we know it today, where the “law of the jungle” reigns supreme.

e-mail is a digital postcard

Sending a postcard is as simple as can be: just drop it in the mailbox and off it goes. In some ways, mail is the same as email:

  • you can send a postcard to anyone you want
  • no sender address is required (or you can make it up)

What’s different about e-mail:

  • you don’t have to buy a postcard
  • you don’t need to buy a stamp

Here's another important point (that has nothing to do with spam), which many have failed to grasp (you can take my word for it): anyone at all can read what’s written on the card (it’s all in plain view)…

anyone can get his or her own mailbox

Unlike mailboxes on the street, the mailboxes used for e-mail are servers. These servers are called SMTP servers: they’re created by Internet service providers, businesses and anyone with a passion for computing.

In fact, anyone can set up their very own SMTP server.

Once an e-mail is sent to an SMTP server, this server then sends it on to another SMTP server which is in charge of managing the addressee’s inbox (using the DNS system).

SMTP servers set up as open relays

Ordinarily, an SMTP server only handles e-mail addressed to one of its users (or “clients”). Up until a few years ago, the goal was to find open relays that accepted e-mail to or from anyone, which left the door wide open for spammers. Now that most of these open relays have been closed, spammers have had to come up with some new tricks.

the rise of the botnets

If an SMTP server automatically accepts any e-mail belonging to its “legitimate clients,” then spammers just have to pose as legitimate clients to make sure their spam gets through.

The best way to pose as a legitimate client is to infect a machine and control it remotely. And now we meet our enemy: the network of zombie machines known as botnets.

security techniques: senders and receivers

Fighting spam is no walk in the park. It demands a huge amount of resources that have to be renewed continually. Sometimes it can be a pretty one-sided battle…

We’ll see that different techniques do indeed exist to prevent spam on the sender side and to keep it out of your inbox on the receiver side. But that’s for another time!

One last thing: never reply to spam and never purchase any service or item mentioned in spam.


This blog post was originally published in French here.

Photo copyright: texelart -

Jean-François Audenard

Au sein de la direction sécurité du Groupe Orange, je suis en charge de la veille sécurité et de la sensibilisation à la sécurité. Franchise, optimisme et bonne-humeur sont mes moteurs quotidiens