Is spam trying to tell us something?

While overall email spam volume is down, the "spray-and-pray" tactics of old have been abandoned for surgical strikes. Photo / 123RF

The oracles are screaming. They wave around their yield curves and their poll results and their images of ice and fire. Every headline is a forecast. Every stray observation supports a theory. Something is about to happen. (But when?) Many things are about to happen. (And here's why!) Nobody is sure they know anything, but everyone is worried that someone knows something. Summer will soon be over, but prediction season has just begun.

In the midst of a raging stream of news-as-prophecy, marketing-as-prophecy, and entertainment-as-prophecy, I've found some comfort in a space that's been operating at a similar pitch for decades, all prediction and promise and clues and theories, but at a slightly lower volume and mostly out of sight: my spam folder.

Remember spam? Maybe you haven't seen it in a while, at least not like you used to; email providers like Google, Yahoo and Microsoft have mostly succeeded in filtering out junk from our inboxes. It hasn't always been this way.

Spam took off with the consumer internet. By the early 2000s, it had become an object of obsession for technologists and lawmakers alike: Bill Gates declared war on it, and President George W. Bush signed into law the Can-Spam Act of 2003, which was meant to rein in the increasingly unwieldy category of unsolicited commercial email.

Ye olde spam

At the end of that year, AOL shared a list of the prevailing spam subjects, a collection of material that should sound familiar to anyone who had an inbox at the time. The list included some spam perennials — back-of-the-magazine junk, adapted for the web:

• Work from home (also: "be your own boss")

• Hot XXX action (also: "teens," "porn")

• Get bigger (also: "satisfy your partner," "improve your sex life")

It also included some timelier subjects:

• Get out of debt (also: "special offer")

• Online degree (also: "online diploma")

• Lowest mortgage rates (also: "lower your mortgage rates," "refinance," "refi")

As a warning of what was to come — or as a cynical investment strategy — you could do worse, in 2003, than focus on subprime loans, refinancing and online degrees. The spam folders of 2003 drew the future in caricature: scam loans, scam colleges and debt, debt, debt.

"You could basically tell a lot of big stories about the world at the time by looking at how they were perturbing the spam space," said Finn Brunton, a media studies professor at New York University and the author of Spam: A Shadow History of the Internet.

Chester Wisniewski, a researcher at the security software company Sophos, describes spam as a "culture of reflection." As a form of down-market advertising, spam plays off mainstream trends and base desires. As a vector for scams, spam tells more specific stories, too.

"Back in 2001 and 2002, the scams were about 9/11," he said. "If we look at them a year and a half ago, it's 'you won't believe what Bill Clinton and Hillary Clinton did.' " During the Obamacare era, Wisniewski said, "Canadian" pharmaceutical spam changed gears, leveraging worries about the health care crisis to sell heart medicine and diabetes medications.

"They're shipping from the same factories in Chennai as the fake penis pills," he said. "This is no longer a luxury spam about how you might please your partner. This is about staying alive."

Speaking of penis pills: What to make of the most notorious spam type of the early 2000s, so common that it appeared on AOL's list twice, as "Viagra online" and "Online pharmacy?"

Viagra spam — much of which was purely fraudulent — didn't lead national interest in "male enhancement," but instead followed memorable, widely distributed advertising campaigns on TV, radio and in print. Today, the clearest heirs to the legacy of the endless "C1al1$," "VI-@gra" and "R0ga1ne" messages — not to mention pitches for weight-loss pills and magical vitamins — are lavishly funded startups that hawk white-label vitamins, or newly generic erectile dysfunction and hair-loss pills, saturating social media feeds, subway cars and billboards with winkingly provocative subject lines.

The financial spampocalypse

A few years later, in 2007, as the next financial crisis loomed, male enhancement met its match, at least for a moment. According to a report from Bitdefender, a cybersecurity firm, the most common text-based spam subject was still "drugs (sex-related)." Spammers, however, had recently shifted tactics. "Image spam is now the medium of choice," the report said, describing messages in which text was hidden inside image files. Of the new image-based spam, the firm said, 75 per cent concerned a single subject: stocks.

The closer to the present we get, the less confident, and more paranoid, the spam folder sounds. In 2016, according to Kaspersky Lab, a Russian cybersecurity firm, notable spam trends included direct solicitations from (purported) Chinese factories, which, despite their irrelevance to most recipients, reached countless millions of people. Then, of course, there was the election.

"Donald Trump became one of the main topics for the majority of spam emails related to politics," the company said in mid-2016. "In these emails, spammers told their targets about Mr. Trump's unique methods of making money and invited them to copy Mr. Trump with their own business."

So what does this mean for me?

Absent the benefit of hindsight, the spam folders of 2019 are, naturally, the hardest to read. Spam has proliferated across many more platforms than email, of course. In recent years, spammers using automated calling software have rediscovered the telephone. While overall email spam volume is down, Wisniewski described a spamscape of slick scams and paranoia, where the "spray-and-pray" tactics of old have been abandoned for surgical strikes.

"The quality is up," he said. "We're seeing less and less of the 'buy my Viagra' messages and more of the personalised, specific, tailored stuff." Not unlike big tech companies facing stalled user growth, spammers are focusing on getting the most out of the people they know they can reach.

And while our politics and news media is fixated, at least for the moment, on various forms of financial and political apocalypse, the loudest warnings in our spam folders concern the internet itself.

"There is quite a lot of abuse around popular mail brands, including Microsoft and Google," Wisniewski said. The migration of personal data to massive cloud companies has sharpened spammers' focus, leading them to double down on phishing and ransom. It's not just Gmail and Facebook and online banks and Amazon — it's Salesforce, DocuSign and Slack. It's the Clinton email hack, now coming for everyone.

"The problem of spam, historically, was volume," Brunton said. With the emergence of phishing, "the problem moves from volume to evaluation."

To be subjected to spam is to be confronted constantly with disorienting questions about what's real. It's exhausting and demoralising. Much of the spam now is, in effect, about spam, scams and privacy. One of the most effective tactics to gain access to a recipient's social media account, or bank account, is to tell them it's already been hacked. "The drumbeat of paranoia is the context for its success," said Brunton.

The new extortionists

Here's what my own junk folder wants me to believe, in August of 2019: Big pharma doesn't want me to know about CBD oil. There are millions of women waiting to meet me on dozens of dubious apps. There are many, many opportunities in cryptocurrency. My Bitcoin wallet, which does not exist, has been hacked. And, of course, there is some very cheap mail-order Viagra and Cialis available. Would I like some?

The rest of the messages are uncanny. There is little of the surreal, double-translated tone that defined spam for so many years. The copy is clean. The voice is professional. There is no exuberance, and there are plenty of familiar warnings: I've been hacked, I missed a message, someone has logged into my account. It's a collection of messages that doesn't so much predict a financial or societal crisis as suggest that we're deep in the throes of one, or many, already. The days of "get rich quick" and "get sex now" are passing, replaced with "find financial relief," "don't be alone" and "WARNING!"

The most bracing form of spam I get comes a couple times a month. The subject lines are unprintable, not because they're profane, but because they're actual old passwords of mine, gleaned from one of the dozens of notable data breaches of the last decade: maybe LinkedIn, Tumblr or Dropbox. The message bodies tell me I've been hacked, or that my computer is now under the control of malicious software. The spammer has a webcam video and promises it's humiliating, but he will keep it to himself — for a price.

It's a good scam — better targeted and executed, frankly, than the one that thwarted a presidential campaign — delivered at the scale of spam. It's also an occasion to imagine what a real privacy crisis might look like, and to make it less abstract. My spammer oracle says this: If this is what one entity can accomplish with a few scraps of personal data gathered up from hacks and breaches they didn't even perpetrate, imagine what a sufficiently motivated party could do with something better. Say, data collected directly. Or, best of all, data users gave up voluntarily, to companies — or campaigns, or governments — they thought they could trust.

Written by: John Herrman

© 2019 THE NEW YORK TIMES