Rob Buckley – Freelance Journalist and Editor

Image spam: In the picture

Spammers are finding new ways to bypass filters, but that doesn't mean you have to let them bombard your inbox. Rob Buckley reports

How the email is constructed can also provide clues. Era Eriksson, senior content filter researcher at F-Secure, says that most spammers use “off-the-shelf” packages developed by nefarious programmers for bulk mailing rather than develop their own software. “'Dark emailers' tend to generate specific-looking emails,” he says. “Superficially, image spams are changing all the time, but there's usually a recurring pattern in other parts of the email, such as headers.” Character-set encoding, the claimed email client used to create the message, specific meta-tags in the HTML, as well as keywords in the header or body of the email can all suggest a message is spam.
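As an added illustration (not code from the article or from any vendor quoted in it), the header and structure clues described above can be combined into a simple score that never looks at the image pixels. The mailer name, charset, keyword, meta-tag pattern and weights are constructed assumptions, as are both sample messages.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Constructed rule values (assumptions, not real spam signatures): a production
# filter would derive these from its own corpus of captured bulk-mailer output.
RULES = {"mailer": 2, "charset": 1, "meta": 1, "keyword": 1, "image_only": 2}
SUSPECT_MAILER = re.compile(r"ExampleBulkMailer", re.I)   # hypothetical client name
SUSPECT_CHARSETS = {"windows-1251"}                       # constructed choice
SUSPECT_META = re.compile(r"<meta[^>]+name=[\"']?generator", re.I)
KEYWORDS = re.compile(r"\bstock alert\b", re.I)

def score_message(raw: bytes):
    """Return (score, hits) from header and structure features only."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = set()
    if SUSPECT_MAILER.search(str(msg.get("X-Mailer", ""))):
        hits.add("mailer")
    if KEYWORDS.search(str(msg.get("Subject", ""))):
        hits.add("keyword")
    visible_text, images = 0, 0
    for part in msg.walk():
        ctype = part.get_content_type()
        if part.get_content_maintype() == "image":
            images += 1
        elif ctype in ("text/plain", "text/html"):
            if (part.get_content_charset() or "").lower() in SUSPECT_CHARSETS:
                hits.add("charset")
            body = part.get_content()
            if ctype == "text/html" and SUSPECT_META.search(body):
                hits.add("meta")
            visible_text += len(re.sub(r"<[^>]+>|\s+", "", body))
    if images and visible_text < 20:   # message is essentially just a picture
        hits.add("image_only")
    return sum(RULES[h] for h in hits), hits

def build_sample(mailer, subject, charset, html, with_image):
    m = EmailMessage()
    m["From"], m["Subject"], m["X-Mailer"] = "a@example.com", subject, mailer
    m.set_content(html, subtype="html", charset=charset)
    if with_image:
        m.add_attachment(b"GIF89a" + bytes(16), maintype="image", subtype="gif", filename="x.gif")
    return m.as_bytes()

# Constructed sample messages: one image-only bulk mail, one ordinary mail.
SPAM = build_sample("ExampleBulkMailer 1.0", "Hot stock alert", "windows-1251",
    '<html><head><meta name="generator" content="x"></head><body><img src="cid:x"></body></html>', True)
HAM = build_sample("ExampleMailClient 2.0", "Quarterly report", "utf-8",
    "<p>Hello team, the quarterly numbers are ready for review on Monday.</p>", False)
```

Because no single clue is decisive, the weights only matter in combination: a filter would compare the returned score against a threshold tuned on its own mail.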

As well as the emails themselves, the origination point of the messages can indicate whether they are spam. “There's a whole bunch of addresses that are clearly botnets, built over a long period of time,” Sunner says. Using blacklists to block emails from compromised machines can go a long way towards cutting down on image spam, although relying completely on this is not advisable.

So for the beleaguered IT manager, the short-term answer to image spam is no different to that for dealing with regular spam: stay up to date with any existing anti-spam packages or outsource email filtering to a reliable service provider.

Put pressure on ISPs
The long-term solution, according to Dave Rand, chief technology officer at Trend Micro, is to apply pressure on internet service providers that allow botnets to exist on their networks. “If you look back to the 1990s, AOL was the number-one spam source, thanks to all the free CDs it gave out and because it didn't deal with all the abuse complaints. Now it's not a source of spam at all.”

Peer pressure from other ISPs and customers, as well as the threat of being completely blacklisted, can all work wonders. In response to frequently having its IP ranges and email servers blacklisted, UK ISP Be recently decided to block customers' access to the ports necessary for SMTP traffic unless they used Be's own mail servers. With most bots using built-in email servers to send emails, this move blocked a good proportion of outgoing spam, with only bots smart enough to use their machine's default email account settings able to bypass this limitation. But Be can now track all outgoing messages and identify which are being sent by bots. It then notifies the owners of infected machines of the problem and blocks them from sending any emails until they are cleaned up. “If I could, I'd get every ISP to do that tomorrow,” Rand says approvingly.

But it may be difficult to convince large ISPs with leverage that they need to change their ways. Sunner argues there is a good case to be made for corporate customers to pressure their ISPs to prevent incoming spam instead. “At the moment, it's like we're being told that there's a new outbreak of botulism and we need to boil all our own water. ISPs are kicking out the equivalent of raw sewage.”

By getting ISPs to block spam before it arrives at corporate email servers, the load on systems and drain on bandwidth are stopped before they take effect. It's a capability, he points out, that any outsourced email security service provider offers, and one he suspects many ISPs will have to offer in the next few years.

As yet, image spam isn't a severe problem, just one that needs to be heeded. The majority of current anti-spam software can deal with it, as can outsourcers, although no vendor or service provider will ever claim 100 per cent success.

However, F-Secure's Eriksson says that spammers aren't trying that hard at the moment. “There's a number of techniques that bulk email agencies use, for example, to avoid triggering spam filters that spammers aren't utilising.” Spammers could fix the flaws in their existing systems to make image spam far harder to detect. He believes, however, that image spam isn't as clever a technique as might be suspected. In the long run, ultra-simple messages with clickable links might be their most efficient mechanism for creating and delivering their messages.

Whatever the next big thing in spam is likely to be, we won't know until it hits us. Whether it'll be another iteration of image spam or something completely new, neither vendor nor service provider has seen a hint of its nature yet. But it's clear that the war goes on, and that the other side doesn't give up easily.
