Rob Buckley – Freelance Journalist and Editor

Image spam: In the picture

Spammers are finding new ways to bypass filters, but that doesn't mean you have to let them bombard your inbox. Rob Buckley reports

Need pain releif (sic)? Some Cialis, perhaps? Or maybe you'd like to invest in China YouTV Corp (CYTV)? You've probably received at least a few emails offering some of these things because they managed to sneak past your spam filters. Rather than using a simple text-based email, these spammers have embedded their kind offers into images, making it seemingly impossible for a standard spam filter to pick up the usual keywords that reveal the messages' true intents.

Given these advantages, it is no surprise that image spam now comprises a considerable proportion of total spam traffic. Quite how much is up for debate. Security vendor Marshal puts the figure as high as 56 per cent of all spam; SurfControl says between 25 and 40 per cent is more likely; while F-Secure and Sophos think that the proportion is around 35 per cent.

Other commentators dismiss those figures as hype. “It's approximately ten to 20 per cent,” says Mark Sunner, chief security analyst at email services company MessageLabs. “Some vendors put the figure at close to two thirds of spam, but that's scaremongering.” However, image spam campaigns arrive in bursts, he adds, since they are sent via botnets controlled by spammers in the hope that some emails will beat the spam filters before they have time to adapt. If a spam measurement is taken during a burst, it may appear that the percentage of this kind of attack is higher than it actually is.

Whatever proportion it does represent, image spam is among the most likely kinds of spam to get through filters, and it poses the same problems as its conventional cousin: it wastes employee time; takes up bandwidth, processing power and space on email servers, their back-up systems and end-user systems; and can pose legal issues if staff who receive it object to it. Since text-based spam tends to be less than 5k, while the image-based type ranges from 5k to 40k and beyond, a single image-based piece of spam can have all the effects on systems of eight regular pieces of spam. For any employee accessing their email on a mobile device, where every kilobyte downloaded costs the company money and slows down the device, image spam poses an even greater inconvenience.

Simple measures
So what can an IT manager do to fight image spam? Surprisingly, most vendors are happy to say that existing technology is up to the challenge.

It may appear at first that using optical character recognition (OCR) technology is the only way to really know if an email is spam or not: harvesting the images for text allows the system to use a conventional text-spam filter on the email. But Donna Pittaway, product marketing manager at SurfControl, argues that this approach is useful in only a few cases. “We capture the vast majority of image spam through other methods,” she says. “It's only if an email is borderline that we use OCR. But it's resource intensive, so we use it as a secondary layer.” In fact, spammers often use wavy text, backgrounds, polka dots and other techniques to prevent OCR systems from extracting text.

Other techniques make quicker work of image spam, for example traditional “fingerprint” systems, used by F-Secure.

Even smaller software vendors don't claim any magical powers for their systems. Michael Tsai, who developed the SpamSieve desktop anti-spam software, says the Bayesian analysis in his solution was able to learn to catch image spam relatively quickly. “With recent versions, I've made changes so that SpamSieve can extract more image-related information from the message to feed into the Bayesian classifier,” he explains. “This helps it learn faster and catch some newer types of image spam. I also added some blocklist rules to detect common patterns of image spams.”

Most larger anti-spam systems also use the infrastructure of the email itself to provide many of the necessary clues. “We use a heuristics technology that looks at characteristics such as size and so on,” says SurfControl's Pittaway. “GIF files, for instance, aren't used so much for photographs, so that indicates it's more likely to be an image spam.”

MessageLabs' Sunner also highlights the propensity of spammers to use malformed GIF images with incorrect checksums in an attempt to defeat spam filters. This now provides a strong hint that an image is no innocent attachment.
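The structural clues Pittaway and Sunner describe can be checked without reading the picture at all. The Python below is an added illustration, not code from any vendor quoted here: it flags GIF attachments, tests whether a GIF's block structure parses cleanly through to its trailer (one way to test for a malformed image), and applies size bounds assumed from the 5k to 40k range given earlier. The function names, hint labels and sample data are constructed.

```python
from email import message_from_bytes
from email.message import EmailMessage

def _table_len(packed: int) -> int:
    return 3 * (2 << (packed & 0x07)) if packed & 0x80 else 0  # 3 * 2^(N+1) bytes if flag set

def gif_is_wellformed(data: bytes) -> bool:
    """Walk the GIF block structure; False if truncated or inconsistent."""
    if len(data) < 13 or data[:6] not in (b"GIF87a", b"GIF89a"):
        return False
    pos = 13 + _table_len(data[10])        # header, screen descriptor, global table
    try:
        while True:
            kind = data[pos]
            if kind == 0x3B:               # trailer: stream ended cleanly
                return True
            if kind == 0x21:               # extension: introducer + label
                pos += 2
            elif kind == 0x2C:             # 10-byte image descriptor + LZW code size
                pos += 11 + _table_len(data[pos + 9])
            else:
                return False               # unknown block type
            while data[pos] != 0:          # skip length-prefixed sub-blocks
                pos += data[pos] + 1
            pos += 1                       # sub-block terminator
    except IndexError:                     # ran off the end: truncated image
        return False

def image_spam_hints(raw: bytes) -> list[str]:
    hints = []
    for part in message_from_bytes(raw).walk():
        if part.get_content_maintype() != "image":
            continue
        body = part.get_payload(decode=True) or b""
        if body[:3] == b"GIF":
            hints.append("gif-image")      # GIF is rarely used for photographs
            if not gif_is_wellformed(body):
                hints.append("malformed-gif")
        if 5_000 <= len(body) <= 40_000:   # assumed bounds, from the article's 5k-40k
            hints.append("size-in-spam-range")
    return hints

# Constructed 1x1 GIF and sample message, for demonstration only.
TINY_GIF = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
            b",\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02D\x01\x00;")
def build_sample(gif: bytes) -> bytes:
    msg = EmailMessage()
    msg.set_content("constructed sample body")
    msg.add_attachment(gif, maintype="image", subtype="gif", filename="a.gif")
    return msg.as_bytes()
```

Hints like these are inputs to a scoring filter rather than verdicts: a legitimate logo can be a small GIF, so each hint should only add weight alongside other signals.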
