Image spam and how to fight it

Spammers have become much better at slipping through spam filters, sending colourful promotions as images rather than text. Diego d’Ambra, CTO of SoftScan, gives OUT-LAW readers the full picture.

In November last year, Sotheby’s brokered what is believed to be the most expensive painting sold to date. To some, Jackson Pollock’s classic drip picture ‘No.5, 1948’ is one of the greatest works of art to come out of the abstract expressionist movement, but to others less appreciative, it looks more like the backdrop of the latest image spam.

A few years ago, image spam was simply straight text on a white background, sent as an email attachment. Back then, this was enough to overcome the majority of anti-spam filters, because they just searched for specific text in the body of the email. To combat this new development, a leaf was taken from the book of anti-virus techniques and a signature-based defence against spam was developed.

Until recently at least, this method has been relatively effective. However, in the past twelve months image spam has changed considerably as spammers update their technology in a bid to keep ahead of advancements in anti-spam scanning. In response, many anti-spam vendors introduced optical character recognition (OCR) technology into their solutions to detect the text within. So once again spammers have been forced to step up their game.

Increasingly, spammers are now trying to confuse scanners by introducing more complex images and colours, often using backgrounds with a variety of different hues in the hope that they will fool scanning techniques. Text has also been disguised by changing its colour throughout the image and is often distorted. Spam messages are frequently made up of several files that come together in the end user’s inbox as one image, but may be seen by some scanners as just innocent portions of text.

These changes make the spam difficult for less sophisticated anti-spam OCR scanners to detect, but the resulting image looks so appalling that it makes the majority of previous spam messages look almost professional. Since the main objective of spam is to sell goods, it won’t be long before spammers start using more sophisticated images, along with their current techniques.

Image spam is most frequently used with ‘pump and dump’ scams. These emails try to tempt the user to buy particular shares in the knowledge of a ‘hot tip’, but no sooner have enough people bought the shares than the spammer sells theirs for a profit and the share price collapses.

Although it appears that this technique is currently used mainly for American stocks, it is occasionally seen occurring in European stock markets too. The number of pump and dump email scams has grown considerably in recent months and they are continually adapting in a bid to beat the spam filters by using techniques such as Bayesian poisoning, whereby words not normally associated with spam messages are added. Since many anti-spam scanners use Bayesian probabilities in determining the likelihood of a message being legitimate or spam, this helps to increase the probability that the message will pass through the scanner undetected.
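The effect of Bayesian poisoning on a filter's score, and the effect of retraining on reported messages, can be seen in a small naive Bayes scorer. This is an added example, not code from SoftScan or any product; the training corpus, the sample pitch and the padding words are all constructed.

```python
import math
from collections import Counter

# Constructed training mail (not real messages): (text, is_spam)
TRAINING = [
    ("hot stock tip buy shares now", True),
    ("buy this stock before price explodes", True),
    ("shares alert hot tip buy today", True),
    ("meeting agenda attached for project review", False),
    ("please review the quarterly project report", False),
    ("lunch meeting moved to friday", False),
]
PITCH = "hot tip buy shares"
# Words the filter has only ever seen in legitimate mail
PADDING = "meeting agenda project review quarterly report meeting project review"

class NaiveBayes:
    def __init__(self):
        self.counts = {True: Counter(), False: Counter()}
        self.docs = {True: 0, False: 0}

    def train(self, text, is_spam):
        self.counts[is_spam].update(text.lower().split())
        self.docs[is_spam] += 1

    def spam_probability(self, text):
        vocab = len(set(self.counts[True]) | set(self.counts[False]))
        spam_total = sum(self.counts[True].values()) + vocab
        ham_total = sum(self.counts[False].values()) + vocab
        log_odds = math.log(self.docs[True] / self.docs[False])  # prior
        for tok in text.lower().split():
            # Add-one smoothing keeps unseen tokens from zeroing a class
            p_spam = (self.counts[True][tok] + 1) / spam_total
            p_ham = (self.counts[False][tok] + 1) / ham_total
            log_odds += math.log(p_spam / p_ham)
        return 1 / (1 + math.exp(-log_odds))

def demo():
    nb = NaiveBayes()
    for text, is_spam in TRAINING:
        nb.train(text, is_spam)
    plain = nb.spam_probability(PITCH)
    padded = nb.spam_probability(PITCH + " " + PADDING)
    # Defender feedback: the padded message is reported and trained as spam
    nb.train(PITCH + " " + PADDING, True)
    retrained = nb.spam_probability(PITCH + " " + PADDING)
    return plain, padded, retrained

if __name__ == "__main__":
    print("plain %.3f  padded %.3f  after retraining %.3f" % demo())
```

The padded message scores as legitimate until a copy is trained as spam, after which the padding words stop counting as evidence of legitimate mail.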

There are also variations in the way pump and dump emails are presented. Last year a new twist was added, aimed purely at encouraging the recipient to buy, when scammers emulated the 50s film industry and included subliminal messaging in their emails. To encourage users to take action they included an additional image with the word ‘buy’ repeated several times to appear for a split second every so often in the email. The effectiveness of subliminal messages has been widely argued for years, but one thing is clear: if you’re planning on investing in a company, make your own enquiries or consult a professional; don’t believe an email from a service you didn’t subscribe to.

Although OCR scanning is a very effective way of eliminating image spam, because of the CPU power required and the time it takes to scan the files, it is not a viable method to deal with large volumes. Scanning all of the image spam received would ultimately result in delayed legitimate email. However, it is possible to detect which servers are distributing spam and to automatically block traffic from them. In this way, large quantities of spam can be removed, reducing the load on the scanning system and minimising the effects of other new techniques introduced by spammers, not just image spam.

These ‘Reputation Filters’ perform an assessment of the sender each time an email is accepted by the server. They look up the IP address in a number of databases that collect data about the senders of spam and viruses. Once an IP address has been identified as responsible for sending spam, messages from it are then blocked before they are even sent to the spam filter and before conventional blacklists have time to update.
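A sketch of a reputation check placed in front of the OCR stage, as an added example rather than SoftScan's implementation. It assumes the databases are queried in the common DNSBL style (reversed IPv4 octets under a zone, with an answer in 127.0.0.0/8 meaning "listed"); the zone names, answers and traffic are constructed, and a dictionary stands in for DNS so the code runs offline.

```python
import ipaddress

# Hypothetical reputation zones; the dict stands in for live DNS answers
ZONES = ("spam.rep.example", "virus.rep.example")
CONSTRUCTED_ANSWERS = {
    "7.113.0.203.spam.rep.example": "127.0.0.2",
    "9.100.51.198.virus.rep.example": "127.0.0.4",
}
LISTED_NET = ipaddress.ip_network("127.0.0.0/8")

def query_name(ip, zone):
    # DNSBL convention: reverse the IPv4 octets and append the zone
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def listings(ip, resolve=CONSTRUCTED_ANSWERS.get):
    try:
        names = [(zone, query_name(ip, zone)) for zone in ZONES]
    except ipaddress.AddressValueError:
        return []  # not IPv4: no verdict, leave it to the content filter
    hits = []
    for zone, name in names:
        answer = resolve(name)
        if answer and ipaddress.ip_address(answer) in LISTED_NET:
            hits.append(zone)
    return hits

def handle_connections(connections):
    """connections: (sender_ip, has_image) pairs, in arrival order."""
    stats = {"rejected": 0, "ocr_scans": 0, "text_scans": 0}
    for ip, has_image in connections:
        if listings(ip):
            stats["rejected"] += 1      # dropped before any content scan
        elif has_image:
            stats["ocr_scans"] += 1     # expensive path, now far rarer
        else:
            stats["text_scans"] += 1
    return stats

# Constructed traffic using documentation address ranges
SAMPLE = [("203.0.113.7", True)] * 6 + [("198.51.100.9", True)] * 3 + [
    ("192.0.2.10", True), ("192.0.2.11", False), ("not-an-ip", True)]

if __name__ == "__main__":
    print(handle_connections(SAMPLE))
```

In the sample traffic, ten of the twelve messages carry images but only two reach the OCR stage, because the nine from listed senders are rejected first.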

The increase in image spam has also brought other problems for organisations. Since September last year the average size of a spam message has increased by 77% and continues to grow steadily. This enlargement of file size can be directly attributed to the noticeable rise in image spam in recent months and will add to the cost of managing email for some organisations that have to scale up bandwidth and storage to meet demand.

Since September last year individual spam emails have increased from an average of 6.62 KB to 11.76 KB. Although still relatively small in size, the sheer volume of spam that many businesses receive means that even a slight rise can have a significant effect. Organisations that stop spam at their email servers still have to pay for the bandwidth to receive it and, depending on how their email back-up is configured, storage costs may rise too if spam is included in the archive.

This moves away from the traditional thinking that spam is just an issue of user productivity. The growth in file size combined with the increasing volume of spam now means that many different aspects of the business infrastructure, from network administration to internet bandwidth, are affected. Email file size will become a real headache for businesses, particularly if spammers start to use other types of medium such as audio or video files once the tactic of image spam no longer works against the majority of filters.

Although it is unlikely that an individual spam message will ever induce anyone to spend the $140 million that ‘No.5, 1948’ fetched, spamming as an industry is big business. It is a cheap way of marketing products, regardless of whether it’s pirated software, counterfeit medicines or pornography, and you only need a few people to respond to make a profit.

So maybe there is a comparison between a Jackson Pollock and the latest generation of image spam, and not just to the undiscerning eye. Image spam too can be worth a small fortune – to somebody at least.