Image spam paints a troubling picture
- Posted: 00:00 26 Jul 2006
- Topics: Spam & Phishing | Content Filtering
Vendors have put forth some frightening figures. For example:
While image spam has been around for some time, Richi Jennings, an analyst with Ferris Research, said recently attackers have been making use of it to more effectively bypass spam filters.
"Spammers are being cleverer in how they're sending and coding the images," Jennings said. In the past, for instance, spammers would add random dots to their messages or put a border of dots around a message that contained random dots.
"We're now seeing things like taking a big image and splitting it up into different sized tiles that fit together when you view the message," he said. "The size and shape of the tiles varies from message to message, so it can be difficult to spot."
Dmitri Alperovitch, a research engineer with CipherTrust, said the "vast majority" of image spam is used in stock-scam messages, in which senders encourage victims to buy a certain stock to raise its value, then quickly turn around and sell the stock themselves to make a profit.
"These are Pink Sheet stocks, traded on the OTC bulletin boards, that typically don't get a lot of volume. They're niche companies with no profit and no products, so when you see a spike from almost no trades to two or three million when the spam is sent out, you know there were a lot of people who fell for it."
He also noted that images are increasingly being used in phishing attempts because pictures copying or closely mimicking the logo of a reputable financial company can be more convincing than text alone.
Though some dispute the level of danger presented by image-based phishing as compared with text-based attempts, Scott Petry, Postini's founder and CTO, said they present a sizable challenge for antispam vendors and enterprises alike.
"The use of images in those phishing exploits is so correct and accurate that the user doesn't realise when [is not from] an eBay or Citibank or whatever," Petry said. "We've found the images that are in place with a phishing exploit are near impossible to differentiate from versus a legitimate sender. You have to look in different places in the message structurally to identify them."
"I think image spam is going to exacerbate the administration requirements around spam," Petry said. "By its nature, image spam is going to be bigger and take longer to process, so I do feel there is further pressure on IT and the messaging infrastructure to deal with increase of data."
Petry recommended that companies pay careful attention to the volume of incoming messages with image attachments, and if a significant portion of those messages aren't being blocked, it may be wise to restrict the delivery of certain image-based messages.
"You don't want those messages to undermine the availability of data in your enterprise," he said. "It might mean some grumpy users, but at least the mail server will remain up and running."
Still, Jennings said organisations using comprehensive antispam products -- those that focus on both the content and origin of messages -- have little to worry about, other than to make sure they're on the latest version of their vendor's products and receiving regular updates.
"However, if they're still finding a lot of image-based spam [getting through], they should be thinking about migrating to something that is working, because there are plenty of solutions out there that are doing a good job with it."