Image-based spam is on the rise, filling up inboxes with photos of
naked women and some extremely graphic language that traditional
spam filters used to be able to catch.
Image-based spam, which is increasing at an alarming rate, is a
tactic spammers use to elude spam-filtering software that analyzes
messages for keywords. By embedding their marketing messages in
attached, randomized .gif or .jpg image files instead of in plain
text, many spammers manage to elude those filters. Image-based
emails don't differ much from text-based spam and will often
include pitches for prescription drugs and penny stocks in addition
to pornographic material.
Gateway security vendor IronPort Systems Inc. in San Bruno, Calif.,
claims that image-based spam has increased 11% overall since last
year, but on any given day that number can be much higher.
Commtouch Inc., an antivirus software vendor in Mountain View,
Calif., reports that on May 29, for instance, image-based spam
accounted for 30% of all global spam.
"It's a technique that's been around for a while," said Dan
Blum, an analyst at Burton Group Inc. in Midvale, Utah. "It doesn't
seem like rocket science, but now that filters have gotten good
enough at detecting randomized text-based spam, more spammers are
using this approach, which is probably not what they want to do
because they care about bandwidth, too."
When image-based spam sneaks through spam filters, it becomes a
problem on several levels. According to Commtouch, the typical
image-based message is three times larger than text-based spam.
Such messages can create storage problems and bandwidth problems.
And companies that are subject to regulatory compliance standards
such as the Sarbanes-Oxley Act and the Health Insurance Portability
and Accountability Act must archive all their email messages. The
image files in spam can quickly take up storage capacity.
"Without blocking image-based spam, it would probably lead to a
25% increase of storage space and bandwidth," said Stephen
Laughlin, director of information technology at the Academy of
Television Arts & Sciences, the Los Angeles organization that
hands out television's Emmy Awards. "Email storage space is already
at a premium, so there's not a lot to give up. People want as much
as they can get."
The flood of image-based spam, a lot of which is porn, can be a
problem even at organizations that aren't required to retain email
messages for regulatory compliance.
"The image was much larger in size so it took up more space on
hard drives for users," said Mark Kowitz, a system administrator at
The Rockefeller University in New York. "A lot of people saw it. A
lot of people complained. Virus scanners took more time at the
server level and desktop level. It affected overall bandwidth and
CPU time. And unfortunately, you always get users who click on [the
images, unleashing viruses]."
Image-based spam has forced Kowitz to consider a new spam filter
solution. He had been using Cloudmark, purchased through reseller
Sendmail Inc. Now he is testing a new version of Commtouch's
antispam solution.
Greg Olson, director of product marketing at Emeryville,
Calif.-based Sendmail, explained the different approaches of spam
filtering services.
"The Cloudmark method for detecting spam is based on a
collaboration network, tens of thousands and hundreds of thousands
of people who are essentially nominating spam to be called spam,"
Olson said. "Commtouch's approach is a network-based approach. They
just look at Internet traffic passing through various gateways.
Every message gets unique identifiers calculated for them, and that
information gets sent to Commtouch for analysis. They look at
distribution patterns for messages. If they see the same message
being sent by lots of individual folks it's an indication of a
botnet. And if they see a large distribution of
messages from a single send, [it's a single source
spammer]."
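The distribution-pattern idea Olson describes can be sketched as follows. This is an added example, not Commtouch's code: the whitespace-normalized SHA-256 identifier, the thresholds, and the sample traffic are all assumptions constructed for illustration.

```python
import hashlib
from collections import defaultdict

# Illustrative thresholds (assumptions, not vendor values).
BOTNET_MIN_SENDERS = 5        # same message from this many distinct senders
SINGLE_SOURCE_MIN_COPIES = 5  # this many copies from exactly one sender


def fingerprint(body: bytes) -> str:
    """Stand-in message identifier: SHA-256 of the whitespace-collapsed body."""
    return hashlib.sha256(b" ".join(body.split())).hexdigest()[:16]


def classify(observations):
    """observations: iterable of (sender_ip, body) pairs seen at gateways.

    Returns {fingerprint: label} based only on how each message is distributed.
    """
    senders = defaultdict(set)  # fingerprint -> distinct sending IPs
    copies = defaultdict(int)   # fingerprint -> total copies observed
    for ip, body in observations:
        fp = fingerprint(body)
        senders[fp].add(ip)
        copies[fp] += 1

    labels = {}
    for fp, count in copies.items():
        if len(senders[fp]) >= BOTNET_MIN_SENDERS:
            labels[fp] = "botnet"          # one message, many senders
        elif len(senders[fp]) == 1 and count >= SINGLE_SOURCE_MIN_COPIES:
            labels[fp] = "single-source"   # many copies, one sender
        else:
            labels[fp] = "unclassified"
    return labels


# Constructed sample traffic using documentation-only IP ranges.
STOCK = b"Buy  ACME penny stock now"
PILLS = b"Cheap pills, no prescription"
MEMO = b"Quarterly report attached"
SAMPLE = (
    [(f"198.51.100.{i}", STOCK) for i in range(1, 9)]  # 8 distinct senders
    + [("203.0.113.7", PILLS)] * 12                    # 12 copies, 1 sender
    + [("192.0.2.10", MEMO), ("192.0.2.11", MEMO)]     # low-volume mail
)

if __name__ == "__main__":
    for fp, label in classify(SAMPLE).items():
        print(fp, label)
```

An exact hash like this one would not survive the randomized image files the article describes, so a real identifier has to tolerate small per-message changes.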
Blum, of the Burton Group, said companies should take a
multilayered approach to fighting image-based spam.
Companies that have to archive their email for regulatory
compliance should engage a vendor that blocks incoming spam outside
their firewall. If the messages are stopped outside the company,
they don't have to be retained.
However, companies that don't have email retention requirements
might want to have a light layer of filtering outside the firewall
to stop the most obvious spam, without running the risk of
accidentally blocking legitimate email. Then the company can have a
second and third level of filtering at the server and desktop
level.
Blum also said CIOs should look for vendors that have a variety
of expertise in detecting and blocking spam.
"I would look for a vendor that had both a good heuristic for
scanning the content of messages and a good reputation database,
because 80% of the spam is coming from botnets. That means the
disposable addresses and disposable domains that spam is coming
from change very frequently."
Blum said a vendor with a large reputation database can more
quickly detect the ever-changing botnets that bombard email
traffic.
Shamus McGillicuddy,
News Writer