"A picture is worth a thousand words," goes the old saying. What is
true in art and journalism is proving equally apt in the more
modern field of spam. As the recent surge in image-based spam
shows, pictures can be a very effective way to get a message across
– or at least through a victim's anti-spam filter.
Richi Jennings, senior analyst for
Ferris Research, an IT
analysis firm specialising in messaging technologies, says that the
number of image spam emails has increased tenfold – or 900% – over
the past year.
Much of it is coming from botnets, or networks of PCs that have
been infected with a virus and turned into unwitting SMTP servers
for spammers. With the computing power of thousands of PCs at their
disposal, the
spammers are able to send out more messages and be more
creative in their approach, he notes.
Frank Guillotti, director of IT for supply and contract
management software vendor Emptoris, has seen substantial growth in
image spam. Six months ago as much as 60% of employee mail was
spam, with nearly a third of that in the form of image spam, he
said. "People had to go through and delete it, and some of it was
relatively offensive. People just don't have the time for that,"
Guillotti said.
Spam not only offends employees and wastes their time, but also
exposes them to potential fraud. Spam also can overwhelm email
servers and slow network performance. Image spam is a particularly
heavy consumer of bandwidth and storage space. While a text-based
spam message usually runs 5 to 10KB, the typical size of image spam
ranges from 10 to 100KB, Jennings said.
"That can have an impact on the performance of the email and
delay legitimate messages," he said.
Typical solutions to defend against image spam include
reputation-based filtering, behavior-based filtering, and content
analysis. But it is on the content analysis side that software
vendors are struggling to keep up with new image spam tactics.
For example, says Amir Lev, chief technology officer of
Commtouch Software, an anti-spam software and service provider
based in Netanya, Israel, spammers have learned to make small
changes to an image to evade detection.
"The spammers randomize the image so that it's difficult to
identify it as part of a spam attack," Lev said. "They'll add
pixels, random lines, an animated gif, or tilted lines instead of
straight lines." That is how spammers were able to flood the
inboxes of customers at Denver-based USA.NET, a network provider,
said Victor Silva, senior director of client services for
USA.NET.
"We were doing a good job of blocking regular spam, but image spam
was getting through," Silva said. "We started hearing complaints
from several large customers, with C-level executives even calling
us directly."
USA.NET solved the problem in two ways. It blocked emails from
IP addresses known to send spam, and it requested its anti-spam
software provider, Symantec, to improve its ability to detect image
spam, which it did.
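The randomization Lev describes defeats any filter that fingerprints an image byte for byte, while a coarser perceptual fingerprint can still group the variants. The following sketch is an added illustration, not code from this article or from any vendor named in it; the average-hash technique, the function names, the match threshold and the sample images are all assumptions constructed for the example.

```python
import hashlib
import random

SIZE, GRID = 64, 8          # 64x64 grayscale image, hashed on an 8x8 block grid
BLOCK = SIZE // GRID
MATCH_THRESHOLD = 4         # assumed cut-off: max differing bits for a match

def make_image(is_dark_block):
    """Constructed sample: dark (30) blocks on a light (220) background."""
    return [[30 if is_dark_block(y // BLOCK, x // BLOCK) else 220
             for x in range(SIZE)] for y in range(SIZE)]

def randomize(img, seed):
    """Per-message variation of the kind Lev describes: stray pixels and a line."""
    rng = random.Random(seed)
    out = [row[:] for row in img]
    for _ in range(8):                                   # a few stray pixels
        out[rng.randrange(SIZE)][rng.randrange(SIZE)] = rng.randrange(256)
    out[rng.randrange(SIZE)] = [0] * SIZE                # one dark horizontal line
    return out

def exact_fingerprint(img):
    """Byte-exact fingerprint: any changed pixel yields a different digest."""
    return hashlib.sha256(bytes(p for row in img for p in row)).hexdigest()

def average_hash(img):
    """64-bit perceptual hash: a bit is set if its block is brighter than average."""
    means = [sum(img[y][x] for y in range(by * BLOCK, (by + 1) * BLOCK)
                           for x in range(bx * BLOCK, (bx + 1) * BLOCK)) / BLOCK ** 2
             for by in range(GRID) for bx in range(GRID)]
    avg = sum(means) / len(means)
    return sum(1 << i for i, m in enumerate(means) if m > avg)

def hamming(a, b):
    """Number of differing bits between two hashes."""
    return bin(a ^ b).count("1")

def same_campaign(img_a, img_b):
    return hamming(average_hash(img_a), average_hash(img_b)) <= MATCH_THRESHOLD

banner = make_image(lambda by, bx: 2 <= by <= 5 and 1 <= bx <= 6)  # constructed spam image
other = make_image(lambda by, bx: bx % 2 == 0)                     # constructed unrelated image
variants = [randomize(banner, seed) for seed in (1, 2, 3)]

if __name__ == "__main__":
    for v in variants:
        print(exact_fingerprint(v)[:12], hamming(average_hash(banner), average_hash(v)))
    print("unrelated:", hamming(average_hash(banner), average_hash(other)))
```

Every variant gets a new SHA-256 digest, yet its perceptual hash stays within the threshold of the original, while the unrelated image lands far outside it.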
A multi-layered spam filter is best, Jennings said.
"The vendors that are doing a good job are applying a cocktail
of approaches," he said, adding that the best location for a spam
filter is at the network perimeter, rather than on the mail server
or client.
"At the perimeter you can tell where the message is coming from
and look up its reputation," Jennings said. "You can see the
behavior of the sender. But once you've accepted the message and
sent it on to the Exchange server or client, all of that
information is gone."
What should enterprises expect next from spammers? Lev predicts
image spam with handwriting instead of printed text, as well as
audio messages.
"They will keep on adding tricks," he says. "If the trick is
successful, then they'll use it in a full-blown attack."