Image spam tricks spam filters

IT pros are adding multi-layered spam filters to deal with the incursion, but some say it's still a losing battle.

"A picture is worth a thousand words," goes the old saying. What is true in art and journalism is proving equally apt in the more modern field of spam. As the recent surge in image-based spam shows, pictures can be a very effective way to get a message across – or at least through a victim's anti-spam filter.

Richi Jennings, senior analyst for Ferris Research, an IT analysis firm specialising in messaging technologies, says that the number of image spam emails has increased tenfold – or 900% – over the past year.

Much of it is coming from botnets, or networks of PCs that have been infected with a virus and turned into unwitting SMTP servers for spammers. With the computing power of thousands of PCs at their disposal, the spammers are able to send out more messages and be more creative in their approach, he notes.

Frank Guillotti, director of IT for supply and contract management software vendor Emptoris, has seen substantial growth in image spam. Six months ago as much as 60% of employee mail was spam, with nearly a third of that in the form of image spam, he said. "People had to go through and delete it, and some of it was relatively offensive. People just don't have the time for that," Guillotti said.

Spam not only offends employees and wastes their time, but also exposes them to potential fraud. Spam also can overwhelm email servers and slow network performance. Image spam is a particularly heavy consumer of bandwidth and storage space. While a text-based spam message usually runs 5 to 10KB, the typical size of image spam ranges from 10 to 100KB, Jennings said.

"That can have an impact on the performance of the email and delay legitimate messages," he said.

Typical solutions to defend against image spam include reputation-based filtering, behavior-based filtering, and content analysis. But it's on the content analysis side that software vendors are struggling to keep up with new image spam tactics.

For example, says Amir Lev, chief technology officer of Commtouch Software, an anti-spam software and service provider based in Netanya, Israel, spammers have learned to make small changes to an image to evade detection.

"The spammers randomize the image so that it's difficult to identify it as part of a spam attack," Lev said. "They'll add pixels, random lines, an animated gif, or tilted lines instead of straight lines." That is how spammers were able to flood the inboxes of customers at Denver-based USA.NET, a network provider, said Victor Silva, senior director of client services for USA.NET.

"We were doing a good job of blocking regular spam, but image spam was getting through," Silva said. "We started hearing complaints from several large customers, with C-level executives even calling us directly."

USA.NET solved the problem in two ways. It blocked emails from IP addresses known to send spam, and it requested its anti-spam software provider, Symantec, to improve its ability to detect image spam, which it did.
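The randomization Lev describes above defeats exact-match signatures but not fingerprints that tolerate small changes. The following is an added example, not code from the article or from any vendor it names: it compares a SHA-256 digest with an average-hash perceptual fingerprint, one common content-analysis technique chosen here as an assumption. The images, function names and the 6-bit threshold are constructed for illustration.

```python
import hashlib
import random

W = H = 64  # constructed sample data: 64x64 grayscale images, pixel values 0-255

def base_image():
    """Constructed stand-in for a spam image: dark text bars on a light background."""
    return [[40 if (y // 8) % 2 == 0 and 8 <= x < 56 else 220 for x in range(W)]
            for y in range(H)]

def unrelated_image():
    """Constructed, visually different image: vertical stripes."""
    return [[40 if (x // 8) % 2 == 0 else 220 for x in range(W)] for y in range(H)]

def randomize(img, seed):
    """Mimic the per-message changes: scattered pixels plus one random line."""
    rng = random.Random(seed)
    out = [row[:] for row in img]
    for _ in range(60):
        out[rng.randrange(H)][rng.randrange(W)] = rng.randrange(256)
    y = rng.randrange(H)
    out[y] = [rng.randrange(256) for _ in range(W)]
    return out

def exact_hash(img):
    """Exact-match signature: one changed byte gives an unrelated digest."""
    return hashlib.sha256(bytes(v for row in img for v in row)).hexdigest()

def average_hash(img, n=8):
    """64-bit perceptual hash: average n x n blocks, set a bit where a block is above the mean."""
    bh, bw = H // n, W // n
    cells = [sum(img[y][x] for y in range(r * bh, (r + 1) * bh)
                 for x in range(c * bw, (c + 1) * bw)) / (bh * bw)
             for r in range(n) for c in range(n)]
    mean = sum(cells) / len(cells)
    return sum(1 << i for i, v in enumerate(cells) if v > mean)

def hamming(a, b):
    """Number of differing bits between two hashes."""
    return bin(a ^ b).count("1")

def same_campaign(img_a, img_b, max_bits=6):
    """Match when the perceptual hashes differ in at most max_bits (threshold is an assumption)."""
    return hamming(average_hash(img_a), average_hash(img_b)) <= max_bits

if __name__ == "__main__":
    known = base_image()
    for seed in range(3):
        variant = randomize(known, seed)
        print(seed, exact_hash(variant) == exact_hash(known), same_campaign(known, variant))
    print("unrelated:", same_campaign(known, unrelated_image()))
```

Average hashing only absorbs small, local noise; heavier distortions such as the tilted lines or animated frames mentioned above need additional layers, which is the case for the multi-layered filtering discussed next.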

A multi-layered spam filter is best, Jennings said.

"The vendors that are doing a good job are applying a cocktail of approaches," he said, adding that the best location for a spam filter is at the network perimeter, rather than on the mail server or client.

"At the perimeter you can tell where the message is coming from and look up its reputation," Jennings said. "You can see the behavior of the sender. But once you've accepted the message and sent it on to the Exchange server or client, all of that information is gone."

What should enterprises expect next from spammers? Lev predicts image spam with handwriting instead of printed text, as well as audio messages.

"They will keep on adding tricks," he says. "If the trick is successful, then they'll use it in a full-blown attack."
