Image spam paints a troubling picture

Vendors say as many as one in four spam messages are now image-based, as attackers more commonly use .jpg and .gif image files.

Numerous vendors have recently issued warnings about the dangerous spread of image-based spam. These unsolicited commercial email messages feature images that are intended to lure victims into visiting a Web site, downloading spyware or adware, or worse.

Vendors have put forth some frightening figures. For example:

  • Messaging security firm CipherTrust Inc., which is being acquired by Secure Computing Corp., reports image spam now accounts for about 15% of all spam traffic. Many of those messages are reportedly not stopped by text-based spam filters.

  • Messaging management vendor Postini Inc. reports a higher figure, that about 25% of spam messages this year have contained images. In some months that figure has been as high as 30%. Postini attributes the growth to attackers who are eager to exploit older spam filters that are only able to analyze text.

  • Email security vendor Commtouch Software Ltd. finds similar proliferation numbers, and that on days when image spam is spreading at its peak capacity, the global bandwidth and storage consumed by spam grows by more than 70%. The Israel-based vendor's research shows the average image spam message is 19 KB, more than three times the size of a standard spam message.

    While image spam has been around for some time, Richi Jennings, an analyst with Ferris Research, said recently attackers have been making use of it to more effectively bypass spam filters.

    "Spammers are being cleverer in how they're sending and coding the images," Jennings said. In the past, for instance, spammers would add random dots to their messages or put a border of dots around a message that contained random dots.

    "We're now seeing things like taking a big image and splitting it up into different sized tiles that fit together when you view the message," he said. "The size and shape of the tiles varies from message to message, so it can be difficult to spot."

    Dmitri Alperovitch, a research engineer with CipherTrust, said the "vast majority" of image spam is used in stock-scam messages, in which senders encourage victims to buy a certain stock to raise its value, then quickly turn around and sell the stock themselves to make a profit.

    "These are Pink Sheet stocks, traded on the OTC bulletin boards, that typically don't get a lot of volume. They're niche companies with no profit and no products, so when you see a spike from almost no trades to two or three million when the spam is sent out, you know there were a lot of people who fell for it."

    He also noted that images are increasingly being used in phishing attempts because pictures copying or closely mimicking the logo of a reputable financial company can be more convincing than text alone.

    Though some dispute the level of danger presented by image-based phishing as compared with text-based attempts, Scott Petry, Postini's founder and CTO, said they present a sizable challenge for antispam vendors and enterprises alike.

    "The use of images in those phishing exploits is so correct and accurate that the user doesn't realise when [it is not from] an eBay or Citibank or whatever," Petry said. "We've found the images that are in place with a phishing exploit are near impossible to differentiate from versus a legitimate sender. You have to look in different places in the message structurally to identify them."

    Petry said the threat posed by image spam is not only on par with other types of text-based spam, but also can be an additional drain on an enterprise's bandwidth and storage resources, since images take up more space in an organisation's Internet pipeline and on its mail servers.

    "I think image spam is going to exacerbate the administration requirements around spam," Petry said. "By its nature, image spam is going to be bigger and take longer to process, so I do feel there is further pressure on IT and the messaging infrastructure to deal with increase of data."

    Petry recommended that companies pay careful attention to the volume of incoming messages with image attachments, and if a significant portion of those messages aren't being blocked, it may be wise to restrict the delivery of certain image-based messages.

    "You don't want those messages to undermine the availability of data in your enterprise," he said. "It might mean some grumpy users, but at least the mail server will remain up and running."
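One way to take the measurement Petry recommends, as an added example that is not from the article or any vendor's product: it walks each message's MIME structure and reports how much inbound mail carries image parts, how many bytes those images add, and how many image-bearing messages have almost no text. The sample messages, the addresses and the 40-character threshold are constructed assumptions.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

def build_sample(text, image_sizes):
    """Constructed test message: a text body plus one GIF part per size given."""
    msg = EmailMessage()
    msg["From"], msg["To"] = "sender@example.com", "user@example.org"
    msg["Subject"] = "constructed sample"
    msg.set_content(text)
    for i, size in enumerate(image_sizes):
        msg.add_attachment(b"GIF89a" + bytes(size - 6), maintype="image",
                           subtype="gif", filename=f"tile{i}.gif")
    return msg.as_bytes()

def profile(raw):
    """Return (image_parts, image_bytes, text_chars) for one raw message."""
    msg = message_from_bytes(raw, policy=policy.default)
    images = image_bytes = text_chars = 0
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers hold no content of their own
        if part.get_content_maintype() == "image":
            images += 1
            image_bytes += len(part.get_content())  # decoded size in bytes
        elif part.get_content_type() == "text/plain":
            text_chars += len(part.get_content().strip())
    return images, image_bytes, text_chars

def summarize(raw_messages, min_text_chars=40):
    """Aggregate image volume; min_text_chars is an assumed threshold."""
    profiles = [profile(r) for r in raw_messages]
    with_images = [p for p in profiles if p[0] > 0]
    return {
        "messages": len(profiles),
        "image_share": len(with_images) / len(profiles) if profiles else 0.0,
        "image_bytes": sum(p[1] for p in profiles),
        # Image-bearing messages with almost no text: candidates for review.
        "image_heavy": sum(1 for p in with_images if p[2] < min_text_chars),
    }

SAMPLES = [  # constructed inputs, not real mail
    build_sample("Minutes from Tuesday's meeting are in the shared folder.", []),
    build_sample("hi", [4000, 7000, 8000]),  # tiled image, about 19 KB in total
    build_sample("Our monthly newsletter: product updates, events and tips.", [2000]),
    build_sample("Can you review the draft before Friday?", []),
]

if __name__ == "__main__":
    print(summarize(SAMPLES))
```

Run over a day's quarantine and delivered folders separately, the same counts show what portion of image-bearing mail is getting past the filter.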

    Still, Jennings said organisations using comprehensive antispam products -- those that focus on both the content and origin of messages -- have little to worry about, other than to make sure they're on the latest version of their vendor's products and receiving regular updates.

    "However, if they're still finding a lot of image-based spam [getting through], they should be thinking about migrating to something that is working, because there are plenty of solutions out there that are doing a good job with it."
