November 2006 - The Evolution of Image Spam
Image spam, Picture spam and even Ransom spam... These are all names used to describe a current and highly
effective trend in spamming... putting the message into a picture and including it as an embedded image.
Regardless of its name, Image spam is a problem because it gets past traditional antispam defenses.
Image spam is the latest variation on a tried-and-true spam strategy: obfuscate the message to defeat spam
filters. Early on, spammers could hawk fake drugs simply by infringing on a popular trade name. Spam filters
started to pick up on words like Viagra and so spammers started mixing things up. Through creative spelling
intended to defeat filters, spammers replaced Viagra with
Viagr@, V1agr@, \/1@gr@, \/11@gr@, etc. until the word became unrecognizable.
Step 1 - Simple Image Spam
When Image spam first appeared, we had simple images promoting stock pump and dump schemes, bogus drugs and
other scams. For example:
Some antispam companies responded by developing unique signatures for each image. If a message contained an
image that matched the signature it was blocked.
Step 2 - OCR Hardened Image Spam
Spammers became concerned that some antispam products could read (through optical character recognition or OCR)
their text and identify the message as spam. They reacted by highlighting the text (reducing contrast) and
adding random pixels and lines to confuse OCR scans. Here's the result...
By inserting random elements, spammers defeated signature-based antispam defenses (slightly different images
have different signatures) - but the text was still fairly readable so the technique was successful.
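The signature failure described above, shown from the filter's side as an added example (it is not from the original article and is not PerfectMail's method). It assumes a "signature" is an exact hash of the pixel data, uses a small constructed image in place of a real spam sample, and contrasts that exact hash with a simple average-hash fingerprint that tolerates a few random dots.

```python
import hashlib
import random

W, H, GRID = 64, 32, 8          # constructed image size; 8x8 fingerprint grid

def make_image(bar_rows):
    """Constructed stand-in for a spam image: white page, dark 'text' bars."""
    img = [[255] * W for _ in range(H)]
    for top in bar_rows:
        for y in range(top, top + 4):
            for x in range(8, 56):
                img[y][x] = 0
    return img

def add_noise(img, n, seed):
    """Copy img and turn n distinct pixels mid-gray, like the random dots."""
    out = [row[:] for row in img]
    rng = random.Random(seed)
    for pos in rng.sample(range(W * H), n):
        out[pos // W][pos % W] = 128
    return out

def exact_signature(img):
    """Assumed 'signature': SHA-256 over the raw pixel bytes."""
    return hashlib.sha256(bytes(p for row in img for p in row)).hexdigest()

def average_hash(img):
    """64-bit fingerprint: a bit is set when its block is brighter than average."""
    bw, bh = W // GRID, H // GRID
    means = []
    for gy in range(GRID):
        for gx in range(GRID):
            block = [img[y][x] for y in range(gy * bh, (gy + 1) * bh)
                     for x in range(gx * bw, (gx + 1) * bw)]
            means.append(sum(block) / len(block))
    avg = sum(means) / len(means)
    return sum(1 << i for i, m in enumerate(means) if m > avg)

def hamming(a, b):
    """Number of fingerprint bits that differ."""
    return bin(a ^ b).count("1")

original = make_image((8, 20))
variant = add_noise(original, 40, seed=2006)   # same message plus 40 random dots
unrelated = make_image((0, 28))                # a different layout

if __name__ == "__main__":
    print("exact signatures match:", exact_signature(original) == exact_signature(variant))
    print("fingerprint bits changed by noise:", hamming(average_hash(original), average_hash(variant)))
    print("fingerprint bits vs unrelated image:", hamming(average_hash(original), average_hash(unrelated)))
```

A fingerprint like this only absorbs light noise; it does not address the low-contrast, misaligned and heavily doctored images described in the later steps.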
Step 3 - Animated Image Spam
To further confuse antispam defenses, spammers started to send multi-part, animated image spam. These images
cycle through a number of frames before presenting the viewer with the final image. OCR programmed to
see just the initial frame would miss much of the text.
Notice how the image draws in blocks. The message is still clearly readable to humans but difficult for basic
OCR software to scan.
Step 4 - Obfuscated Image Spam
In order to ensure high delivery rates, spammers started to obscure their messages.
Note the high incidence of random dots and small lines? The message is still readable (to a human) but the
extra noise helps defeat OCR scans.
Step 5 - Extreme Ransom Image Spam
The next stage is highly doctored images that are very resistant to OCR and signature
defenses. These images contain text that doesn't align, random elements and colored polygons all designed to
beat antispam defenses. It is often referred to as Ransom spam because the image looks like a cut-and-paste
ransom note:
Step 5 - Extreme Micro Image Spam
On the day this article was published, I encountered a new variant of Image spam... that I have named Extreme
Micro Image spam.
This is minimalist image spam where the image is so small that there is barely enough room to get the message
across. I don't know who would be tempted to phone their stock broker to furiously buy VXBX.PK
or any other stock when no 'research' is provided to justify interest in the stock.
However, if you get these sorts of messages, then the spammer has done their job.
Step 6 - Desperation Image Spam
This is an example of what I call Desperation Image spam. The sender has worked so hard to ensure that
their message is unreadable to spam filters (thereby ensuring delivery to the intended victim), that the
message is also unreadable by the recipient.
This message displays the extreme steps the spammer undertook, including:
- Very low contrast text
- Minimalist message content
- Floating text baseline
- Many random graphic objects
While I can't prove it, I suspect that the spammer has actually defeated himself. Most of the text is illegible
(to me at least). I cannot imagine that anyone viewing this image would ever contemplate
purchasing the stock.
Summary
Image spam is a new and effective technique for delivering unwanted content. Because it embodies the text in a
graphic image, it is impervious to Bayesian, content-based filters. Because images are easily randomized
through the addition of graphic elements such as dots and lines, signature defenses are ineffective.
And the inclusion of low contrast text with background color elements and off baseline text placement makes
these images a challenge for Optical Character Recognition tools.
Spammers who can create images that stay readable while still evading antispam defenses will continue to
achieve success. However, taken to the extreme (as in the last example), the message becomes unreadable and
consequently worthless. Just as spammers have, for the most part, stopped using extreme permutations of
Viagra (such as \/1@@gR@), I predict that the use of Extreme Image spam and Desperation Image spam will wane
as spammers learn to stay just one step ahead of most antispam defenses.
________________
Our Experience Distributing this Newsletter
We closely monitored the distribution of this newsletter because we were curious to see if the
inclusion of a known Image spam would impede its delivery. To our surprise, the reject rate for the
newsletter
was under 5%. This indicates that most companies do not have adequate Image spam defenses in place.
The few instances that were rejected could easily be classified as false-positives because
I (as the sender) have established a 2-way e-mail relationship with the recipient.
Image spam is a real challenge for e-mail administrators because it delivers unwanted and possibly fraudulent
content that may delay message delivery and defeat traditional spam filtering techniques. If you receive a lot
of Image spam, then your antispam provider has yet to develop effective defenses to this threat.
XPMsoftware's Solution
XPMsoftware has been working on the problem of Image spam for the last 4 months. We have developed
new and innovative techniques
to defend against image spam. In trials, PerfectMail now correctly filters out more than
95% of all image spam without inducing false-positives or punishing legitimate messages containing images (as
some recipient spam filters did!).
To find out more, please
contact us.
________________
I hope you found this article useful. My intent is to help organizations understand,
assess and effectively defend against e-mail threats. I would like to receive your
thoughts on this article. Please direct your comments by e-mail to
Larry Karnis.
© 2006 by Larry Karnis and XPMsoftware. All rights reserved. Permission is hereby granted to
quote from this article in whole or in part, or to reproduce this article by any means as long as
the author and XPMsoftware receive appropriate attribution.
About the Author
Larry Karnis is the president of
XPMsoftware, the developer of PerfectMail Antispam and
Antivirus products and services. Larry has spent the last 7 years focused on e-mail security best practices
and e-mail security solutions. Before that, Larry worked as an IT infrastructure and security consultant,
software engineer with multiple commercial products to his credit, and as a
professional IT trainer.
Comments on this article should be directed to
lkarnis@xpmsoftware.com.