Mar 27 2007

Image Spam

Spammers have finally realized that a picture is worth a thousand words.

Spammers are nothing if not clever. Realizing that the increased sensitivity threshold of filters was thwarting their attempts, they turned to a different, more elusive, spamming method: image spam.

Image spam circumvents spam-filtering software that tests messages based on keywords. Instead of sending text, spammers send images — including images of text — to get their e-mail delivered.

Image files use a different format than text files, letting them pass undetected through most filters. Getting around improved filters remains a challenge to the spammer, however. Still daunting are filters that validate the sending computer and/or verify headers and message envelopes. Image spam is most effectively blocked from as far back in the network as possible — for instance, at the e-mail gateway. 

They say a picture is worth a thousand words, and with image spam that’s an understatement. Because image spam uses much more disk storage space, about three to 10 times more than text alone, it further taxes already strained storage systems.

Although the price of storage has come down dramatically over the past decade, it’s still not free and because image spam is just that — spam — companies don’t want or need valuable disk space consumed by superfluous data. If, for example, your company is subject to regulatory compliance standards such as the Sarbanes-Oxley Act and the Health Insurance Portability and Accountability Act, you need to archive e-mail messages. That’s a more important way to use your space.

Slowing the Broadband Wagon

Storage problems aside, image spam can wreak havoc in another manner. Because of its sheer size, such spam also gobbles up valuable bandwidth as it traverses the globe. Simple Mail Transfer Protocol receiving threads must be held open longer to accommodate the large-size image spam. Not only are individual image spam messages larger than text spam, but the mounting numbers of such messages test the load capacities of SMTP service.

Regardless of whether all launched messages reach their destinations (and only then face spam filters), as with any spam, huge numbers of transmitted messages will clog servers trying frenziedly to validate or reject each e-mail.

Once the spam overwhelms SMTP thread capacities, the targeted systems will ultimately experience denial of service. If image spam continues to grow unchecked at its current pace, all users will pay the price that the added burden puts on Internet service providers and backbone providers. Although to some it is a mere annoyance, image spam in the aggregate is a serious and costly threat.

Optical Character Recognition Technology

Vendors are touting optical character recognition applications — in use by every major industry and sector — as the solution to the problem of image spam. OCR translates characters from scanned images of machine-printed text into editable text files. It can be used to mine such printed text from images sent electronically via e-mail.

Notwithstanding its drawbacks — graphics and handwritten text, for example, cannot be “read” by OCR — OCR does offer help. Scanning typewritten text and matching it against a known library of character sets requires time, sometimes slowing systems by several seconds per message. Those seconds may not seem significant, but the aggregate of such a slowdown amounts to considerable expense when a system carries hundreds or thousands of messages daily or even hourly.

To confuse filters, spammers have taken to adding the visual equivalent of white noise to their messages by overlaying text on a background of lightly colored specks. We can still read such text, albeit somewhat fuzzily, but the OCR will have a harder time scanning it efficiently. Vendors have fought back by developing OCR software that first removes the small specks and flecks and then proceeds with the scanning.

Along the same lines, spammers are now also circumventing filters by arbitrarily modifying image pixels. By randomly changing individual pixels within an image, spammers anticipate that an OCR may not discern the image, as it will appear completely unique to most anti-spam software. Under this scenario, spammers can create countless versions of the same message with each new iteration, fooling anti-spam software into identifying each one as different from the last.
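The effect of pixel randomization on image matching, as an added example that is not part of the original article: a byte-exact digest changes with every variant, while a coarse average-hash fingerprint (a technique chosen for this illustration, not one the article names) stays the same. The images, sizes and function names are constructed for the example.

```python
import hashlib
import random

W, H = 64, 16  # constructed image size (assumption for this example)

def make_image(dark):
    """Constructed grayscale image: 0 where dark(x, y) is true, 255 elsewhere."""
    return [[0 if dark(x, y) else 255 for x in range(W)] for y in range(H)]

# Constructed samples: a banner of dark strokes, and an unrelated half-dark image.
BANNER = make_image(lambda x, y: (x // 4) % 2 == 0 and 3 <= y < 13)
OTHER = make_image(lambda x, y: x < W // 2)

def randomize(img, n, seed):
    """Copy of img with n randomly chosen pixels shifted by a barely visible amount."""
    rng = random.Random(seed)
    out = [row[:] for row in img]
    for _ in range(n):
        x, y = rng.randrange(W), rng.randrange(H)
        delta = rng.randrange(1, 16)
        out[y][x] = delta if img[y][x] == 0 else 255 - delta
    return out

def exact_digest(img):
    """Byte-exact fingerprint: any single changed pixel yields a new value."""
    return hashlib.sha256(bytes(v for row in img for v in row)).hexdigest()

def average_hash(img, cells_x=8, cells_y=4):
    """One bit per cell: 1 if the cell's mean is darker than the whole image's mean."""
    cw, ch = W // cells_x, H // cells_y
    means = [
        sum(img[y][x] for y in range(cy * ch, (cy + 1) * ch)
            for x in range(cx * cw, (cx + 1) * cw)) / (cw * ch)
        for cy in range(cells_y) for cx in range(cells_x)
    ]
    overall = sum(means) / len(means)
    return [1 if m < overall else 0 for m in means]

def hamming(a, b):
    """Number of differing bits between two fingerprints."""
    return sum(x != y for x, y in zip(a, b))

if __name__ == "__main__":
    for seed in (1, 2, 3):
        v = randomize(BANNER, 40, seed)
        print(exact_digest(v)[:16], hamming(average_hash(BANNER), average_hash(v)))
    print("unrelated:", hamming(average_hash(BANNER), average_hash(OTHER)))
```

A filter that keys on the exact digest sees every variant as new; one that compares coarse fingerprints by Hamming distance groups them, while the unrelated image stays far away.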

Although OCR software goes a long way toward impeding image spam, the challenge today is to craft software that will leave text legible to human readers yet simultaneously block spam. Plug-in programs like gocr check for particular keywords in image/gif, image/jpeg and image/png attachments. Not only do such programs seek out specific keywords, but some even make inexact, estimated matches so that detection can occur when spammers try to circumvent filters with other text.

Slicing Images

Even identified or “known” images have been adapted to thwart filters that will recognize them. Spammers quickly realized that images could be sliced into sections to pass through filters that would otherwise recognize and then ban them. After the image sections are put together on the end user’s viewer, the message displays in its assembled state. Not to be outdone, vendors modified filters to recognize and block sliced-image spam. Not surprisingly, spammers retaliated by slicing images into more and smaller pieces. In fact, some image spam contains separate images for individual letters within the text.

Despite filters and gateway obstructions, wily image spam continues to traverse barriers into susceptible systems, eating up precious storage and backup space. Although image spammers seem to adapt to whatever barriers are thrown in their paths, most recipients can easily identify image spam as spam. If the off look of image spam isn’t readily noticeable, then its content generally is.

Creating an Image Spam Filter

If image spam is assaulting your inbox, it doesn’t matter what operating system you’re using; the basic steps to create a filter are the same. Most e-mail programs support the ability to create message filters. Although I can’t include instructions for every program, if you use Mozilla Thunderbird or any other Mozilla variant, you can create an image spam filter by following these general steps:

  1. Go to Inbox, then Tools, Message Filters
  2. Click New and assign your filter a name (perhaps “Image Spam Filter”)
  3. Where you see “For incoming messages” select “Match all of the following”
  4. Add the following rules:
       Body contains Content-Type: multipart/related
       From isn’t in my Personal Address Book
       From isn’t in my Collected Addresses
  5. Where you see “Perform these actions,” add “Set Junk Status to Junk”
  6. Where you see “Perform these actions,” add “Move Message to”
  7. From the list of folders, select your Junk folder
  8. Click “OK” and close the “Message Filters” window.

Subsequent e-mail will travel through your new filter. A note of caution: If controls are set to delete flagged mail, all such mail (including some you may want to receive) will automatically be deleted. Instead, choose the setting that lets you decide what action to take on flagged mail.
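The same three rules expressed as a script, as an added example that is not part of the original article and not Thunderbird's own code. It checks the parsed MIME structure rather than matching the raw body text, so a multipart/related part nested inside another container is still found; the address set, sample messages and function names are constructed for the example.

```python
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Constructed stand-in for the Personal Address Book and Collected Addresses.
KNOWN_SENDERS = {"alice@example.com"}

def build_sample(sender, inline_image, attachment=False):
    """Build a constructed test message and return it as raw text."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = sender, "user@example.org", "constructed sample"
    m.set_content("<html><img src='cid:i1'></html>", subtype="html")
    if inline_image:   # converts the message to multipart/related
        m.add_related(b"GIF89a", maintype="image", subtype="gif", cid="<i1>")
    if attachment:     # wraps it in multipart/mixed, nesting the related part
        m.add_attachment(b"notes", maintype="application", subtype="octet-stream")
    return m.as_string()

def classify(raw, known=KNOWN_SENDERS):
    """Apply the article's rules with 'match all' semantics."""
    msg = message_from_string(raw, policy=policy.default)
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    parts = list(msg.walk())  # the root part plus every nested part
    related = any(p.get_content_type() == "multipart/related" for p in parts)
    images = sum(1 for p in parts if p.get_content_maintype() == "image")
    unknown = sender not in known
    # Flag and move only; nothing is deleted, per the note of caution.
    action = "move_to_junk" if (related and unknown) else "deliver"
    return {"action": action, "sender": sender,
            "multipart_related": related, "image_parts": images}

if __name__ == "__main__":
    samples = {
        "unknown sender, inline image": build_sample("Deals <promo@bulk.example>", True),
        "unknown sender, nested": build_sample("Deals <promo@bulk.example>", True, True),
        "known sender, inline image": build_sample("Alice <ALICE@example.com>", True),
        "unknown sender, no image": build_sample("New <new@contact.example>", False),
    }
    for label, raw in samples.items():
        print(label, "->", classify(raw))
```

Legitimate HTML mail with inline images from a new correspondent matches the same rules, which is why the script returns a junk tag for review rather than deleting anything.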

Douglas Schweitzer, A+, Network+, iNet+, CIW, is an Internet security specialist and author of several information security books.