Fighting Image Spam - 18 Jan 2007

Spammers are clever. You can say lots of other things about them (most of which aren't printable in this UPDATE), but you have to give them their due: In the ongoing fight between spammers and antispam providers, the spammers are continuing to show a high degree of adaptability and resourcefulness. The latest example: image spam.

Early attempts at image spam a few years ago were fairly clumsy; they consisted of conventional-looking multipart MIME messages with the spammer's pitch tucked into an image attachment. These turned out to be pretty simple to block because most spammers used the same image filename across spam runs. Over time, spammers figured out how to improve the basic mechanism by doing things such as adding blocks of text that attempted to confuse Bayesian filters.

In late 2006, though, there was a sharp increase in the amount of image spam; some estimates put the increase at 50 percent or more. What made this spam onslaught so insidious—beyond the huge increase—was that it used a variety of new techniques. For example, as antispam vendors such as Barracuda Networks started deploying optical character recognition (OCR) to convert the images to text for filtering, spammers started using blurred fonts and color combinations that can confuse the OCR software.

Some vendors were faster to respond than others, of course. Users of hosted services such as Microsoft Exchange Hosted Filtering or Postini Integrated Message Management fared well against the recent image spam because hosted services can recognize and tag the message as spam quickly when the same message is sent rapidly to lots of people. That's exactly what the spammers were doing, so hosted services had an edge over other types of spam protection. One of the big advantages of Exchange Server 2007 is that Microsoft is finally releasing regular updates to its built-in spam filter, which will help in the future.

If you're not using one of these services already, what can you do to improve your spam protection? One option is to change spam filters. Several filters, including Vamsoft's ORF (with its companion tool, Image Spam Agent), Barracuda Networks' Barracuda Spam Firewall, and Sunbelt Software's Sunbelt Messaging Ninja, have features targeted exclusively at image spam. You might also be able to set up filtering rules in your existing antispam solution; for example, the Hawk Wings blog at explains how to catch image spam based on its frequent use of a particular MIME type, and you can apply the same technique if your filtering solution supports filtering by MIME type. Whatever rule you write, measure it against a sample of legitimate mail first: HTML newsletters and messages with embedded images use the same MIME structures, so a MIME-type rule on its own should raise a score rather than reject outright.

In the past, I would have recommended examining the sender IP addresses of spam messages and using them to block traffic from the originating countries; previous outbreaks seemed to come primarily from a handful of countries. However, as spammers get smarter, they're increasingly sending through botnets of compromised computers, whose addresses are scattered across many networks and countries and don't fall into contiguous ranges that are easy to block. For drastic cases, you might consider filtering all incoming messages that contain GIF or JPEG attachments, but that solution will probably be too severe for most environments: it also catches photos, scanned documents, and signature logos that your users legitimately receive.
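The three signals discussed above (a reused image filename, an image-only message carried in a particular MIME structure, and a message with nothing but an image attachment) can be combined into one scoring rule. The following is an added example, not code from the original column or from any of the products it mentions; it uses only Python's standard library. The sample messages are constructed for illustration, the hypothetical filename blocklist stands in for whatever list an administrator maintains, and the choice of multipart/related as the suspicious container type is an assumption about the Hawk Wings technique, which the column does not spell out.

```python
import email
import html
import re
from email import policy

# Content types counted as "image attachments" for this rule (assumption:
# the column names GIF and JPEG; PNG is added because the same trick works).
IMAGE_TYPES = {"image/gif", "image/jpeg", "image/png"}


def image_spam_features(raw: bytes) -> dict:
    """Extract the signals the rule scores from one raw RFC 2822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    feats = {
        "image_parts": 0,          # number of image MIME parts
        "image_filenames": [],     # names spammers once reused across runs
        "text_chars": 0,           # visible non-whitespace characters of text
        "multipart_related": False,  # HTML body referencing the image by cid:
    }
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "multipart/related":
            feats["multipart_related"] = True
        if part.is_multipart():
            continue
        if ctype in IMAGE_TYPES:
            feats["image_parts"] += 1
            name = part.get_filename()  # Content-Disposition or Content-Type name=
            if name:
                feats["image_filenames"].append(name)
        elif ctype == "text/plain":
            feats["text_chars"] += len(re.sub(r"\s+", "", part.get_content()))
        elif ctype == "text/html":
            # Crude tag strip: enough to tell "no words, only an <img>" from real text.
            visible = html.unescape(re.sub(r"<[^>]+>", " ", part.get_content()))
            feats["text_chars"] += len(re.sub(r"\s+", "", visible))
    return feats


def classify(feats: dict, *, min_text_chars: int = 40,
             known_filenames: frozenset = frozenset()) -> str:
    """Return 'spam', 'suspect' or 'pass' for the features of one message."""
    if feats["image_parts"] == 0:
        return "pass"
    # Signal 1: filename reuse (the early, easily evaded signature).
    if any(n.lower() in known_filenames for n in feats["image_filenames"]):
        return "spam"
    # Signal 2/3: the pitch is carried entirely in the image. An HTML body that
    # only references the image by cid: is the classic shape; a bare photo with
    # no text could be a legitimate forward, so it is only flagged for review.
    if feats["text_chars"] < min_text_chars:
        return "spam" if feats["multipart_related"] else "suspect"
    return "pass"


# Constructed sample: image-only pitch, HTML wrapper, inline GIF (1x1 pixel).
SPAM = b"""\
From: promo@example.net
To: victim@example.com
Subject: Hot stock tip
MIME-Version: 1.0
Content-Type: multipart/related; boundary="b1"

--b1
Content-Type: text/html; charset="us-ascii"

<html><body><img src="cid:pitch001"></body></html>
--b1
Content-Type: image/gif; name="pitch.gif"
Content-Transfer-Encoding: base64
Content-ID: <pitch001>

R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7
--b1--
"""

# Constructed sample: real text plus a photo attachment.
HAM = b"""\
From: alice@example.org
To: bob@example.org
Subject: Saturday photos
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain; charset="us-ascii"

Hi Bob, here is the picture from the hike on Saturday. The trailhead
parking was full, so we started from the lower lot. Let me know if
you want the rest of the set.
--b2
Content-Type: image/jpeg
Content-Disposition: attachment; filename="hike.jpg"
Content-Transfer-Encoding: base64

/9j/4AAQSkZJRg==
--b2--
"""

# Constructed sample: a photo forwarded with no words at all (legitimate but odd).
BARE_PHOTO = HAM.replace(b"multipart/mixed", b"multipart/mixed").replace(
    b"Hi Bob, here is the picture from the hike on Saturday. The trailhead\n"
    b"parking was full, so we started from the lower lot. Let me know if\n"
    b"you want the rest of the set.\n", b"\n")

if __name__ == "__main__":
    for label, raw in (("spam", SPAM), ("ham", HAM), ("bare photo", BARE_PHOTO)):
        print(label, "->", classify(image_spam_features(raw)))
```

The filename check is kept only to show why it stopped working: once spammers randomized names it matches nothing, which is exactly the progression the column describes. The text-length test is likewise defeated by the Bayes-poisoning text blocks mentioned earlier, so in practice this rule should contribute a score to a larger filter rather than make the final decision on its own.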

Antispam vendors will continue to attack the problem, and their efforts will no doubt bear fruit—until those regrettably clever spammers come up with a new wrinkle. I guess that's why they call it an arms race!
