Spammers are finding new ways to bypass filters, but that doesn't mean you have to let them bombard your inbox. Rob Buckley reports
Need pain releif (sic)? Some Cialis, perhaps? Or maybe you'd like to invest in China YouTV Corp (CYTV)? You've probably received at least a few emails offering some of these things because they managed to sneak past your spam filters. Rather than using a simple text-based email, these spammers have embedded their kind offers into images, making it seemingly impossible for a standard spam filter to pick up the usual keywords that reveal the messages' true intents.
Given these advantages, it is no surprise that image spam now comprises a considerable proportion of total spam traffic. Quite how much is up for debate. Security vendor Marshal puts the figure as high as 56 per cent of all spam; SurfControl says between 25 and 40 per cent is more likely; while F-Secure and Sophos think that the proportion is around 35 per cent.
Other commentators dismiss those figures as hype. "It's approximately ten to 20 per cent," says Mark Sunner, chief security analyst at email services company MessageLabs. "Some vendors put the figure at close to two thirds of spam, but that's scaremongering." However, image spam campaigns arrive in bursts, he adds, since they are sent via botnets controlled by spammers in the hope that some emails will beat the spam filters before they have time to adapt. If a spam measurement is taken during a burst, it may appear that the percentage of this kind of attack is higher than it actually is.
Whatever proportion it does represent, image spam is among the kinds of spam most likely to get through filters, and it poses the same problems as its conventional cousin: it wastes employee time; takes up bandwidth, processing power and space on email servers, their back-up systems and end-user systems; and can pose legal issues if staff who receive it object to it. Since text-based spam tends to be under 5KB, while the image-based type ranges from 5KB to 40KB and beyond, a single piece of image spam can have the same effect on systems as eight regular pieces of spam. For any employee accessing email on a mobile device, where every kilobyte downloaded costs the company money and slows down the device, image spam is an even greater inconvenience.
So what can an IT manager do to fight image spam? Surprisingly, most vendors are happy to say that existing technology is up to the challenge.
It may appear at first that using optical character recognition (OCR) technology is the only way to really know if an email is spam or not: harvesting the images for text allows the system to use a conventional text-spam filter on the email. But Donna Pittaway, product marketing manager at SurfControl, argues that this approach is useful in only a few cases. "We capture the vast majority of image spam through other methods," she says. "It's only if an email is borderline that we use OCR. But it's resource intensive, so we use it as a secondary layer." In fact, spammers often use wavy text, backgrounds, polka dots and other techniques to prevent OCR systems from extracting text.
Other techniques make quicker work of image spam, for example the traditional "fingerprint" systems that F-Secure uses.
Even smaller software vendors don't claim any magical powers for their systems. Michael Tsai, who developed the SpamSieve desktop anti-spam software, says the Bayesian analysis in his solution was able to learn to catch image spam relatively quickly. "With recent versions, I've made changes so that SpamSieve can extract more image-related information from the message to feed into the Bayesian classifier," he explains. "This helps it learn faster and catch some newer types of image spam. I also added some blocklist rules to detect common patterns of image spams."
Most larger anti-spam systems also use the infrastructure of the email itself to provide many of the necessary clues. "We use a heuristics technology that looks at characteristics such as size and so on," says SurfControl's Pittaway. "GIF files, for instance, aren't used so much for photographs, so that indicates it's more likely to be an image spam."
MessageLabs' Sunner also highlights the propensity of spammers to use malformed GIF images with incorrect checksums in an attempt to defeat spam filters. This now provides a strong hint that an image is no innocent attachment.
How the email is constructed can also provide clues. Era Eriksson, senior content filter researcher at F-Secure, says that most spammers use "off-the-shelf" packages developed by nefarious programmers for bulk mailing rather than develop their own software. "'Dark emailers' tend to generate specific-looking emails," he says. "Superficially, image spams are changing all the time, but there's usually a recurring pattern in other parts of the email, such as headers." Character-set encoding, the claimed email client used to create the message, specific meta-tags in the HTML, as well as keywords in the header or body of the email can all suggest a message is spam.
As well as the emails themselves, the origination point of the messages can indicate whether they are spam. "There's a whole bunch of addresses that are clearly botnets, built over a long period of time," Sunner says. Using blacklists to block emails from compromised machines can go a long way towards cutting down on image spam, although relying completely on this is not advisable.
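The clues described above (a GIF where a photo would normally be a JPEG, an image whose structure does not parse, almost no text alongside the image, bulk-mailer header patterns and a first hop on a known bot list) can be combined into a simple heuristic scorer. The following is an added example, not code from the article or from any vendor it quotes; the weights, the threshold, the X-Mailer/Message-ID rule and the blocklist address are illustrative assumptions, and the sample messages are constructed rather than captured spam. One caveat a practitioner will want: the GIF format carries no checksum field, so "malformed" in practice means a bad header, a truncated block or a missing 0x3B trailer, which is what the block walker below tests.

```python
"""Score a MIME message for image-spam clues. Added example, not the article's
or any vendor's code. Weights, threshold, header rule and blocklist are assumed."""
import email
import re
from email import policy
from email.message import EmailMessage

BOT_BLOCKLIST = {"203.0.113.45"}   # constructed; a real filter would query a DNSBL
SPAM_THRESHOLD = 5                 # assumption


def gif_is_well_formed(data: bytes) -> bool:
    """Walk GIF blocks to the 0x3B trailer. GIF has no checksum, so 'malformed'
    means a bad header, a truncated block or a missing trailer."""
    if len(data) < 13 or data[:6] not in (b"GIF87a", b"GIF89a"):
        return False
    pos, packed = 13, data[10]                      # logical screen descriptor
    if packed & 0x80:                               # global colour table present
        pos += 3 * (2 << (packed & 0x07))

    def skip_subblocks(p):                          # length-prefixed chunks, 0 ends
        while p < len(data) and data[p]:
            p += 1 + data[p]
        return p + 1 if p < len(data) else None     # None: ran off the end

    while pos is not None and pos < len(data):
        tag, pos = data[pos], pos + 1
        if tag == 0x3B:                             # trailer reached
            return True
        if tag == 0x21:                             # extension: label + sub-blocks
            pos = skip_subblocks(pos + 1)
        elif tag == 0x2C and pos + 9 <= len(data):  # image descriptor
            lpacked, pos = data[pos + 8], pos + 9
            if lpacked & 0x80:                      # local colour table
                pos += 3 * (2 << (lpacked & 0x07))
            pos = skip_subblocks(pos + 1)           # +1 skips LZW min code size
        else:
            return False                            # unknown tag or truncated
    return False


def image_spam_score(raw: bytes, blocklist=BOT_BLOCKLIST):
    """Return (score, reasons) for a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    score, reasons, text_len, images = 0, [], 0, []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype in ("text/plain", "text/html"):
            text_len += len(re.sub(r"<[^>]+>", "", part.get_content()).strip())
        elif part.get_content_maintype() == "image":
            images.append((ctype, part.get_payload(decode=True)))
    if not images:
        return 0, ["no image part"]
    for ctype, data in images:
        if ctype == "image/gif":
            score += 1; reasons.append("GIF rather than a photo format")
            if not gif_is_well_formed(data):
                score += 3; reasons.append("malformed GIF structure")
        if 5_000 <= len(data) <= 40_000:
            score += 1; reasons.append(f"image of {len(data)} bytes, typical spam size")
    if text_len < 50:
        score += 2; reasons.append("almost no text accompanying the image")
    # Assumed bulk-mailer pattern: a desktop client is claimed in X-Mailer, yet
    # the Message-ID such a client would add is absent.
    if msg.get("X-Mailer") and not msg.get("Message-ID"):
        score += 2; reasons.append("X-Mailer without Message-ID")
    # Origin: the first hop is the bottom-most Received header.
    hops = msg.get_all("Received") or []
    m = re.search(r"\[(\d+\.\d+\.\d+\.\d+)\]", hops[-1]) if hops else None
    if m and m.group(1) in blocklist:
        score += 3; reasons.append(f"first hop {m.group(1)} on bot blocklist")
    return score, reasons


def is_image_spam(raw: bytes) -> bool:
    return image_spam_score(raw)[0] >= SPAM_THRESHOLD


def build_message(text, image, subtype, first_hop, **headers) -> bytes:
    """Constructed test message: one text part plus one image attachment."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "a@example.net", "b@example.com", "hi"
    for name, value in headers.items():
        msg[name.replace("_", "-")] = value
    msg["Received"] = f"from host ([{first_hop}]) by mx.example.com; Mon, 1 Jan 2007 00:00:00 +0000"
    msg.set_content(text)
    msg.add_attachment(image, maintype="image", subtype=subtype, filename="img." + subtype)
    return msg.as_bytes()


# Constructed samples (not real captured spam). Minimal 1x1 GIF89a layout.
_GIF_HEAD = b"GIF89a\x01\x00\x01\x00\x80\x00\x00" + b"\x00\x00\x00\xff\xff\xff"
_GIF_IMG = b"\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02"   # image descriptor + LZW size
VALID_GIF = _GIF_HEAD + b"\x21\xf9\x04\x01\x00\x00\x00\x00" + _GIF_IMG + b"\x02\x44\x01\x00\x3b"
SPAM_GIF = _GIF_HEAD + _GIF_IMG + (b"\xff" + b"\x00" * 255) * 30 + b"\x00"  # ~7.7KB, no trailer
FAKE_JPEG = b"\xff\xd8\xff" + b"\x00" * 60_000 + b"\xff\xd9"   # placeholder; only size matters
SPAM_MSG = build_message("Click image", SPAM_GIF, "gif", "203.0.113.45",
                         X_Mailer="Microsoft Outlook Express 6.00.2900.2180")
HAM_MSG = build_message("Hi Bob, here is the photo from the weekend, let me know what you think. Alice",
                        FAKE_JPEG, "jpeg", "198.51.100.7",
                        X_Mailer="Thunderbird 1.5", Message_ID="<1234@example.net>")

if __name__ == "__main__":
    for label, raw in (("spam", SPAM_MSG), ("ham", HAM_MSG)):
        print(label, is_image_spam(raw), image_spam_score(raw))
```

The scorer is deliberately additive: no single clue is decisive (GIFs and short messages are common in legitimate mail), but several together cross the threshold, which is the same layered approach the vendors above describe, with OCR reserved for borderline scores.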
So for the beleaguered IT manager, the short-term answer to image spam is no different to that for dealing with regular spam: stay up to date with any existing anti-spam packages or outsource email filtering to a reliable service provider.
Put pressure on ISPs
The long-term solution, according to Dave Rand, chief technology officer at Trend Micro, is to apply pressure on internet service providers that allow botnets to exist on their networks. "If you look back to the 1990s, AOL was the number-one spam source, thanks to all the free CDs it gave out and because it didn't deal with all the abuse complaints. Now it's not a source of spam at all."
Peer pressure from other ISPs and customers, as well as the threat of being completely blacklisted, can all work wonders. In response to frequently having its IP ranges and email servers blacklisted, UK ISP Be recently decided to block customers' access to the ports necessary for SMTP traffic unless they used Be's own mail servers. With most bots using built-in email servers to send emails, this move blocked a good proportion of outgoing spam, with only bots smart enough to use their machine's default email account settings able to bypass this limitation. But Be can now track all outgoing messages and identify which are being sent by bots. It then notifies the owners of infected machines of the problem and blocks them from sending any emails until they are cleaned up. "If I could, I'd get every ISP to do that tomorrow," Rand says approvingly.
But it may be difficult to convince large ISPs with leverage that they need to change their ways. Sunner argues there is a good case to be made for corporate customers to pressure their ISPs to prevent incoming spam instead. "At the moment, it's like we're being told that there's a new outbreak of botulism and we need to boil all our own water. ISPs are kicking out the equivalent of raw sewage."
By getting ISPs to block spam before it arrives at corporate email servers, the load on systems and the drain on bandwidth are stopped before they take effect. It's a capability that any outsourced email security provider already has, he points out, and one he suspects many ISPs will have to offer in the next few years.
As yet, image spam isn't a severe problem, just one that needs to be watched. The majority of current anti-spam software can deal with it, as can outsourcers, although no vendor or service provider will ever claim 100 per cent success.
However, F-Secure's Eriksson says that spammers aren't trying that hard at the moment. "There are a number of techniques that bulk email agencies use, for example, to avoid triggering spam filters that spammers aren't utilising." Spammers could fix the flaws in their existing systems to make image spam far harder to detect. He believes, however, that image spam isn't as clever a technique as might be suspected. In the long run, ultra-simple messages with clickable links might be their most efficient mechanism for creating and delivering their messages.
Whatever the next big thing in spam is likely to be, we won't know until it hits us. Whether it'll be another iteration of image spam or something completely new, neither vendor nor service provider has seen a hint of its nature yet. But it's clear that the war goes on, and that the other side doesn't give up easily.