When Filters Fail: The Continuing Saga of Image-Based Spam

by Melisa LaBancz-Bleasdale

Image-based spam has long been making the rounds, parading past network defenses and filling up inboxes worldwide. What it lacks in malfeasance it makes up for in sheer annoyance. Despite what is known about image-based spam, it has proven difficult to control. In fact, spam in general is rising at an alarming rate. Postini, a provider of on-demand Integrated Message Management services, processed nearly 70 billion email connections from September to November 2006 and found a 59 percent spike in spam during that period. According to Postini's research, unwanted email currently makes up 91 percent of all email received, with image-based and MS Office document spam accounting for as much as 30 percent of all junk email. "This dramatic rise in spam attacks on corporate networks has the Internet under siege," says Daniel Druker, executive vice president of marketing at Postini.

Internet gateway security provider IronPort Systems has found that the average spam message size has grown from 8.9 kB to 13 kB, a 46 percent increase attributable to the rise in image-based spam. "Due to increases in spam, and declining capture rates, the average email user is seeing two to three times more spam since the start of 2006," states Tom Gillis, senior vice president of worldwide marketing at IronPort.

"Catch rates are falling because signature-based solutions can't keep up with spammers' rapidly changing randomization techniques."

What is Image Spam?

Steve Kille of Ferris Research explains that image-based spam encloses a GIF or other image file within the message as a separate inline body part, using the MIME mechanism known as "multipart/related". This construction lets the image be referenced from within an HTML message, and Kille notes that most email clients will then render it as part of the message. The outer wrapper of the message is carefully constructed so that it has no spam characteristics; the spam call-to-action (whatever is being advertised) is held entirely within the GIF image.

"To begin with, image spam is difficult to identify because there isn't a lot for first generation antispam solutions to analyze," reveals David Mayer, product manager at IronPort Systems. "To the anti-spam solution, image-based spam is just one file. There's no text. There's no URL. To detect whether or not this 'file' was spam, it would take a hash, fingerprint or signature. If declared spam, it would look for that same exact file and signature each time. Spammers gradually started randomizing to bypass spam technologies."
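To make Kille's description of the message shape and Mayer's point about file hashes concrete, here is an added example, written for this article rather than taken from IronPort, Ferris Research or any other vendor named here, in Python using only the standard library. It assembles a constructed multipart/related message around a hand-made 1x1 GIF (the picture standing in for the spammer's stock tip), walks the MIME tree the way a gateway filter would, and then varies the GIF per message by splicing in a GIF comment block, a stand-in for the spammer's pixel tweaks. The file hash changes on every copy, while the structural tell, an inline cid:-referenced image surrounded by almost no visible text and no URL, stays constant. All addresses, the image bytes and the benign contrast message are constructed; the word-count threshold is an illustrative assumption, not a vendor setting.

```python
import hashlib
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Constructed sample: the well-known 43-byte 1x1 transparent GIF, standing in for
# the spammer's picture of a stock tip. Not taken from any real message.
GIF_1X1 = (
    b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
    b"!\xf9\x04\x01\x00\x00\x00\x00"
    b",\x00\x00\x00\x00\x01\x00\x01\x00\x00"
    b"\x02\x02D\x01\x00;"
)

# Constructed benign message for contrast: ordinary text carrying a link.
BENIGN = (
    b"From: alice@example.invalid\r\nTo: bob@example.invalid\r\n"
    b"Subject: report\r\nContent-Type: text/plain\r\n\r\n"
    b"The full report is at http://example.invalid/report with details.\r\n"
)

TAG_RE = re.compile(r"<[^>]+>")
URL_RE = re.compile(r"https?://|www\.", re.I)
CID_RE = re.compile(r"""src=["']cid:([^"']+)""", re.I)


def build_image_spam(gif_bytes: bytes) -> bytes:
    """Assemble the shape Kille describes: an innocuous HTML wrapper whose only
    payload is an inline GIF referenced by a cid: URL inside a multipart/related."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"   # constructed addresses
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "Quarterly update"
    msg.set_content('<html><body><p>Hello,</p><img src="cid:pic001"></body></html>',
                    subtype="html")
    # add_related() converts the message to multipart/related and attaches the
    # image as an inline part carrying the Content-ID the HTML refers to.
    msg.add_related(gif_bytes, maintype="image", subtype="gif", cid="<pic001>")
    return msg.as_bytes()


def randomize(gif_bytes: bytes, salt: int) -> bytes:
    """Stand-in for the spammer's per-message variation: splice a GIF comment
    extension (0x21 0xFE, one 8-byte sub-block, 0x00 terminator) in front of the
    trailer byte. The picture renders identically; the file bytes, and so any
    hash or signature computed over them, do not."""
    comment = b"!\xfe\x08" + salt.to_bytes(8, "big") + b"\x00"
    return gif_bytes[:-1] + comment + b";"


def analyze(raw: bytes) -> dict:
    """Walk the MIME tree like a gateway filter: collect visible text, URLs and
    inline images, then apply the structural tell for image spam."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    visible_text, cid_refs, images = "", set(), []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "text/html":
            html = part.get_content()
            cid_refs.update(CID_RE.findall(html))
            visible_text += " " + TAG_RE.sub(" ", html)
        elif ctype == "text/plain":
            visible_text += " " + part.get_content()
        elif part.get_content_maintype() == "image":
            data = part.get_payload(decode=True)
            images.append({
                "cid": (part.get("Content-ID") or "").strip("<>"),
                "sha256": hashlib.sha256(data).hexdigest(),
                "size": len(data),
            })
    words = visible_text.split()
    inline = [img for img in images if img["cid"] in cid_refs]
    return {
        "words": len(words),
        "urls": len(URL_RE.findall(visible_text)),
        "inline_images": inline,
        # The heuristic: a referenced inline image carries the message while the
        # text around it is nearly empty and offers nothing to click on.
        # The threshold of 20 words is an assumption chosen for this example.
        "image_only": bool(inline) and len(words) < 20 and not URL_RE.search(visible_text),
    }


def demo(variants: int = 3):
    """Several 'copies' of the same spam, each with a different image hash, all
    caught by the structural check; the benign message is not."""
    reports = [analyze(build_image_spam(randomize(GIF_1X1, n))) for n in range(variants)]
    hashes = {r["inline_images"][0]["sha256"] for r in reports}
    return reports, hashes, analyze(BENIGN)


if __name__ == "__main__":
    reports, hashes, benign = demo()
    print("distinct image hashes:", len(hashes), "of", len(reports))
    print("flagged as image-only:", [r["image_only"] for r in reports])
    print("benign flagged:", benign["image_only"])
```

The point of the structural check is that it never looks at the image bytes, so the spammer's randomization buys nothing against it; its weakness is the opposite one, that legitimate HTML newsletters built from a single inline banner will trip it, which is why production filters combine such tells with reputation and other signals rather than blocking on structure alone.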

Almost all image-based spam promotes "pump and dump" stocks: penny stocks the spammers have already bought, hyped in the hope that enough gullible recipients buy in to push the price up before the spammers sell. A few "pharmacy" and fake "online diploma" scams still float around in image form, but they are relatively rare today. Image-based spam serves one specific purpose, defeating spam filters so that the advertisement reaches the inbox. It is an unpopular mechanism for ordinary product spam because that kind of spam depends on an embedded URL the victim can click to buy whatever is on offer, be it a bottle of pills or illegal software; a stock tip needs no link.

"There are only a limited number of ways that spammers can randomize a URL, and a lot of the filters can still extract links and block messages based on that," says Dmitri Alperovitch, principal research scientist with Secure Computing. "There's not much impetus for regular spammers to go in the image spam direction when the whole point is to randomize every part of the image in the message. Some parts of a spam email would not be able to be randomized, like the link they need to include, in a sufficient enough manner to get by the spam filters. Basically it defeats the entire purpose of their type of spam."

Identifying Email Content

The reason image-based spam works so well is that every message is subtly altered, by adding or removing pixels, changing the background color, or swapping the embedded images, so traditional spam technologies such as file or hash matching never see the same object twice. Even more advanced solutions such as Optical Character Recognition (OCR), designed to read the text inside an image, fail to tag image-based spam because of these constant, randomized modifications. Postini notes that spammers succeed with these simple techniques even against OCR.

"A lot of anti-spam vendors have reacted to the image-based spam problem by deploying OCR in an attempt to pick out words and characters from an image," says Alperovitch. "From there, they try to perform traditional content filtering on the extracted characters and hope to identify stock symbols, pictures of Viagra and so forth. OCR was never designed to deal with an attacker trying to obfuscate the characters. Spammers are able to adapt to it within weeks. Even before most of the vendors publicly released their upgrades, OCR technology was already being defeated." OCR works by assuming that each character is roughly the same size, that the spacing between characters is regular, and that the text runs horizontally in a typed font. When the positioning, spacing, shapes and colors of the characters are altered, OCR is extremely easy to defeat.

"It doesn't cost spammers anything to randomize their messages because they're able to do that from the millions of zombies that they've taken over," adds Alperovitch. "They're not using their own resources to send out spam. For the anti-spam vendors, however, it's very expensive to deploy this type of OCR technology. It's resource intensive and slows down the overall processing of the mail."

IronPort Systems estimates that over 80 percent of spam email is sent from botnets, networks of hijacked machines used to flood mail systems with continuously randomized spam. Spammers continuously rotate between these networks in order to avoid being blacklisted by enterprise spam solutions. The company states that similar rotation takes place with spam URLs, which have an average lifecycle of four hours or less.

So Wherein Lies The Danger?

Alperovitch stresses that from an organizational standpoint the issue is one of volume: spam overwhelms mail servers that cannot keep up with the flood. Secure Computing notes that 86 percent of all email is spam, compared to 70 percent in 2005. "Mail volumes have doubled in the last year alone. Organizations are buying more and more mail servers and requiring more processing power to cope with the increase in spam. For public companies required by federal regulations to store their email for several years, storage cost is skyrocketing, because they are forced to keep all that spam on their hard drives."

IronPort's Mayer concludes, "Image-based spam is not actually dangerous, but I'd say that it's a huge annoyance. We have customers deleting dozens of messages from their inbox every day and it cuts down on their productivity. On top of that, people are forwarding their spam to their email administrators and asking, 'What is this? Why didn't we catch this?', so there's an added burden on email administrators to figure out what's going on. Essentially, it's a grating annoyance—the online version of sitting in stopped traffic."