As soon as spam fighters gain ground, spammers switch tactics, sometimes going back to what worked before. Hence the return of image spam.
Image spam has been around for many years, having spurts of popularity whenever spam filters get good at detecting the normal types of spam. Each resurgence has seen image spam increase in sophistication. To try to understand image spam, I started talking to the people at Red Condor, a well-known spam filtering service.
Brien Voorhees, one of the founders of Red Condor, was kind enough to answer my numerous questions. Let’s see what he has to say about image spam:
TechRepublic: I keep hearing about image spam and how spammers are using it to get past filters. What is image spam?
Voorhees: It’s a spam email where the spammer’s message or pitch is represented in an attached/embedded image instead of text. Often, the email will also have unrelated text in the body of the message to throw off filters, but the actual pitch will be in the image.
TechRepublic: Why is image spam so difficult to detect?
Voorhees: The purpose of spam is to get the user to take some kind of action, whether it’s clicking on a link to buy a product, calling a phone number, or replying to an email address. The spammer can randomize the content of their messages and where they come from, but it’s difficult to randomize the actual call to action.
Any kind of consistency in a spam campaign can be used by a filter to identify, target, and block the campaign. When the “call to action” is displayed visually, the computer can’t recognize it without computationally expensive Optical Character Recognition (OCR) processing. The images are almost always randomized to some degree to prevent OCR and also make each image unique.
Since an email containing a spam image looks almost identical to one with a picture of your grandkids, it’s extremely difficult to block them without also causing a lot of collateral damage (false-positives).
TechRepublic: What processes does Red Condor have in place to filter image spam?
Voorhees: Red Condor employs several different technologies to effectively block image spam without also blocking good images:
- Image fingerprinting: We have fast, efficient “fuzzy” matching algorithms that can target specific areas of an image.
- Our system also looks at the reputation of the IP address delivering the message and can be stricter if the message has image spam characteristics.
- Continuous feedback loops: Including humans in the review process.
In the near future, Red Condor will be introducing a new layer to its image spam defenses. While more details will come out soon, I can say the new layer will successfully identify image-spam campaigns based on a unique combination of structural elements present in both the image and the message.
TechRepublic: I understand that one of the new techniques is to just use an image, no text in the subject line or anywhere in the body. What is the purpose of that?
Voorhees: I haven’t noticed that as a very common technique. Most of the campaigns I see do have some amount of (unrelated) text. Regardless of the message body, a typical image spam ends up looking very similar to an email sent by a human. The spammers are good at making the message look like it was sent from a real person using Outlook, etc., and the messages are delivered from various infected machines (as part of a botnet) instead of the spammer’s own computers.
TechRepublic: Image spam was prevalent several years ago. Then it tapered off; was that because it required the victim to manually enter link information?
Voorhees: Yes, the “click on the link” requirement is a huge drawback to the image spam technique and makes it not desirable for most spammers. The really big image campaigns years ago were primarily the stock pump-and-dump campaigns.
It was a good technique for them because the “call to action” wasn’t for the user to click on a specific link, but rather to go to their broker (offline or online) and buy the stock. The major stock spammers eventually got sued or arrested and the image spam levels dropped to a fraction of what they were.
TechRepublic: Why do you think image spam is making such a strong comeback?
Voorhees: While image spam is making a bit of a comeback it’s nowhere near the level it was several years ago. As for why, I think it’s partly desperation. Filtering technology has gotten pretty good in recent years and the spammers are constantly looking for any chink in the armor.
Image spam is still one of the most difficult types to accurately block. Due to image spam’s inherent disadvantages though, I think it will continue to be an annoyance, but not the majority of spam.
TechRepublic: Do you have any more thoughts about image spam?
Voorhees: Since the early days of image spam, it’s been interesting to watch it change, usually in response to filter adaptation, basically evolution in action:
- In the beginning, all of the images would be identical. Then they started to add some simple randomization to the image “header” and/or palette to defeat basic fingerprinting (MD5 hash, etc.).
- Next, they started to scale the image to varying sizes.
- Then they added a small amount of obfuscation noise, varying background colors, even tilting the image slightly.
- For a while, spammers were also using animated GIFs or slicing the image up into several smaller sections.
- They also tried delivering the images by embedding them inside PDFs.
Over time, the randomization has become more and more extreme to the point where it is difficult to discern the content (similar to some CAPTCHAs). Recent image spam campaigns employ multiple techniques together with color changes, scaling, noise, and waving. That makes it basically impossible to use OCR to decode the text.
Below is an example of what Mr. Voorhees is referring to:
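The image itself is not reproduced here. As an added illustration (not from the interview, and not Red Condor's code), the following Python shows the fingerprinting arms race Voorhees describes: an exact MD5 fingerprint breaks as soon as the palette or size changes, while a simple "average hash" style fuzzy fingerprint still matches after a palette shift, scaling and light noise. The bitmap and the variants are constructed in code so the example runs offline; the dark rectangle stands in for a block of text in a spam image.

```python
import hashlib
import random

# Constructed 32x32 grayscale "image": a dark rectangle on a light background.
def make_image(width=32, height=32, shift=0):
    return [[min(255, (40 if 8 <= y < 24 and 4 <= x < 28 else 220) + shift)
             for x in range(width)] for y in range(height)]

def unrelated_image(width=32, height=32):
    """A different constructed picture (vertical stripes) for a negative check."""
    return [[40 if (x // 8) % 2 == 0 else 220 for x in range(width)] for _ in range(height)]

def md5_fingerprint(img):
    """Exact fingerprint: a single changed byte gives a different digest."""
    return hashlib.md5(bytes(v for row in img for v in row)).hexdigest()

def average_hash(img, size=8):
    """Fuzzy fingerprint: downscale to size x size by block means, then emit
    one bit per cell meaning 'brighter than the overall mean' (64 bits)."""
    h, w = len(img), len(img[0])
    bh, bw = h // size, w // size
    cells = []
    for cy in range(size):
        for cx in range(size):
            block = [img[y][x] for y in range(cy * bh, (cy + 1) * bh)
                               for x in range(cx * bw, (cx + 1) * bw)]
            cells.append(sum(block) / len(block))
    mean = sum(cells) / len(cells)
    return sum(1 << i for i, c in enumerate(cells) if c > mean)

def hamming(a, b):
    """Number of differing bits between two fuzzy fingerprints."""
    return bin(a ^ b).count("1")

def scale2x(img):
    """Nearest-neighbour 2x upscale, like the size randomization in the list above."""
    return [[v for v in row for _ in (0, 1)] for row in img for _ in (0, 1)]

def add_noise(img, amount=20, seed=1):
    """Per-pixel random noise of +/- amount, like the 'obfuscation noise' step."""
    rng = random.Random(seed)
    return [[max(0, min(255, v + rng.randint(-amount, amount))) for v in row] for row in img]

def matches(original, variant, threshold=8):
    """True when the fuzzy fingerprints differ in at most `threshold` of 64 bits."""
    return hamming(average_hash(original), average_hash(variant)) <= threshold

if __name__ == "__main__":
    base = make_image()
    for name, variant in [("palette shift", make_image(shift=10)),
                          ("scaled 2x", scale2x(base)), ("noise", add_noise(base))]:
        print(f"{name}: md5 match={md5_fingerprint(base) == md5_fingerprint(variant)}, "
              f"fuzzy match={matches(base, variant)}")
```

This simple hash still breaks under the later steps in Voorhees's list (tilting and "waving"), which is the escalation he describes and why production fuzzy matching has to be more selective about which regions of the image it compares.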
TechRepublic: Changing the subject, I am curious as to how Red Condor came into being?
Voorhees: Two other engineers and I were wrapping up some contract work and had been keeping an eye out for the right opportunity to create our own product and company. Spam was starting to become a real annoyance at the time, making it difficult to find real messages lost among the junk.
We checked out the available filtering options and didn’t find anything satisfactory. They forced the user to make a choice between letting too much spam through or blocking too many good emails. It has always surprised me how accepting many filtering companies (and some users) are of false-positives.
Personally, I consider all of my email to be critical and one lost message is one too many. As a group we recognized the opportunity to create a new spam filter that would meet our own standards.
I like the explanation of how spam requires a “call to action.” It defines what is needed to make spam work. Image spam, by its nature, doesn’t provide an easy way to accomplish that, yet it is hard to detect. Since the use of image spam is increasing, spammers must feel that getting the spam in front of us is the more important consideration.
I would like to extend my thanks to Tim McAllister of Red Condor for pointing me in the right direction, Kevin Wilson of KevinWilsonpr.com for making it all happen, and finally Brien Voorhees for his insight into the world of spam.