
Marshal: Puzzle-like image spam perplexes filters

Researchers from Marshal today reported a sharp increase in image spam, as well as new techniques used to slip the unwanted emails past filters.

The Atlanta-based firm's Threat Research and Content Engineering team recorded a 40-percent increase in total spam during late October and early November, which it attributed to an increase in image spam. That technique was credited for 30 percent of all spam, a jump from 22 percent just three weeks before.

Image spam now accounts for between 15 and 20 percent of all email images sent, according to Marshal.

Image spam is a technique used by fraudsters to bypass filters - usually set to look for common spamming words or phrases - through the use of .gif or .jpg images.

But in a shift from traditional image spam emails, researchers are now seeing messages containing multiple images acting like pieces of a puzzle, as well as more obscure image file formats such as PNG.

Penny Freeman, director of sales engineering for Marshal, told today that email filters will eventually see more hybrid spam emails.

"They're actually combining methods, and the key is to get the text-based scanners to fail. It has different variations of background color. Having all of these things means the emails don't necessarily meet any of the criteria for them to be considered spam," she said.

Symantec has reported that image spam now accounts for 25 percent of all spam in recent months.

Calling the new technique "Mr. Ransom," the anti-virus giant has seen emails containing the text of "The Master and the Margarita" as well as other works of Russian literature.

The spam emails appear to be identical to emails sent from Yahoo groups or other legitimate sources, according to Symantec.


Doug Bowers, senior director of anti-abuse engineering at Symantec, told today that randomization and slicing of images is key to image spam's success.

"This is similar to an approach we were calling 'Mr. Puzzle,' slicing up images to create what looked like a single image to a user," he said.

Researchers at IBM Internet Security Systems reported in September that spammers are now using multiple frames within animated .gif files to hide messages, bypassing most anti-spam gates.

A month before, CipherTrust said that the amount of image spam sent to users since June had tripled - now accounting for 30 percent of all spam sent. In May 2005, image spam made up only three percent of all spam messages.

Meanwhile, spammers have also turned to technical language to get spam into the hands of home users and employees. Researchers from MessageLabs reported seeing an increase in "geek spam" - email messages that use IT-related language to hide from filters - just two months ago.

Click here to email Frank Washkuch Jr.
