
Beyond v1@gr@ – spam’s new image

We've all heard about the recent rise in spam, and while I dislike spam as much as the next person, I recently received a spam message that got me quite excited.

Now you may ask yourself why anyone would be happy about getting spam, any spam, in their inbox, especially someone who works for one of the leading anti-spam vendors. Well, that's exactly why I like to see spam. In fact, I have no spam controls on my account, for the very purpose of seeing what is being sent and how the spammers are trying to get through today's corporate defenses. This recent message used a technique that we are increasingly seeing from spammers, one designed specifically to fool today's anti-spam technologies. And in all honesty, it is an effective one. I am, of course, talking about image spam.

In the last six months, spam rates have tripled and image spam accounts for nearly 35 percent of overall traffic. Image spam is the latest tactic for bypassing current anti-spam technology. In fact, on any given day, over 25 image spam campaigns are being run resulting in lost productivity and end-user frustration. Not to mention, more image spam is making its way to your inbox. As a result, organizations are struggling to protect against this latest threat in spam attacks.

From the very first spam sent about 30 years ago in 1978, when a staff member of DEC (Digital Equipment Corporation) sent a message internationally to thousands of Arpanet addresses, we have seen the tricks and exploits of the spammers morph and evolve in an effort to get their unsolicited message into your mailbox. In the past, there was an inherent limitation to what they could deliver to you, as email was solely text based. However, as email advanced, for example with the move to HTML, spamming techniques advanced with it.

In this article, I will discuss some examples that demonstrate how the spammers have evolved their techniques to combat anti-spam methods, making spam a continuing daily and evolving struggle for organizations of all sizes.

Let the games begin
As I mentioned, spam started off as simple text messages advertising products and services - fraudulent or real is immaterial, the mail was unsolicited. Commercial and free solutions came about to block these messages by relying on textual analysis of the email (i.e., checking certain words in the message against lists of known spam words). This technique evolved to use "weighted" lists of words, where a particular word would be evaluated as being more "spammy" than another. By analyzing all the words in the mail and calculating an overall score, the final value would determine whether the message was spam or not. For example, if a message had 100 words and 10 of them were Viagra, there was a good chance it was a spam message.

So how did the spammers get around this? As the title suggests, they started substituting characters within a word to break up the pattern, producing words like v1@gr@, where the dictionary match would be lost but the human eye could still read the word. So the filters had to become more intelligent, and were designed to look for all combinations of letters, numbers and symbols.

As email clients, for example Microsoft Outlook, got more sophisticated, and consumer usage of email increased, HTML was introduced that enabled users to make the mail "pretty" by inserting formatting such as bold, italics, fonts, colors, etc. Now spammers had a lot more to play with than just substituting characters for letters. They could use HTML formatting to change the way the text of the message presented itself to the anti-spam solutions, while the visual effect for the reader would remain the same. For example, Cialis could be hidden by inserting an HTML comment tag in the middle of the word, as in Cia<!-- -->lis, which hides the word from a spam filter that reads the raw text, but when the HTML is rendered the comment is dropped, leaving a human-readable word.

These two techniques are important because they are the origins of what is known as image spam. Both of these techniques took an unusual way of hiding the actual message in an email in such a way that the human eye would perceive what the spammer wanted to get across, even if it really wasn't there. Think of v1@gr@ again.
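The following is an added example, not code from the article or from BorderWare, showing why a filter has to reduce a message to what the reader will actually see before it scores words. It combines the two evasions just described: a weighted word list (the word list and weights are constructed for the demo, not any vendor's real list), a character-substitution map for the v1@gr@ trick (an assumption about which substitutions to undo), and removal of HTML comments so that Cia<!-- -->lis scores as cialis. A naive scorer that tokenizes the raw body is kept alongside to show what it misses.

```python
import html
import re

# Constructed weighted word list; the weights are illustrative assumptions.
SPAM_WORDS = {"viagra": 5.0, "cialis": 5.0, "pills": 2.0, "free": 1.0}

# Digit/symbol substitutions to fold back to letters (v1@gr@ -> viagra).
# The set of substitutions is an assumption chosen for this demo.
LEET_MAP = str.maketrans({"1": "i", "!": "i", "@": "a", "0": "o",
                          "$": "s", "3": "e", "|": "l"})

HTML_COMMENT = re.compile(r"<!--.*?-->", re.DOTALL)
HTML_TAG = re.compile(r"<[^>]+>")


def render_text(body):
    """Reduce an HTML body to the text a reader sees: strip comments first
    (so 'Cia<!-- -->lis' becomes 'Cialis'), then tags, then entities."""
    text = HTML_COMMENT.sub("", body)
    text = HTML_TAG.sub(" ", text)
    return html.unescape(text)


def normalize_token(token):
    """Lower-case a token, undo character substitutions and keep letters only."""
    token = token.lower().translate(LEET_MAP)
    return re.sub(r"[^a-z]", "", token)


def naive_matches(body):
    """The early approach: exact lookup of raw whitespace-separated tokens."""
    return [t for t in body.lower().split() if t in SPAM_WORDS]


def score_message(body):
    """Return (weight per word, matched normalized terms) for a message body."""
    words = render_text(body).split()
    if not words:
        return 0.0, []
    matched = []
    total = 0.0
    for w in words:
        n = normalize_token(w)
        if n in SPAM_WORDS:
            total += SPAM_WORDS[n]
            matched.append(n)
    return total / len(words), matched


def is_spam(body, threshold=0.5):
    """Flag the message when the average weight per word crosses the threshold
    (threshold value is an arbitrary choice for the demo)."""
    score, _ = score_message(body)
    return score >= threshold


if __name__ == "__main__":
    # Constructed sample message exercising both evasions.
    sample = "Buy v1@gr@ and Cia<!-- -->lis now"
    print("naive matches:", naive_matches(sample))
    print("normalized   :", score_message(sample))
```

Running the block shows the naive tokenizer matching nothing while the normalized scorer recovers both brand names; the order of operations matters, since the comment must be removed before tokenizing or the word stays split across two tokens.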

Anti-spam tactics
A number of techniques have been brought to market in an attempt to address the issue of identifying image spam.

One technique is fingerprinting, used to identify and count the unique aspects of a message. With respect to image spam, this often means counting images based on size, color and other characteristics. Unfortunately, spammers have found ways to combat this technique by adding random patterns of text to the end of each message, hiding text in HTML with a text color the same as the background, varying the dimensions of the images, and by slightly changing the colors of the images.

Another popular anti-image spam technology is optical character recognition (OCR), which relies on characters being a consistent color and recognizable shape. However, OCR technology, while it has advanced greatly in the last 10 years, is still not good enough and is very CPU intensive. Spammers have also learned how to defeat OCR by varying the font colors, hiding spam-type words, and by using uncommon or rare fonts.

Anti-anti-spam spam
As the anti-spam community develops new techniques, the spam community is investing just as heavily in counter techniques. Spammers are now implementing more sophisticated methods to circumvent the anti-spam solutions - or what can be referred to as anti-anti-spam spam.

The spammers won't win
In an effort to address these tactics, a new anti-image spam technology - image characterization - is getting recognition in the industry. This method analyzes the spam image and builds a characterization of the message by tracking 30 different pieces of information about it that mimic the way the human eye perceives the image. Early tests with this method have proven successful, and there are hopes that this will be the tactic that finally puts an end to image spam.
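As an added example (not code from the article or from BorderWare), the block below contrasts the exact fingerprinting described under "Anti-spam tactics" with the coarser characterization approach described here. Images are represented as plain rows of RGB tuples so the example runs without an imaging library; the sample image is constructed (a flat background with one dark rectangle standing in for rendered text), and the four features used for characterization are illustrative assumptions, not the 30 pieces of information the article refers to. The point it demonstrates is that a byte-exact hash changes when a spammer jitters the dimensions or nudges the colors, while bucketed features still place the variant in the same group.

```python
import hashlib


def make_image(width, height, bg=(255, 255, 255), fg=(20, 20, 20),
               box=(5, 5, 30, 12)):
    """Constructed sample image: flat background plus one dark rectangle.
    Returns (width, height, rows), rows being lists of RGB tuples."""
    x0, y0, x1, y1 = box
    rows = []
    for y in range(height):
        rows.append([fg if (x0 <= x < x1 and y0 <= y < y1) else bg
                     for x in range(width)])
    return width, height, rows


def shift_colors(img, delta):
    """Spammer-style perturbation: nudge every channel by a few units."""
    w, h, rows = img

    def clamp(v):
        return max(0, min(255, v + delta))

    return w, h, [[tuple(clamp(c) for c in px) for px in row] for row in rows]


def exact_fingerprint(img):
    """Byte-exact hash of dimensions and pixels; any one-pixel edit breaks it."""
    w, h, rows = img
    hasher = hashlib.sha256(f"{w}x{h}:".encode())
    for row in rows:
        hasher.update(bytes(c for px in row for c in px))
    return hasher.hexdigest()


def quantize(px, bits=4):
    """Reduce each channel to `bits` bits so near-identical colors collide."""
    shift = 8 - bits
    return tuple(c >> shift for c in px)


def characterize(img):
    """Coarse characterization from a few assumed features, each rounded into
    a bucket so that small edits to size or color land in the same bucket."""
    w, h, rows = img
    n = w * h
    quantized = [quantize(px) for row in rows for px in row]
    counts = {}
    for q in quantized:
        counts[q] = counts.get(q, 0) + 1
    background = max(counts, key=counts.get)
    # "Ink" = dark pixels: sum of three 4-bit channels below 24 (avg < 8/15).
    ink = sum(1 for q in quantized if sum(q) < 24) / n
    return {
        "aspect": round(w / h * 4) / 4,          # quarter-step aspect ratio
        "ink_fraction": round(ink * 20) / 20,    # 5% steps
        "palette_bucket": min(len(counts), 64) // 8,
        "background": background,
    }


def same_campaign(a, b):
    """Treat two images as the same campaign when every bucketed feature agrees."""
    return characterize(a) == characterize(b)


if __name__ == "__main__":
    base = make_image(40, 20)
    # Variant with jittered dimensions and shifted colors, as a spammer would send.
    variant = shift_colors(make_image(42, 21), 3)
    print("exact hashes equal :", exact_fingerprint(base) == exact_fingerprint(variant))
    print("same characterization:", same_campaign(base, variant))
```

The bucket widths decide the trade-off: coarse enough to absorb the jitter spammers add, fine enough that an unrelated image (a different layout or background) still lands in a different group, which is what the negative case in the test checks.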

What's next?
As organizations see the convergence of their networks, they will face a new threat landscape involving multiple attacks across a variety of protocols beyond just email, including instant messaging and VoIP. As new blended threats emerge such as VoIP phishing attacks, the ability of organizations to protect their communications infrastructure will become more difficult and complex.

The battle against spam is one that is far from over, but new solutions being developed today are pushing the envelope in protecting against the spammers' latest attempts to get into our inboxes and into our wallets.

-Andrew Graydon is CTO of BorderWare Technologies. 
