In the last six months, image-based spam has pushed its way to the forefront of spam technique discussions. Image-based spam is not new, but it is now wreaking havoc on the effectiveness of many anti-spam products.

Spam containing embedded images is called image-based spam. Its distinguishing feature is that the actual message of the spam is not contained in the text of the email, but solely within the image, which in turn looks like regular text (embedded text). The challenge for today's anti-spam products is to detect image-based spam even though there is no text available to indicate a spam-related topic. According to the IBM X-Force research and development team, image-based spam accounted for more than 40 percent of spam messages at the end of 2006. Image-based spam requires purpose-built detection methods in order to keep this share of spam from reaching end-users.

After a slow evolution in the early years of spam, in the last two years spammers have become much more innovative in their usage of image-based spam. To make it easier to see the progression, let's consider the "generations" of image-based spam.

Generation one: spam that loads images automatically from the internet

Rewind to 1997 and some of the first uses of images in spam messages. At this point, image-based spam messages did not contain any image files; rather, the images were loaded directly from the internet. Because the image was not part of the message, the actual spam message remained very small (generally less than 10k), saving bandwidth. The big value to spammers was that they could include the email address of the spammed user in the URL used for loading the image and consequently track the user. By opening the message and enabling the image to download, the end-user inadvertently verified his or her email address as active. In order to combat this first generation of image-based spam, anti-spam products used SURBL (Spam URL Real-time Block-lists) or large databases containing offending URLs to block the spam. As a by-product of this spam technique, email clients no longer load images from the internet automatically.
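The address tracking described above can be checked for mechanically. The following is an added example, not code from the article or any product: it lists remote image URLs in an HTML body that carry the recipient's address in plain, percent-encoded or base64 form. The base64 check goes beyond the text, and the sample body, hosts and address are constructed placeholders.

```python
import base64
from html.parser import HTMLParser
from urllib.parse import unquote, urlsplit

class ImgCollector(HTMLParser):
    """Collects the src attribute of every <img> tag in an HTML body."""
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag == "img" and src:
            self.sources.append(src)

def find_tracking_images(html_body, recipient):
    """Return remote image URLs whose path or query carries the recipient's address."""
    addr = recipient.lower()
    encoded = {base64.b64encode(addr.encode()).decode().rstrip("="),
               base64.urlsafe_b64encode(addr.encode()).decode().rstrip("=")}
    collector = ImgCollector()
    collector.feed(html_body)
    hits = []
    for src in collector.sources:
        parts = urlsplit(src)
        if parts.scheme not in ("http", "https"):
            continue  # cid: and data: images travel with the message, nothing is fetched
        target = unquote(parts.path + "?" + parts.query)
        if addr in target.lower() or any(tok in target for tok in encoded):
            hits.append(src)
    return hits

# Constructed sample message body; hosts and the address are placeholders.
RECIPIENT = "alice@example.test"
B64 = base64.b64encode(RECIPIENT.encode()).decode()
SAMPLE_HTML = f"""<html><body>
<img src="http://img.example.test/offer.gif?u=alice%40example.test">
<img src="https://cdn.example.test/logo.png">
<img src="cid:alice@example.test">
<img src="http://img.example.test/o/{B64}/pixel.gif">
</body></html>"""
```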

Generation two: spam that contains embedded images

Fast-forward to 2003 and second-generation image-based spam. Now, spam messages contain embedded images to circumvent blocking by email clients. The spam message size becomes noticeably larger, but fortunately for spammers, bandwidth has increased to the point that it is no longer a concern. Many of the embedded images are "clickable," which means there is still a URL available that the spammers can use to validate email addresses. To counter these techniques, anti-spam products could still rely on large databases or SURBL containing URLs to block the spam with reasonable effectiveness. Additionally, products began to use image fingerprints to block this type of spam.

Generation three: spam that contains embedded images with random variations

By 2005, spammers started using image variations, such as random borders, variations in background color or random pixels, to circumvent filtering. These image variations ensure that each image is unique. Another approach used by spammers is to randomly fragment the images. In reality, up to dozens of images are embedded in the message, but in the email client they look like one image or one continuous piece of text, much like a puzzle. This type of spam is much harder to filter out with traditional spam filtering techniques. The ability to perform basic image analysis is necessary in order to accurately determine image fingerprints that are still valid, even with variations, such as color palette changes and pixel movements.
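One way to build a fingerprint that stays valid under these variations, given as an added example that is not from the article or any product: it trims a flat frame, averages the picture into an 8x8 grid and compares fingerprints by Hamming distance. The average-hash technique, the pixel-list image model and the constructed 32x32 samples are assumptions of this example.

```python
import random

def trim(img):
    """Drop flat (single-valued) outer rows and columns, such as an added frame."""
    changed = True
    while changed and len(img) > 8 and len(img[0]) > 8:
        changed = False
        for _ in range(2):  # pass 1 works on rows, pass 2 (transposed) on columns
            if len(set(img[0])) == 1:
                img, changed = img[1:], True
            elif len(set(img[-1])) == 1:
                img, changed = img[:-1], True
            img = [list(col) for col in zip(*img)]
    return img

def fingerprint(img, size=8):
    """64-bit average hash: block means of the trimmed image, thresholded at their mean."""
    img = trim(img)
    h, w = len(img), len(img[0])
    cells = []
    for by in range(size):
        for bx in range(size):
            block = [img[y][x]
                     for y in range(by * h // size, (by + 1) * h // size)
                     for x in range(bx * w // size, (bx + 1) * w // size)]
            cells.append(sum(block) / len(block))
    mean = sum(cells) / len(cells)
    return sum(1 << i for i, c in enumerate(cells) if c > mean)

def hamming(a, b):
    return bin(a ^ b).count("1")

def make_image(dark):
    """Constructed 32x32 grayscale sample built from 4x4 cells (dark=40, light=200)."""
    return [[40 if dark(y // 4, x // 4) else 200 for x in range(32)] for y in range(32)]

def randomize(img, rng):
    """Constructed variant: brightness shift, 15 stray pixels, flat frame of random width."""
    out = [[v + 20 for v in row] for row in img]
    for _ in range(15):
        out[rng.randrange(32)][rng.randrange(32)] = rng.randrange(256)
    pad, shade = rng.randint(1, 4), rng.randrange(256)
    out = [[shade] * pad + row + [shade] * pad for row in out]
    flat = [shade] * len(out[0])
    return [flat] * pad + out + [flat] * pad

SPAM = make_image(lambda by, bx: (3 * by + 5 * bx) % 7 < 3)
VARIANT = randomize(SPAM, random.Random(7))
OTHER = make_image(lambda by, bx: (by + bx) % 2 == 0)
```

A byte-exact comparison treats SPAM and VARIANT as different images, while their fingerprints differ in at most a couple of bits and the unrelated OTHER image is far away.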

Generation four: spam that contains animated image files

Last year, fourth generation spammers began using animated GIFs to drive image-based spam distribution. This new technique opened the door to a wide variety of tricks, such as:

  • Using the first few frames to confuse the filters by showing them for only a few milliseconds before presenting the main frame.
  • Creating a combined spam message from many source frames using transparency schemes.

To be effective against these tricks, anti-spam products have to overlay the frames and simulate the animation to calculate an appropriate fingerprint.
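The frame overlay described above, as an added example that is not from the article or any product: frames are composited in order and the canvas that stays on screen longest is returned, so that it can be fingerprinted instead of any single source frame. The frame model (pixel lists with None for transparency, a per-frame delay, and only the "keep" and "restore to background" disposal modes) and the sample data are assumptions.

```python
import random

def render_visible(frames, width, height, background=255):
    """Play the frames in order; return (canvas shown longest, its display time in ms)."""
    canvas = [[background] * width for _ in range(height)]
    shown, shown_ms = None, -1
    for frame in frames:
        for y, row in enumerate(frame["pixels"]):
            for x, value in enumerate(row):
                if value is not None:      # None marks a transparent pixel
                    canvas[y][x] = value
        if frame["delay_ms"] > shown_ms:   # remember what the reader actually sees
            shown, shown_ms = [r[:] for r in canvas], frame["delay_ms"]
        if frame.get("dispose") == "background":
            canvas = [[background] * width for _ in range(height)]
    return shown, shown_ms

def sample_animation(message, parts, rng, background=255):
    """Constructed test input: a short-lived noise frame, then the message's pixels
    scattered over `parts` mostly transparent frames; the last one stays on screen."""
    h, w = len(message), len(message[0])
    noise = {"pixels": [[rng.randrange(256) for _ in range(w)] for _ in range(h)],
             "delay_ms": 10, "dispose": "background"}
    layers = [{"pixels": [[None] * w for _ in range(h)], "delay_ms": 10}
              for _ in range(parts)]
    for y in range(h):
        for x in range(w):
            if message[y][x] != background:
                layers[rng.randrange(parts)]["pixels"][y][x] = message[y][x]
    layers[-1]["delay_ms"] = 60000
    return [noise] + layers

# Constructed 6x12 black-on-white picture standing in for the rendered text.
MESSAGE = [[0 if (x * y + x) % 3 == 0 else 255 for x in range(12)] for y in range(6)]
ANIM_A = sample_animation(MESSAGE, 4, random.Random(1))
ANIM_B = sample_animation(MESSAGE, 6, random.Random(2))
```

Both sample animations render to the same canvas even though no individual frame matches it, which is why the fingerprint has to be taken from the simulated result.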

Generation five: spam that contains multi-colored backgrounds

Right now, spammers are implementing new techniques to circumvent more sophisticated image fingerprints. Much like the effect new zero-day viruses have had on anti-virus solutions, these types of image-based spam have the potential for individualization. For example, spammers have started to fill the background randomly with multicolored geometric forms. These images rely on botnets and are calculated in a way that makes each and every spam unique. Also notable, the text is often not placed on a rectilinear baseline but rather on a rolling one to circumvent optical character recognition (OCR). Countering these types of spam becomes much more difficult. To block this type of spam, anti-spam products must use sophisticated image structure fingerprints based on characteristics such as multicolored text, multicolored background, percentage of text, or color distribution.

Next generations

Animated image files, multicolored embedded text in images that cannot be easily separated from the background by an algorithm, or a combination of both provide many options to outwit new detection methods dedicated to image-based spam. Even by using all features of animated image-based spam to create corresponding detection methods (transparency of pixels, overlaying frames, showing the last frame several minutes after the frame before), there is no easy way to analyze these images without a significant increase in computing power. That being said, a preemptive email security vendor should be focused on the development of image-based spam detection methods that effectively detect these types of spam without straining performance, a formidable but necessary task.

Carsten Dietrich is director of content security at IBM Internet Security Systems