"A picture is worth a thousand words," goes the old saying. What is true in art and journalism is proving equally apt in the more modern field of spam. As the recent surge in image-based spam shows, pictures can be a very effective way to get a message across – or at least through a victim's anti-spam filter.
Richi Jennings, senior analyst for Ferris Research, an IT analysis firm specializing in messaging technologies, says that the number of image spam emails has increased tenfold – or 900% – over the past year.
Much of it is coming from botnets, or networks of PCs that have been infected with a virus and turned into unwitting SMTP servers for spammers. With the computing power of thousands of PCs at their disposal, the spammers are able to send out more messages and be more creative in their approach, he notes.
Frank Guillotti, director of IT for supply and contract management software vendor Emptoris Inc., based in Burlington, Mass., has seen substantial growth in image spam. Six months ago as much as 60% of employee mail was spam, with nearly a third of that in the form of image spam, he said. "People had to go through and delete it, and some of it was relatively offensive. People just don't have the time for that," Guillotti said.
Spam not only offends employees and wastes their time, but also exposes them to potential fraud. Spam also can overwhelm email servers and slow network performance. Image spam is a particularly heavy consumer of bandwidth and storage space. While a text-based spam message usually runs 5 to 10KB, the typical size of image spam ranges from 10 to 100KB, Jennings said.
"That can have an impact on the performance of the email and delay legitimate messages," he said.
Typical defenses against image spam include reputation-based filtering, behavior-based filtering, and content analysis. But it's on the content analysis side that software vendors are struggling to keep up with new image spam tactics.
For example, says Amir Lev, chief technology officer of Commtouch Software, an anti-spam software and service provider based in Netanya, Israel, spammers have learned to make small changes to an image to evade detection.
"The spammers randomize the image so that it's difficult to identify it as part of a spam attack," Lev said. "They'll add pixels, random lines, an animated GIF, or tilted lines instead of straight lines." That is how spammers were able to flood the inboxes of customers at Denver-based USA.NET, a network provider, said Victor Silva, senior director of client services for USA.NET.
"We were doing a good job of blocking regular spam, but image spam was getting through," Silva said. "We started hearing complaints from several large customers, with C-level executives even calling us directly."
USA.NET solved the problem in two ways. It blocked emails from IP addresses known to send spam, and it asked its anti-spam software provider, Symantec, to improve its ability to detect image spam, which Symantec did.
A multi-layered spam filter is best, Jennings said.
"The vendors that are doing a good job are applying a cocktail of approaches," he said, adding that the best location for a spam filter is at the network perimeter, rather than on the mail server or client.
"At the perimeter you can tell where the message is coming from and look up its reputation," Jennings said. "You can see the behavior of the sender. But once you've accepted the message and sent it on to the Exchange server or client, all of that information is gone."
What should enterprises expect next from spammers? Lev predicts image spam with handwriting instead of printed text, as well as audio messages.
"They will keep on adding tricks," he says. "If the trick is successful, then they'll use it in a full-blown attack."