You've installed keyword-based spam filters and invested countless staff hours tuning their performance to suit your environment. Perhaps you've even gone the extra mile and implemented an advanced spam detection system that utilizes statistical analysis techniques like Bayesian filtering. You should be good to go, right?
Unfortunately, the threat environment is changing once again. Like the classic battle between authors of malicious code and antivirus firms, spammers investigate new technologies in an effort to stay one step ahead of spam filters. Spammers' latest technique involves image spam -- messages that contain little more than a link to an image that is rendered in an HTML mail reader. The image, of course, contains the spam message that you hoped to avoid.
Recent reports indicate that image spam is on the rise. Antispam vendors (who certainly have a vested interest in scaring us about spam!) report that image spam accounts for 15-25% of all spam sent in the first half of 2006. Spammers are also getting sneakier, using techniques like image tiling to avoid simple image spam filtering techniques.
Here's an example of image spam that made it through my spam filter:
To the casual observer, this message appears to be a standard text-based email complete with hyperlinks. Only a careful look reveals that the entire message is actually an image. The message didn't contain any text, just the HTML code to display this image. My spam filter apparently didn't recognize the source of the message as a known spammer and there weren't any keywords to analyze, so it arrived in my inbox.
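The structural signature just described, an HTML body that renders an image but carries no readable text, is something a filter can score directly. The following is an added example, not code from the article or from any antispam product it mentions: it parses a MIME message with Python's standard `email` library, strips HTML tags to measure how much text a reader would actually see, and counts the images the message displays, flagging image-only messages and the tiled variant the vendors report. The sample messages, the 40-character text threshold and the tile count are constructed assumptions for illustration.

```python
"""Heuristic image-spam check: flag messages that display images while
carrying almost no readable text.  Added example; thresholds and sample
messages are assumptions, not figures from the article."""
import email
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser


class _TextAndImages(HTMLParser):
    """Collect visible text and count <img> tags from an HTML body."""

    def __init__(self):
        super().__init__()
        self.chunks = []
        self.img_tags = 0
        self._hidden = 0  # nesting depth inside <script>/<style>, never rendered

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.img_tags += 1
        elif tag in ("script", "style"):
            self._hidden += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._hidden:
            self._hidden -= 1

    def handle_data(self, data):
        if not self._hidden:
            self.chunks.append(data)

    def visible_text(self):
        # Collapse whitespace so stray newlines do not count as readable text
        return " ".join("".join(self.chunks).split())


def extract_features(raw_message: bytes) -> dict:
    """Walk every MIME part and return the counts the heuristic scores."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    text, img_tags, image_parts = "", 0, 0
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "text/html":
            parser = _TextAndImages()
            parser.feed(part.get_content())
            text += " " + parser.visible_text()
            img_tags += parser.img_tags  # counts remote (http) and inline (cid) images alike
        elif ctype == "text/plain":
            text += " " + part.get_content()
        elif part.get_content_maintype() == "image":
            image_parts += 1
    return {
        "visible_chars": len(" ".join(text.split())),
        "img_tags": img_tags,
        "image_parts": image_parts,
    }


def classify(raw_message: bytes, min_text_chars: int = 40, tile_threshold: int = 4) -> str:
    """Return 'image-spam', 'tiled-image-spam' or 'ok'.

    Assumed thresholds: a message that shows images but has fewer than
    min_text_chars readable characters gives a keyword or Bayesian filter
    nothing to work with; one sliced into tile_threshold or more image
    parts is the tiling trick used to evade simple image blocklists.
    """
    f = extract_features(raw_message)
    shows_images = f["img_tags"] > 0 or f["image_parts"] > 0
    if shows_images and f["visible_chars"] < min_text_chars:
        return "tiled-image-spam" if f["image_parts"] >= tile_threshold else "image-spam"
    return "ok"


# --- Constructed sample messages (not real spam) ---------------------------
FAKE_GIF = b"GIF89a" + b"\x00" * 16  # placeholder bytes, not a valid picture


def build_image_only(tiles: int = 1) -> bytes:
    """HTML body that renders only inline image(s) and carries no text."""
    cids = [f"<tile{i}@example.invalid>" for i in range(tiles)]
    body = "".join(f'<img src="cid:{c[1:-1]}">' for c in cids)
    msg = EmailMessage()
    msg["From"] = "someone@example.invalid"
    msg["To"] = "you@example.invalid"
    msg["Subject"] = "Hot stock alert"
    msg.set_content(f"<html><body>{body}</body></html>", subtype="html")
    for c in cids:
        msg.add_related(FAKE_GIF, "image", "gif", cid=c)  # becomes multipart/related
    return msg.as_bytes()


def build_legitimate() -> bytes:
    """Plain-text message with a written body and a picture attached."""
    msg = EmailMessage()
    msg["From"] = "colleague@example.invalid"
    msg["To"] = "you@example.invalid"
    msg["Subject"] = "Photo from the offsite"
    msg.set_content("Hi, here is the photo from yesterday's offsite. Thanks for organising it!")
    msg.add_attachment(FAKE_GIF, maintype="image", subtype="gif", filename="offsite.gif")
    return msg.as_bytes()


if __name__ == "__main__":
    for label, raw in [("image-only", build_image_only()),
                       ("tiled", build_image_only(tiles=6)),
                       ("legitimate", build_legitimate())]:
        print(label, extract_features(raw), "->", classify(raw))
```

The check deliberately keys on structure rather than image content, so it applies equally to an image embedded in the message and to a remote image loaded by URL. In practice this score would be one input among several (sender reputation, URL checks, Bayesian output), since a newsletter that is mostly pictures can trip a text-ratio rule on its own.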
The image above doesn't contain any clickable links and it's unlikely someone would be so enthralled with a spam message that they would type the URL into their browser. So why do spammers use this technique? The majority of these messages are classic "pump and dump" stock scams, where the spammer invests in a stock and then sends out messages hyping the stock, hoping to inspire a quick, profitable run.
Is it effective? I certainly can't prove a cause-and-effect relationship, but I received this message around 9 a.m. on the day of writing this tip. The previous day's closing price for this penny stock was $0.090 and the next day's close was $0.115. That's a 27.78% single-day gain. Some spammers are probably sitting pretty (provided the SEC doesn't get to them first!).
What's the big deal? First, consider the bandwidth your organization loses to traditional spam. You can safely multiply that figure several times when those messages lead to image downloads. There's also a more nefarious risk at play here. Consider the "extremely critical" Windows image flaw discovered late last year. Image spam offers attackers another vector to exploit similar vulnerabilities when they're discovered.
First, the best security measure against image spam is tried-and-true end user awareness. Make sure your users are aware of this risk and understand the classic instructions about responding to spam and phishing attempts. Second, consider updating your antispam infrastructure. Vendors are aware of this threat and are investing in research to improve their products' detection capabilities. If you're already running an enterprise antispam solution, you may be able to get a free upgrade as part of your maintenance agreement.
Image spam is just the latest salvo in the battle between spammers and those of us who just want to peacefully send and receive email. Watch as technologies evolve to battle this threat, and don't expect it to be the last novel attack against our infrastructures.
About the author
Mike Chapple, CISSP is an IT Security Professional with the University of Notre Dame. He previously served as an information security researcher with the National Security Agency and the U.S. Air Force. Mike is a frequent contributor to SearchSecurity, a technical editor for Information Security magazine and the author of several information security titles, including the CISSP Prep Guide and Information Security Illuminated.
This was first published in August 2006