Manage Learn to apply best practices and optimize your operations.

Will only allowing whitelist email messages stop image spam?

Some organizations automatically delete email messages that contain images that are not from whitelist senders. That technique can combat image spam to a certain degree, says Michael Cobb. In this AtE, the application security expert explains what else needs to be done.

In order to thwart image spam, our organization automatically deletes email messages containing images that are not from senders on our whitelists. Do you recommend this strategy, and is there a better one that we should consider?
Image spam has become a significant problem for both spam-filtering systems and system administrators. This unsolicited messaging technique presents the text of a spam email as a picture in an image file. Because spam-filtering programs are mainly built to detect patterns in an email message's ASCII text, image spam has been highly effective in circumventing filters. Detection applications that utilize optical character recognition do not fare much better; obfuscation techniques make it easy for spammers to hide the text from machine-based readers while still leaving the message legible. Ironically, while Web sites are using CAPTCHAs (an image of distorted text) to tell whether the user is human, spammers are using the same basic techniques to bypass spam filters. The result is a noticeable rise in the amount of spam arriving in users' inboxes.

Your approach of automatically deleting non-whitelist email messages will certainly keep image spam to a minimum -- in fact, close to 100%. When it comes to tackling spam, whitelists are certainly a better approach than blacklists. Spammers continually create new email addresses to send messages from, or new keywords to use in their email, so blacklists are nearly always out of date.

A major drawback of whitelists, however, is their inordinate number of false positives. With whitelists, it's easy for a number of genuine emails to be deleted. An email from a potential supplier, for example, may include a corporate logo. Unless the company is already on the whitelist, the email will be deleted.

Trying to avoid the number of false positives requires an up-to-date whitelist. Maintaining this catalog of trusted sources is another drawback. Whether you use specific email addresses, IP addresses or trusted domains, gathering the list can be a very time–consuming and labor-intensive task.

If most of your legitimate email comes from a relatively small and fixed set of senders, then I would stick with your current tactic. The effectiveness of the strategy justifies the work involved in maintaining the list. However, if your users are likely to register for online services or subscribe to online newsletters, you could run into problems. For example, if you don't immediately add a new email source to your whitelist, or if the domain or IP address is entered incorrectly, the communication will fail. In these circumstances, instead of deleting emails containing images, I would quarantine them. Then, the recipient can quickly review the "from" and "subject" fields before allowing them to be downloaded to his or her inbox. Most gateway spam filters provide this type of functionality.

You could also institute a challenge-response test. When an unknown sender writes an email to one of your users, the system can automatically send a challenge back to the sender. The sender has to respond to this email in order for the message to be delivered. Since spammers are unlikely to bother with a response, the approach can be an effective one. The technology can be irritating, however, for your genuine correspondents.

Unfortunately, there's no perfect antispam strategy, but you should definitely back up your technology-based defenses with security awareness training and a strong email policy. Many users are still unaware of the often malicious nature of spam.

More information:

  • Spammers that target enterprises are switching from image spam to emails containing PDF attachments.
  • Learn why simple antispam filters aren't enough to stop the image spam problem.
  • This was last published in September 2007

    Dig Deeper on Email and Messaging Threats-Information Security Threats

    Have a question for an expert?

    Please add a title for your question

    Get answers from a TechTarget expert on whatever's puzzling you.

    You will be able to add details on the next page.

    Start the conversation

    Send me notifications when other members comment.

    Please create a username to comment.