Image Spam: Getting the Picture?

April 5, 2007

Spam. We’ve all seen enough of it. But just as familiarity has bred contempt (and stopped most email users responding to it), spammers have come up with a new technique to snare the unwary and get around corporate security measures.

The spammers’ latest technique involves image spam – emails that contain little more than an image embedded into the body of the message. The image, of course, contains the spam message that you hoped to avoid.

So what is image spam? How much of a threat is it? And more importantly, how can you ensure that your staff are protected against that threat?

Image spam – a snapshot

With image spam, the content is simply contained within an image embedded into the message body, in an attempt to bypass filtering protection layers.

This type of spam has a much greater drain on network and bandwidth resources than text spam, because the images mean a larger file size. For example, a “traditional” text spam averages 5kb in size, while an image spam message is 360% larger with a size of 23kb. While 23k is not much on its own, multiply that by the millions of spam emails sent every day, and the scale becomes apparent.

In the last six months of 2006, 40% of all spam was image-based, which is a doubling in volume over the previous six-month period. This spike is likely due to spammers testing the viability of image spam. Now that the format’s effectiveness has been demonstrated, SurfControl has seen that spammers have converted more of their text-based messages to image spam, and the image spam volumes continue to rise dramatically.

Why has this shift happened? Well, just like the classic battle between authors of malicious code and antivirus firms, spammers are investigating new technologies and trying new tricks in an effort to stay one step ahead of spam filters and promote their dubious offerings. After all, for them it’s a business.

Many spam filters, especially older or less sophisticated ones, rely upon certain text criteria on which to make judgments. Such filters typically watch for predetermined words in the subject lines of e-mail messages, suspicious word patterns and word frequency. Image spam is not easily stopped by such basic filters, because it contains random words to make it appear legitimate.

Know the enemy

So what does image spam look like? The message body of a typical image spam e-mail comprises three components. The first component is a short section of random text at the beginning of the message, which is then followed by the second component — the image file, which is typically an image of text with the spam content. The last component is a lengthy section of random text at the bottom of the message body, which attempts to fool unsophisticated spam filters.

The images typically don’t contain any clickable links that take the viewer to a website, and it’s unlikely someone would be so enthralled with a spam message that they would type the URL into their browser.
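As an added illustration (not code from the original article or from any vendor's product), the three-part layout described above can be measured straight from the MIME structure, and the same profile shows why a keyword filter of the kind described earlier finds nothing to match. The keyword list, thresholds, helper names and both sample messages are constructed assumptions.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

SPAM_WORDS = {"stock", "shares", "buy", "profit"}  # assumed keyword list
URL_RE = re.compile(r"https?://|www\.", re.I)
FAKE_GIF = b"GIF89a" + b"\x00" * 32  # constructed placeholder, not a real image

def build(lead: str, trail: str = "") -> bytes:
    """Constructed message: text part, inline image, optional trailing text part."""
    msg = EmailMessage()
    msg["Subject"] = "re: notes"
    msg.set_content(lead)
    msg.add_attachment(FAKE_GIF, maintype="image", subtype="gif", disposition="inline")
    if trail:
        msg.add_attachment(trail, disposition="inline")
    return msg.as_bytes()

def profile(raw: bytes) -> dict:
    """Count the words before and after the first image part."""
    lead, trail, images = [], [], 0
    for part in message_from_bytes(raw, policy=policy.default).walk():
        if part.get_content_maintype() == "image":
            images += 1
        elif part.get_content_type() == "text/plain":
            (trail if images else lead).extend(part.get_content().split())
    words = lead + trail
    return {
        "images": images,
        "lead_words": len(lead),
        "trail_words": len(trail),
        "has_url": bool(URL_RE.search(" ".join(words))),
        "keyword_hit": bool(SPAM_WORDS & {w.lower().strip(".,!") for w in words}),
    }

def looks_like_image_spam(p: dict) -> bool:
    """Assumed thresholds: short lead-in, an image, no link, far longer trailing filler."""
    return (p["images"] >= 1 and not p["has_url"]
            and 0 < p["lead_words"] <= 20
            and p["trail_words"] >= 5 * p["lead_words"])

# Constructed samples: one with the three-part layout, one ordinary photo mail.
SPAM = build("willow kettle anchor",
             " ".join(["meadow lantern copper harbor violet"] * 40))
PHOTO = build("Here is the photo from the team offsite last week.")
```

A structural rule like this is only one signal; it would normally feed a score alongside sender reputation and OCR of the image rather than decide on its own.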

So why do spammers use this technique? The majority of these messages are classic “pump and dump” stock scams, where the spammer invests in a stock and then sends out messages hyping the stock, hoping to inspire a quick, profitable run.

And it seems that it can work. Some observers have watched the price movements in shares being hyped by image spam, and have seen gains of over 25% in the days following a spam campaign. So there is cause and effect at play.

Protect against the image

So what measures can organisations take to protect their business and their employees against image spam, without impacting on network performance and productivity levels?

The most effective protection against image spam and other emerging threats is a layered approach. By implementing solutions through layered deployments, you yield tremendous savings in network resources, bandwidth and overall administration, while ensuring that business security and compliance requirements are most efficiently met.

The first security measure against spam is tried-and-tested end user awareness. By making sure your users understand the risk of responding to spam and phishing attempts, you’ll reduce the impact of spam on your network and business operations.

But user awareness should be backed up by enforcement, too. The advent of image spam is causing many problems through its ability to defeat many traditional e-mail filters. You should review your Internet security and understand what technologies your vendor is using to protect your organisation. Today’s most effective and sophisticated solutions combine a variety of intelligent image spam detection technologies, including a heuristics engine, a reputation service, and targeted Optical Character Recognition (OCR) technology.

Layering these advanced technologies with deployment on the network and an in-the-cloud email filtering solution provides the greatest level of protection. In-the-cloud filtering removes large volumes of spam before it reaches the gateway, protecting valuable network resources as well as maximising the overall image spam detection rate.

Layering protection

There’s no one-stop point solution which will protect your organisation against all incoming spam. It therefore makes sense that by layering a number of different solutions, you’ll succeed in creating a more robust, comprehensive filtering solution which will minimise the threat of spam emails entering the network.

A layered approach also offers greater control over inbound and outbound email, with the ability to closely manage traffic. With the rise in the number of spam emails, many organisations are choosing to add an additional email filter layer in the cloud, in order to filter out the vast majority of spam before it hits the network. In this way, organisations can free up bandwidth, reduce ISP costs, and remove the expense of having to upgrade servers to cope with additional load.

For businesses that need to perform deeper content inspection, whether for confidential data management, for compliance regulations, or to prevent sensitive and confidential information leaving the network, adding another security layer using an appliance-based solution provides granular content filtering.

Plan today for the threats of tomorrow

Image spam is just the latest threat that is damaging e-mail performance as a business-critical tool. Its ability to defeat many traditional e-mail filters has raised the issue of reviewing e-mail security, and there are options available that can improve the capture rate of image spam. However, in any review of security technology an organisation must look ahead and ensure that a solution not only solves today’s issues, but has the technology and deployment model to protect against tomorrow’s unknown threats too.
