|
End-users around the world are reporting an
increase in spam. Much of this increase can be
attributed to a resurgence of spam in 2006 — driven
by the emergence of new, more sophisticated forms of
image spam. Early in the year we introduced
embedded image scanning and filtering, but stopped
using it because too many users were embedding
images compared to the lower volumes of image spam
at that time. Recently,
SpamRejection.com has re-tuned and re-enabled our
image scanning and filtering technology because the
number of image spam greatly outnumbers the
relatively few false positives. Most false
positives are created by users embedding images
unnecessarily.
Image spam is a technique with which spammers
use an image (jpg, gif, bmp or other graphic)
"embedded" into the main body of the email message.
These images advertise the "call to action" of their message as
part of an embedded file in the body of the email.
These images are automatically displayed to
end-users, and most programs like Outlook do not
have an option for turning off images that are
embedded into the text of a message. Content of the image itself remains hidden from
most spam filters. Often the image spam images
have unusual colors, dots and other attempts at
creating images designed to confuse image
scanning filters, but seem obvious to the human eye.
The increase in more complex image spam attacks
has caused spam capture rates across the email
security industry to decline, resulting in wasted
productivity and end-user frustration as more spam
gets delivered to their inboxes. The sheer increase
in the volume of spam, combined with a higher
percentage of larger-sized spam, is also clogging
the email infrastructure as many mail systems are
unable to keep up with these spam volumes.
This document summarizes (1) the recent trend in
image spam, (2) why it is difficult to detect, (3)
how SpamRejection.com protects customers from this
increasing threat, and (4) What you can do to
eliminate the image spam threat.
Fueled by a worldwide increase in
image spam, overall spam volumes surged in the
second quarter of 2006. According to industry tracking databases, spam volumes leveled off in
2005, but surged again in the second quarter of
2006. These tracking databases claim that
worldwide spam volumes grew from approximately 30
billion messages per day to over 50 billion over the
last 12 months. A 40 percent increase
in spam volumes during 2006 2nd Quarter alone has
been observed. This means that,
even if the spam capture rate is held constant, the
average end-user will have noticed 40 percent more
spam in their inbox since April of 2006.
Much of this increase in overall spam volume can
be attributed to the growth in image spam. Image spam rose from around 3 percent of spam
a year ago to over 20 percent today. When overall
spam volumes spiked in Q4 '05 and Q2 '06, image spam
was fueling the increase.
The root cause behind this sharp increase in spam
volumes is money. Spammers are single-minded: they
send spam to make money. The more messages that are
delivered to inboxes, the better the chances
recipients take action on the messages, resulting in
more income for spammers.
Randomized
image spam is especially difficult for most spam
filters to detect — causing more of the spam to get
delivered. Spammers can also make their images
appear quite normal and compelling to users,
resulting in higher response rates. Since neither factor is likely to change in the near-term,
SpamRejection.com expects image spam to remain a problem for
the foreseeable future. SpamRejection.com has also seen
spammers innovate rapidly in their use of image
spam, suggesting that image spam will soon become
even more challenging to detect.
Image spam has been around for years. It was
originally created in order to get past "heuristic"
filters, which block messages containing words and
phrases commonly found in spam. Since image files
are in an entirely different format than the text
found in an email, heuristic filters never "see" the
content of the message. Therefore, these filters
were easily defeated by this type of spam.
There is an almost infinite number of ways that
spammers can randomize images. In addition to
inserting dots, spammers have recently used
techniques such as varying the colors used in an
image, changing the width and pattern of the border,
altering the font style, and "slicing" images down
into smaller pieces (which are then reassembled to
appear as a single image to the recipient).
SpamRejection.com Anti-Spam Service ™ uses a unique, multi-layered
approach that stops over 99 percent of image-based
spam, with low false-positives. The first
layer of defense is powered by SpamRejection.com's
proprietary databases and scanning strategy which
can utilize 32 different scanning/analysis
techniques. This is followed
by an inner layer of image spam protection powered
by SpamRejection.com's Image Spam Pattern
Recognition technology.
To the human eye, image spam is extremely
recognizable. In fact, this is one of the properties
of image spam that make it attractive to the spammer
— they don't have to go to nearly the same lengths
to obfuscate their content when sending image spam
to avoid filtering as they do with traditional text
spam. But, if this spam is so obvious to the
end-user, why can't spam filters identify it?
The challenge is that humans interpret the
content of messages using a much richer data set
than just the text displayed. Attributes such as
image color, shape, font size and type, graphics and
many other characteristics also shape a reader's
perception of a message. This information is
entirely hidden from traditional content filters —
and technologies like OCR only capture a fraction of
this information.
SpamRejection.com's Image Spam Pattern
Recognition matched with other scanning and analysis
techniques stop the spam. Due to the challenge
to our programming, though, some false positives due
to Image Scanning can be expected if users continue
to embed images instead of attaching them.
This is simple, don't EMBED images in your
emails and have your senders ATTACH IMAGES NOT EMBED
IMAGES
in their emails to you. People embed images
because it is easy to copy and paste into an email
than to insert an attachment. This habit needs to
change if we are going to prevent the spammers from
beating us on this. Images can be safely
attached to emails and SpamRejection.com does not
scan attached images for image spam signatures because
spammers don't use attachments for image spam. SpamRejection.com will scan
attachments for viruses and mal-ware as always.
Image spam has exploded in 2006
and will drive spam growing into 2007, as spammers have
found it to be an effective means of bypassing
traditional spam filters. The flood of image spam is
frustrating end-users and taxing the already
strained email infrastructures of many companies.
Spammers have rendered traditional anti-spam
technologies ineffective by hiding content in
embedded images and subtly randomizing these images
so that each message appears unique to spam filters.
Some anti-spam vendors are looking towards
introducing OCR technology to stop this problem.
Unfortunately, this technology is too slow for many
customers and can easily be defeated by simple
changes in spammer tactics.
SpamRejection.com has taken a fundamentally different
approach to the problem. By interpreting image
content more along the lines of how a human would
interpret the image, using Image Spam Pattern
Recognition, SpamRejection.com has turned the spammers' own
techniques against them. In their efforts to defeat
traditional anti-spam systems, image spammers are
leaving behind subtle traces that SpamRejeciton.com's Anti-Spam
is using to stop over 99 percent of their messages.
Even though you have the very best email protection
available anywhere, check your quarantine web
page at least weekly for problems caused by
other companies email systems and/or practices.
SpamRejection.com technology
protects the infrastructures of organizations
worldwide; not only from today's threats, but also from
those certain to evolve in the future.
Matthew J. Rainoff
Edited November 1, 2006
|