Vendors warn of growing threat of spam embedded with image files that circumvent filters

Tim Wilson, Editor in Chief, Dark Reading, Contributor

November 28, 2006

4 Min Read

Security vendors and researchers are reporting a marked increase in image-based spam, including a couple of new exploits designed to bypass currently available anti-spam applications.

Image spam, in which an attacker camouflages a message in a picture or some other graphical form, has shown incredible growth in the past few months, researchers say. Symantec estimates that image spam currently makes up about 25 percent of all spam; Tumbleweed Communications puts that number as high as 36 percent. Vendors generally agree that image spam made up less than 15 percent of spam traffic during the first half of this year.

"In the past few weeks, Marshal's TRACE team has recorded a nearly 40 percent increase in the overall volume of spam sent," said security software vendor Marshal in a statement issued yesterday. "This increase is partly due to a rise in image spam, which jumped from 22 percent to 30 percent and has lasted over three weeks."

"Image spam has become a top concern and frustration for our customers in recent months," says John Menezes, president of Cyberklix, a managed security services provider based in Ontario, Canada.

Image spam began simply, as attackers embedded their messages in JPEG or other graphical images to avoid text-only spam filters. In recent months, however, vendors such as BorderWare Technologies, Marshal, and TumbleWeed have developed anti-spam tools that use optical character recognition (OCR) or other filtering techniques to find and block graphical images containing suspected spam.

In recent weeks, however, attackers have responded with a variety of exploits designed to circumvent these graphics filters. The simplest of these use unusual fonts or image formats, such as PNG, which often are not spotted by currently available image-scanning anti-spam tools.

But the exploits don't stop there. Symantec and Marshal this week have both reported attacks that break up the spam message into a number of graphical pieces that can circumvent anti-spam applications and then reassemble to present a spam message to the end user.

Symantec was one of the first to spot this trend earlier this year when it identified an exploit that cuts a text image into nearly-arbitrary slices -- meaningless message fragments -- and then reassembles them in an email program or browser. The company called this exploit "Mr. Puzzle."

"We've also seen a new strain of image spam that acts as a kind of 'ransom note,' says Penny Freeman, director of software sales engineering at Marshal. "Spammers use individual images of letters that they then assemble to form words and sentences. Random text is inserted to fool text-only anti-spam products. Each letter has a slightly different background color, which we suspect is a randomization technique designed to fool signature-based anti-spam products."

The result is a message that looks something like the old-style ransom notes, in which kidnappers created messages from cut-and-pasted letters out of many different magazines to avoid detection.

Image spam is a thorny problem, not only because of its complexity, but because of the size and volume of messages that it generates, experts say. Symantec gives the example of one image spam attack that generated 683 bytes just to represent the letter "p."

"Throw in the HTML that coerced the image parts into the right order, and you're talking about 700 times more bandwidth required [to send image spam] than to send the same spam as text," said a Symantec research report. This type of message could create real problems for organizations that are required to collect and store all email messages due to regulatory mandates, the company says.

The good news is that image spam is fairly easy to find, experts say. "The irony is that the spammers are making it easier for us to spot spam," says Marshal's Freeman. "Image spam is very distinctive. It has unusual properties that normal business email does not have, and this makes it easier for us to identify."

BorderWare, Marshal, Tumbleweed, and Symantec in recent weeks all have introduced tools that claim to locate and block image spam. However, it is likely that spammers will periodically find ways to circumvent these tools, just as they do with other anti-spam applications, experts say.

— Tim Wilson, Site Editor, Dark Reading

About the Author(s)

Tim Wilson, Editor in Chief, Dark Reading


Tim Wilson is Editor in Chief and co-founder of Dark, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one of the top cyber security journalists in the US in voting among his peers, conducted by the SANS Institute. In 2011 he was named one of the 50 Most Powerful Voices in Security by SYS-CON Media.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights