Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


Spam Victims Get the Picture

Vendors warn of growing threat of spam embedded with image files that circumvent filters

Security vendors and researchers are reporting a marked increase in image-based spam, including a couple of new exploits designed to bypass currently available anti-spam applications.

Image spam, in which an attacker camouflages a message in a picture or some other graphical form, has shown incredible growth in the past few months, researchers say. Symantec estimates that image spam currently makes up about 25 percent of all spam; Tumbleweed Communications puts that number as high as 36 percent. Vendors generally agree that image spam made up less than 15 percent of spam traffic during the first half of this year.

"In the past few weeks, Marshal's TRACE team has recorded a nearly 40 percent increase in the overall volume of spam sent," said security software vendor Marshal in a statement issued yesterday. "This increase is partly due to a rise in image spam, which jumped from 22 percent to 30 percent and has lasted over three weeks."

"Image spam has become a top concern and frustration for our customers in recent months," says John Menezes, president of Cyberklix, a managed security services provider based in Ontario, Canada.

Image spam began simply, as attackers embedded their messages in JPEG or other graphical images to avoid text-only spam filters. In recent months, however, vendors such as BorderWare Technologies, Marshal, and TumbleWeed have developed anti-spam tools that use optical character recognition (OCR) or other filtering techniques to find and block graphical images containing suspected spam.

In recent weeks, however, attackers have responded with a variety of exploits designed to circumvent these graphics filters. The simplest of these use unusual fonts or image formats, such as PNG, which often are not spotted by currently available image-scanning anti-spam tools.

But the exploits don't stop there. Symantec and Marshal this week have both reported attacks that break up the spam message into a number of graphical pieces that can circumvent anti-spam applications and then reassemble to present a spam message to the end user.

Symantec was one of the first to spot this trend earlier this year when it identified an exploit that cuts a text image into nearly-arbitrary slices -- meaningless message fragments -- and then reassembles them in an email program or browser. The company called this exploit "Mr. Puzzle."

"We've also seen a new strain of image spam that acts as a kind of 'ransom note,' says Penny Freeman, director of software sales engineering at Marshal. "Spammers use individual images of letters that they then assemble to form words and sentences. Random text is inserted to fool text-only anti-spam products. Each letter has a slightly different background color, which we suspect is a randomization technique designed to fool signature-based anti-spam products."

The result is a message that looks something like the old-style ransom notes, in which kidnappers created messages from cut-and-pasted letters out of many different magazines to avoid detection.

Image spam is a thorny problem, not only because of its complexity, but because of the size and volume of messages that it generates, experts say. Symantec gives the example of one image spam attack that generated 683 bytes just to represent the letter "p."

"Throw in the HTML that coerced the image parts into the right order, and you're talking about 700 times more bandwidth required [to send image spam] than to send the same spam as text," said a Symantec research report. This type of message could create real problems for organizations that are required to collect and store all email messages due to regulatory mandates, the company says.

The good news is that image spam is fairly easy to find, experts say. "The irony is that the spammers are making it easier for us to spot spam," says Marshal's Freeman. "Image spam is very distinctive. It has unusual properties that normal business email does not have, and this makes it easier for us to identify."

BorderWare, Marshal, Tumbleweed, and Symantec in recent weeks all have introduced tools that claim to locate and block image spam. However, it is likely that spammers will periodically find ways to circumvent these tools, just as they do with other anti-spam applications, experts say.

— Tim Wilson, Site Editor, Dark Reading

  • BorderWare Technologies Inc.
  • Marshal Inc.
  • Symantec Corp. (Nasdaq: SYMC)
  • Tumbleweed Communications Corp. (Nasdaq: TMWD)

    Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio

    Comment  | 
    Print  | 
    More Insights
  • Comments
    Newest First  |  Oldest First  |  Threaded View
    DevSecOps: The Answer to the Cloud Security Skills Gap
    Lamont Orange, Chief Information Security Officer at Netskope,  11/15/2019
    Attackers' Costs Increasing as Businesses Focus on Security
    Robert Lemos, Contributing Writer,  11/15/2019
    Register for Dark Reading Newsletters
    White Papers
    Cartoon Contest
    Current Issue
    Navigating the Deluge of Security Data
    In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
    Flash Poll
    Rethinking Enterprise Data Defense
    Rethinking Enterprise Data Defense
    Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
    Twitter Feed
    Dark Reading - Bug Report
    Bug Report
    Enterprise Vulnerabilities
    From DHS/US-CERT's National Vulnerability Database
    PUBLISHED: 2019-11-21
    ext4_empty_dir in fs/ext4/namei.c in the Linux kernel through 5.3.12 allows a NULL pointer dereference because ext4_read_dirblock(inode,0,DIRENT_HTREE) can be zero.
    PUBLISHED: 2019-11-21
    btrfs_root_node in fs/btrfs/ctree.c in the Linux kernel through 5.3.12 allows a NULL pointer dereference because rcu_dereference(root->node) can be zero.
    PUBLISHED: 2019-11-21
    __btrfs_free_extent in fs/btrfs/extent-tree.c in the Linux kernel through 5.3.12 calls btrfs_print_leaf in a certain ENOENT case, which allows local users to obtain potentially sensitive information about register values via the dmesg program.
    PUBLISHED: 2019-11-20
    A CWE-200: Information Exposure vulnerability exists in Modicon Controllers (M340 CPUs, M340 communication modules, Premium CPUs, Premium communication modules, Quantum CPUs, Quantum communication modules - see security notification for specific versions), which could cause the disclosure of FTP har...
    PUBLISHED: 2019-11-20
    A CWE-79: Failure to Preserve Web Page Structure vulnerability exists in Andover Continuum (models 9680, 5740 and 5720, bCX4040, bCX9640, 9900, 9940, 9924 and 9702) , which could enable a successful Cross-site Scripting (XSS attack) when using the products web server.