Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


Spam Victims Get the Picture

Vendors warn of growing threat of spam embedded with image files that circumvent filters

Security vendors and researchers are reporting a marked increase in image-based spam, including a couple of new exploits designed to bypass currently available anti-spam applications.

Image spam, in which an attacker camouflages a message in a picture or some other graphical form, has shown incredible growth in the past few months, researchers say. Symantec estimates that image spam currently makes up about 25 percent of all spam; Tumbleweed Communications puts that number as high as 36 percent. Vendors generally agree that image spam made up less than 15 percent of spam traffic during the first half of this year.

"In the past few weeks, Marshal's TRACE team has recorded a nearly 40 percent increase in the overall volume of spam sent," said security software vendor Marshal in a statement issued yesterday. "This increase is partly due to a rise in image spam, which jumped from 22 percent to 30 percent and has lasted over three weeks."

"Image spam has become a top concern and frustration for our customers in recent months," says John Menezes, president of Cyberklix, a managed security services provider based in Ontario, Canada.

Image spam began simply, as attackers embedded their messages in JPEG or other graphical images to avoid text-only spam filters. In recent months, however, vendors such as BorderWare Technologies, Marshal, and TumbleWeed have developed anti-spam tools that use optical character recognition (OCR) or other filtering techniques to find and block graphical images containing suspected spam.

In recent weeks, however, attackers have responded with a variety of exploits designed to circumvent these graphics filters. The simplest of these use unusual fonts or image formats, such as PNG, which often are not spotted by currently available image-scanning anti-spam tools.

But the exploits don't stop there. Symantec and Marshal this week have both reported attacks that break up the spam message into a number of graphical pieces that can circumvent anti-spam applications and then reassemble to present a spam message to the end user.

Symantec was one of the first to spot this trend earlier this year when it identified an exploit that cuts a text image into nearly-arbitrary slices -- meaningless message fragments -- and then reassembles them in an email program or browser. The company called this exploit "Mr. Puzzle."

"We've also seen a new strain of image spam that acts as a kind of 'ransom note,' says Penny Freeman, director of software sales engineering at Marshal. "Spammers use individual images of letters that they then assemble to form words and sentences. Random text is inserted to fool text-only anti-spam products. Each letter has a slightly different background color, which we suspect is a randomization technique designed to fool signature-based anti-spam products."

The result is a message that looks something like the old-style ransom notes, in which kidnappers created messages from cut-and-pasted letters out of many different magazines to avoid detection.

Image spam is a thorny problem, not only because of its complexity, but because of the size and volume of messages that it generates, experts say. Symantec gives the example of one image spam attack that generated 683 bytes just to represent the letter "p."

"Throw in the HTML that coerced the image parts into the right order, and you're talking about 700 times more bandwidth required [to send image spam] than to send the same spam as text," said a Symantec research report. This type of message could create real problems for organizations that are required to collect and store all email messages due to regulatory mandates, the company says.

The good news is that image spam is fairly easy to find, experts say. "The irony is that the spammers are making it easier for us to spot spam," says Marshal's Freeman. "Image spam is very distinctive. It has unusual properties that normal business email does not have, and this makes it easier for us to identify."

BorderWare, Marshal, Tumbleweed, and Symantec in recent weeks all have introduced tools that claim to locate and block image spam. However, it is likely that spammers will periodically find ways to circumvent these tools, just as they do with other anti-spam applications, experts say.

— Tim Wilson, Site Editor, Dark Reading

  • BorderWare Technologies Inc.
  • Marshal Inc.
  • Symantec Corp. (Nasdaq: SYMC)
  • Tumbleweed Communications Corp. (Nasdaq: TMWD)

    Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio

    Comment  | 
    Print  | 
    More Insights
  • Comments
    Oldest First  |  Newest First  |  Threaded View
    Why Cyber-Risk Is a C-Suite Issue
    Marc Wilczek, Digital Strategist & CIO Advisor,  11/12/2019
    The Cold Truth about Cyber Insurance
    Chris Kennedy, CISO & VP Customer Success, AttackIQ,  11/7/2019
    Black Hat Q&A: Hacking a '90s Sports Car
    Black Hat Staff, ,  11/7/2019
    Register for Dark Reading Newsletters
    White Papers
    Cartoon Contest
    Current Issue
    7 Threats & Disruptive Forces Changing the Face of Cybersecurity
    This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
    Flash Poll
    Rethinking Enterprise Data Defense
    Rethinking Enterprise Data Defense
    Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
    Twitter Feed
    Dark Reading - Bug Report
    Bug Report
    Enterprise Vulnerabilities
    From DHS/US-CERT's National Vulnerability Database
    PUBLISHED: 2019-11-13
    P20 Pro, P20, Mate RS smartphones with versions earlier than Charlotte-AL00A, versions earlier than Emily-AL00A, versions earlier than NEO-AL00D NEO-AL00 have an improper validation vulnerability. The system does not perform...
    PUBLISHED: 2019-11-13
    P30 smartphones with versions earlier than ELLE-AL00B have an improper authorization vulnerability. The software incorrectly performs an authorization check when a user attempts to perform certain action. Successful exploit could allow the attacker to update a crafted package.
    PUBLISHED: 2019-11-13
    Huawei smartphones with versions earlier than Taurus-AL00B have an improper authentication vulnerability. Successful exploitation may cause the attacker to access specific components.
    PUBLISHED: 2019-11-13
    Smartphones with software of ELLE-AL00B,,,,,, have an insufficient verification vulnerability. The system does not verify certain par...
    PUBLISHED: 2019-11-12
    mysql-gui-tools (mysql-query-browser and mysql-admin) before 5.0r14+openSUSE-2.3 exposes the password of a user connected to the MySQL server in clear text form via the list of running processes.