What Is Image Spam?

An increasing volume of spam is what is referred to as "image spam." This works by enclosing a GIF or other image file within a message. This is held as a separate "inline" body part using a mechanism known as "multipart/related." This enables the image to be referenced from within an HTML message. Most email clients will then render this image as a part of the message. The outer wrapper of the message is carefully constructed so that it does not have any spam characteristics. The "spam" call-to-action, often stock kiting, is held within the GIF image. On spam generation, the GIF image is modified, so that every message is subtly different. GIF is a good choice of format for the spammer as it is small and easy to generate programmatically.

This combination makes image spam difficult to filter out. Each GIF image is different, so simple file or hash matching doesn't work, and the outer message is carefully constructed to avoid giving clues. The logical way to deal with this is to "look" at the image -- e.g., OCR -- to try to see if it has spam characteristics. However, this is resource-intensive.

... Steve Kille
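The structure described above, as an added example that is not part of the original post: a filter can parse the multipart/related wrapper, tie each inline image to the HTML that references it by Content-ID, and see why a hash blocklist misses a variant that differs by one byte. The sample message, the addresses, the two GIF byte strings and the function names are constructed for illustration.

```python
import hashlib
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Constructed stand-ins for two generated images: GIF header, screen
# descriptor and trailer only, differing in a single byte.
GIF_A = b"GIF89a\x01\x00\x01\x00\x00\x00\x00;"
GIF_B = b"GIF89a\x01\x00\x01\x00\x00\x01\x00;"

def build_sample(image_bytes, cid="<img1@example.invalid>"):
    """Build a constructed multipart/related message with one inline GIF."""
    msg = EmailMessage()
    msg["Subject"] = "Quarterly update"  # innocuous outer wrapper
    html = '<html><body><img src="cid:%s"></body></html>' % cid.strip("<>")
    msg.set_content(html, subtype="html")
    msg.add_related(image_bytes, maintype="image", subtype="gif", cid=cid)
    return msg.as_bytes()

def inline_image_features(raw):
    """Extract the features a filter can see without rendering the image."""
    msg = message_from_bytes(raw, policy=policy.default)
    cids, images, text_chars = set(), [], 0
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "text/html":
            html = part.get_content()
            cids.update(re.findall(r'src=["\']cid:([^"\']+)', html, re.I))
            # Visible text left once tags are stripped; 0 means image-only.
            text_chars += len(re.sub(r"<[^>]+>", "", html).strip())
        elif part.get_content_maintype() == "image":
            data = part.get_payload(decode=True)
            images.append({
                "cid": (part["Content-ID"] or "").strip("<>"),
                "type": ctype,
                "size": len(data),
                "sha256": hashlib.sha256(data).hexdigest(),
            })
    for img in images:
        img["referenced"] = img["cid"] in cids  # rendered inline by the HTML
    return {"related": msg.get_content_type() == "multipart/related",
            "images": images, "html_text_chars": text_chars}

if __name__ == "__main__":
    for gif in (GIF_A, GIF_B):
        print(inline_image_features(build_sample(gif)))
```

The structural features (multipart/related, a referenced inline GIF, no visible HTML text) are identical for both messages, while the SHA-256 values differ, which is why exact-hash matching fails where structural signals still hold.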

One Comment

  1. Posted November 30, 2006 at 10:22 AM

    According to IBM Internet Security Systems spam honeypot data, image-based spam is now approximately 30% of all spam, and all spam has increased dramatically as well in the past few months. So end users are shocked by the total volume of spam in their inboxes. Many customers are now asking if xyz antispam product performs OCR on embedded images on the fly. Interestingly, a product does not have to perform OCR on the fly in order to be effective against image-based spam. And even if they did perform OCR on the fly, it is very likely that spammers would tweak the images to be hard for OCR to read. The key is to have a variety of techniques for detecting spam and a research group that can actively tweak those techniques on a daily basis to keep the spam detection rate high and the false positive rate low. Using this pro-active research and rapid product update technique, IBM ISS has maintained approximately 98% spam filtering rate throughout the spam and image-spam upsurge in all the products that filter mail. Since all vendors claim 95% effectiveness or better, the key to knowing if their techniques work is to collect your latest spam for the last week or so and have the vendor demonstrate their effectiveness against that spam.
