The return of image spam
Another theme I want to talk about here on Security Levity is spammer tactics. I'm sure you remember the huge growth in image spam in 2006. At the time, it was typically used in stock kiting (or pump-and-dump scams).
As we noted in our recent threat trends report, we're seeing it again. Yes, like Arnie's Terminator or the typical horror movie monster, it's back.
As you may know, the idea of image spam is to hide the text content of the spam in an image, which is surprisingly hard for content-based spam filters to convert back into text. The spammers continued to adapt their techniques; for example, by randomly changing the image contents to foil attempts to detect recurring patterns.
However, the spam filtering industry quickly got wise to these tactics, and so image spam largely died out.
Three years later, we're seeing a new trick, leading to a revival of image spam. Some of these messages include an image embedded in a way that email clients can see, but many spam filters can't. Basically, the spammers are taking advantage of oddities in the way Microsoft Outlook parses email.
They've found a way to construct a message so that Outlook displays an image that many spam filters can't see. Strictly speaking, it's a badly formed email message, but Outlook manages to display it.
How do they do that?
Like most Internet standards, MIME -- the part of the email standards that allows you to send more than just plain text -- is usually implemented in a permissive way. The late Jon Postel's robustness principle applies: "Be conservative in what you do, be liberal in what you accept from others." Outlook's MIME parser is more liberal than those of many spam filters, so the user sees the image where the spam filter misses it entirely.
And, of course, if your spam filter doesn't realize the image is there, it can't tell if it's spammy or not, which means more spam in your inbox.
The best spam filters are clever enough to cope with malformed messages. In fact, they often use the knowledge that a message is malformed to help them decide whether a message is spam.
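A sketch of that idea, added here as an example and not Commtouch's code: Python's standard `email` parser accepts a malformed message but records each structural defect, which a filter can turn into a signal. The sample message, the `build_sample` and `scan_message` names and the scoring weights are assumptions for illustration; the post does not describe the specific malformation the spammers use, so the sample only omits the closing MIME boundary.

```python
import base64
import email
from email import policy

# Constructed stand-in for image bytes (GIF header plus padding), not a real image.
_IMG = base64.b64encode(b"GIF89a" + bytes(10))

def build_sample(close_boundary: bool) -> bytes:
    """Constructed test message; leaving out the closing boundary makes it malformed."""
    lines = [
        b"From: sender@example.com",
        b"Subject: constructed sample",
        b"MIME-Version: 1.0",
        b'Content-Type: multipart/mixed; boundary="b1"',
        b"",
        b"--b1",
        b"Content-Type: text/plain",
        b"",
        b"hello",
        b"--b1",
        b"Content-Type: image/gif",
        b"Content-Transfer-Encoding: base64",
        b"",
        _IMG,
    ]
    if close_boundary:
        lines.append(b"--b1--")
    return b"\r\n".join(lines) + b"\r\n"

def scan_message(raw: bytes) -> dict:
    """Parse leniently, then report structural defects and image parts."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    defects, images = [], 0
    for part in msg.walk():
        if not part.is_multipart():
            part.get_payload(decode=True)  # decoding can record base64 defects
            if part.get_content_maintype() == "image":
                images += 1
        defects += [type(d).__name__ for d in part.defects]
    # Assumed weighting: a defect counts double when the message carries an image.
    score = len(defects) * (2 if images else 1)
    return {"defects": defects, "images": images, "score": score}

if __name__ == "__main__":
    for ok in (True, False):
        print("closed" if ok else "unclosed", scan_message(build_sample(ok)))
```

The parser still finds the image part in the unclosed message, so the filter can both inspect the image and count the missing boundary against the sender.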
This has been the first in a series of posts about the changing tactics of spammers. Let me know if there are other spammer tactics that you're interested in.
I want to make this an interactive place: where I can answer questions and cover topics that you suggest. Feel free to add comments and ask Amir!
When he's not reading RFCs, Amir Lev is the CTO, President, and co-founder of Commtouch (NASDAQ:CTCH), an e-mail and Web defense technology provider.

