In November last year, Sotheby’s brokered what is believed to be the
most expensive painting sold to date. To some, Jackson Pollock’s
classic drip picture ‘No.5, 1948’ is one of the greatest works of art
to come out of the abstract expressionist movement, but to others less
appreciative, it looks more like the backdrop of the latest image spam.
A few years ago, image spam was simply straight text on a white
background, sent as an email attachment. Back then, this was enough
to overcome the majority of anti-spam filters, because they just
searched for specific text in the body of the email. To combat this
new development, a leaf was taken from the book of anti-virus
techniques and a signature-based defence against spam was developed.
Until recently at least, this method has been relatively
effective. However, in the past twelve months image spam has
changed considerably as spammers update their technology in a bid
to keep ahead of advancements in anti-spam scanning. In response,
many anti-spam vendors introduced optical character recognition
(OCR) technology into their solutions to detect the text within. So
once again spammers have been forced to step up their game.
Increasingly, spammers are now trying to confuse scanners
by introducing more complex images and colours, often using
backgrounds with a variety of different hues in the hope that they
will fool scanning techniques. Text has also been disguised by
changing its colour throughout the image and is often distorted.
Spam messages are frequently made up of several files that come
together in the end user’s inbox as one image, but may be seen by
some scanners as just innocent portions of text.
These changes make the text difficult for less sophisticated anti-spam
OCR scanners to detect, but the resulting image looks so appalling
that it makes the majority of previous spam messages look almost
professional. Since the main objective of spam is to sell goods, it
won’t be long before spammers start using more sophisticated
images, along with their current techniques.
Image spam is most frequently used with ‘pump and dump’ scams.
These emails try to tempt the user to buy particular shares in the
knowledge of a ‘hot tip’, but no sooner have enough people bought
the shares than the spammer sells theirs for a profit and the
share price collapses.
Although it appears that this technique is currently used mainly
for American stocks, it is occasionally seen in European
stock markets too. The number of pump and dump email scams has
grown considerably in recent months and they are continually
adapting in a bid to beat the spam filters by using techniques such
as Bayesian poisoning, whereby words not normally associated with
spam messages are added. Since many anti-spam scanners use Bayesian
probabilities in determining the likelihood of a message being
legitimate or spam, this helps to increase the probability that the
message will pass through the scanner undetected.
There are also variations in the way pump and dump emails are
presented. Last year a new twist was added, aimed purely at
encouraging the recipient to buy: scammers emulated the 50s film
industry and included subliminal messaging in their emails. To
encourage users to take action, they included an additional image
with the word ‘buy’ repeated several times, which appears for a split
second every so often in the email. The
effectiveness of subliminal messages has been widely argued for
years, but one thing is clear: if you’re planning on investing in a
company, make your own enquiries or consult a professional; don’t
believe an email from a service you didn’t subscribe to.
Although OCR scanning is a very effective way of
eliminating image spam, because of the CPU power required and the
time it takes to scan the files, it is not a viable method to deal
with large volumes. Scanning all of the image spam received would
ultimately result in delayed legitimate email. However, it is
possible to detect which servers are distributing spam and to
automatically block traffic from them. In this way, large
quantities of spam can be removed, reducing the load on the
scanning system and minimising the effects of other new techniques
introduced by spammers, not just image spam.
These ‘reputation filters’ perform an assessment of the sender
each time an email is accepted by the server. They look up the IP
address in a number of databases that collect data about the
senders of spam and viruses. Once an IP address has been identified
as responsible for sending spam, messages from it are then blocked
before they are even sent to the spam filter and before
conventional blacklists have time to update.
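The sender check described above, as an added sketch (not code from the article or from any vendor's product). It assumes the databases are queried DNSBL-style, by reversing the IPv4 octets and appending the list's zone; the `rep.example` zones, the in-memory answer set and the sample messages are constructed placeholders.

```python
import ipaddress

def dnsbl_query_name(ip, zone):
    """IPv4 DNSBL convention: reversed octets followed by the list's zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")  # raises ValueError if malformed
    return ".".join(reversed(octets)) + "." + zone

# Placeholder zones and a constructed stand-in for the DNS answers
# (documentation-range addresses only).
ZONES = ["spam.rep.example", "virus.rep.example"]
LISTED = {
    "7.113.0.203.spam.rep.example",
    "7.113.0.203.virus.rep.example",
    "44.2.0.192.spam.rep.example",
}

def listings(ip, is_listed=LISTED.__contains__):
    """Zones that report this sender; is_listed stands in for a DNS lookup."""
    return [z for z in ZONES if is_listed(dnsbl_query_name(ip, z))]

def triage(messages, min_listings=1):
    """Reject listed senders at accept time; pass the rest to content scanning."""
    blocked, to_scan = [], []
    for msg in messages:
        hit = len(listings(msg["ip"])) >= min_listings
        (blocked if hit else to_scan).append(msg)
    return blocked, to_scan

def ocr_bytes_avoided(messages):
    """Fraction of image bytes that never reach the OCR scanner."""
    blocked, _ = triage(messages)
    total = sum(m["image_bytes"] for m in messages)
    return sum(m["image_bytes"] for m in blocked) / total if total else 0.0

SAMPLE = [  # constructed messages: connecting IP and size of attached images
    {"id": 1, "ip": "203.0.113.7", "image_bytes": 12000},
    {"id": 2, "ip": "198.51.100.20", "image_bytes": 0},
    {"id": 3, "ip": "192.0.2.44", "image_bytes": 11000},
    {"id": 4, "ip": "198.51.100.99", "image_bytes": 9000},
]

if __name__ == "__main__":
    blocked, to_scan = triage(SAMPLE)
    print("blocked:", [m["id"] for m in blocked])
    print("to OCR/content scan:", [m["id"] for m in to_scan])
    print("image bytes kept away from OCR:", ocr_bytes_avoided(SAMPLE))
```

Raising `min_listings` to 2 requires agreement between databases before a sender is rejected outright, which trades some scanning load for fewer false blocks.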
The increase in image spam has also brought other problems for
organisations. Since September last year the average size of a spam
message has increased by 77% and continues to steadily grow. This
enlargement of file size can be directly attributed to the
noticeable rise in image spam in recent months and will add to the
cost of managing email for some organisations that have to scale up
bandwidth and storage requirements to meet demands.
Since September last year individual spam emails have increased
from an average of 6.62 KB to 11.76 KB. Although still relatively
small in size, the sheer volume of spam that many businesses
receive means that even a slight rise can have a significant
effect. Organisations that stop spam at their email servers
still have to pay for the bandwidth to receive it and, depending on
how their email back-up is configured, storage costs may rise too if
spam is included in the archive.
This moves away from the traditional thinking that spam is just
an issue of user productivity. The growth in file size combined
with the increasing volume of spam now means that many different
aspects of the business infrastructure, from network administration
to internet bandwidth, are affected. Email file size will become a
real headache for businesses, particularly if spammers start to use
other types of medium such as audio or video files once the tactic
of image spam no longer works against the majority of filters.
Although it is unlikely that an individual spam message will
ever induce anyone to spend the $140 million that ‘No.5, 1948’
fetched, spamming as an industry is big business. It is a cheap way
of marketing products, regardless of whether it’s pirated software,
counterfeit medicines or pornography, and you only need a few people
to respond to make a profit.
So maybe there is a comparison between a Jackson Pollock and the
latest generation of image spam, and not just to the undiscerning
eye. Image spam too can be worth a small fortune – to somebody at
least.