Spammers Find New Way To Clog Up Your Inbox
For solution providers, however, today's onslaught of spam spells opportunity. As more commercial e-mails manage to sneak through spam filters and into employees' inboxes, many companies are realizing they need to upgrade their antispam defenses. Their concerns are driven by spam volumes that have risen to 75 billion per day in November from 63 billion messages per day worldwide in October, with spikes as high as 85 billion per day toward the end of the month, according to security vendor IronPort, San Bruno, Calif.
One reason more Viagra sales pitches, stock tips and mortgage offers are showing up in inboxes is that spammers have been converting their advertisements from text into image format to slip them past spam filters. So far, this is working well for the spammers: So-called image spam has doubled over the past year and now accounts for about one-third of daily worldwide spam message volume, according to research from Trend Micro.
"I think people grossly underestimated just how big the image spam problem was going to get," said Tom MacArthur, principal at Storbase, a Waltham, Mass.-based VAR.
To meet the challenge of neutralizing image spam and other tactics used by spammers, companies will need to upgrade to next-generation e-mail security platforms that are capable of adapting to changing threat vectors, said Greg Hanchin, a principal at DirSec, a security integrator in Denver. "It's more important than ever for solution providers to be aligned with the right vendors," he said.
Image spam is becoming a major problem for spam filtering programs, which now need more time and processing power to determine whether an e-mail is spam, said Bill Stearns, an incident handler at the SANS Internet Storm Center. "Image spam is the forefront of spammer technology right now. If you put text into an image, it's much harder for filters to figure out if it's spam," he said.
Of the 190,000 images Stearns has been working with in his spam research efforts, 42 percent are related to so called pump-and-dump stock scams, 27 percent are pill advertisements, 11 percent are hawking deals on Rolex watches, and 7 percent are mortgage offers.
Meanwhile, so-called botnets, or legions of compromised, remotely controlled PCs, have become spammers' favorite tool for sending out large quantities of commercial e-mail. The ever-growing stealth and sophistication of botnet technology makes them effective as image spam conduits because they're difficult to detect, Stearns said. The use of botnets for spam also highlights spammers' shift away from channeling commercial e-mail through SMTP servers, a fact that was underscored by the December shuttering of the Open Relay Database, a nonprofit effort to collect and blacklist IP addresses of verified open SMTP relays.
Solution providers believe vendors that don't tailor their product portfolios to counteract spammers' ingenuity risk getting left behind. "Image spam is going to drive a huge amount of business for us. It definitely will cause demand for new products because legacy antispam systems are just not going to work at stopping it," said Stephen Nacci, regional account manager at TLIC Worldwide, Wakefield, R.I.
Image spam relies on spammers' ability to add random elements to messages to keep them from being flagged by antispam signatures. Spammers often will change image dimensions, alter background colors and throw in different borders and fonts, all in an effort to get their messages past spam filters. Another common tactic involves "slicing and dicing" the image into pieces that, when assembled within the body of an e-mail, form a completed "puzzle," Nacci said."What makes image spam so insidious is that images can be stacked three deep in a .gif file, which makes them even harder to detect," he noted.
Vendors initially addressed image spam though optical character recognition (OCR) technology, which extracts the source code of the image and scans it for text strings commonly associated with spam. However, the scanning process is too time-consuming, particularly for enterprises and service providers, and is also weak at dealing with randomization techniques. Plus, the process of extracting and filtering all of the source code consumes network resources and can bring the performance of e-mail systems to a crawl, many solution providers say.
As a result of these inefficiencies, some vendors are developing new ways of tackling the image spam problem. Trend Micro is putting the finishing touches on a proprietary technology it calls Adversarial OCR that weeds out image spam by searching only for specific words that are indicators of spam, as opposed to scouring the entire image source code. This is a faster, more efficient approach than OCR-based antispam solutions, said Christine Drake, product marketing manager of messaging products at the Tokyo-based security vendor. Trend Micro filed for a patent on the technology in November and plans to roll it into its antispam offerings sometime in the first quarter, she added.
Adversarial OCR could catapult the vendor into the burgeoning market for data leak prevention solutions. Companies face a risk of disgruntled or corrupt employees stealing confidential information, putting it into an image and e-mailing it out of the corporate network. But Adversarial OCR could scan for and identify confidential information and then flag any images in outbound e-mails containing that data, Drake noted.
IronPort is another vendor on the leading edge of the battle against image spam. Its technology uses a system of hundreds of thousands of rules to calculate whether a message is image spam, said David Mayer, product manager at the company. Cisco Systems last week announced plans to acquire IronPort for $830 million in cash.
IronPort also uses 17 different parameters to decompress images within messages to determine whether they're spam. In addition to examining the width and height of an image, IronPort examines the color gradations within the image to figure out how much text it contains and also looks at a color palette of an image to match it against palettes commonly used by spammers. "We look at the image as a human would, not as a computer would," Mayer said.
To ensure that the technology adapts to the ever-changing tactics of spammers, IronPort updates its rule definitions and weighting scores every five minutes, Mayer added. "Instead of waiting for an OS update, we can adjust our scanning engine code and get an update out in a matter of days," he said.
But despite vendors' efforts to stop image spam, most understand that they're fighting a never-ending battle. As spammers and botnets grow more sophisticated and outwit the security infrastructure that aims to stop them, it's unlikely that the volume of image spam will wane anytime soon, said Scott Chasin, CTO of MX Logic, an e-mail and Web managed security services vendor in Englewood, Colo.
"Unfortunately, spammers are ahead of the game because antispam technology is reactive, and it's always going to be reactive," Chasin said.