RealTime IT News

Spammers Find New Ways Around Filters

The seemingly endless creativity and intense effort of spammers are as admirable as they are a waste of talent. As soon as spam filter vendors get the hang of blocking image-based spam, the spammers find a new method that completely invalidates the blocking.

Image-based spam exploded last year as a means of getting around the word filters used on client and server e-mail filtering software. Very quickly, image-based spam rose to account for 30 percent of all spam.

Rather than finding weird ways to write "Viagra" or "mortgage" or stock symbols for pump and dump schemes, spammers wrote the text in a JPG, where the filters couldn't catch it.

So spam filter vendors went to work analyzing embedded images in e-mail files. Just as the products are making it to market, Secure Computing's labs have found that spammers are using image hosting sites and some HTML code to make the image appear in the e-mail.

Secure Computing's Chief Research Scientist, Dmitri Alperovich, said that because the image is hosted rather than embedded, image filters don't examine the file. And since HTML tags are used, the image appears within the e-mail just like an embedded image.

"As a result, they get a couple of benefits from this new technique," he told internetnews.com. "One is they no longer have to generate the image itself in their spam sending software, so they can increase the volume of spam they can send.

"Also, because of filtering technologies, spammers have had to introduce many randomizations and obfuscations into image spam, which reduces the readability. Now they don't need to do that, and they are even including logos of popular brokerage houses inside their image, directing people to these houses to place orders for the stock being promoted," he added.

There is good news in all of this. While it has been possible to embed actual malicious code into a JPG image, sites like ImageShack parse the image and will find hidden code and reject it. So at least this can't be used as a means to sneak malware onto a computer.

As of now, Secure Computing has only seen one hosting site being used in this manner, called ImageShack. Unlike Yahoo's Flickr, you don't even need an account to upload pictures to ImageShack and then share links to it. But, Alperovich added, it would be a mistake to globally block all e-mails with links to ImageShack.

"These sites are used for legitimate images. People send out links to colleagues. So if you blindly block ImageShack, you may cause a lot of false positives that many individuals may not tolerate," he said.

For the end user, the solution is to set their e-mail client so it does not automatically display images embedded in an e-mail. Microsoft has this setting turned on by default in Outlook and Outlook Express.
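On the filter side, the hosted-image technique and the false-positive concern described above suggest scoring message structure rather than blocking a host outright. The following is an added example, not code from the article or from Secure Computing; the function names, the 40-character threshold, and the `.example` hostnames are assumptions, and both sample messages are constructed.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

class ImgCollector(HTMLParser):
    """Collect <img src> values and the text nodes of an HTML body."""
    def __init__(self):
        super().__init__()
        self.srcs, self.text = [], []
    def handle_starttag(self, tag, attrs):
        if tag == "img":
            src = dict(attrs).get("src")
            if src:
                self.srcs.append(src.strip())
    def handle_data(self, data):
        self.text.append(data)

def image_profile(raw_message):
    """Count embedded image parts, remote image hosts, and HTML text length."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    profile = {"embedded": 0, "remote_hosts": [], "text_chars": 0}
    for part in msg.walk():
        if part.get_content_maintype() == "image":
            profile["embedded"] += 1          # what an image filter would inspect
        elif part.get_content_type() == "text/html":
            p = ImgCollector()
            p.feed(part.get_content())
            p.close()
            profile["text_chars"] += len("".join("".join(p.text).split()))
            for src in p.srcs:                # cid: references are not remote
                u = urlparse(src)
                if u.scheme in ("http", "https") and u.hostname:
                    profile["remote_hosts"].append(u.hostname.lower())
    return profile

def remote_image_only(profile, max_text=40):
    # A scoring signal, not a verdict: legitimate mail also links hosted images.
    return (bool(profile["remote_hosts"]) and profile["embedded"] == 0
            and profile["text_chars"] <= max_text)

# Constructed sample messages (not real traffic).
HEADERS = ("From: a@sender.example\nSubject: test\nMIME-Version: 1.0\n"
           "Content-Type: text/html; charset=utf-8\n\n")
SAMPLE_SPAM = HEADERS + '<html><body><img src="http://img.example/a1b2.jpg"></body></html>\n'
SAMPLE_LEGIT = HEADERS + ('<html><body><p>Hi team, here are the photos from the offsite, '
                          'tell me which to print.</p>'
                          '<img src="http://img.example/offsite.jpg"></body></html>\n')
```

Both samples reference the same image host, yet only the message whose HTML body is nothing but a remote image is flagged, so the host alone never decides the outcome.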

Spammers remain determined to get around whatever roadblocks are thrown in front of them because it's still profitable for them to do so, said Alperovich. "They don't need a lot of people to reply to be successful. They can make tens of thousands on pump and dump schemes with just a few hundred people. Getting a few people to fall for it is not very hard," he said.