Spammers are clever. You can say lots of other things about them (most of which aren't printable in this UPDATE), but you have to give them their due: In the ongoing fight between spammers and antispam providers, the spammers are continuing to show a high degree of adaptability and resourcefulness. The latest example: image spam.
Early attempts at image spam a few years ago were fairly clumsy; they consisted of conventional-looking multipart MIME messages with the spammer's pitch tucked into an image attachment. These turned out to be pretty simple to block because most spammers used the same image filename across spam runs. Over time, spammers figured out how to improve the basic mechanism by doing things such as adding blocks of text that attempted to confuse Bayesian filters.
In late 2006, though, there was a sharp increase in the amount of image spam; some estimates put the increase at 50 percent or more. What made this spam onslaught so insidious—beyond the huge increase—was that it used a variety of new techniques. For example, as antispam vendors such as Barracuda Networks started deploying optical character recognition (OCR) to convert the images to text for filtering, spammers started using blurred fonts and color combinations that can confuse the OCR software.
Some vendors were faster to respond than others, of course. Users of hosted services such as Microsoft Exchange Hosted Filtering or Postini Integrated Message Management fared well against the recent image spam because hosted services can recognize and tag the message as spam quickly when the same message is sent rapidly to lots of people. That's exactly what the spammers were doing, so hosted services had an edge over other types of spam protection. One of the big advantages of Exchange Server 2007 is that Microsoft is finally releasing regular updates to its built-in spam filter, which will help in the future.
If you're not using one of these services already, what can you do to improve your spam protection? One option is to change spam filters. Several filters, including Vamsoft's ORF (with its companion tool, Image Spam Agent), Barracuda Networks' Barracuda Spam Firewall, and Sunbelt Software's Sunbelt Messaging Ninja, have features targeted exclusively at image spam. You might also be able to set up filtering rules in your existing antispam solution. For example, the Hawk Wings blog at http://www.hawkwings.net/2006/08/01/mailapp-rule-fix-for-image-spam explains how to catch image spam based on its frequent use of a particular MIME type, and you can apply the same technique if your filtering solution supports filtering by MIME type.
In the past, I would have recommended examining the sender IP addresses of spam messages and using them to block traffic from the originating countries; previous outbreaks seem to have come primarily from a handful of countries. However, as spammers get smarter, they're increasingly turning to arrays of compromised computers that don't have contiguous address ranges that are easy to block. For drastic cases, you might consider filtering all incoming messages that contain GIF or JPEG attachments, but that solution will probably be too severe for most environments.
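As an added illustration (not code from this article or from the Hawk Wings post), the three rule types mentioned above can be sketched with Python's standard email package: a match on the message's MIME type, a match on a reused image filename, and the drastic block on any GIF or JPEG part. The flagged type multipart/related and the filename offer.gif are placeholder assumptions, and the sample messages are constructed.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Placeholder rule data (assumptions; substitute values seen in your own spam runs).
FLAGGED_CONTAINER_TYPES = {"multipart/related"}
BLOCKED_IMAGE_FILENAMES = {"offer.gif"}
BLOCKED_IMAGE_TYPES = {"image/gif", "image/jpeg"}


def image_spam_rules(raw: bytes, strict: bool = False) -> list[str]:
    """Return the names of the rules a raw RFC 5322 message triggers."""
    msg = message_from_bytes(raw, policy=policy.default)
    images = [p for p in msg.walk() if p.get_content_maintype() == "image"]
    if not images:
        return []  # no image parts: none of these rules apply
    hits = []
    # Rule 1: message-level MIME type that image spam uses frequently.
    if msg.get_content_type() in FLAGGED_CONTAINER_TYPES:
        hits.append("container-mime-type")
    # Rule 2: image filename reused across spam runs (case-insensitive).
    names = {(p.get_filename() or "").lower() for p in images}
    if names & BLOCKED_IMAGE_FILENAMES:
        hits.append("reused-filename")
    # Rule 3 (drastic, opt-in): any GIF or JPEG part at all.
    if strict and any(p.get_content_type() in BLOCKED_IMAGE_TYPES for p in images):
        hits.append("any-gif-or-jpeg")
    return hits


def build_sample(filename: str, related: bool) -> bytes:
    """Construct a sample message with filler text and one GIF part."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.org"
    msg["Subject"] = "constructed sample"
    msg.set_content("filler text meant to confuse Bayesian filters")
    gif = b"GIF89a" + b"\x00" * 16  # stub bytes, not a real image
    add = msg.add_related if related else msg.add_attachment
    add(gif, maintype="image", subtype="gif", filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    print(image_spam_rules(build_sample("OFFER.GIF", related=True)))
    print(image_spam_rules(build_sample("logo.gif", related=False)))
    print(image_spam_rules(build_sample("logo.gif", related=False), strict=True))
```

The third call shows why the strict rule is too severe for most environments: an ordinary message carrying a logo is flagged as well.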
Antispam vendors will continue to attack the problem, and their efforts will no doubt bear fruit—until those regrettably clever spammers come up with a new wrinkle. I guess that's why they call it an arms race!
Reader Comments
This technique is so out of date on what is happening out there...
jackpeng -January 18, 2007
I'd welcome your suggestions on what other worthwhile measures you'd recommend. Image spam certainly isn't going to get any better, so I think the suggestions in the article are useful.
paulrobichaux -January 18, 2007
NONE
diarmuid -January 18, 2007
I've had very good results fighting Image Spam with the latest build of MailEssentials from GFI.
nationalanalysts -January 18, 2007
Thanks - would like to read more articles on fighting spam
theitdude -January 18, 2007
This is a huge problem. I need a solution. We use Mimesweeper and they have no answer yet.
pault@san-remo.com.au -January 18, 2007
The best thing is to put the business OUT OF BUSINESS. They should all have their IPs revoked.
They all have a way to get back to the site they want you to visit. So, WHAT IS THE PROBLEM? Take them out!
karlshifflett -January 18, 2007
We use a "managed service" run by MX Logic. It works great. In using since August or September, it blocked all the spam.
In December and January I have had a few users tell me that they have received 1 spam or 2 spams. But nothing like before when we were doing the filtering ourselves. [If you call them, tell them Metal Exchange Corp. was the reference.]
hitchcock4 -January 19, 2007
"Exchange Server 2007 is that Microsoft is finally releasing regular updates to its built-in spam filter"
Sorry, had to comment on this. Wasn't their last update in like November 2006? How frequent is that?!?!?!?
Symantec Brightmail updates every ten minutes. I must say, I have found that product to work the best in my environment.
Hosted services, like Frontbridge and MX Logic, filtered out spam all right, but they also filter out TONS of legit emails. I mean TONS!!!!!!! Bank statements, airline e-ticket reservations, client emails, etc. UNACCEPTABLE!
It caused such a hassle! I have never had to tweak anything in Brightmail. I have like 5 domains on the white list over 3 years.
Anyway, there is my 2kb. I feel better now :)
Sammyc53 -January 19, 2007
I use mailsweeper appliance and it grabs most (but not all) of this; you need to look at the emails and play with the rules. My home ISP uses Brightmail and I get a lot of image spam there... it all depends on your level of tolerance for spam/pain for false positives. Nobody is perfect... the spammers go out of their way to make themselves look like regular mail, and we, with logos, backgrounds, embedded GIFs/JPGs... we enable them to do this.
drosenthal -January 19, 2007
I use MessageLabs hosted service - their service performance is exceptional - no false positives and minimal spams getting through.
Dazzak -January 19, 2007
Pah! OCR will never work, just look at the 'hazing' the spammers are putting over the images now.
We've tried all the usual suspects, even Message Labs, but they're all barely adequate. The latter suffered huge slowdowns due to the volume of spam they process.
We now use Mimecast, which is by far the best solution I've seen for years. No spam, no false positives, it's a dream.