Network World's Messaging Newsletter, 06/20/06
How IronPort tackles image-based spam
By Michael Osterman
Following my discussion with Vircom about the problems the e-mail security firm is finding with image-based spam (as reported in last week's newsletter), I spoke with IronPort about the issue.
IronPort is finding that about 12% of all spam is currently image-based, but that only a small handful of spammers are currently using it. However, because of the inability of many spam filters to adequately detect and stop this type of spam, the capture rate is much lower than for conventional spam. The result is that upwards of 50% of the spam received by end users is image-based spam.
Conventional anti-spam systems using heuristics are quite poor at stopping image spam. Signature-based approaches are also inadequate because randomization techniques easily bypass these signatures. Randomization can take the form of inserting random pixels in a GIF image, which are imperceptible to viewers but easily break traditional binary signatures, or of changing palette or border colors. While randomization capabilities for image-based spam are not yet built into spam tool kits available on the Web, it's probably only a matter of time before this is the case.
IronPort's approach is to use what it calls Context Adaptive Scanning - basically, profiling image spam to look for patterns across the message, the reputation of the sender, whether or not a dynamic IP address is used, how the message is constructed and other information. IronPort's approach also looks for color patterns within an image that can identify the presence of text within an image, since the vast majority of valid images sent through e-mail rarely contain a substantial quantity of text. Using these techniques, IronPort is currently able to stop about 98% of image-based spam with a very low false positive ratio.
How much of a problem is image-based spam for your organization? Are you finding an increase in this type of spam and are you having difficulty detecting and stopping it?
From: Alan Premselaar [mailto:[EMAIL PROTECTED]]
Sent: Tue 6/20/2006 12:57 AM
To: jdow
Cc: users@spamassassin.apache.org
Subject: Re: How to detect current images-only messages?
jdow wrote:
> From: "Chris Santerre" <[EMAIL PROTECTED]>
>>> From: Yves Goergen [mailto:[EMAIL PROTECTED]]
>>>
>>> Hello,
>>>
>>> I keep receiving messages that contain nothing but composed images.
>>> They're HTML messages with only <img/> tags in them. There seems to be a
>>> rule that checks if the message has *any* image and compares it to its
>>> length. That gave my spam some scores recently but not so today. I
>>> received a message that looks just like the others but has no score at
>>> all due to the fact that it only contains images.
>>>
>>> Is there any way to detect this type of message with SpamAssassin? I
>>> cannot think of a regular expression that would do it, and even if I
>>> could, SA offered no way to match it reliably. (See the line-by-line
>>> problem with 'rawbody' and encoding problems with 'full'.)
>>
>> I keep hearing this is a problem, but I'm not seeing it on my end.
>> Most are being caught:
>
> ....
>
>> I'll have to adjust for those 2. :)
>
> In case he means no score and no SA markup there is still a way this
> can happen. If an email comes in during a very tiny window when spamd
> is reloading its configuration (-HUP) the email can sneak through.
>
> {^_^}

Of course this can also happen if the message size is greater than the
upper size limit set (default 250k) ... being that it's an image only,
I'd say it's definitely a possibility. (I've seen that happen on my
system in the past)

Alan
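Pulling together the newsletter's point about text-free images and the thread's question about HTML messages made only of <img/> tags, here is an added heuristic written for this page; it is neither IronPort's Context Adaptive Scanning nor a SpamAssassin rule. It parses a raw message, weighs <img> tags and image MIME parts against the visible text, and also reports whether the message is larger than the scan size limit Alan mentions, since such a message is never scored at all. The 20-character text threshold, the reading of "250k" as 250 * 1024 bytes, and the sample message are all assumptions constructed for the example.

```python
import re
from email import message_from_bytes
from email.policy import default

SCAN_SIZE_LIMIT = 250 * 1024  # assumed reading of the "250k" default quoted above
MIN_VISIBLE_TEXT = 20         # assumed threshold below which a body counts as "no text"
IMG_TAG = re.compile(r"<img\b[^>]*>", re.IGNORECASE)
ANY_TAG = re.compile(r"<[^>]+>")

def analyze(raw: bytes) -> dict:
    """Return image-only indicators for one raw RFC 822 message."""
    msg = message_from_bytes(raw, policy=default)
    img_tags = image_parts = visible_text = 0
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "text/html":
            html = part.get_content()
            img_tags += len(IMG_TAG.findall(html))
            # Drop markup and whitespace; what is left is text a reader would see.
            visible_text += len(re.sub(r"\s+", "", ANY_TAG.sub("", html)))
        elif ctype == "text/plain":
            visible_text += len(re.sub(r"\s+", "", part.get_content()))
        elif part.get_content_maintype() == "image":
            image_parts += 1
    return {
        "img_tags": img_tags,
        "image_parts": image_parts,
        "visible_text": visible_text,
        # The pattern from the thread: images present, nothing readable around them.
        "image_only": (img_tags + image_parts) > 0 and visible_text < MIN_VISIBLE_TEXT,
        # A message over the size limit is never scanned, so it is never scored.
        "exceeds_scan_limit": len(raw) > SCAN_SIZE_LIMIT,
    }

# Constructed sample, not a real spam message: an HTML body of nothing but <img/> tags.
IMAGE_ONLY_SAMPLE = b"""\
From: sender@example.invalid
Content-Type: multipart/related; boundary="b1"

--b1
Content-Type: text/html; charset="us-ascii"

<html><body><img src="cid:pic1"/><img src="cid:pic2"/></body></html>
--b1
Content-Type: image/gif

GIF89a(constructed placeholder, not a real image)
--b1--
"""
```

A message that trips `exceeds_scan_limit` deserves its own handling, because the scanner will never produce a score for it.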