Cover Story The changing face of spamming

PROLOGUE
Image spam has exploded in 2006, as spammers have found it to be an effective means of bypassing traditional spam filters. The flood of image spam is frustrating end-users and taxing the already strained email infrastructures of many companies. Spammers have rendered traditional anti-spam technologies ineffective by hiding content in embedded images and subtly randomizing these images so that each message appears unique to spam filters. Some anti-spam vendors are looking towards introducing OCR technology to stop this problem. Unfortunately, this technology is too slow for many customers and can easily be defeated by simple changes in spammer tactics.
Until a while ago, spam was the domain of text- or html-based emails. For anonymous delivery, these messages traditionally relied on abusing open SMTP relays. When open SMTP relays became less common, spammers switched to proxy servers, dial-up services and more recently, hijacked computers. Spammers designed personalized template emails to deliver their messages and then made use of bulk mailing software for distribution. To block spam, email service providers and companies often relied on keyword 'detection', and drew up a list of keywords that commonly appeared in most of the spam email. This list would often include keywords such as 'disease' or 'bank'. However, this method often blocked genuine email and adding more keywords simply resulted in more false positives which in turn blocked legitimate email. But spammers became smarter too, and they addressed keyword blocking by replacing keywords such as 's@les' (note a is replaced by @) or 'sa1es' (L is replaced by one).  Another attempt at blocking spam includes making use of blacklists that contain a list of IP addresses of known spammers or compromised hosts. However, these lists have to be constantly updated because spammers have learnt to counteract this by rapidly changing the origin of spam.
Textual based spam filters have proved to be very effective. Signature based system scan the content of emails for URLs or phrases that are known to be found in spam. Bayesian systems analyze the usage of the words in the email and decide if the pattern of language usage fits best with spam or non-spam messages. These approaches have had so much success that spammers have had to resort to inserting spaces and punctuation marks to break up words and phrases so that the language cannot be easily analyzed by computer.
The following spam message is an excellent example:
H'E'R_E WE GO AG,AIN!
T H-E B+I-G O_N_E BEFO.RE T*H'E SE'PTE'MBER.RALLY!
T_H+E M-ARKET IS ABOU_T TO P-O,P+,
However, breaking up the text like this renders the email difficult to read by the intended recipient, and results in it being relatively simple to detect heuristically. The language is obviously very different from normal text. Heuristic rule bases can be built up that search for messages that either contains too much punctuation or that contain clear attempts at hiding key words. One way of countering such defenses is, quite simply, not to include any text in the email at all, but to hide the content within an image. By including the text as an image, the recipient is able to identify and read the words without difficulty, but the words remain invisible to textual analysis techniques. The spammer hopes that the spam filter will see an email that contains an image without any suspicious words or phrases categorize the email as non-spam and allow it to pass.

Spam is the abuse of electronic messaging systems (including most broadcast media, digital delivery systems) to send unsolicited bulk messages indiscriminately. While the most widely recognized form of spam is e-mail spam, the term is applied to similar abuses in other media: instant messaging spam, Usenet newsgroup spam, Web search engine spam, spam in blogs, wiki spam, online classified ads spam, mobile phone messaging spam, Internet forum spam, junk fax transmissions, social networking spam, and file sharing network spam.
Spamming remains economically viable because advertisers have no operating costs beyond the management of their mailing lists, and it is difficult to hold senders accountable for their mass mailings. Because the barrier to entry is so low, spammers are numerous, and the volume of unsolicited mail has become very high. The costs, such as lost productivity and fraud, are borne by the public and by Internet service providers, which have been forced to add extra capacity to cope with the deluge. Spamming is widely reviled, and has been the subject of legislation in many jurisdictions. People who create electronic spam are called spammers. It is believed that majority of spammers are using home PCs for this purpose.

Image Spam: The Email Epidemic
End-users around the world are reporting an increase in spam. Much of this increase can be attributed to a resurgence of spam in 2006 - driven by the emergence of new, more sophisticated forms of image spam. Image spam is a technique with which spammers advertise the "call to action" of their message as part of an embedded file attachment (like a .gif or .jpeg) rather than in the body of the email. These images are automatically displayed to end-users, yet the content of the image itself remains hidden from most spam filters. The increase in more complex image spam attacks has caused spam capture rates across the email security industry to decline, resulting in wasted productivity and end-user frustration as more spam gets delivered to their inboxes. The sheer increase in the volume of spam, combined with a higher percentage of larger-sized spam, is also clogging the email infrastructure as many mail systems are unable to keep up with these spam volumes. The root cause behind this sharp increase in spam volumes is money. Spammers are single-minded: they send spam to make money. The more messages that are delivered to inboxes, the better the chances recipients take action on the messages, resulting in more income for spammers.
A randomized image spam is especially difficult for most spam filters to detect - causing more of the spam to get delivered. Spammers can also make their images appear quite normal and compelling to users, resulting in higher response rates. Since neither of these factors is likely to change in the near-term, anti-spam software expects image spam to remain a problem for the foreseeable future. This software has also seen spammers innovate rapidly in their use of image spam, suggesting that image spam will soon become even more challenging to detect.
What is Image Spamming?
Image spamming is a new method of email spamming. The text is imbedded in image or picture files, which most anti-spam software ignore. They are not detected as spam simply because they are pictures and not text.  Blocking image spam is proving difficult, as images and pictures (whether as attachments or embedded in the body of the message) are an expected part of a person's daily email intake - for business reasons (e.g., company logos, product shots, electronic newsletters, etc.) or personal purposes (family photos, vacation shots and so on).

Generation one: spam that loads images automatically from the Internet
Rewind back to 1997 to some of the first usages of images in spam messages. At this point, image-based spam messages did not contain any image files; rather, images loaded directly from the Internet. After the image loaded, the actual spam message remained very small (generally less than 10k), saving bandwidth. The big value to spammers was that they could include the email address of the spammed user in the URL used for loading the image and consequently track the user. By opening the message and enabling the image to download, the end-user inadvertently verified his or her email address as active. In order to combat this first generation of image-based spam, anti-spam products used SURBL (Spam URL Real-time Block-lists) or large databases containing offending URLs to block the spam. As a by-product of this spam technique, email clients no longer load images from the Internet automatically.

Generation two: spam that contains embedded images
Fast-forward to 2003 and second generation image-based spam. Now, spam messages contain embedded images to circumvent blocking by email clients. The spam message size becomes noticeably larger, but fortunately for spammers, bandwidth has increased to the point that it is no longer a concern. Many of the embedded images are "clickable." This means there is still a URL available that the spammers can use to validate email addresses. To counter these techniques, anti-spam products could still rely on large databases or SURBL containing URLs to block the spams with reasonable effectiveness. Additionally, products began to use image fingerprints to block this type of spam.

Generation three: spam that contains embedded images with random variations
By 2005, spammers started using image variations, such as random borders, variations in background color or random pixels, to circumvent filtering. These image variations ensure that each image is unique. Another approach used by spammers is to randomly fragment the images. This meant that in reality there were up to dozens of images embedded that looked like one image or one continuous piece of text in the email client, much like a puzzle. This type of spam is much harder to filter out by traditional spam filtering techniques. The ability to perform basic image analysis is necessary in order to accurately determine image fingerprints that are still valid, even with variations, such as color palette changes and pixel movements.

Generation four: spam that contains animated image files
Last year, fourth generation spammers began using animated GIFs to drive image-based spam distribution. This new technique opened the door to a wide variety of tricks, such as:
• Using the first few frames to confuse the filters by showing them only for some milliseconds and afterwards presenting the main frame
• Creating a combined spam message from many source frames using transparency schemes.
To be effective against these tricks, anti-spam products have to overlay the frames and simulate the animation to calculate an appropriate fingerprint.
Generation five: spam that contains multi-colored backgrounds
Right now, spammers are implementing new techniques to circumvent more sophisticated image fingerprints. Much like the effect new zero-day viruses have had on anti-virus solutions, these types of image-based spam have the potential for individualization. For example, spammers have started to fill the background randomly by multicolored geometric forms. These images rely on botnets and are calculated in a way that makes each and every spam unique. Also notable, the text is often not placed on a rectilinear baseline but rather on a rolling one to circumvent optical character recognition (OCR). Countering these types of spam becomes much more difficult. Anti-spam products must use sophisticated image structure fingerprints based on characteristics - such as multicolored text, multicolored background, percentage of text, or color distribution - to block this type of spam.

Next generations
Animated image files and multicolored embedded text in images that cannot be easily separated from the background by an algorithm - or a combination of both - provide many options to outwit new detection methods dedicated to image-based spam. Even by using all features of animated image-based spam to create corresponding detection methods - transparency of pixels, overlaying frames, showing the last frame several minutes after the frame before - there is no easy way to analyze these images without a significant increase of computing power. That being said a preemptive email security vendor should be focused on the development of image-based spam detection methods that effectively detect these types of spam without straining performance - a formidable but necessary task.

Current Scenario
Image spamming is, in a sense, an escalation of the spam - anti-spam 'wars' of the early 21st century. Junk email had reached such alarming proportions that people considered it as both a nuisance and a threat. Many anti-virus companies and ISPs launched major efforts to reduce or lessen the problem. Anti-spam filters originally offered as 'add-ons' to anti-virus software, quickly became standard features of email programs like Outlook, and even web-based programs like Yahoo! Mail and Google's Gmail. The filters are, in a way, 'text readers' and were geared to recognize and 'lock on' keywords beloved by spammers (such as 'offers,' 'miracle' and so on). Email messages that carried these keywords were shunted off to a 'holding area' where the recipient could review them in safety and at his leisure, deleting those that were truly spam and retaining genuine messages.
In response to tighter anti-spam filters, cyber-criminals began sending image spam. Some image spammers have taken the idea a step further - combining text with photos intended to lend an aura of legitimacy around the activity.

Pump-and-Dump Scam through Image Spamming
In pump-and-dump schemes, cyber-criminals buy low-cost stocks from legitimate stock exchanges and send out image spam using real stock market symbols in the hope of getting gullible investors to buy in and raise the stock's prices far above its actual value. The image spammers then wait until the stock hits a high and then cash in before the value of the stock falls, leaving the investors with near-worthless stocks and their monies depleted. Pump-and-dump scams have become so prevalent that the US Securities and Exchange Commission (SEC) has stepped in and is monitoring the situation carefully - going so far as to suspend trading on stocks suspected of being used for this scheme.
Blocking Image Spam
Optical character recognition (OCR) programs are one approach that could be used. However, they hog bandwidth, are easy to deceive, are CPU-intensive, and are time-consuming. Some spammers also use handwritten messages which are almost impossible for OCRs to read. Other methods of getting around OCRs include using background colors, graphics as background or even "tiled" images (slicing up pictures randomly and reassembling them) to avoid image recognition programs that detect previously used image scams. While time and money are being spent to counter image spam, most security experts believe that the best way to avoid being hit by these is the straightforward approach - for recipients of such emails to ignore the messages, and delete these from their inboxes.

The Real Issue
Spammers are developing more and more sophisticated methods to avoid filters. Generally, this entails attempts at sending out e-mail "waves" in which each and every e-mail is in some way unique and different from its predecessors. The relative success of each wave is then analyzed by the spammer and the resulting finds become "features" of the next spam wave. New methods of detecting spam waves, such as extracting their core characteristics and pushing these characteristics out to clients as spam signatures, are in the final phase of development. Attempts are also being made at finding methods to predict spam changes.
Many of the filtering methods used by Bit-Defender (a software solution of to provide anti-spamming capabilities) have become more robust at dealing with all of the little variations encountered in spam flows. However, in 2006 there has been an increase in image spam. Simple e-mails with apparently similar images (but unique, judging by their computational differences) started polluting our inboxes in large quantities. At the time image spam-fighting techniques were just emerging, an effective image spam detection method was that of making signatures based on the image metadata. However, given that the BitDefender anti-spam lab have, in the meantime, found in-the-wild spam e-mails using fresh new techniques of image poisoning intended to defeat spam filters, an entirely new technology is now needed to defeat this new development.
Spam images usually contain pictures of pills, computer hardware, pornographic images, or just the classical spam message (some text and a URL) but written in a noisy image.
To do any sort of content analysis on such e-mails would mean, on the face of it, that the pictures need to be run through an optical character recognition (OCR) module. Yet common OCR filters are computationally expensive and their accuracy leaves much to be desired.

Why Image Spam Is Difficult To Detect
Image spam has been around for years. It was originally created in order to get past "heuristic" filters, which block messages containing words and phrases commonly found in spam. Since image files are in an entirely different format than the text found in an email, heuristic filters never "see" the content of the message. Therefore, these filters were easily defeated by this type of spam.
To deal with this problem, anti-spam vendors developed "fuzzy signature" technologies. These signature-based technologies collect samples of known spam and then classify "near-identical" messages as spam. These signatures were sometimes written against just the message attachment, so that messages with different content but the same attachment would still be marked as spam.
Signature-based defenses remained effective for several years. In 2006, however, spammers began randomizing images to appear the same to the human viewer but totally different to spam filters. For example, some spammers are sending messages advertising the purchase of stocks with an attached .gif file that has random "dots" inserted in the image and borders with subtly different color and width. The signatures that most anti-spam vendors rely on to detect these attacks vary dramatically, based on these small changes to the image. This means that anti-spam vendors may publish a rule that stops one instance, but this rule doesn't stop all the rest of the spam messages in the attack.
There is an almost infinite number of ways that spammers can randomize images. In addition to inserting dots, spammers have recently used techniques such as varying the colors used in an image, changing the width and pattern of the border, altering the font style, and "slicing" images down into smaller pieces (which are then reassembled to appear as a single image to the recipient). Following are the two examples of the many techniques recently used by spammers to get past signature-based defenses.
POLKA DOTS
An embedded .gif file containing all "text" with dots randomly inserted in the image to make every message appear unique to spam filters
Slice & Dice
Images are broken down into many smaller files of varying sizes and then reassembled in the mail client so as to appear as a single image to the email recipient. The rectangle highlighted represents the border of one of over a dozen image files used to construct this message. This technique is used to defeat signature-based defenses and breakup words that could be found by OCR.
Some vendors have recently introduced Optical Character Recognition (OCR) as a means of detecting image spam. OCR is a technology used to extract typewritten text from an image. While more effective than signature-based solutions alone, OCR has several limitations. First, OCR is very computationally expensive. Fully rendering each message and then looking for word matches against different character set libraries can take as long as several seconds per message. This lowers system throughput below levels acceptable to most ISPs and enterprises. OCR is also extremely vulnerable to obfuscation. While modern OCR technology can reliably detect typed letters and numbers, it can be easily fooled by basic techniques used by spammers. For example, OCR is ineffective at detecting image spam that includes hand-written text, graphics or any abstract data.
Context adaptive Scanning
Most anti-spam filters depend heavily on content-analysis for stopping spam. This is like building a house on a weak foundation. These filters all share a common weakness - relying heavily on something that can easily be manipulated by spammers themselves. Image spam is just one instance where content-based filters fall short. As in the examples on page 3, the "content" of the spam is invisible to many filters because it is embedded in the image itself.
To detect image spam, anti-spammers have augmented traditional content-based techniques with techniques that analyze the full context in which the message was received. Specifically detects threats by analyzing four broad areas:

1. Who sent the message and what do we know about this sender?
2. Where does the call to action in the message take you?
3. What is the nature of the message content?
4. How the message was technically constructed?

Instead of generating a signature based on the content of the message, they create a specific spam profile for an image-based spam attack that combines the "who, where, what and how" of a message.
For example, one profile might be created for message that originated from a dynamic IP address, contains a certain header pattern, has an embedded image of a specific size-range and type and contains little or no text in the body of the email itself. None of these factors alone are likely to indicate with certainty that a message is spam, but they are highly accurate when combined. Context adaptive scanning allows anti-spammer to filter the majority of image-based spam attacks without decoding the image file. The second layer of protection is provided by Multidimensional

Pattern Recognition (MPR)
Multidimensional Pattern Recognition
To the human eye, image spam is extremely recognizable. In fact, this is one of the properties of image spam that make it attractive to the spammer - they don't have to go to nearly the same lengths to obfuscate their content when sending image spam to avoid filtering as they do with traditional text spam. But, if this spam is so obvious to the end-user, why can't spam filters identify it?
The challenge is that humans interpret the content of messages using a much richer data set than just the text displayed. Attributes such as image color, shape, font size and type, graphics and many other characteristics also shape a reader's perception of a message. This information is entirely hidden from traditional content filters - and technologies like OCR only capture a fraction of this information. Anti-spam software "IronPort Anti-Spam" developed a patent-pending technology called Multidimensional Pattern Recognition (MPR) to address this problem. After decoding the binary image files, IronPort uses MPR to analyze the decompressed image data across over 13 dimensions to determine whether or not the message is spam.
Color is an example of a dimension that provides rich information about the content of a message.
of colors found in each message to establish the likelihood that the message is spam. For example, MPR can scan a .gif file to look for pixel patterns indicating that the image file is displaying "all text" to the user, a pattern that is common in spam but rare in legitimate email (most legitimate .gif files contain pictures not text). MPR can also detect anomalous "dots" in images that don't fit the "smoother" gradients of light typically found in legitimate email (these dots may represent attempts by the spammer to defeat signatures). To make this level of inspection possible without compromising performance, "IronPort" applies the concept of "early exit". This means that the more intensive MPR process is only applied to messages with images that have already passed through the regular context adaptive scanning process. This same concept is applied within MPR as well. If part of the image file has been analyzed and there is sufficient data to determine that the message is spam, the full image file will never be analyzed. The end result is a process that is not only more accurate, but also several times faster than traditional OCR technologies. Critical to the effectiveness of this technology is the real-time nature of "IronPort Anti-Spam". Updates to the system are made every five minutes, ensuring immediate and accurate protection from image-based threats.
IronPort has taken a fundamentally different approach to the problem. By interpreting image content more along the lines of how a human would interpret the image, using Multidimensional Pattern Recognition, IronPort has turned the spammers' own techniques against them. In their efforts to defeat traditional anti-spam systems, image spammers are leaving behind subtle traces that IronPort Anti-Spam is using to stop over 98 percent of their messages. IronPort Anti-Spam is available on IronPort's email security appliances. IronPort technology protects the infrastructures of organizations worldwide - not only from today's threats, but from those certain to evolve in the future.
As with most spam tactics, as folks who do any kind of email filtering continue to develop solutions to effectively block one type of spam, the spammers adapt and change their methodologies to something else. That is what we are seeing here. We have started to see a couple of new types of image spam:
The first type is one where the spammers are using legitimate image hosting providers such as Imageshack and Flickr to host their images. There are a couple of problems with this tactic from the spammer's perspective. For one, the user has to click a link in order to see the image. Secondly, the image hosting providers are pretty quick to shut these down and take the images offline. Third, from a filtering standpoint, it is pretty easy to block. I wouldn't expect to see this tactic used for too long even though it currently accounts for about 4% of our spam volume.
The second type is one that we have started to see only within the past couple of days, and it is a hybrid of the original image spam tactic of attaching the image to the message and using an external image host. With this new tactic, the location of the image is used as the background attribute to the body tag within the HTML code of the message. So, the image itself can be hosted by a free image host or a compromised web server, and since the image is being called as the background in an HTML page the image renders within the body of the message. This way the user does not have to click a link in order to see the image. No solid volume numbers to report on this tactic yet, but I would expect it to become more popular.
So, it looks like the next wave of image spam is upon us. These new tactics actually open up quite a few new possibilities for image spam to morph into other types of spam such as flash movies. Expect to see more experimentation over the next couple of months as spammers continue to tinker with this new tactic to find new and more creative ways to get their junk delivered to your inbox.

New trends: Dynamic Zombie botnets
Botnets can be defined as networks of compromised computers which can be controlled by a single master. The number of nodes (also known as zombies) of these botnets can run into millions and these machines make use of different software vulnerabilities to gain full access to the infected hosts and add it to their existing array of zombies. Computer hackers had long been using botnets to launch DoS (denial of service) attacks and distribute network hacking attacks. Computer criminals had also been using botnets for money-making schemes, such as stealing credit card information and scamming pay-per-click advertising companies. Seeing huge potential in botnets, spammers started financing hackers to make use of zombie machines. Hackers were able to offer services such as renting of botnets for a few minutes or hours and collections of email recipients (spam lists). The anti-virus industry noticed correlations between the spam industry and botnets. Not only were malware writers allowing spammers to make use of their creations, but they were writing malicious code to specifically suit their needs. An unholy alliance had been created.
Most anti-spam vendors had added Bayesian filtering to their arsenal of spam blocking methods. The fight between spam and anti-spam looked like it was taking a positive turn. However, by the end of 2006, the nature of spam had totally shifted. Whereas spam had been mainly text based, this time spam started looking more graphic in nature. Spammers began making use of images to bypass text-based content filtering, simply by no longer using any text content. By making use of image spam, spammers were attacking the defenses of most anti-spam solutions; while the images displayed text messages to the end-users, the antispam software was only able to see pixels. Some email anti-spam solutions decided to go with OCR (Optical Character Recognition) to turn the images into text that the software could then use. However, spammers took their images to the next level. In an approach usually applied to CAPTCHA (an anti-spam solution that is used on web forums), they started fuzzing (including noise and distortions) images to make it even harder for the machine to recognize text. Although it is possible for the machine to read this text, the process is very CPU intensive - especially when it is handling multitudes of images every few seconds.

The latest trends
Although spammers registered considerable success with image spam (picture, right) the anti-spam software industry had not lost the battle and quickly came out with new counter-measures to stop image spam. Realizing that filters had a problem with images, the answer was to hit spammers at source - that is where the email originated from. This new approach had an immediate positive result and considerably decreased the effectiveness of image spam and gave back to email users some control over their mailbox. As with every cat-and-mouse game, spammers had to respond and in June 2007, they came up with a new technique that is not only ingenious but even more problematic than image spam. Instead of embedding the image within the email itself, they 'repackaged' it within an attachment using one of the most common file formats in use today - a PDF file. This move is clever for a number of reasons:

• Email users 'expect' spam to be an image or text within the body of the email and not an attachment.
• Since most businesses today transfer documents using the PDF format, email users will have to check each PDF document otherwise they risk losing important documentation.
• With most anti-spam software products on the market geared towards filtering the email itself and not attachments, spam has a longer shelf-life within a network.
• An attachment that is a PDF file has greater credibility in an email thus making social engineering attacks much easier.
• The ability to send large PDF files could result in a single spam attack causing huge bottlenecks on a company's email server, reducing the quality and amount of bandwidth available.
• By sending PDF attachments, spammers can also resort to phishing by attaching supposedly authentic documents from a bank or service provider.
• The use of PDF spam was short-lived as anti-spam software vendors quickly came out with updates and filters that analyzed the body of every PDF file. Not to be defeated, spammers took less than a month to come out with a new option: Microsoft Excel files for push-and-dump scams. This move was clever for reasons similar to those above for PDFs:
• Email users 'expect' spam to be an image or text within the body of the email and not an attachment.
• Excel is another extremely common file-type in use and users are very familiar with this format.
• Since many businesses use Microsoft Excel for spreadsheets, databases and so on, email users will have to check each document otherwise they risk losing important documentation
• With most anti-spam software products on the market geared towards filtering the email itself and not attachments, 'Excel' spam has a longer shelf-life within a network.
• Taking the game to a new level, in early August 2007, spammers started compressing their text-based and Excel-based spam documents using the ZIP file format. This is effective for two main reasons:
• Companies that do not use anti-virus software on their network could be easy targets for this type of spam.
• Users who may not be aware of security issues surrounding attachments are prone to opening these ZIP files. With spammers and hackers thriving in their unholy alliance, the risk of malicious files being packaged with pump-and-dump spam is all too real.
• The use of multiple file format combinations that are most commonly in use by email users appears to be spammers' way forward for spammers.
The damage that spam can cause any business should never be underestimated. Efficiency, productivity and profitability can all take a serious hit if electronic junk email gains access to inboxes, with valuable time and effort eaten up in identifying and deleting unwanted messages. Spam currently accounts for a staggering 83.4% of all emails heading to corporate gateways. As spam filters become more effective spammers have to adopt new techniques to attempt to outwit anti-spam defenses and ensure their unsolicited emails are delivered to their targets. By encoding their message as an image rather than as plain text, spammers hope to hide the content of the spam from spam filters. Their reasoning is that only the recipient will be able to view and read the image; spam filters will not be able to understand the content and let the email pass. Nevertheless there are subtle clues hidden within the images which identify them as spam.

References
www.bitdefender.com
www.ironportstore.com/Image-Spam.asp
http://social.technet.microsoft.com

Disclaimer
Views expressed in this article are generally accumulated from published material from Internet especially from Internet magazines. The article also contains major excerpts from research papers and other pdf documents.

About the Writer
Mr. Zaki Rashidi is a contributing editor of @Internet magazine. He is assistant professor at FAST-School of Business, Karachi.