The New Wave of Spam

Spam continues to be a pervasive problem that all small to mid-sized businesses must deal with. According to the most recent Symantec Internet Security Threat Report:

  • Between July 1 and December 31, 2006, spam made up 59% of all monitored email traffic. This is an increase over the first six months of 2006 when 54% of email was classified as spam.
  • 65% of all spam detected during this period was written in English.
  • Spam related to financial services made up 30% of all spam during this period, the most of any category.
  • During the last six months of 2006, 44% of all spam detected worldwide originated in the United States.

Dealing with spam is a waste of valuable employee time. According to a new study conducted by Nucleus Research, two out of every three email messages received by today's business users are spam. The study also says that users are spending 16 seconds identifying and deleting each spam email, at a cost of $712 per employee in lost productivity, which translates into an annual cost of $70 billion to all U.S. businesses.

In addition, spam often contains offensive material, and can possibly expose the recipient to fraud. Spam also has the ability to consume email servers and negatively impact network performance. Today’s spammers are turning to a new form of spam called "image-based spam," which is not only a means of bypassing anti-spam filters, it also uses a great deal of bandwidth and storage space — commodities that are in short supply in many small and mid-sized businesses.

Image-based spam
"Image-based spam" has become a popular technique among spammers because of its ability to bypass traditional anti-spam filtering technologies. Instead of sending messages as text, with or without accompanying images, spammers have started sending messages that consist only of images.

Image spam is an unsolicited email message that contains only an image (typically an embedded .JPG or .GIF file). The image carries whatever message the spammer wants to convey. There might be a picture as well as some "text" in the email; however, the "text" is part of the image. Spammers also try to confuse filters by slightly varying the images in each email. These are subtle changes, like lightening the background or border color, changing the margin size, or adding tiny spots to the background. The changes are invisible to the eye (or irrelevant to the reader), but they make it very difficult for anti-spam technologies to recognize the messages as a single spam attack, since each variant has a different spam "signature."

Image spam has enjoyed explosive growth recently; in fact, Richi Jennings, senior analyst for Ferris Research, says that the number of image spam emails has increased tenfold (900%) over the past year. Image spam is also a particularly heavy consumer of bandwidth and storage space. While a text-based spam message usually runs 5-10KB, the typical size of image spam ranges from 10-100KB, Jennings said.
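The two points above (an image standing in for the message text, and tiny byte-level variations defeating exact signatures) can be shown with a small structural check. The following is an added example, not code from the original article or from Symantec: it builds three constructed MIME messages with the standard library, hashes the image part the way a byte-exact signature filter would, and then applies a simple heuristic (image part present, almost no readable text) that is unaffected by the one-byte variation. The 40-character text threshold and the placeholder GIF payload are assumptions chosen for the demonstration.

```python
import hashlib
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from typing import Optional

# Constructed placeholder image payload: a GIF header followed by filler bytes.
# It is not a real image; it stands in for the spammer's rendered "text" picture.
SAMPLE_GIF = b"GIF89a" + bytes(range(256)) * 8


def build_message(subject: str, text: str, image: Optional[bytes] = None) -> bytes:
    """Construct a sample RFC 5322 message (test data, not captured spam)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = subject
    msg.set_content(text)
    if image is not None:
        msg.add_attachment(image, maintype="image", subtype="gif", filename="pic.gif")
    return msg.as_bytes()


def classify_image_spam(raw: bytes, min_text_chars: int = 40) -> dict:
    """Structural heuristic: an image part with (almost) no readable text.

    Returns the features alongside the verdict so a filter can log them.
    """
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    text_chars = 0
    image_parts = 0
    image_bytes = 0
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "text/plain":
            text_chars += len(part.get_content().strip())
        elif ctype == "text/html":
            # Strip tags so markup alone does not count as readable text.
            visible = re.sub(r"<[^>]+>", " ", part.get_content())
            text_chars += len(re.sub(r"\s+", " ", visible).strip())
        elif part.get_content_maintype() == "image":
            image_parts += 1
            image_bytes += len(part.get_payload(decode=True))
    image_only = image_parts > 0 and text_chars < min_text_chars
    return {
        "image_only": image_only,
        "text_chars": text_chars,
        "image_parts": image_parts,
        "image_bytes": image_bytes,
    }


def image_signature(raw: bytes) -> Optional[str]:
    """Exact hash of the first image part: what a byte-level signature would match on."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    for part in msg.walk():
        if part.get_content_maintype() == "image":
            return hashlib.sha256(part.get_payload(decode=True)).hexdigest()
    return None


def demo() -> dict:
    """Compare exact-signature matching with the structural heuristic on constructed samples."""
    legit = build_message(
        "Quarterly numbers",
        "Hi team, the figures we discussed on the call are below. Please review before Friday.",
    )
    spam_a = build_message("hi", " ", SAMPLE_GIF)
    # Variant: one byte changed, the kind of "tiny spot" that defeats exact matching.
    spam_b = build_message("hi", " ", SAMPLE_GIF[:-1] + b"\x00")
    return {
        "legit_flagged": classify_image_spam(legit)["image_only"],
        "variant_a_flagged": classify_image_spam(spam_a)["image_only"],
        "variant_b_flagged": classify_image_spam(spam_b)["image_only"],
        "signatures_match": image_signature(spam_a) == image_signature(spam_b),
    }


if __name__ == "__main__":
    print(demo())
```

The signature comparison comes back false for the two variants while both are still flagged by the structural check; in practice this heuristic is one input to a score, since a legitimate message with a photo and a short caption would also trip it.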

Automated spam
Much of the image spam is coming from botnets, networks of PCs that have been infected with a virus so that an unauthorized user can control them remotely. Using botnets, spammers can control a large number of compromised computers, which can then be used to launch coordinated attacks. Between July 1 and December 31, 2006, Symantec observed an average of 63,912 active bot-infected computers per day. This is an 11% increase over the previous six-month period. Having the computing power of thousands of PCs at their disposal enables spammers to send out more messages using more creative techniques, and that has likely led to the popularity of image-based spam today.

Addressing image spam
As image spam becomes more prevalent, and continues to bypass traditional spam filters, Symantec has made thwarting it a top priority. Symantec is currently addressing these attacks in several different ways, including enhancing rule filters to target different aspects of the message body and headers as the attacks quickly mutate. Symantec is also improving the zombie detection for image spam. In addition, Symantec has two sets of resources focused on this problem:

  • Engineers: A team of engineers dedicated solely to creating several new technologies to fight image spam.
  • Email Security Group and the Business Intelligence Team: These teams focus on addressing these attacks in two different ways: Predictive and IP Filtering.
    • Predictive: The Predictive approach consists of predictive heuristics rule filters that target different aspects of the message body and headers. Predictive heuristics rule filters not only address the current image spam attack but also take into account common patterns into which these attacks are likely to morph. Symantec has enhanced these rules in its Mail Security products to aggressively target these attacks as quickly as they mutate. Customers must be running full heuristics within their environment in order to benefit from these filters.
    • IP Filtering: A more immediate and direct approach to controlling spam is IP Filtering. Symantec has deployed honeypots (decoy systems) that collect the IP addresses of systems generating spam. Many of these are "zombie" systems, compromised machines that send spam without the owner’s knowledge. These IP addresses are added to a "blacklist" that is updated every 5-10 minutes and distributed to Symantec Premium Antispam users, who can block mail from those addresses. Symantec is improving zombie detection for image spam messages by actively enhancing our Open Proxy List. The items below are the enhancements we are targeting in the short term:

Increase the Open Proxy List based on zombie verdicts — Zombie verdicts are based on IPs that Symantec has identified as compromised machines sending spam. We are growing this dynamic list on a weekly basis.

Extracting IP addresses from image spam samples — This data is not only being incorporated into the Open Proxy List but is also contributing to a new range of Heuristics rules.

Optimizing IP gathering methods — Symantec is improving our IP harvesting scripts to reduce latency gaps between collection and distribution.

Connection Management — Creates local reputation data on the fly to mitigate the risk posed by low-volume botnet senders.
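The IP Filtering approach above, together with the Connection Management enhancement, can be sketched as a connection-time decision that consults a periodically refreshed block list first and falls back to locally built sender reputation for hosts the list has not caught yet. The following is an added example, not Symantec's code or a description of its products: the block list format, the 10-minute staleness limit, the sliding window of content-filter verdicts, and the reject threshold are assumptions, and the addresses come from the documentation ranges rather than any real spam source.

```python
import ipaddress
import time
from collections import defaultdict, deque
from typing import Deque, Dict, Iterable, Optional

# The article says list updates arrive every 5-10 minutes; treat anything older as stale.
BLACKLIST_MAX_AGE_SEC = 10 * 60


class Blacklist:
    """IP/CIDR block list with a published-at timestamp so stale copies are detectable."""

    def __init__(self, entries: Iterable[str], published_at: float):
        self.networks = [ipaddress.ip_network(e, strict=False) for e in entries]
        self.published_at = published_at

    def is_stale(self, now: float) -> bool:
        return now - self.published_at > BLACKLIST_MAX_AGE_SEC

    def contains(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.networks)


class LocalReputation:
    """Per-sender sliding window of content-filter verdicts, built on the fly."""

    def __init__(self, window: int = 20, min_samples: int = 5, reject_ratio: float = 0.8):
        self.min_samples = min_samples
        self.reject_ratio = reject_ratio
        self._verdicts: Dict[str, Deque[bool]] = defaultdict(lambda: deque(maxlen=window))

    def record(self, ip: str, is_spam: bool) -> None:
        self._verdicts[ip].append(is_spam)

    def spam_ratio(self, ip: str) -> Optional[float]:
        seen = self._verdicts.get(ip)
        if not seen or len(seen) < self.min_samples:
            return None  # too little history to judge a low-volume sender
        return sum(seen) / len(seen)

    def should_reject(self, ip: str) -> bool:
        ratio = self.spam_ratio(ip)
        return ratio is not None and ratio >= self.reject_ratio


def decide(ip: str, blacklist: Blacklist, reputation: LocalReputation, now: float) -> str:
    """Connection-time decision for a sending host.

    A stale list is still consulted (it is better than nothing) but the verdict
    says so, so an operator can see that the feed has stopped updating.
    """
    if blacklist.contains(ip):
        return "reject-blacklist"
    if reputation.should_reject(ip):
        return "reject-reputation"
    return "accept-stale-list" if blacklist.is_stale(now) else "accept"


def demo() -> dict:
    now = time.time()
    # Constructed feed using documentation address ranges (not real spam sources).
    feed = Blacklist(["203.0.113.0/24", "198.51.100.7"], published_at=now - 120)
    rep = LocalReputation()
    bot = "192.0.2.10"  # constructed: a low-volume sender the feed has not listed
    before = decide(bot, feed, rep, now)
    # Content-filter verdicts on the bot's messages accumulate locally over time.
    for is_spam in [True, True, False, True, True, True]:
        rep.record(bot, is_spam)
    after = decide(bot, feed, rep, now)
    return {
        "listed_range": decide("203.0.113.44", feed, rep, now),
        "listed_host": decide("198.51.100.7", feed, rep, now),
        "unknown_sender": decide("192.0.2.20", feed, rep, now),
        "bot_before_history": before,
        "bot_after_history": after,
        "bot_ratio": rep.spam_ratio(bot),
        "stale_feed": decide("192.0.2.20", Blacklist([], now - 3600), rep, now),
    }


if __name__ == "__main__":
    print(demo())
```

The minimum-sample requirement is what keeps local reputation from rejecting a legitimate host after a single false positive; the window size bounds memory per sender and lets a cleaned-up host recover.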

With millions of probe email accounts scattered throughout the world and a highly efficient heuristic rules engine, Symantec is confident that its email filtering techniques will play a large role in stopping image-based spam attacks.

Looking ahead
Going forward, it looks like small and mid-sized businesses will continue to receive a lot of spam, and spammers' techniques will continue to change. Spammers will continue their quest to bypass anti-spam filters — not only with image spam, but also using broken images or animated GIFs. In order to protect your email systems, you need an anti-spam solution that uses the latest data and constantly updates its filter rules to keep up with the changing nature of spam.

from Symantec