Advanced Spam Mails

Posted by Martin in Email, Security  Tags: , , , ,

12

Mar



Spammers tend to use more advanced spam methods to avoid the dreaded spam filters that become better and better. I would like to present some examples from my personal mail folder and analyze the latest image spam trends. Many spam filters concentrate their efforts on blacklists and the text that the mail contains. Spam that is not caught immediately will be caught in the future if the user marks that mail as spam. Language and keyword filters and white lists do their part and reduce spam and false positives.

spam image exampleImage spam on the other hand is on the rise because of several new spam techniques that make it pretty hard for the filters to automatically recognize spam.

The left image is an example of a typical image that is send in spam mails. The following techniques were used in this mail to bypass the spam filter. The first obvious element are random pixels that overshadow some part of the image. This is done to create random images which can bypass spam filters even though an image with the same information arrived before in your mailbox.

Another option to create a unique image would be to use colors that look the same to the human eye but differ for the computer. Randomizing the process creates unique images as well.

Some spammers use different layers for a set amount of pixels which makes it incredibly hard to to use hash values to determine spam images.

The last aspect of such a spam mail is seemingly random text that is copied before or - more often - after the image. The text itself has nothing to do with the intention of the spammer. It is solely used to simulate a normal mail with a set amount of neutral and positive words.

spam image exampleThe image on the left shows another image that is often used to bypass spam filters. It uses random colors much like the previous image used random pixels that made the image unique.


Like such posts? Get updates via RSS NEWS FEED. Love Ghacks? Find out how you can help!

3 Users Commented In This Post

Subscribe To This Post Comment Rss Or TrackBack URL
lyndonmaxewell says:

I guess the only way now is to bring the ‘manual’ way back into the picture. That is, physically deleting and getting rid of those spam. Nothing beats a human at doing it!

Peter Louies says:

At MX Lab (www.mxlab.be) we use of course several techniques like OCR to identify and block image based spam. Not all image based spam are detected and the spammers tends to change the images quite fast to make some techniques less effective.

It is true that nothing beats the human way of doing it but this is very time consuming. It is possible if you only want to protect your own inbox but again, spam is getting on your system and you spend time in deleting it.

We use a very simple technique now and have implemented it just before delivery of emails towards the mailboxes. I can’t go too deep into details, spammers might read this also, but it keeps the emails with images for reviewing and also works with whitelisting.

Richard Lindley says:

The best way to beat spam is to stop playing the game.

I use spam assasin on my front end which catches 98-99% of my companies spam. The remaining 1-2% of mail gets treated to SpamLion (http://www.spamlion.com). SpamLion uses smart sender validation. A first time sender will recieve a challange mail to validate that they are a real person and not a spammer. Once they respond their email will go through to the users inbox. After that, they never have to validate again. Obviously a user can decide to block them. Users can also go through their personal quarantine and release items.

Some people do not like sender validation because they think it floods the internet with validation mails. If you set it up right and put spam assassin in front of it there is no problem. I have it setup so that an email address will only recieve a challenge mail once every 30 days so if a spammer is using it to send out millions of emails the mail address will never get bombarded. Also whenever a user sends out an email it gets automatically white-listed so a challenge mail is never sent.

After about 30 days most users stop checking the SpamLion quarantine as by this time their normal contacts have all been white-listed.

As a mail admin, I must say it is nice not to have to update my rules with the latest spelling of Viagra every week to keep spam out.

Leave Your Comments Below
Hello, please leave your thought below

Please Note: Each comment will be manually approved by an admin. There is no guarantee that a comment will be posted. Please do not submit the comment multiple times.