How to detect Advanced Spam Mails
Email service providers and security companies work on technologies round the clock to identify and filter out spam messages before they land in the user's inbox.
People who send millions of spam messages per day do pretty much the same thing, only that they are creating new technologies to bypass the filters. It is a cat and mouse game.
I would like to show you some examples from my personal mail folder and analyze the latest image spam trends.
Many spam filters concentrate their efforts on blacklists and the text that the spam mails contain. Spam that is not caught immediately will be caught in the future if the user marks that mail as spam. Language and keyword filters and white lists do their part and reduce spam and false positives.
Image spam on the other hand is on the rise because of several new spam techniques that make it pretty hard for the filters to automatically recognize spam.
The first image below is an example of a typical image that is used in spam emails. The following techniques were used in the mail to bypass the spam filter. The first obvious element are random pixels that overshadow some part of the image. This is done to create random images which can bypass spam filters as it makes the image unique so that it cannot be as easily identified if a similar image has been identified as spam previously.
Other options to achieve a similar effect include using colors that look the same to the human eye but not to the computer, and randomizing processes to create unique images.
Some spammers use different layers for a set amount of pixels which makes it incredibly hard to to use hash values to determine spam images.
The last aspect of image based spam emails is random text that is copied before or - more often - after the image. The text itself has nothing to do with the intention of the spammer. It is solely used to simulate a normal mail with a set amount of neutral and positive words.
The image above highlights another technique that is often used to bypass spam filters. It uses random colors much like the previous image used random pixels so that it is seen as a unique image.
The problem with these new types of spam is that they look low quality, and can therefor often be identified as spam immediately by the user.
That's probably one of the reasons why image spam has declined in recent time.
Advertisement
The best way to beat spam is to stop playing the game.
I use spam assasin on my front end which catches 98-99% of my companies spam. The remaining 1-2% of mail gets treated to SpamLion (http://www.spamlion.com). SpamLion uses smart sender validation. A first time sender will recieve a challange mail to validate that they are a real person and not a spammer. Once they respond their email will go through to the users inbox. After that, they never have to validate again. Obviously a user can decide to block them. Users can also go through their personal quarantine and release items.
Some people do not like sender validation because they think it floods the internet with validation mails. If you set it up right and put spam assassin in front of it there is no problem. I have it setup so that an email address will only recieve a challenge mail once every 30 days so if a spammer is using it to send out millions of emails the mail address will never get bombarded. Also whenever a user sends out an email it gets automatically white-listed so a challenge mail is never sent.
After about 30 days most users stop checking the SpamLion quarantine as by this time their normal contacts have all been white-listed.
As a mail admin, I must say it is nice not to have to update my rules with the latest spelling of Viagra every week to keep spam out.
At MX Lab (www.mxlab.be) we use of course several techniques like OCR to identify and block image based spam. Not all image based spam are detected and the spammers tends to change the images quite fast to make some techniques less effective.
It is true that nothing beats the human way of doing it but this is very time consuming. It is possible if you only want to protect your own inbox but again, spam is getting on your system and you spend time in deleting it.
We use a very simple technique now and have implemented it just before delivery of emails towards the mailboxes. I can’t go too deep into details, spammers might read this also, but it keeps the emails with images for reviewing and also works with whitelisting.
I guess the only way now is to bring the ‘manual’ way back into the picture. That is, physically deleting and getting rid of those spam. Nothing beats a human at doing it!