How Image Spam Works

Esther Schindler writes "CSO Magazine has an article about "The Scourge of Image Spam," with an explanation of its effect (a year ago, fewer than five out of 100 e-mails were image spam; today, up to 40 percent are in that category, and image spam is the reason spam traffic overall doubled in 2006). You might already know about that, ho-hum. But what's even cooler is a interactive graphic page which demonstrates the various methods used by image spammers and how it works."

Here's how it works from another perspective

[Richard+McBeef]

It works because some rat fuckers out there buy the shit that's being advertised.

Re:Here's how it works from another perspective

[Qoroite]

You know, I've always wondered how true that really is.

What sort of a brain-dead moron would actually fall for spam? There can't be many people that dumb surely?(I hope....)

Re:Here's how it works from another perspective

[jfengel]

You know that the IQ bell curve has two tails. Somebody's got to be in the left tail. And since spam is nearly free, you only need to find a few idiots.

Then again, they've got to be coming to the intersection point between "Dumb enough to buy v1@gra from a spammer" and "Too freaking stupid to use a computer or have any money".

Re:Here's how it works from another perspective

[plover]

You have to look at the business of spam to understand why it hasn't gone away yet.

There are actually three parties involved in spamming: the merchant, the spammer, and the victims/recipients. The merchant is the trailer trash dude who fished a case of expired viagra out of some pharmacy's dumpster. He wants to sell it online and make a fortune. So he hires a spammer who agrees to send out 10,000 emails for $60.00.

Whether or not the merchant makes a single sale has no effect on the spammer. The spammer made his money just by sending the crap emails out. And the supply of idiots with get-rich-quick schemes is virtually infinite, guaranteeing the spammers a never-ending stream of fools willing to hand them $60.00 apiece.

This means we'll probably be fighting spam until the world runs out of greedy idiots.

Re:Here's how it works from another perspective

[Mr+Z]

I once made a calculation that if every person on the Internet responded positively to precisely one spam, that would be enough to make spam wildly profitable. Granted, that was a few years ago, but bandwidth (and therefore spam) has only gotten cheaper and bot nets more prevalent (making spam cheaper still).

You don't have to go too far down the left tail of the bell curve to make up for the folks on the right half. After all, in terms of positive response, the best the folks in the right half can do is respond positively to zero spams. The further you go into the left tail, the more likely you are to run into people who respond positively to spam on a somewhat regular basis. The cut-over line for "responds to spam" vs "does not respond to spam" can be pretty far into the left tail and still have spam be profitable.

Making matters worse, negative responses to spam rarely do anything to the spammer. Instead, they just annoy IT departments into implementing ever heavier spam filters. Every so often somebody gets sued, but it's hardly enough to make a real dent in things.

Re:Here's how it works from another perspective

[Bob-taro]

Actually, you don't even need one stupid person falling for the spam-vertisements. All you need is stupid marketing managers who will pay for the spam campaign -- whether or not it is working.

Re:Here's how it works from another perspective

[MenTaLguY]

It isn't even always an IQ issue -- some people simply have problems "saying no". Imagine an intelligent person with poor sales resistance, for example.

The other problem is that offers of sex or money tend to make people stupid.

Re:Here's how it works from another perspective

[gmuslera]

On an unrelated note, has anyone else noticed a huge drop in the effectiveness of greylisting as a spam countermeasure? I used to receive close to zero spam messages up until 2-3 weeks ago and suddenly they're flooding me! Any hint?

Greylist don't "magically" stop spams, dont even have to know that is spam or not what is stopping. Only asks that the sending server is well behaved and try again to send the same message (same sender, same destination) after some minutes/hours and it works against spam because most spam-sending bots usually dont retry. But you only need to be targetted by machines that behaves well in this sense to get again spam.

Re:Here's how it works from another perspective

Seriously, that is more +5 insightful than it is +5 funny.

Re:Here's how it works from another perspective

[Jimmy_B]

It works because some rat fuckers out there buy the shit that's being advertised.

No, they don't. Even if no one ever bought a single item that was advertised by spam, the spam would still be sent. That's because there are two people involved: the seller and the spammer, usually not the same person. The spammer convinces the seller that a spam campaign will increase sales, and the seller pays the spammer to send them. It doesn't have to be true, it only has to be convincing.

It's A Turing Test

Spammers are sending out Turing Tests. Beware of spam filters that are too good. They just might be intelligent.

That's odd

[techpawn]

I get through the article and realize it's from April... I feel so out of date.

Funny, I haven't noticed

[burris]

Despite the best efforts of spammers, my filter is still highly effective. While I have received an ever increasing amount of spam over the last couple of years, my filter has kept it out of my inbox. Almost none of it gets through and my e-mail is as useful as it was 15 years ago when there wasn't any spam. I don't think the filter I use is anything special (SpamSieve for Mac.) People who suffer from spam problems likely aren't using anything at all or are using filters that are only for show, so the "has a spam filter" box can be ticked and not designed to be effective (i.e. the ones provided by crappy web mail or Microsoft and Apple mail programs)

The biggest front on the war against spammers is simply educating non-experts on the existence of effective filters. Plus, we should be chiding companies like Apple and Microsoft for providing impotent filters. I think they purposely make crappy filters to avoid pissing off big companies (spammers.)

Re:What about captcha-busting software?

[Dynedain]

I really believe that the first instance of a true AI that passes the Turing test will have grown out of spam filtering...

Re:What about captcha-busting software?

[drinkypoo]

If spammers move to increasingly complex image spam, I could see spam filters growing to include some of these algorithms, converting the images into a best-guess text representation, then subjecting that text to standard spam filtering.

This is directly related to a realization I just had (you almost had it yourself.) Image-based spam is fucking brilliant but not just because it works. There is a secondary effect - a positive one for the spammers.

Right now the strongest weapon in the defense against web spam is the CAPTCHA. Most of them depend on obfuscated text to defeat machine recognition.

Spammers lack the resources to effectively defeat CAPTCHAs permanently through technology. Their current solution is to use a network of humans, ala Amazon Mechanical Turk, to solve them. Computers are simply bad at doing this, but this is largely because we have not figured out how to make them good at it.

By using the same techniques to obfuscate spam as the rest of us use to create CAPTCHAs, they ensure that someone else will do the work of defeating text obfuscation-based CAPTCHAs in order to better recognize and classify spam.

I'm sure I'm not the first to have this realization (at the bare minimum, spammers have realized it) but I think it's a pretty good one.

Re:Because it isn't just you.

[AlHunt]

Or, if Aunt Sally send you one of those bloody e-cards, you can kiss your e-mail address goodbye.

Where is Chris Hansen on this?

[oni]

What sort of a brain-dead moron would actually fall for spam?

I wish that somebody would do a TV show like "To Catch a Predator" except that they would go after the people who buy spam. Embaras them a little.

"Hi, I'm Chris Hansen from NBC. Why don't you have a seat there. Why are you here sir?"
"uh well I, I'm here to see a friend."
"You're here to have your penis enlarged aren't you?"
"no, no, I'm just here to hang out."
"Sir this is an email that we sent to you advertising penis enlargement. You clicked on this email."
"omg, is this on TV??"

Re:FTFA

[MightyYar]

That's great for you and me, but the "average Joe" has no idea what you are talking about. For instance, one of my friends took some pictures of my niece playing with my daughter. She has a digital camera and uses Picasa. She has absolutely no idea what she is doing... all she could figure out is to click the "email these photos" button. Please don't ask me to talk her through opening a zipped folder of photos over the phone!

My only use of HTML mail is for sending links. A very long url will wrap around on the screen and cause trouble when the recipient tries to click it or cut-and-paste it, so using an <a> tag seems appropriate. Actually, I now use tinyurl.com, but that wasn't always available.

Re:Fighting botnets

[soft_guy]

This is not a new idea. It is also not ethical.

Re:tutorial?

[cayenne8]

See? I used to bitch years ago that email should be TEXT ONLY, but, no...we all want html mail and purty graphics.

If we'd stuck with text only email....no problem with images.

Oh well....back to trying to install Win 95 on an abacus.....