Slashdot Mirror


How Image Spam Works

Esther Schindler writes "CSO Magazine has an article about "The Scourge of Image Spam," with an explanation of its effect (a year ago, fewer than five out of 100 e-mails were image spam; today, up to 40 percent are in that category, and image spam is the reason spam traffic overall doubled in 2006). You might already know about that, ho-hum. But what's even cooler is an interactive graphic page which demonstrates the various methods used by image spammers and how it works."

20 of 278 comments

  1. A Key Point by eldavojohn · · Score: 5, Interesting

    This is a great article describing how it is formed, why it looks like that, what that is designed to trick, etc.

    The key point they're missing is that it works under the assumption that a very small part of the populace doesn't recognize this as spam. These people then think that an investment firm decided to tip everyone off and they mistakenly buy the stock so that it goes up a nickel only to watch it drop shortly after the spammer drops the stock.

    What's ironic is that I'll bet there are people out there with money who know this scam but buy the stock to also cash in on people who think this is a real tip. It might even be that the initial assumption is wrong and that the only people scamming each other are scammers trying to take advantage of another scammer's scam. Scam. Oh, the irony if that's the case. Either way, the article mentions the SEC removing stocks that went up that were junk stocks in spam mailings!

    It's a scam. Stay away and alert your loved ones if you think they may fall into the initial category of the small part of the populace. The safest way to stop spam is to alert people and teach them how to identify it.

    You don't buy stock that an angry fruit salad told you was hot just like you don't sleep with the girl who leaves dead spots of grass where she sits on the corner. Awareness is a valuable key to our solution against spam.

    --
    My work here is dung.
  2. Re:FTFA by Hoi+Polloi · · Score: 3, Interesting

    Agreed but I'd go further. Reduce emails to plain text and attached files. No HTML. If you need to send images then post them to a web site and send the URL or put them in a zip file.

    --
    It is by the juice of the coffee bean that thoughts acquire speed, the teeth acquire stains. The stains become a warning
  3. Re:FTFA by PCM2 · · Score: 3, Interesting

    You don't even need to be that uptight.

    Seriously, I once read something about using OCR software to "read" images that come through in e-mail to make sure that they don't contain stock spam or penis pump messages. Who thinks this is really necessary? Has anyone you know really gotten so frustrated with the limited font choices in regular e-mail that they started composing their messages in Photoshop?

    Trained Bayesian filters seem to have no problem at all spotting image spam.

    --
    Breakfast served all day!
  4. What about captcha-busting software? by vonPoonBurGer · · Score: 3, Interesting

    Lots of websites use the same techniques to obfuscate the little images used to differentiate real users from bot software. There have been lots of proof of concept examples of software that automatically "solve" these CAPTCHA images (http://en.wikipedia.org/wiki/Captcha#Computer_character_recognition). If spammers move to increasingly complex image spam, I could see spam filters growing to include some of these algorithms, converting the images into a best-guess text representation, then subjecting that text to standard spam filtering. Even if the image to text conversion was only 50% accurate, I bet that would be enough to train up a modern spam filter like SpamBayes to recognize and reject the message.

    Of course, I just read all my mail as plain text, so this is a non-issue as far as I'm concerned.
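A worked example, added here and not part of the comments above, of the statistical approach comments 3 and 4 describe: a Graham-style naive Bayes filter whose tokens include facts about the MIME tree (top-level content type, part types, whether there is an image, how much text there is) alongside words from the subject and body. The `ocr_text` parameter is an assumed hook for where an OCR pass would plug in; no OCR runs here. All training and test messages are constructed, and the 1x1 GIF payload is the well-known minimal GIF.

```python
"""Graham-style naive Bayes filter whose tokens come from both the readable
text and the MIME structure of a message. An image-only spam carries few
words, but its structure (multipart/related, an image/gif part, no body
text) is strong evidence once the filter has seen a few of them."""
import email
import math
import re
from collections import Counter

WORD = re.compile(r"[a-z][a-z0-9$'.-]{2,}")
GIF_B64 = "R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAICRAEAOw=="  # 1x1 GIF


def make_msg(sender, subject, text, gif=False):
    """Constructed sample message (not taken from the thread)."""
    hdr = f"From: {sender}\nTo: me@example.org\nSubject: {subject}\nMIME-Version: 1.0\n"
    if not gif:
        return hdr + "Content-Type: text/plain\n\n" + text + "\n"
    return (hdr + 'Content-Type: multipart/related; boundary="b"\n\n'
            f'--b\nContent-Type: text/html\n\n<html><body>{text}<img src="cid:x"></body></html>\n'
            '--b\nContent-Type: image/gif; name="x.gif"\n'
            f"Content-Transfer-Encoding: base64\nContent-ID: <x>\n\n{GIF_B64}\n--b--\n")


def features(raw, ocr_text=""):
    """Token set = subject/body words + facts about the MIME tree. `ocr_text`
    is where an OCR pass over attached images would feed in (assumed hook)."""
    msg = email.message_from_string(raw)
    toks, words = {"ct:" + msg.get_content_type()}, 0
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        toks.add("part:" + ctype)
        if ctype.startswith("text/"):
            body = part.get_payload(decode=True).decode("utf-8", "replace")
            found = WORD.findall(re.sub(r"<[^>]+>", " ", body).lower())
            words += len(found)
            toks.update(found)
        elif ctype.startswith("image/"):
            toks.add("has-image")
    toks.update("subj:" + w for w in WORD.findall(msg.get("Subject", "").lower()))
    toks.add("words:" + ("none" if words == 0 else "few" if words < 20 else "many"))
    toks.update("ocr:" + w for w in WORD.findall(ocr_text.lower()))
    return toks


class BayesFilter:
    def __init__(self):
        self.spam, self.ham, self.nspam, self.nham = Counter(), Counter(), 0, 0

    def train(self, tokens, is_spam):
        if is_spam:
            self.spam.update(tokens); self.nspam += 1
        else:
            self.ham.update(tokens); self.nham += 1

    def token_prob(self, tok):
        # Graham's estimate: ham counts doubled to bias against false
        # positives; a token never seen in training gets a neutral-ish 0.4.
        g, b = 2 * self.ham[tok], self.spam[tok]
        if g + b < 1:
            return 0.4
        pg, pb = min(1.0, g / max(self.nham, 1)), min(1.0, b / max(self.nspam, 1))
        return min(0.99, max(0.01, pb / (pg + pb)))

    def score(self, tokens, top=15):
        # combine the `top` probabilities furthest from 0.5 (Graham's method)
        probs = sorted((self.token_prob(t) for t in tokens),
                       key=lambda p: abs(p - 0.5), reverse=True)[:top]
        if not probs:
            return 0.5
        ls, lh = sum(math.log(p) for p in probs), sum(math.log(1 - p) for p in probs)
        return 1.0 / (1.0 + math.exp(lh - ls))


def demo():
    f = BayesFilter()
    for s, subj in [("a@spam.invalid", "hot pick"), ("b@spam.invalid", "huge news"),
                    ("c@spam.invalid", "alert")]:   # image-only spams + stand-in OCR text
        f.train(features(make_msg(s, subj, "", gif=True), ocr_text="strong buy this stock now"), True)
    for s, subj, body in [
        ("alice@example.com", "lunch", "want to grab lunch tomorrow around noon with the team"),
        ("bob@example.net", "re: patch", "the patch looks fine, merged it into the release branch"),
        ("carol@example.org", "minutes", "attached are the meeting minutes, send corrections by friday"),
    ]:
        f.train(features(make_msg(s, subj, body)), False)
    new_spam = make_msg("z@spam.invalid", "opportunity", "", gif=True)
    return {
        "image_spam": f.score(features(new_spam)),                       # no text at all
        "image_spam_garbled_ocr": f.score(features(new_spam, ocr_text="str0ng buy th1s st0ck")),
        "ham_reply": f.score(features(make_msg("alice@example.com", "re: lunch",
                                               "sounds good, see you at noon tomorrow"))),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:24s} {v:.3f}")
```

The image-only spam scores close to 1.0 with no readable words at all, because the structural tokens have only ever been seen in spam; half-garbled OCR output ("str0ng", "th1s") only adds unknown tokens, which Graham's scheme treats as uninformative rather than as evidence of ham. That is the mechanism behind comment 3's observation and comment 4's guess that 50% OCR accuracy would be plenty. The flip side: the same structural tokens will learn "multipart/related plus GIF means spam" for your colleagues' HTML signatures unless messages like that are in the ham training set too.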

  5. Use a manual rule to block it by Anonymous Coward · · Score: 3, Interesting

    "Parsing an image, on the other hand, ain't so easy. "

    So use a manual rule to block these messages, discarding them on the basis of how they're put together.

    If *all* of the following conditions are met:

    Any attachment name contains .gif
    + Content-Type contains multipart/related
    + Sender is not in my address book

    Move message to "Junk".

    http://www.hawkwings.net/2006/12/20/another-mailapp-rule-to-catch-image-spam/
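The three-condition rule above, as an added worked example that is not part of the original comment or the linked hawkwings.net rule: it parses a MIME message with Python's standard `email` package and applies the same three tests. The address book and the three sample messages are constructed for the demo; the base64 payload is the well-known 1x1 transparent GIF.

```python
"""Mail-client style structural rule from the post, applied to a parsed
MIME message with Python's standard `email` package.

Junk if ALL three hold:
  1. some part's filename contains ".gif"
  2. the top-level Content-Type contains "multipart/related"
  3. the sender is not in the address book
"""
import email
from email.message import Message
from email.utils import parseaddr

# Constructed address book for the demo (an assumption, not from the post).
ADDRESS_BOOK = {"alice@example.com", "bob@example.net"}


def has_gif_attachment(msg: Message) -> bool:
    """Condition 1: any part whose filename (Content-Disposition filename=
    or Content-Type name=) contains '.gif'."""
    for part in msg.walk():
        if ".gif" in (part.get_filename() or "").lower():
            return True
    return False


def classify(raw: str, address_book=ADDRESS_BOOK) -> str:
    """Return 'Junk' when all three conditions hold, else 'Inbox'."""
    msg = email.message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    content_type = msg.get("Content-Type", "").lower()
    conditions = (
        has_gif_attachment(msg),
        "multipart/related" in content_type,
        sender not in address_book,
    )
    return "Junk" if all(conditions) else "Inbox"


# Constructed sample: an image-only stock tip from an unknown sender.
IMAGE_SPAM = """\
From: "Market Alert" <news@example.invalid>
To: me@example.org
Subject: Strong buy
MIME-Version: 1.0
Content-Type: multipart/related; boundary="b1"

--b1
Content-Type: text/html

<html><body><img src="cid:pic"></body></html>
--b1
Content-Type: image/gif; name="pic.gif"
Content-Transfer-Encoding: base64
Content-Disposition: inline; filename="pic.gif"
Content-ID: <pic>

R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAICRAEAOw==
--b1--
"""

# Same structure from someone in the address book (think: a reply quoting a
# GIF signature). Condition 3 fails, so it stays in the Inbox.
FROM_CONTACT = IMAGE_SPAM.replace("news@example.invalid", "alice@example.com")

# Plain text from a stranger: conditions 1 and 2 fail.
PLAIN_TEXT = """\
From: stranger@example.invalid
To: me@example.org
Subject: hello
MIME-Version: 1.0
Content-Type: text/plain

Just a text message.
"""


def demo() -> dict:
    return {name: classify(raw) for name, raw in
            [("image_spam", IMAGE_SPAM), ("from_contact", FROM_CONTACT),
             ("plain_text", PLAIN_TEXT)]}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:13s} -> {verdict}")
```

The sender test is the only thing separating a legitimate reply that quotes an inline GIF signature from the spam it structurally resembles; with an empty address book the rule degrades into a blanket block on any multipart/related message carrying a GIF.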

  6. It's a problem even if you don't get it by Anonymous Coward · · Score: 3, Interesting

    Just a quick note on this story. One of the important lessons of image spam is it's a problem regardless of whether or not you actually receive it in your inbox. As the print version of the story points out, most image spam emails are at least twice the size of a text email (and they are getting much much bigger than that). That means spam is clogging up pipes along the way. Also, it's hogging massive amounts of storage at companies that can't filter it well and backup/archive email and junk inboxes that don't get cleaned out. Also, it still gets through to many many inboxes, as the fact that the SEC banned trading on penny stocks that were part of a pump and dump image spam campaign points out. The question is, and will increasingly be, why are we trying to filter this stuff at the email server rather than on the backbone? To date, ISPs and backbone operators have been hands off. That's good. No judgment on traffic and what's "good" or "bad." But it's also bad--all this crap clogs up the network and leads to any number of frauds and scams. Watch--there will be more of a push on these guys to start making value judgments on traffic and scrubbing "bad" traffic like spam and suspected DDoS etc. That's good--less spam in inboxes, cleaner pipes, better service and reduced chance of fraud. That's also bad--who is Joe Backbone that he gets to decide good and bad packets and what if he makes a mistake?

  7. Re:Spam? by u-bend · · Score: 5, Interesting

    Anyone with a Gmail account ever notice that your targeted advertising links are all about spam recipes (i.e. Spam Meat Loaf) when you're in your spam folder? I've always loved that, and figured that it may have started out as a bug, but one that the Gmail team sort of fell in love with.

    --
    u-bend
  8. Re:For me it's not image spam, it's botnet traffic by WTBF · · Score: 5, Interesting

    Every 4 to 5 seconds is not bad, I was hit by a similar attack.

    I run a webserver on my home connection, all it hosts is MythWeb, and it is password protected. I am the only person who should have to access it, and am on a dynamic IP address (not a problem, I thought, when setting it up, and I have been using DynDNS very successfully). About a year ago my IP address was changed to a new one, as it happens. My internet was going as slow as molasses about 10 minutes later, although I just thought it was a temporary thing with my connection. The next day it was even slower, and so I began to investigate: I performed a speed test and got very good results for download (but not perfect), but almost no upload. I thought this was odd and checked with my ISP to make sure there were no known issues with the connections in my area; there were not. So I then plugged my modem directly into my computer and it was still happening (which made me think it was something with my ISP, as it affected my router and my computer), and so I then clicked on my bandwidth monitor to see what speeds I could get, and before doing anything there was a constant stream of about 100kb-150kb of downstream traffic. And so I plugged the internet back through the router (I was running a software firewall, by the way, so I considered bypassing the router safe).

    I then looked at my webserver logs, and it took forever to load. So instead I did a "tail -f" on the error log. I must have been receiving hundreds of requests per second for websites that had nothing to do with me. It was scrolling so quickly I could not read entries as they went past. Examining it more closely I realized what had happened: the owner of the IP address before me had been running an open proxy on port 80, and when the IP address changed all their requests were redirected to me, killing my much slower connection (from all the 404 responses Apache was sending). So I closed port 80 for a week, and my connection returned to a somewhat normal state. However, I was still receiving about 20 requests a second, despite being offline (it seemed mainly to be people trying to do DoS attacks through a proxy). After a month this was down to only 1 or 2 a second, and it has remained like that until today.

    Because of your post I checked my webserver logs, and at 1:27:18am I received my last request for a website, and looking into it my IP address changed to a new one (only took a year), and so some other unfortunate person is now receiving a few requests a second to be a proxy server.
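An added example (mine, not the poster's) of the check the post above did by eye with `tail -f`: parse Apache combined-format access log lines and separate ordinary requests for local paths from proxy-style ones, i.e. absolute URIs naming hosts that are not ours, or CONNECT. The log lines, hostnames and IP addresses are constructed.

```python
"""Spot proxy-style requests in an Apache access log: a client that sends
"GET http://other-host/... HTTP/1.1" or "CONNECT host:port" is treating this
server as an open proxy, which is what the post above describes after
inheriting a former proxy's IP address."""
import re
from collections import Counter
from urllib.parse import urlsplit

# Apache "combined" log format (assumed; adjust the regex for custom formats).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Names this server legitimately answers for (assumption for the demo).
MY_HOSTS = {"mythbox.example.invalid", "localhost"}


def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def proxy_target(rec):
    """Return the foreign host a request tries to reach through us, or None
    for an ordinary request for a local path."""
    method, target = rec["method"], rec["target"]
    if method == "CONNECT":                          # CONNECT host:port
        return target.split(":")[0]
    if target.startswith(("http://", "https://")):   # absolute-URI request
        host = urlsplit(target).hostname or ""
        return None if host in MY_HOSTS else host
    return None


def summarize(lines):
    """Count proxy-style requests, who sends them and where they go."""
    total = proxied = 0
    sources, targets, statuses = Counter(), Counter(), Counter()
    for line in lines:
        rec = parse_line(line)
        if not rec:
            continue
        total += 1
        host = proxy_target(rec)
        if host:
            proxied += 1
            sources[rec["ip"]] += 1
            targets[host] += 1
            statuses[rec["status"]] += 1
    return {"total": total, "proxy_requests": proxied,
            "top_sources": sources.most_common(3),
            "top_targets": targets.most_common(3),
            "statuses": dict(statuses)}


# Constructed log lines (not real traffic): one legitimate MythWeb request
# and several attempts to relay through this host.
SAMPLE_LOG = """\
203.0.113.7 - - [14/Jan/2007:01:27:10 +0000] "GET http://www.example.com/ HTTP/1.1" 404 209 "-" "Mozilla/4.0"
203.0.113.7 - - [14/Jan/2007:01:27:11 +0000] "GET http://www.example.com/index.html HTTP/1.0" 404 209 "-" "-"
198.51.100.9 - - [14/Jan/2007:01:27:12 +0000] "CONNECT mail.example.net:25 HTTP/1.0" 405 230 "-" "-"
192.0.2.44 - - [14/Jan/2007:01:27:13 +0000] "GET /mythweb/ HTTP/1.1" 401 381 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Jan/2007:01:27:14 +0000] "GET http://ads.example.org/click?id=1 HTTP/1.1" 404 209 "-" "-"
198.51.100.9 - - [14/Jan/2007:01:27:15 +0000] "GET http://mythbox.example.invalid/mythweb/ HTTP/1.1" 401 381 "-" "-"
""".splitlines()


if __name__ == "__main__":
    for k, v in summarize(SAMPLE_LOG).items():
        print(f"{k:15s} {v}")
```

Counting per source address also yields the list to feed a firewall drop rule, which is cheaper than answering every request with a 404 over an asymmetric home uplink; the poster's symptom (download fine, upload gone) is exactly the cost of those responses.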

  9. Re:Here's how it works from another perspective by giorgiofr · · Score: 3, Interesting

    I'd like to add that there is a fourth party involved and it's the one all we sysadmins hate - the cracker who's hired by the spammer to root boxen left and right. I believe most people trying to break into my server are looking for a compromisable host to set up a mail server.
    On an unrelated note, has anyone else noticed a huge drop in the effectiveness of greylisting as a spam countermeasure? I used to receive close to zero spam messages up until 2-3 weeks ago and suddenly they're flooding me! Any hint?

    --
    Global warming is a cube.
  10. The more they try to fool the machines... by pdboddy · · Score: 2, Interesting

    ... the easier it becomes for a human to pick it out. Anything that has a garbled or gobbledygook subject is going to be spam these days. Anything in plain English, but forming nonsensical sentences, is going to be spam. Anything that looks like someone copy'n'pasted from a book on English poetry is going to be spam. Those three rules alone should cut out most of anyone's spam. Then you can delete anything advertising fake Rolexes, pump and dump stock schemes and OEM software. And offers of naked pictures and singles websites. That should about do it...

    --
    Julie Moult is an idiot.
  11. Re:FTFA by Ilgaz · · Score: 2, Interesting

    Right after the OCR talk started to lead them (antispam people) to some common/working solutions, spammers began to use anti-OCR systems. I had a friend working at a big newspaper test the anti-OCR measures with some very expensive professional OCR software; he said it failed to read anything meaningful.

    That was the day OCR as antispam became really irrelevant for me. They also figured resolution filters were coming, so they immediately started to randomise GIF resolutions by 1-5 pixels. There goes that method too.

    About the images? I bet there are millions of "fw:fw:fw:look, funny!!!!!" messages around just having a single image. Yes, even in the Flickr/ImageShack age. They now drag Flickr images to the mail window and send it like that.

    For some people, they are "messages from their friends" and they will go nuts if they figure out that actual junk was filtered as spam. Of course, let's not be too harsh; there could be people trading family photos like that, and that 12 kb JPEG becomes really precious.

    I suggest the long term but real solutions: http://www.spamcop.net/ (for mail) and http://www.projecthoneypot.org/ (for web/blogs) . I even started to CC: my Microsoft Pirated software spam to piracy@Microsoft, let the evil care about evil.

  12. Re:Here's how it works from another perspective by Threni · · Score: 2, Interesting

    It also works because, despite the fact that I only send emails that consist solely of text, and am only interested in receiving emails which consist solely of text, it's apparently beyond the wit of Gmail and other email based software vendors to allow me to reject any emails which contain html and/or graphics. I don't want 'em! It's always either spam or some other lame shit. I don't know about the rest of you, but that'd sort me out nicely.

  13. Re:FTFA by walt-sjc · · Score: 2, Interesting

    The most effective way is whitelisting... I set up an Exim filter that captures outbound addresses and adds them to a whitelist DB. If you send a short email with a single image and are not on the whitelist, you get rejected. Result is zero image spams and no known false positives. This may or may not work for others, but it works for me.
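The whitelisting scheme above, as an added example in Python rather than Exim filter syntax (this is not the poster's filter): harvest every recipient of outbound mail into a set, then reject an inbound message only if it is short, carries exactly one image part, and its sender is not in that set. The size threshold, addresses and sample messages are assumptions.

```python
"""Whitelist learned from outbound mail, as in the post above: every address
we have written to becomes a known correspondent. An inbound message that is
short, carries exactly one image, and comes from an unknown sender is
rejected. Python stand-in for the Exim filter the poster describes."""
import email
from email.utils import getaddresses, parseaddr

GIF_B64 = "R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAICRAEAOw=="  # 1x1 GIF


class OutboundWhitelist:
    def __init__(self):
        self.known = set()

    def record_outbound(self, raw):
        """Called on every message we send: harvest To/Cc/Bcc recipients."""
        msg = email.message_from_string(raw)
        headers = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])
        self.known.update(addr.lower() for _, addr in getaddresses(headers) if addr)

    def __contains__(self, addr):
        return addr.lower() in self.known


def text_and_images(raw):
    """Return (number of text characters, number of image parts)."""
    msg = email.message_from_string(raw)
    chars = images = 0
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        if ctype.startswith("text/"):
            chars += len((part.get_payload(decode=True) or b"").strip())
        elif ctype.startswith("image/"):
            images += 1
    return chars, images


def decide(raw, whitelist, max_text_chars=200):
    """'reject' when: short text, exactly one image, sender unknown."""
    sender = parseaddr(email.message_from_string(raw).get("From", ""))[1]
    chars, images = text_and_images(raw)
    if images == 1 and chars <= max_text_chars and sender not in whitelist:
        return "reject"
    return "accept"


def mixed_msg(sender, to, text):
    """Constructed message with an HTML body and one inline GIF."""
    return (f"From: {sender}\nTo: {to}\nSubject: hi\nMIME-Version: 1.0\n"
            'Content-Type: multipart/related; boundary="b"\n\n'
            f'--b\nContent-Type: text/html\n\n<p>{text}</p><img src="cid:x">\n'
            '--b\nContent-Type: image/gif; name="x.gif"\n'
            f"Content-Transfer-Encoding: base64\nContent-ID: <x>\n\n{GIF_B64}\n--b--\n")


def demo():
    wl = OutboundWhitelist()
    # We once wrote to a client; that address (and the Cc) is now whitelisted.
    wl.record_outbound("From: me@example.org\nTo: Client <client@example.com>\n"
                       "Cc: boss@example.org\nSubject: quote\n\nSee attached.\n")
    long_text = "quarterly newsletter " * 20   # ~420 chars of real content
    return {
        "stranger_short_image": decide(mixed_msg("news@example.invalid", "me@example.org", "BUY NOW"), wl),
        "client_short_image": decide(mixed_msg("client@example.com", "me@example.org", "see logo"), wl),
        "stranger_long_image": decide(mixed_msg("list@example.invalid", "me@example.org", long_text), wl),
        "known_addresses": sorted(wl.known),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, "->", v)
```

Unlike a static GIF-plus-multipart rule, this one tolerates image-heavy mail from strangers as long as it carries real text, and it tolerates anything from someone you have already written to; the whitelist is only as good as the outbound capture, so a first contact who leads with an image-only note is the known gap.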

  14. Re:Here's how it works from another perspective by Wiseleo · · Score: 2, Interesting

    I sell software volume licensing.

    You would not believe how many times I receive as a forwarded message from my customers a piece of spam that promotes "OEM" software at 90% off asking me "Should we get this?". The Adobe CS3 for $90.9 instead of $999, for example. :-)

    I reply to such clients with an explanation of what OEM software really is and how it's different from unlicensed software.

    Not every one of the spam recipients has someone like me with whom to consult, so I'd imagine the spammers are making a decent profit off these warez websites. I am sure everyone remembers that the best place to go find a new species of malware for research is to visit a serial numbers site.

    I am guessing that _very_ few (I know that the overwhelming majority of them are in legitimate lines of work now and it's just a few bad apples who are spoiling the scene) of the kids who ran the early warez sites have either grown up or had their work noticed and copied. Either way, warez e-commerce is big business.

    --
    Leonid S. Knyshov
    Find me on Quora :)
  15. Re:Here's how it works from another perspective by Anonymous Coward · · Score: 1, Interesting

    On an unrelated note, has anyone else noticed a huge drop in the effectiveness of greylisting as a spam countermeasure?
    Presumably one or more of the really big spam botnets like Bagle have started obeying the relevant RFC. Sigh. It was always going to happen, greylisting fanboys. Any simple, effective anti-spam measure is virtually by definition also simple and desirable for the spammers to circumvent.

    We need anti-forgery technology like SPF to be widely deployed, but that will only help up to a point. SMJ, the admin of SDF, has proposed an SMTP registry (FAQ) which is basically a database of SMTP servers registered with verified contact details, not unlike registering a domain. This isn't a problem for companies setting up a few long-term SMTP servers, but it is for spammers with tens of thousands of constantly changing spam hosts. This could work in principle, although it has the obvious problem of needing widespread adoption before people can decide to only accept 'registered' mail.
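Greylisting simulation, added here and not part of the comment: a minimal greylister keyed on the (client IP, envelope sender, recipient) triplet, run against four constructed delivery schedules. The timing constants, addresses and IPs are assumptions.

```python
"""Greylisting simulation: the server tempfails the first delivery attempt of
an unseen (client IP, sender, recipient) triplet and accepts a retry that
arrives after a minimum delay. A fire-and-forget bot never retries and never
gets through; a bot that retries like a real MTA (the change the comment
above suspects) sails through. Timing constants are assumptions."""

MIN_DELAY = 300            # seconds a triplet must wait before a retry counts
PENDING_TTL = 4 * 3600     # forget unretried triplets after this long
PASS_TTL = 36 * 24 * 3600  # keep a verified triplet this long


class Greylister:
    def __init__(self):
        self.pending = {}   # triplet -> first-seen time
        self.passed = {}    # triplet -> time last accepted

    def check(self, ip, sender, rcpt, now):
        """Return an SMTP-style verdict for one delivery attempt."""
        key = (ip, sender.lower(), rcpt.lower())
        if key in self.passed and now - self.passed[key] < PASS_TTL:
            self.passed[key] = now                   # refresh on use
            return "250 accepted"
        first = self.pending.get(key)
        if first is None or now - first > PENDING_TTL:
            self.pending[key] = now                  # first sighting (or stale)
            return "451 try again later"
        if now - first < MIN_DELAY:
            return "451 try again later"             # retried too eagerly
        del self.pending[key]
        self.passed[key] = now
        return "250 accepted"


def simulate(schedule, gl=None):
    """schedule: list of (t, ip, sender, rcpt). Returns the verdicts in order."""
    gl = gl or Greylister()
    return [gl.check(ip, s, r, t) for t, ip, s, r in schedule]


def demo():
    # Constructed traffic; addresses and IPs are placeholders.
    fire_and_forget = [(0, "203.0.113.5", "x@spam.invalid", "me@example.org")]
    eager_bot = [(0, "203.0.113.6", "y@spam.invalid", "me@example.org"),
                 (30, "203.0.113.6", "y@spam.invalid", "me@example.org")]
    rfc_bot = [(0, "203.0.113.7", "z@spam.invalid", "me@example.org"),
               (600, "203.0.113.7", "z@spam.invalid", "me@example.org")]
    real_mta = [(0, "198.51.100.2", "alice@example.com", "me@example.org"),
                (900, "198.51.100.2", "alice@example.com", "me@example.org"),
                (7200, "198.51.100.2", "alice@example.com", "me@example.org")]
    return {"fire_and_forget": simulate(fire_and_forget),
            "eager_bot": simulate(eager_bot),
            "rfc_bot": simulate(rfc_bot),
            "real_mta": simulate(real_mta)}


if __name__ == "__main__":
    for name, verdicts in demo().items():
        print(f"{name:16s} {verdicts}")
```

The fire-and-forget bot never comes back and loses; the one that retries after ten minutes is indistinguishable from a real MTA, which is the failure mode the comment above suspects. All greylisting ever demanded of a sender was a retry queue, and that is cheap to add to a botnet.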

  16. GIF SPAM by geekmansworld · · Score: 5, Interesting

    It seems that a lot of image spammers have tried to circumvent newer spam-blocking technology by using animated GIFs: the first frame of which is blank, and the second of which contains the ad.

    For months, we had consistent problems with clients e-mails (using a major ISP I won't mention here) not reaching our server. Curiously, it would happen most often with replies to our original e-mails.

    After months of anguish and highly accusatory phonecalls to the ISP's tech support, we discovered the problem. Our company e-mail signature contains GIF images. When a client replied to us, quoting the original e-mail, the ISP would scan the e-mail, detect the inline GIF, and block the e-mail.

    Since we changed the format of our signature to use JPEGs instead of GIFs, we've had no problems with the ISP blocking client replies.

    So once again I assert: the biggest problem with spam isn't even the spammers, it's the n00b sysadmins who implement aggressive spam-blocking rules before thinking about the consequences. I'd rather get more spam than have legitimate e-mails blocked by false positives.

    "The first thing we'll do is kill all the spammers..."
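An added example (not from the post) of looking at the signal the post describes: a pure-Python walk over a GIF's block structure, without decoding pixel data, that counts image frames and reads each frame's delay and transparency flag plus the loop count. Two constructed GIFs are built inline: a transparent first frame shown for 0.1 s followed by a long-held second frame, and a single-frame logo like a signature. The builder and its palette are test scaffolding, not part of any mail filter.

```python
"""Walk a GIF's block structure without decoding pixels: count image frames
and read each frame's Graphic Control Extension (delay, transparency) plus
the NETSCAPE loop count. A multi-frame GIF inside a mail body is the signal
for the blank-first-frame trick the post describes."""
import struct


def inspect_gif(data: bytes) -> dict:
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF")
    width, height, packed = struct.unpack_from("<HHB", data, 6)
    pos = 13                                    # header(6) + screen descriptor(7)
    if packed & 0x80:                           # global colour table present
        pos += 3 * (2 << (packed & 7))          # 3 bytes x 2^(N+1) entries
    frames, loops = [], None
    gce = {"delay_cs": 0, "transparent": False}
    while pos < len(data):
        block = data[pos]; pos += 1
        if block == 0x3B:                       # trailer
            break
        if block == 0x21:                       # extension: label + sub-blocks
            label = data[pos]; pos += 1
            subs = []
            while data[pos] != 0:
                n = data[pos]; subs.append(data[pos + 1:pos + 1 + n]); pos += 1 + n
            pos += 1                            # block terminator
            if label == 0xF9 and subs:          # Graphic Control Extension
                flags, delay, _idx = struct.unpack_from("<BHB", subs[0])
                gce = {"delay_cs": delay, "transparent": bool(flags & 1)}
            elif label == 0xFF and subs[:1] == [b"NETSCAPE2.0"] and len(subs) > 1:
                loops = struct.unpack_from("<H", subs[1], 1)[0]
        elif block == 0x2C:                     # image descriptor
            left, top, w, h, ipacked = struct.unpack_from("<HHHHB", data, pos)
            pos += 9
            if ipacked & 0x80:                  # local colour table
                pos += 3 * (2 << (ipacked & 7))
            pos += 1                            # LZW minimum code size
            while data[pos] != 0:               # skip compressed sub-blocks
                pos += 1 + data[pos]
            pos += 1
            frames.append({"box": (left, top, w, h), **gce})
            gce = {"delay_cs": 0, "transparent": False}
        else:
            raise ValueError(f"unexpected block 0x{block:02x} at offset {pos - 1}")
    return {"size": (width, height), "frames": frames, "loops": loops}


def frame_swap_suspect(info: dict) -> bool:
    """More than one frame in a mail-borne image is the thing to flag; a first
    frame that is transparent or short-lived makes it more so, but a pixel-level
    'is it blank' test would need LZW decoding (not done here)."""
    return len(info["frames"]) > 1


def build_gif(frames, width=1, height=1, loops=None) -> bytes:
    """Constructed test GIF: 2-colour global palette, each frame a 1x1 image
    carrying the minimal LZW stream (clear, index 0, end). `frames` is a list
    of (delay_cs, transparent)."""
    out = bytearray(b"GIF89a")
    out += struct.pack("<HHBBB", width, height, 0x80, 0, 0) + b"\x00\x00\x00\xff\xff\xff"
    if loops is not None:
        out += b"\x21\xff\x0bNETSCAPE2.0\x03\x01" + struct.pack("<H", loops) + b"\x00"
    for delay, transparent in frames:
        out += b"\x21\xf9\x04" + bytes([int(transparent)]) + struct.pack("<H", delay) + b"\x00\x00"
        out += b"\x2c" + struct.pack("<HHHHB", 0, 0, 1, 1, 0) + b"\x02\x02\x44\x01\x00"
    return bytes(out + b"\x3b")


# Transparent first frame shown for 0.1 s, then the "ad" frame held for a
# minute, looping forever, versus a one-frame logo such as a signature.
SPAM_GIF = build_gif([(10, True), (6000, False)], width=400, height=300, loops=0)
SIGNATURE_GIF = build_gif([(0, False)], width=120, height=40)

if __name__ == "__main__":
    for name, data in [("spam", SPAM_GIF), ("signature", SIGNATURE_GIF)]:
        info = inspect_gif(data)
        print(name, info["size"], len(info["frames"]), "frames, loops =", info["loops"],
              "suspect:", frame_swap_suspect(info))
```

A one-frame signature GIF does not trip this, which is the distinction the ISP's filter in the post lacked. Frame count is also indifferent to the 1-5 pixel dimension jitter comment 11 mentions, which is what defeats exact-size and hash matching.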

  17. Re:Where is Chris Hansen on this? by businessnerd · · Score: 2, Interesting

    Actually I wouldn't be surprised if "To Catch that dumbass who responds to SPAM" is next on the list. They recently did "To Catch an ID Thief." Actually a pretty interesting investigation. They confronted people who thought they had internet girlfriends/boyfriends who happened to also be shipping packages for their alleged significant others. These people were shocked and embarrassed, but they then helped track the criminals by playing along for a little longer and shipping packages with tracking devices. It was really interesting to see where that package ended up and even more interesting when they tried to lure the "girlfriend" into another "lucrative business deal" followed by a "My name is Chris Hansen..." unmasking. Pure gold.

    --
    "It's not whether you win or lose, it's how drunk you get." -- H. J. Simpson
  18. So what? by SanityInAnarchy · · Score: 4, Interesting

    I've almost deliberately exposed my email address all over the place, without the ridiculous antispam obfuscations (no "ninja AT slaphack DOT com" here), because I prefer not to use CAPTCHAs where I can help it, and that's just a poor man's CAPTCHA.

    The reason? Simple:

    Statistical spamfiltering of any kind -- bogofilter, in this case -- is creepily accurate.

    Recently, I lost my bogofilter database (due to my own stupidity). It took one day for it to get back to 95% accuracy, and another day to get up to 99%, with one false positive -- the first I had seen in about six months.

    --
    Don't thank God, thank a doctor!
  19. Re:Where is Chris Hansen on this? by wiredlogic · · Score: 2, Interesting

    I wish that somebody would do a TV show like "To Catch a Predator" except that they would go after the people who buy spam. Embarrass them a little.

    ABC did this with 419 spammers. They actually went to Nigeria and found a spam operation running there. They were able to contact some of the people who sent money and interviewed them to ask why they fell for the scam. Summary: the "victims" were universally dumb, poor, and avaricious. Definitely at the extreme end of the bell curve.

    --
    I am becoming gerund, destroyer of verbs.
  20. The rabbit hole goes deeper. by Anonymous Coward · · Score: 1, Interesting

    The main culprits are the work-at-home-and-make-big-bucks programs you find advertised on TV late at night and such. This is increasingly so since computers, always-on internet, and lazy people with spare time are often correlated.

    These programs are designed by people who work at so called "network marketing firms". You pay them half of your third mortgage, and they set you up with a turn-key virtual server somewhere (which you still need to pay for over time) and give you campaigns to run and leads to follow up on (or lists of people from which to procure leads). It's up to you to make that campaign make money for you, and most people get desperate when they find its not so easy to "be a viral marketing company" so they turn to private forums that trade email lists and get you in contact with spammers.

    Meanwhile the network marketing firm has your money, takes no risk, and is not responsible for the spam its "independent contractors" are sending out, nor the bespoke Russian viruses and network of zombies the more successful of these employees are cooking in their own home businesses.

    Finally, it's the people looking to sell products who are also harmed. The network marketing company promises them the world, takes a check, and then forwards the campaign scatter-shot to their contractors. And that's all they do, besides interact with the customer on the contractor's behalf. Little firewall there...
    I doubt they give them any useful metrics, nor would they sign a performance-based contractor. They're looking for desperate small-time campaigns.

    Which sometimes are the same independent contractors that work for the firms in the first place ... subcontracting out.

    It's a big clusterfuck.