Slashdot Mirror
How Image Spam Works
Esther Schindler writes "CSO Magazine has an article about "The Scourge of Image Spam," with an explanation of its effect (a year ago, fewer than five out of 100 e-mails were image spam; today, up to 40 percent are in that category, and image spam is the reason spam traffic overall doubled in 2006). You might already know about that, ho-hum. But what's even cooler is a interactive graphic page which demonstrates the various methods used by image spammers and how it works."
What is this thing you speak of?
I haven't had any spam in years.
Deleted
It works because some rat fuckers out there buy the shit that's being advertised.
Spammers are sending out Turing Tests. Beware of spam filters that are too good. They just might be intelligent.
For me the spam e-mails are minimal to my machine. I do see a couple of them come in through GMail on the account that I have posted publicly on my website for people to contact me but for the most part they are the standard stock pump and dumps or phishing schemes.
:(
What has been killing me recently were the fucking botnet "attacks" sucking my DSL's bandwidth with those douchebags hitting me with a GET and an immediate POST for tons of URLs all over my site. Their referrer was http://www.google.com/ and for a few hours I couldn't figure out how to stop that w/o stopping Google search referrals too.
Some nice guy in #apache helped me out with:
SetEnvIfNoCase Referer "^http://www.google.com/?$" BadReferrer=1
SetEnvIfNoCase Referer "^http://www.google.com/?$" BadReferrer
order deny,allow
deny from env=BadReferrer
That has been returning 403s to the botnet which apparently stop such frequent attempts when they receive the error. I was getting hit with their shit every 4 to 5 seconds all day yesterday and now they are "pinging" me with attempts every hour or so. I don't know if it's a different botnet or the same one trying to get back in but that was the most effectual way to drop the huge spam traffic I was receiving but couldn't ban due to the wide range of IPs.
Botnets fucking suck
This is easy enough to defeat. Ignore all emails that aren't plain text.
Give me Classic Slashdot or give me death!
This is a great article describing how it is formed, why it looks like that, what that is designed to trick, etc.
The key point they're missing is that it works under the assumption that a very small part of the populace doesn't recognize this as spam. These people then think that an investment firm decided to tip everyone off and they mistakenly buy the stock so that it goes up a nickel only to watch it drop shortly after the spammer drops the stock.
What's ironic is that I'll bet there's people out there with money that know this scam but buy the stock to also cash in on people who think this is a real tip. It might even be that the initial assumption is wrong and that the only people scamming each other are scammers trying to take advantage of another scammer's scam. Scam. Oh, the irony if that's the case. Either way, the article mentions the SEC removing stocks that went up that were junk stocks in spam mailings!
It's a scam. Stay away and alert your loved ones if you think they may fall into the initial category of the small part of the populace. The safest way to stop spam is to alert people and teach them how to identify it.
You don't buy stock that an angry fruit salad told you was hot just like you don't sleep with the girl who leaves dead spots of grass where she sits on the corner. Awareness is a valuable key to our solution against spam.
My work here is dung.
I send "Content-Type: image/(gif|jpe?g|png)" emails to /dev/null and pass the rest to spamprobe. After the inital learning of a couple of days, it's been 100% effective on image spam.
TFA shows exactly how the images try to fool OCR software.
Defenses against OCR:
* Throw in pixel noise
* Alter colors (I don't really understand this one other than insufficient contrast)
* Alter geometry enough to throw recognition algorithms off
* Give each letter a different font/position/geometry so adaptive OCR doesn't have enough samples to adapt.
* Split up images into layers of multiple images such that no single image has, by itself, any text
It's a very interesting article. We're going to have to make big strides in AI to the point where computers will be checking email and evaluating it as spam similar to how we do it as humans.
More Twoson than Cupertino
I get through the article and realize it's from April... I feel so out of date.
Ask not what you can do for your country. Ask what your country did to you
Lots of websites use the same techniques to obfuscate the little images used to differentiate real users from bot software. There have been lots of proof of concept examples of software that automatically "solve" these CAPTCHA images (http://en.wikipedia.org/wiki/Captcha#Computer_cha racter_recognition). If spammers move to increasingly complex image spam, I could see spam filters growing to include some of these algorithms, converting the images into a best-guess text representation, then subjecting that text to standard spam filtering. Even if the image to text conversion was only 50% accurate, I bet that would be enough to train up a modern spam filter like SpamBayes to recognize and reject the message.
Of course, I just read all my mail as plain text, so this is a non-issue as far as I'm concerned.
"Parsing an image, on the other hand, ain't so easy. "
.gif
p p-rule-to-catch-image-spam/
So use a manual rule to block these messages, discarding them on the basis of how they're put together.
If *all* of the following conditions are met:
Any attachment name contains
+ Content-Type contains multipart/related
+ Sender is not in my address book
Move message to "Junk".
http://www.hawkwings.net/2006/12/20/another-maila
Are they? Hardly any of it gets through my Spamassassin filter. There was a period back last October 2006 or so when I got a lot, but SA caught up. I did have to add a little weight to "image only" rules, but so far I've been able to filter the vast majority of it out.
-matthew
"THERE IS NO JUSTICE, THERE IS ONLY ME." -Death
Works for me. Must be your browser.
Here is TFA for all those who can't read it in its current form:
Image Spam: By the Numbers
By Scott Berinato
Image Spam--an e-mail solicitation that uses graphical images of text to avoid filters--is not new. Recently, though, it reached an unprecedented level of sophistication and took off. A year ago, fewer than five out of 100 e-mails were image spam, according to Doug Bowers of Symantec. Today, up to 40 percent are. Meanwhile, image spam is the reason spam traffic overall doubled in 2006, according to antispam company Borderware. It is expected to keep rising.
1. GIF Layering
Just as word splitting divides words into multiple images to elude spam filters (see number three), an image spam can be divided into multiple images. Like the transparent plastic overlays in Gray's Anatomy, pieces of a message are layered to create a complete, legible message. In this rudimentary example, the spam is divided into three pieces (cut in the middle of letters for added obfuscation). But one message could comprise as many as a dozen layered GIFs.
2. Optical Character
Recognition Duping Optical character recognition (OCR) is the closest to sight that computers get. OCR works by measuring the geometry in images, searching for shapes that match the shapes of letters, then translating a matched geometric shape into real text. To defeat OCR, spammers upset the geometry of letters enough--by altering colors, for example--so that OCR can't "see" a letter even as the human eye easily recognizes it. The effect is something like blurred characters in an eye test.
3. Word Splitting and Ransom Notes
If OCR catches up to the color tricks in image spam, a spammer's next defense is word splitting. By dividing the image and leaving space in between the pieces, any image the OCR engine is examining is only a piece of a letter with its own distinct geometry. Instead of word splitting, some spammers have employed a ransom note technique in which each letter in the spam message is its own image, and each letter image includes background noise and other baffling techniques. A program cobbles together randomized letter images to make words. The effect looks like a classic ransom note with a mishmash of letters cut out from magazines.
4. Geometric Variance
Many filters can intercept mass mailings based on their sameness. Images, though, can be altered easily without disturbing the message inside them. Thus one spam message will arrive as dozens of differently shaped images, and each time the colors of the text images will have changed, as will the randomly generated speckling and pixel and word salads. No two images are alike despite the fact that they carry similar messages. Shown are two radically different images containing the same stock tip. The technique is popular as a scheme to boost prices of low-value stocks. In March, the SEC suspended trading on 35 such stocks that were the subject of these image spam messages, including some whose prices rose.
5. Speckling/Pixel Salad
Confetti-like speckles don't affect the legibility of the necessary information but make every message unique to confuse a filter looking for patterns or high volumes of identical images.Similarly, a bar of randomly generated color pixels can contain the vast majority of the image data. To a filter it's full of patternless noise. We can see the words in the message while the image at the bottom doesn't bother us.
6. Hyperlink Elimination/Word Salad/Animated GIF
Filters have improved their ability to find and trace spammy URLs and then block the message based on the inclusion of a bad link. To get around this, spammers will ask recipients to type the URL into their browsers.Other methods include word salads, text passages, often taken from classic novels, to confuse Bayesian filters and weighted dictionaries that rely on complex mat
Well, back to rejecting software patent applications.
Just a quick note on this story. One of the important lessons of image spam is it's a problem regardless of whether or not you actually receive it in your inbox. As the print version of the story points out, most image spam emails are at least twice the size of a text email (and they are getting much much bigger than that). That means spam is clogging up pipes along the way. Also, it's hogging massive amounts of storage at companies that can't filter it well and backup/archive email and junk inboxes that don't get cleaned out. Also, it still gets through to many many inboxes, as the fact that the SEC banned trading on penny stocks that were part of a pump and dump image spam campaign points out. The question is, and will increasingly be, why are we trying to filter this stuff at the email server rather than on the backbone? To date, ISPs and backbone operators have been hands off. That's good. No judgment on traffic and what's "good" or "bad." But it's also bad--all this crap clogs up the network and leads to any number of frauds and scams. Watch--there will be more of a push on these guys to start making value judgments on traffic and scrubbing "bad" traffic like spam and suspected DDoS etc. That's good--less spam in inboxes, cleaner pipes, better service and reduced chance of fraud. That's also bad--who is Joe Backbone that he gets to decide good and bad packets and what if he makes a mistake?
Despite the best efforts of spammers, my filter is still highly effective. While I have received an ever increasing amount of spam over the last couple of years, my filter has kept it out of my inbox. Almost none of it gets through and my e-mail is as useful as it was 15 years ago when there wasn't any spam. I don't think the filter I use is anything special (SpamSieve for Mac.) People who suffer from spam problems likely aren't using anything at all or are using filters that are only for show, so the "has a spam filter" box can be ticked and not designed to be effective (i.e. the ones provided by crappy web mail or Microsoft and Apple mail programs)
The biggest front on the war against spammers is simply educating non-experts on the existence of effective filters. Plus, we should be chiding companies like Apple and Microsoft for providing impotent filters. I think they purposely make crappy filters to avoid pissing off big companies (spammers.)
For starters, there's always hiring someone else to screen your emails for you. I wouldn't be surprised if there was already a service that you could join today and get your emails pre-screened.
Spam filters are going to have to get to be as good as an informed human being before they can stop all spam regardless of what tricks they use.
I just hope AI gets to that point before it goes all sentient... you know:
"DESTROY ALL SPAM"
...computing...
"SPAM COMES FROM HUMANS"
...computing...
"DESTROY ALL HUMANS"
More Twoson than Cupertino
Every 4 to 5 seconds is not bad, I was hit by a similar attack.
I run a webserver on my home connection, all it hosts is MythWeb, and it is password protected. I am the only person who should have to access it, and am on a dynamic IP address (not a problem I thought when setting it up, and have been very successfully using DynDNS.) About a year ago my IP address was changed to a new one, as it happens. My internet was going as slow as molasses about 10 minutes later, although I just thought it was a temporary thing with my connection. The next day it is even slower, and so I begin to investigate - I perform a speedtest and get very good results for download (but not perfect), but almost no upload. I thought this was odd and checked with my ISP to make sure there were no known issues with the connections in my area - there were not. So I then plugged my modem directly into my computer and it was still happening (which made me think it was something with my ISP, as it affected my router and my computer), and so I then clicked on my bandwidth monitor to see what speeds I could get, and before doing anything there was a constant stream of about 100kb-150kb of downstream traffic. And so I plugged the internet back through the router (I was running a software firewall by the way, so I considered bypassing the router safe).
I then looked at my webserver logs, and it took forever to load. So instead I did a "tail -f" on the error log. I must have been receiving hundreds of requests per second for websites that were nothing to do with me. It was scrolling so quickly I could not read entries as they went past. Examining it more closely I realized what happened: the owner of the IP address before me had been running an open proxy on port 80, and when the IP address changed all their requests were redirected to me, killing my much slower connection (from all the 404 responses apache was sending). So I closed port 80 for a week, and my connection returned to a somewhat normal state. However, I was still receiving about 20 requests a second, despite being offline (seemed mainly to be people trying to do dos attacks through a proxy). After a month this was down to only 1 or 2 a second, and it has remained like that till today.
Because of your post I checked my webserver logs, and at 1:27:18am I received my last request for a website, and looking into it my IP address changed to a new one (only took a year), and so some other unfortunate person is now receiving a few requests a second to be a proxy server.
... the easier it becomes for a human to pick it out. Anything that has a garbled or gobblygook subject is going to be spam these days. Anything in plain english, but forming nonsensical sentences is going to be spam. Anything that looks like someone copy'n'pasted from a book on english poetry is going to be spam. Those three rules alone should cut out most of anyone's spam. Then you can delete anything advertising fake rolexes, pump and dump stock schemes and OEM software. And offers of naked pictures and singles websites. That should about do it...
Julie Moult is an idiot.
Since it appears that Web 2.0 is all but synonomous with cross-site scripting as a feature, my default browser settings have all scripting and components off. A site gets into my trusted site list only if I trust it with my credit card or equivalently, allow it to install software on my system (such as Windows Update).
Or, if Aunt Sally send you one of those bloody e-cards, you can kiss your e-mail address goodbye.
1 in 4 Maine children in struggle with hunger.
What sort of a brain-dead moron would actually fall for spam?
I wish that somebody would do a TV show like "To Catch a Predator" except that they would go after the people who buy spam. Embaras them a little.
"Hi, I'm Chris Hansen from NBC. Why don't you have a seat there. Why are you here sir?"
"uh well I, I'm here to see a friend."
"You're here to have your penis enlarged aren't you?"
"no, no, I'm just here to hang out."
"Sir this is an email that we sent to you advertising penis enlargement. You clicked on this email."
"omg, is this on TV??"
describes the multitude of summer camp romances in my youth...
I have something in common with Stephen Hawking...
This is not a new idea. It is also not ethical.
Avoid Missing Ball for High Score
portions:
Eggs, sausage, bacon, spam, spam, toast, spam, chips, coffee and spam.
I find the "problem" of image spam quite easy to avoid. I just don't accept any emails with attachments/images unless they're on my whitelist, because really... who's going to be emailing pictures to me other than my friends and family ? It's just plain retarded.
-Billco, Fnarg.com
If we'd stuck with text only email....no problem with images.
Oh well....back to trying to install Win 95 on an abacus.....
Light travels faster than sound. This is why some people appear bright until you hear them speak.........
It seems that a lot of image spammers have tried to circumvent newer spam-blocking technology by using animated GIFs: the first frame of which is blank, and the second of which contains the ad.
For months, we had consistent problems with clients e-mails (using a major ISP I won't mention here) not reaching our server. Curiously, it would happen most often with replies to our original e-mails.
After months of anguish and highly accusatory phonecalls to the ISP's tech support, we discovered the problem. Our company e-mail signature contains GIF images. When a client replied to us, quoting the original e-mail, the ISP would scan the e-mail, detect the inline GIF, and block the e-mail.
Since we changed the format of our signature to use JPEGs instead of GIFs, we've had no problems with the ISP blocking client replies.
So once again I assert: the biggest problem with spam isn't even the spammers, it's the n00b sysadmins who implement agressing spam-blocking rules before thinking about the consequences. I'd rather get more spam that have legitimate e-mails blocked by false positives.
"The first thing we'll do is kill all the spammers..."
I've almost deliberately exposed my email address all over the place, without the ridiculous antispam obfuscations (no "ninja AT slaphack DOT com" here), because I prefer not to use CAPTCHAS where I can help it, and that's just a poor-man's CAPTCHA.
The reason? Simple:
Statistical spamfiltering of any kind -- bogofilter, in this case -- is creepily accurate.
Recently, I lost my bogofilter database (due to my own stupidity). It took one day for it to get back to 95% accuracy, and another day to get up to 99%, with one false positive -- the first I had seen in about six months.
Don't thank God, thank a doctor!