IronPort Reports Surge in Image Spam

IronPort released spam data that ISPs should pay attention to even though the data supports IronPort's products.

by Alex Goldman ISP-Planet Managing Editor [July 10, 2006]

Last week, San Bruno, Calif.-based IronPort announced that image spam is increasing. As ISPs and other companies deploy text-based anti-spam engines, the spammers are responding by using images instead of words to convey the message.

IronPort said that a study of its own SenderBase data showed that image-based spam messages have increased from less than 1 percent of all spam in June of 2005 to more than 12 percent of all spam in June of 2006.

Of course, the research also touts IronPort's own products, which do more than just text-based filtering. IronPort uses a worldwide database, called SenderBase, to track the reputation of senders and their behavior. If a particular server starts doing anything suspicious, IronPort appliances throttle that server's throughput to IronPort customers.

So what is image spam?
Craig Sprosts, senior product manager at IronPort, says that spammers have started embedding images in messages to avoid filters. Each image is made unique by altering a few barely-visible dots in the corner or edge of the image. IronPort can detect this spammer randomization and block such messages.

"A further tactic," Sprosts says, "is sending multiple images that, when presented in the e-mail client, appear as one image."

Domain kiting
Earlier this month, ISP-Planet author Jim Thompson forwarded to us an article by GoDaddy founder Bob Parsons on Domain Kiting, a process whereby a spammer registers a domain but lets it expire within five days. Parsons wrote that of 35 million domain names registered in April, 32 million were allowed to expire.

IronPort therefore tracks the reputation of domains, but this is not very useful in the case of the spam because the domain names keep changing. IronPort therefore also checks to see how recently a domain was registered, flagging any domain name registered in the last five days as suspicious.

Spammers used to send all mail from one domain, until blacklists started blocking them. Since then, spammers have compounded their crimes by hijacking residential computers with viruses and trojans and using those computers to send the spam. IronPort therefore does not devote as many resources to tracking the e-mails from which spam is sent.

A few bad actors. . .
"Does this mean that all spam is the result of just a few bad people, and that if we could find them, we could end spam," we ask.

"It is true that there is a smaller number of actors than there are servers sending spam," says Sprosts.

. . . A flood of spam
He adds that ISPs need to have universal spam prevention. Image spam is a threat that the designers of IronPort did not anticipate, but which IronPort was able to block. Spam will only get more sophisticated over time, he warns.

As it is, the amount of spam is increasing. "The absolute increase in spam has not gotten a lot of attention," Sprosts warns.

IronPort reports that spam increased 40 percent worldwide in the last two months, from April 2006 to June 2006.

IronPort is generally seeing the same spam topics. "Drugs remain number one," says Sprosts. "We're seeing an increase in stock spam. Adult spam remains significant but is not the top spam topic."

— End