Spammers have been including images in their email to evade anti-spammers.
Anti-spammers have been using OCR to identify spammy words in images.
Spammers have recently come up with tricks to work around OCRs,
by doing steganography with animated GIF images.
One approach they're taking is to build the real image progressively,
first drawing a background, then drawing parts of the image
(one spammer uses transparent pixels to do parts of it, showing dark parts of background), then waiting a long time and drawing a blank page in case anything's checking the final image.

http://www.networkworld.com/community/?q=node/8977

Spammers dodging OCR with .gif 'cut-and-paste'

By Paul McNamara on Fri, 10/20/2006 - 2:11pm

Spammers have begun slipping their junk past optical character recognition (OCR) software through a variety of animated .gif "cut-and-paste" techniques, says John Graham-Cumming, an anti-spam activist who maintains The Spammers' Compendium and also founded Electric Cloud.

On blog posts this week -- here and here
        http://www.jgc.org/blog/2006/10/why-ocring-spam-images-is-useless.html
        http://www.jgc.org/blog/2006/10/spam-image-that-slowly-builds-to.html
-- Graham-Cumming explains two of the OCR-evading methods that were brought to his attention by Nick FitzGerald, a New Zealand anti-spam consultant and regular contributor to The Spammers' Compendium. (It being 3 a.m. in New Zealand, I'm relying on Graham-Cumming's account here.) ... (Update: FitzGerald explains his advantage.)

"I don't know how widespread it is," Graham-Cumming told me this afternoon. "(The second spam message) was targeted for this Wednesday, so I think it's probably pretty new."

The second of the two techniques takes animated .gif spam "to a new level," he said on his blog.

From the blog post: "The first image is the .gif's background and is displayed for 10ms then the second image is layered on top with a transparent background so that the two images merge together and the image the spammer wants you to see appears. That image remains on screen for 100,000 ms (or 1 minute 40 seconds). After that the image is completely blanked out by the third frame.

"My favorite touch is that it's not the entire image that's transparent, not even the white background, but just those pixels necessary to make the black pixels underneath show through. If you look carefully above you can see that some of the pixels appear yellow (which is the background color of this site) indicating where the transparency is."

In our interview, Graham-Cumming belied more than begrudging admiration for what this spammer has achieved.

"What's really neat about what this guy has done is that he takes a piece of text and he randomly kills pixels in it so that each frame of this thing is unreadable," he told me. "But when you merge them together, you get a readable piece of text. It is immensely clever. He's used animation with transparency in .gif so what happens is that although this is actually animated you don't see the animation because the two frames which have got the pixels killed on them are animated together so fast … that it looks like a static image."

Despite the fact that Graham-Cumming headlined his blog item "Why OCRing spam images is useless," he tempered that assessment in our talk.

"Saying OCR is useless is an overstatement, of course," he said. "There will be some value in OCRing because the history of spam shows that there are bleeding-edge spammers who fight to get through every filter and there's a large pool of spammers who use out of date software, essentially, so it's always worth going with techniques that worked a few months ago. … The problem with OCR is that it's very expensive to do in terms of CPU and so that's why it hasn't been rolled out widely. It's pretty clear that spammers are thinking about this. That (animated .gif) technique and the previous one I showed in the previous blog entry both make OCRing difficult."

Coincidentally, the two anti-spammers involved here had recently been discussing the possibility of such techniques emerging.

"What's amazing about this one is that (FitzGerald) and I had gone back and forth in a conversation about -- 'You know what spammers could do, is something like this.' We had anticipated that something like this was going to happen; the particular technique is very close to what we had been discussing and (FitzGerald) actually sent me an e-mail today saying, 'Look at this one, maybe they're reading our mail.' "
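
For a filter author, the frame timings quoted above are what identify the frame worth OCRing. The following is an added example, not part of the original message or the quoted article: it reads each frame's delay and transparency flag from a GIF's graphic control extensions and picks the frame the recipient actually sees. The function names, the `flash_ms`/`linger_ms` thresholds and the three-frame sample GIF are assumptions constructed for illustration.

```python
import struct

def _sub_blocks(data, pos):
    """Read a chain of GIF data sub-blocks; return (payload, next position)."""
    payload = b""
    while data[pos]:
        payload += data[pos + 1:pos + 1 + data[pos]]
        pos += 1 + data[pos]
    return payload, pos + 1

def _table_len(flags):  # byte length of the colour table a flags byte announces
    return 3 * 2 ** ((flags & 7) + 1) if flags & 0x80 else 0

def gif_frames(data):
    """Per-frame delay and transparency, read without decoding any pixels."""
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF")
    pos, frames, gce = 13 + _table_len(data[10]), [], None
    while data[pos] != 0x3B:                         # 0x3B is the trailer
        if data[pos] == 0x21:                        # extension block
            label = data[pos + 1]
            payload, pos = _sub_blocks(data, pos + 2)
            if label == 0xF9 and len(payload) >= 4:  # graphic control extension
                flags, delay_cs = struct.unpack_from("<BH", payload)
                gce = {"delay_ms": delay_cs * 10, "transparent": bool(flags & 1)}
        elif data[pos] == 0x2C:                      # image descriptor
            pos += 10 + _table_len(data[pos + 9])
            _, pos = _sub_blocks(data, pos + 1)      # +1 skips the LZW code size
            frames.append(gce or {"delay_ms": 0, "transparent": False})
            gce = None
        else:
            raise ValueError("unexpected block 0x%02x" % data[pos])
    return frames

def frame_to_ocr(frames):
    """Index of the frame shown longest: composite frames 0..index and OCR that."""
    return max(range(len(frames)), key=lambda i: frames[i]["delay_ms"])

def looks_layered(frames, flash_ms=100, linger_ms=10000):
    """Brief frame, then a long-lived transparent overlay (thresholds assumed)."""
    return any(a["delay_ms"] <= flash_ms and b["transparent"] and b["delay_ms"] >= linger_ms
               for a, b in zip(frames, frames[1:]))

def sample_gif():
    """Constructed 1x1 GIF: 10 ms background, 100,000 ms overlay, blank frame."""
    out = b"GIF89a" + struct.pack("<HHBBB", 1, 1, 0x80, 0, 0) + bytes(6)
    for delay_cs, transparent in ((1, 0), (10000, 1), (0, 0)):
        out += b"\x21\xf9\x04" + struct.pack("<BHB", transparent, delay_cs, 0) + b"\x00"
        out += b"\x2c" + struct.pack("<HHHHB", 0, 0, 1, 1, 0) + b"\x02\x02\x44\x01\x00"
    return out + b"\x3b"
```

On the constructed sample, `frame_to_ocr(gif_frames(sample_gif()))` selects the second frame rather than the blank final one. Truncated input raises `IndexError`, which a scanner should treat as a malformed attachment.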



