I am imagining the amount of processor resource scanning 100,000
messages per day let alone the tens of millions or more that some
sites see. I think Google could do it with their machine.

It's not needed, either. VERY few get through in practice. All ya
need is SpamAssassin and SARE. Then Bob's your uncle.

(I figured "checksum" right off. Thirty milliseconds later I figured
the random pixels - one is enough per image - counter. And maybe 60
milliseconds later I realized that the image is just a large captcha
and that the captcha problem has been "solved", although it takes a
lot of computational resource. About a day later a lower usage
solution presented itself - take blocks of data from the image
and look at their average color. For an optimal size and number of
such blocks you can create a fairly reliable signature. Ba-da-bing.
Then multiple images appeared. Of course, during the whole flight of
thought I kept in mind the question, "But WHY?" SARE and SpamAssassin
plus the BLs have not let a ONE of either of those through yet this
year.)

{^_^}
----- Original Message ----- From: "Thomas Raef" <[EMAIL PROTECTED]>

This thread might be dead, but I just read this and thought it might provide some insight, or thought, or something:


Network World's Messaging Newsletter, 06/20/06


How IronPort tackles image-based spam


By Michael Osterman


Following my discussion with Vircom about the problems the e-mail security firm is finding with image-based spam (as reported in last week's newsletter), I spoke with IronPort about the issue.

IronPort is finding that about 12% of all spam is currently image-based, but that only a small handful of spammers are currently using it. However, because of the inability of many spam filters to adequately detect and stop this type of spam, the capture rate is much lower than for conventional spam. The result is that upwards of 50% of the spam received by end users is image-based spam.

Conventional anti-spam systems using heuristics are quite poor at stopping image spam. Signature-based approaches are also inadequate because randomization techniques easily bypass these signatures. Randomization can take the form of inserting random pixels in a GIF image, which are imperceptible to viewers but that can easily break traditional binary signatures, or by changing palette or border colors. While randomization capabilities for image-based spam are not yet built into spam tool kits available on the Web, it's probably only a matter of time before this is the case.

IronPort's approach is to use what it calls Context Adaptive Scanning - basically, profiling image spam to look for patterns across the message, the reputation of the sender, whether or not a dynamic IP address is used, how the message is constructed and other information. IronPort's approach also looks for color patterns within an image that can identify the presence of text within an image, since the vast majority of valid images sent through e-mail rarely contain a substantial quantity of text. Using these techniques, IronPort is currently able to stop about 98% of image-based spam with a very low false positive ratio.

How much of a problem is image-based spam for your organization? Are you finding an increase in this type of spam and are you having difficulty detecting and stopping it?

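Added example, not part of the original post or of SpamAssassin/SARE: a sketch of the block-average-color signature described in the reply above, set against an exact checksum when a few random pixels are changed. The 64x64 sample image, the 8x8 grid, the tolerance values and all function names are assumptions chosen for illustration, and SHA-256 stands in for the "checksum".

```python
import hashlib
import random

def make_sample(w=64, h=64):
    # Constructed image: light background with dark text-like bars.
    return [[(20, 20, 60) if (y // 4) % 3 == 0 and 8 <= x < 56 else (240, 240, 230)
             for x in range(w)] for y in range(h)]

def add_random_pixels(pixels, count, seed):
    # Simulates the randomization described above: overwrite a few pixels.
    rng = random.Random(seed)
    out = [list(row) for row in pixels]
    for _ in range(count):
        y, x = rng.randrange(len(out)), rng.randrange(len(out[0]))
        out[y][x] = tuple(rng.randrange(256) for _ in range(3))
    return out

def checksum(pixels):
    # Exact-match signature over the raw pixel bytes.
    raw = bytes(c for row in pixels for px in row for c in px)
    return hashlib.sha256(raw).hexdigest()

def block_signature(pixels, blocks=8):
    # Mean R, G, B of each cell in a blocks x blocks grid.
    h, w = len(pixels), len(pixels[0])
    sig = []
    for by in range(blocks):
        for bx in range(blocks):
            ys = range(by * h // blocks, (by + 1) * h // blocks)
            xs = range(bx * w // blocks, (bx + 1) * w // blocks)
            n = len(ys) * len(xs)
            for c in range(3):
                sig.append(sum(pixels[y][x][c] for y in ys for x in xs) // n)
    return sig

def similar(sig_a, sig_b, tol=16, max_bad=3):
    # Match when at most max_bad block averages differ by more than tol.
    bad = sum(1 for a, b in zip(sig_a, sig_b) if abs(a - b) > tol)
    return bad <= max_bad

if __name__ == "__main__":
    original = make_sample()
    variant = add_random_pixels(original, count=8, seed=1)
    print("checksum equal:", checksum(original) == checksum(variant))
    print("block signature match:",
          similar(block_signature(original), block_signature(variant)))
```

With 64 pixels per block, one altered pixel moves a block average by at most about 4 levels, which is why the tolerance absorbs the noise that breaks the checksum.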