Educause Security Discussion mailing list archives

Re: Image SPAM Increase?


From: Joe St Sauver <joe () OREGON UOREGON EDU>
Date: Wed, 19 Apr 2006 08:37:26 -0700

Gary mentioned:

#Over the past few weeks we've seen a slow increase in SPAM messages
#related to stock market advice.

Yes.

Stock spam has become popular because people have recognized the potentially
lucrative nature of the spam, and the relatively low level of enforcement
activity to date. However, see:

-- "SEC Files Fraud Charges Against Dallas Investment Adviser and Its
   President in $1.9 Million Junk-Fax 'Scalping' Scheme"
   http://www.sec.gov/news/press/2006-35.htm
   March 9, 2006

-- "SEC Files Emergency Action to Stop Ongoing Microcap Stock Fraud,"
   http://www.sec.gov/news/press/2006/2006-50.htm
   April 6, 2006

-- "Long Island Man Arrested for Internet 'Pump and Dump' Stock Scheme
   Involving False Claims Designed to Prey on Public Concern About Terrorism
   and Bird Flu Virus"
   http://newyork.fbi.gov/dojpressrel/pressrel06/stockscheme040606.htm
   April 6, 2006

Stock spam may also be something where the benefitting party may have a
mistaken sense of being cut-out, or insulated, from the spamming activity.

#We're starting to see regular reports
#from our users of this new ( for us ) activity. The messages are
#composed:
#
#1) entirely of images

You're seeing the impact of things like SURBLs and SpamAssassin on
spam formatting. Because SURBLs have become *SO* good at blocking
spam based on enclosed URLs and spam-related text characteristics,
the spammers have gone to an image-only format.

#--or--
#
#2) Images prepended with gibberish

Anti-Bayesian hash busters, presumably.

#Messages have been received from computers around the
#world and sources don't seem to repeat.

Most likely spam zombies. If you see examples with full headers, I'd encourage
you to report them to SpamCop.net.

#How would any SPAM filter be able to deal with a message
#made up entirely of an image and sent from varying
#computers? Is it safe to assume there are no filters
#that have OCR capabilities :)

I believe these will end up getting dealt with (ultimately) by
building databases of image checksums (md5sum etc.), along with
accelerated enforcement activity.

Yes, the spammers may eventually go to per-message customized
images with unique md5sums, but so far that's not been the case.

It is also worth noting that many major email service providers
have web interfaces that make links unclickable (which is why
you see verbiage in much spam talking about copying and pasting
URLs), and interfaces that disable display of images from
suspicious sources. When that becomes more common, the use
of image-only spam will decrease.

#What actions do you take and/or what recommendations do
#you offer to users when faced with an increase in
#unfilterable messages?

If you're not already doing so, you may also want to ensure that
you're using the Spamhaus SBL+XBL to block known spam sources and
known spam zombies.

If you're running SpamAssassin or a SpamAssassin derivative, the
weights associated with SpamAssassin tests should not be taken as
cast in stone. Adjusting suitable tests upwards may be all you need
to take care of the issue.

Regards,

Joe
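
An added example, not part of the original message: a minimal Python sketch of the image-checksum database approach described above, including the case where a per-message customized image defeats an exact MD5 match. The function names, sample messages, addresses and image bytes are all constructed for illustration.

```python
import hashlib
from email import message_from_bytes, policy
from email.message import EmailMessage

def image_digests(raw):
    """MD5 hex digest of every decoded image part in a raw RFC 5322 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    return [hashlib.md5(part.get_payload(decode=True)).hexdigest()
            for part in msg.walk()
            if part.get_content_maintype() == "image"]

def is_image_only(raw):
    """True when the message carries images and no non-empty text part."""
    msg = message_from_bytes(raw, policy=policy.default)
    has_image = has_text = False
    for part in msg.walk():
        kind = part.get_content_maintype()
        if kind == "image":
            has_image = True
        elif kind == "text" and part.get_content().strip():
            has_text = True
    return has_image and not has_text

def matches_known_spam(raw, known):
    """True when any image in the message is already in the checksum database."""
    return any(digest in known for digest in image_digests(raw))

def build_sample(image, body=""):
    """Constructed test message; the addresses and subject are placeholders."""
    m = EmailMessage()
    m["From"] = "sender@example.invalid"
    m["To"] = "user@example.edu"
    m["Subject"] = "constructed sample"
    if body:
        m.set_content(body)
    m.add_attachment(image, maintype="image", subtype="gif", filename="a.gif")
    return m.as_bytes()

# Constructed stand-in for a spam image (a GIF header followed by filler bytes).
SPAM_IMAGE = b"GIF89a" + b"\x00" * 64
KNOWN = {hashlib.md5(SPAM_IMAGE).hexdigest()}  # the checksum "database"

if __name__ == "__main__":
    seen = build_sample(SPAM_IMAGE)
    padded = build_sample(SPAM_IMAGE, "random gibberish filler text")
    tweaked = build_sample(SPAM_IMAGE + b"\x01")  # per-message customized image
    print(is_image_only(seen), matches_known_spam(seen, KNOWN))
    print(matches_known_spam(padded, KNOWN), matches_known_spam(tweaked, KNOWN))
```

Gibberish text placed around the image does not change the image's checksum, so the match still fires; a single changed byte in the image itself does not match.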
