Educause Security Discussion mailing list archives
Re: Image SPAM Increase?
From: Joe St Sauver <joe () OREGON UOREGON EDU>
Date: Wed, 19 Apr 2006 08:37:26 -0700
Gary mentioned:

#Over the past few weeks we've seen a slow increase in SPAM messages
#related to stock market advice.

Yes. Stock spam has become popular because people have recognized the potentially lucrative nature of the spam, and the relatively low level of enforcement activity to-date (however see:

-- "SEC Files Fraud Charges Against Dallas Investment Adviser and Its President in $1.9 Million Junk-Fax 'Scalping' Scheme"
   http://www.sec.gov/news/press/2006-35.htm
   March 9, 2006

-- "SEC Files Emergency Action to Stop Ongoing Microcap Stock Fraud,"
   http://www.sec.gov/news/press/2006/2006-50.htm
   April 6, 2006

-- "Long Island Man Arrested for Internet "Pump and Dump" Stock Scheme Involving False Claims Designed to Prey on Public Concern About Terrorism and Bird Flu Virus"
   http://newyork.fbi.gov/dojpressrel/pressrel06/stockscheme040606.htm
   April 6, 2006)

Stock spam may also be something where the benefitting party may have a mistaken sense of being cut-out, or insulated, from the spamming activity.

#We're starting to see regular reports
#from our users of this new ( for us ) activity. The messages are
#composed:
#
#1) entirely of images

You're seeing the impact of things like SURBLs and SpamAssassin on spam formatting. Because SURBLs have become *SO* good at blocking spam based on enclosed URLs and spam-related text characteristics, the spammers have gone to an image-only format.

#--or--
#
#2) Images prepended with gibberish

Anti-Bayesian hash busters, presumably.

#Messages have been received from computers around the
#world and sources don't seem to repeat.

Most likely spam zombies. If you see examples with full headers, I'd encourage you to report them to SpamCop.net.

#How would any SPAM filter be able to deal with a message
#made up entirely of an image and sent from varying
#computers? Is it safe to assume there are no filters
#that have OCR capabilities :)

I believe these will end up getting dealt with (ultimately) by building databases of image checksums (md5sum etc.), along with accelerated enforcement activity. Yes, the spammers may eventually go to per-message customized images with unique md5sums, but so far that's not been the case.

It is also worth noting that many major email service providers have web interfaces that make links unclickable (which is why you see verbiage in much spam talking about copying and pasting URLs), and interfaces that disable display of images from suspicious sources. When that becomes more common, the use of image-only spam will decrease.

#What actions do you take and/or what recommendations do
#you offer to users when faced with an increase in
#unfilterable messages?

If you're not already doing so, you may also want to insure that you're using the Spamhaus SBL+XBL to block known spam sources and known spam zombies.

If you're running SpamAssassin or a SpamAssassin derivative, the weights associated with SpamAssassin tests should not be taken as cast in stone. Adjusting suitable tests upwards may be all you need to take care of the issue.

Regards,

Joe
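
The image-checksum database suggested in the reply above, shown as an added example that is not part of the original post. SHA-256 stands in for the md5sum the post mentions; the function names, the in-memory set used as the database, and the sample messages are all constructed assumptions.

```python
import hashlib
from email import message_from_bytes, policy
from email.message import EmailMessage

def image_digests(raw: bytes) -> list[str]:
    """SHA-256 of each decoded image/* part in a raw message (sorted)."""
    msg = message_from_bytes(raw, policy=policy.default)
    return sorted(
        hashlib.sha256(part.get_payload(decode=True) or b"").hexdigest()
        for part in msg.walk()
        if part.get_content_maintype() == "image"
    )

def report_spam(raw: bytes, db: set[str]) -> None:
    """Record the image checksums of a message a user reported as spam."""
    db.update(image_digests(raw))

def matches_known(raw: bytes, db: set[str]) -> bool:
    """True if any image in the message is already in the checksum database."""
    return any(d in db for d in image_digests(raw))

def build_sample(image: bytes, filler: str, sender: str) -> bytes:
    """Constructed test message: gibberish text plus one attached image."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "user@example.edu"
    msg["Subject"] = "constructed sample"
    msg.set_content(filler)
    msg.add_attachment(image, maintype="image", subtype="gif", filename="a.gif")
    return msg.as_bytes()

if __name__ == "__main__":
    image = b"GIF89a" + bytes(range(64))   # constructed placeholder bytes
    db: set[str] = set()                   # hypothetical in-memory database
    report_spam(build_sample(image, "qzv plmk wroth", "a@example.net"), db)
    # Same image, different sender and hash-buster text: still caught.
    print(matches_known(build_sample(image, "ubn trel oxa", "b@example.org"), db))
    # Per-message customised image (one byte changed): exact checksum misses.
    print(matches_known(build_sample(image + b"\x01", "x", "c@example.com"), db))
```

The second check shows the limit the reply anticipates: once each message carries a uniquely altered image, an exact-match checksum database no longer hits.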