Image-Based Spam a Server Threat

With spam now embedded in graphics files, e-mail servers are getting creamed.

By Andy Patrizio | Posted Jan 11, 2007

Spammers often change tactics to try to stay ahead of the curve, and the latest is image-based spam.

Because spam blockers have become so efficient at detecting text-based spam, no matter how many different ways they try to spell "mortgage" and "Viagra," the spammers have added a new weapon to their arsenal: the graphic file.

By embedding the text in a small .jpeg or .gif file, spammers get past blockers that only examine a message's text, so the message usually goes through. The catch is that an image-based spam message is considerably larger than a text-based one, so it takes longer to process and puts far more load on e-mail servers.

"This is a huge increase in the size of spam. Even a small increase in image spam means a huge increase in the file size of spam being sent around," Mikko Hypponen, chief research officer for antivirus vendor F-Secure, told internetnews.com.

Hypponen puts image-based spam at around 35 percent of all spam currently clogging the Internet. Fortunately, said Hypponen, e-mail accounts for very little of the total Internet traffic. So alarmist stories that image-based spam could bring the Internet to a crashing halt are unfounded.

"The Internet as a whole is not going to come to a standstill from e-mail, but e-mail of itself is a different thing," he said. The SMTP e-mail used today still reflects the design assumptions of the early ARPANET, the Defense Department project of the late 1960s and early 1970s that had a few dozen users; network e-mail dates from 1971, and SMTP itself was specified in 1982 (RFC 821).

The base protocol still has no sender authentication, no confidentiality or integrity protection and no guarantee of delivery: a bare SMTP session accepts whatever envelope sender the client names. Extensions such as SPF and DKIM bolt sender checks on afterwards, but they are optional and were not part of the original design. "The only reason e-mail works as well as it does is the goodwill of the people, because they aren't trying to break things," he said.

Peter Firstbrook, security research director for Gartner, confirmed the explosive effect of image spam on e-mail servers. He said it went from 6 percent of all spam in Q3 of 2006 to 30 percent by Q4, a fivefold increase in one quarter.

"E-mail isn't the biggest bandwidth hog, but it is a CPU and MTA [Message Transfer Agent] hog," he said. He's talked to clients that had to turn off mail queuing to allow the backlog to be processed, and as soon as they opened up the mail servers, they got overwhelmed again.

The solution is not easy. Stopping to examine graphics files means a logjam at the mail server and MTA, which could mean lost or bounced e-mail. And while client-side spam blockers like Symantec's Brightmail and Cloudmark Desktop work well, the best place to block spam is at the edge of the network. Most developers of client-side spam blockers, including Symantec and Cloudmark, also offer server-side protection.

"It saves bandwidth between the server and user and doesn't pile up the user with image files. Most corporations don't even want [spam] in their e-mail servers. You've got to block at the firewall, before the mail server," said Hypponen.

Firstbrook agrees. "You gotta drop this stuff at the boundary. You can't process everything. You gotta say, 'I can't trust this sender; I'm not accepting this message.'" In practice that means refusing the connection or the envelope at the SMTP level, before the image payload is ever transferred: if a dozen messages from a known spammer e-mail address or IP address have been spam, future messages from it are very likely to be spam as well.

In the long run, fixing that calls for sender authentication and secure delivery built into the mail path, along with reputation-based systems at the firewall. But there's a simpler step, too: check your own computer.
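The boundary policy Firstbrook and Hypponen describe, as an added example that is not part of the original article and not any vendor's code: a small simulation of an MTA that decides at the SMTP envelope stage, before DATA, whether to accept a delivery at all. A client is refused if it is on a blocklist or has already delivered a dozen spam messages, and because the refusal happens before the body is transferred, the image payload never reaches the server. The IP addresses, sender names, message sizes and the static blocklist are all constructed for the example (the documentation ranges 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 stand in for real hosts), and the `is_spam` flag stands in for a content filter's verdict.

```python
"""Reputation-based rejection at the SMTP boundary, simulated offline.

The MTA decides at the envelope stage (connection / MAIL FROM), before DATA,
whether to accept a message at all. Refusing there means the image payload is
never transferred, which is what saves MTA CPU and bandwidth.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Tuple


@dataclass
class Envelope:
    """One inbound delivery attempt as the MTA sees it before DATA.

    `is_spam` stands in for the content filter's verdict; a real MTA only
    learns it after accepting DATA and scanning the body.
    """
    client_ip: str
    mail_from: str
    size: int        # bytes that would cross the wire if DATA were accepted
    is_spam: bool


@dataclass
class BoundaryFilter:
    # "a dozen letters from a known spammer" -> stop accepting from that IP
    threshold: int = 12
    # stand-in for a DNS blocklist answer; constructed for this example
    blocklist: set = field(default_factory=set)
    # per-client-IP count of messages the content filter flagged as spam
    spam_seen: dict = field(default_factory=lambda: defaultdict(int))
    bytes_accepted: int = 0
    bytes_refused: int = 0

    def is_blocked(self, ip: str) -> bool:
        return ip in self.blocklist or self.spam_seen[ip] >= self.threshold

    def handle(self, env: Envelope) -> Tuple[int, str]:
        """Return the SMTP reply code and text for the envelope stage.

        Blocked clients get a 5xx before DATA, so env.size bytes never arrive.
        Everyone else is accepted, scanned, and has their IP reputation updated.
        """
        if self.is_blocked(env.client_ip):
            self.bytes_refused += env.size
            return 554, f"5.7.1 Service unavailable; client {env.client_ip} blocked by reputation"
        self.bytes_accepted += env.size
        if env.is_spam:
            self.spam_seen[env.client_ip] += 1
        return 250, "2.0.0 Ok: queued"


def run_simulation() -> dict:
    """Feed a constructed traffic mix through the filter and report what it did."""
    IMAGE_SPAM = 40 * 1024   # constructed: image spam runs to tens of KB
    TEXT_MAIL = 4 * 1024     # constructed: a typical legitimate text message
    traffic = (
        # a host already on the blocklist: refused from the first attempt
        [Envelope("203.0.113.7", "deals@example.net", IMAGE_SPAM, True)] * 3
        # an unlisted bot: accepted until it has sent `threshold` spam messages
        + [Envelope("192.0.2.10", "promo@example.com", IMAGE_SPAM, True)] * 20
        # a legitimate correspondent: always accepted
        + [Envelope("198.51.100.5", "alice@example.org", TEXT_MAIL, False)] * 5
    )
    mta = BoundaryFilter(blocklist={"203.0.113.7"})
    replies = [mta.handle(env) for env in traffic]
    return {
        "accepted": sum(1 for code, _ in replies if code == 250),
        "refused": sum(1 for code, _ in replies if code == 554),
        "bytes_accepted": mta.bytes_accepted,
        "bytes_refused": mta.bytes_refused,
        "blocked_ips": sorted({e.client_ip for e in traffic if mta.is_blocked(e.client_ip)}),
    }


if __name__ == "__main__":
    print(run_simulation())
```

In the constructed run the listed host is refused outright, the unlisted bot gets twelve messages through before its own verdicts shut it out, and the legitimate sender is never touched; nearly half the image bytes never cross the wire. In a real Postfix deployment the equivalent of the `blocklist` check is `reject_rbl_client` in `smtpd_client_restrictions`, which consults a DNS blocklist and issues its 5xx before DATA. The simple per-IP counter is deliberately crude: a shared NAT or a legitimate relay that forwards one infected user's mail would be cut off too, so production reputation systems add decay, whitelists and per-domain scoring.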

"Eighty to 90 percent of spam comes from bot-infected computers, and almost all North American spam comes from bots. There are more than 200,000 new bots every week. As a community, we're all less safe because of those people," said Firstbrook.

"Those people" are regular users, most likely home users, whose computers are infected without their knowing it, because they aren't running any form of security software or malware detection.

Firstbrook said ISPs are in a position to know who is infected because they can see the traffic patterns, and they should warn customers, if not shut them off outright.

AOL originally sold McAfee VirusScan but found it was more economical to give it away to its customers. "They got fewer helpdesk calls and saw less bandwidth use," he continued. "Other ISPs need to follow this example and help their customers be more secure."
