Archive for 2006

View All Spam

Image Spam again hits new highs

By Anonymous  •  December 19th, 2006  •   Spam

This week the proportion of image spam arriving at our spam honeypots reached a new high of 48.9%. In fact, it was so high that it went off the scale on our image spam gauge. Almost every other spam message is now image spam. The phenomenon continues to cause headaches for ISPs and email administrators everywhere, and the rise suggests that image spam techniques are still succeeding in getting spammers' messages through anti-spam filters.

While many anti-spam vendors are scrambling for new technology to combat this threat, the MailMarshal SpamCensor is maintaining a very respectable detection rate of 99.7% against image spam, averaged over the last two months. Why the good result? The reason is that the SpamCensor looks for many different patterns or spam ‘traits’ – most of which have nothing to do with the attached image. In fact, to the SpamCensor, the image itself is almost irrelevant.

ORDB.org to shut down

By Anonymous  •  December 19th, 2006  •   Spam

Open Relay Blacklist provider ORDB has announced it is shutting down.

Its website states:

"We regret to inform you that ORDB.org, at the ripe age of five and a half, is shutting down. It's been a case of a long goodbye as very little work has gone into maintaining ORDB for a while. Our volunteer staff has been pre-occupied with other aspects of their lives. In addition, the general consensus within the team is that open relay RBLs are no longer the most effective way of preventing spam from entering your network as spammers have changed tactics in recent years, as have the anti-spam community.

We encourage system owners to remove ORDB checks from their mailers immediately and start investigating alternative methods of spam filtering. We recommend a combination involving greylisting and content-based analysis (such as the dspam project, bmf or Spam Assassin).

DNS and the mailing lists will vanish today, December 18, 2006."

MailMarshal customers are advised to disable any ORDB checks by deleting the ORDB listing in Server Array Properties | Host Validation tab.

More information: http://ordb.org/news/?id=38
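A DNSBL that has shut down is not merely useless: while the zone answers nothing, every lookup silently fails open, and if the domain later lapses and is re-registered with a wildcard record, every lookup matches and all inbound mail is rejected. The following Python is an added example, not code from the original post, ORDB or Marshal. It applies the test-entry convention from RFC 5782 (127.0.0.2 must be listed, 127.0.0.1 must not) to classify a zone before it is kept in a mailer's reject list. `relays.ordb.org` is ORDB's real zone name; `bl.example.net` and `dead.example.org` are hypothetical, and the resolver is injected so the example runs offline against constructed answers.

```python
"""Classify a DNSBL zone's health from the RFC 5782 test entries.

Added example (not from the Marshal TRACE post or from ORDB). The
resolver is passed in as a function so the code runs offline against
constructed answers; live_resolve() shows the real equivalent.
"""
import socket

def dnsbl_query_name(ip, zone):
    """Build the reversed-octet lookup name, e.g. 2.0.0.127.relays.ordb.org."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError("IPv4 address expected: %r" % ip)
    return ".".join(reversed(octets)) + "." + zone.rstrip(".")

def zone_health(zone, resolve):
    """Return 'healthy', 'dead', 'wildcard' or 'inverted' for a DNSBL zone.

    resolve(name) must return a list of A-record strings, or [] when the
    name does not exist. Any A record counts as 'listed', whatever the
    127.0.0.x return code the list uses.
    """
    listed_test = bool(resolve(dnsbl_query_name("127.0.0.2", zone)))
    listed_loop = bool(resolve(dnsbl_query_name("127.0.0.1", zone)))
    if listed_test and not listed_loop:
        return "healthy"
    if not listed_test and not listed_loop:
        return "dead"        # fail-open: no lookup ever matches, the check does nothing
    if listed_test and listed_loop:
        return "wildcard"    # fail-closed: every client IP matches, remove immediately
    return "inverted"        # 127.0.0.1 listed but 127.0.0.2 not: misconfigured zone

def live_resolve(name):
    """Real resolver for production use (not exercised here)."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except (socket.gaierror, socket.herror):
        return []

# Constructed answers standing in for DNS. Zone names other than
# relays.ordb.org are hypothetical.
CONSTRUCTED_ANSWERS = {
    # a working list: test entry present, loopback absent
    "2.0.0.127.bl.example.net": ["127.0.0.2"],
    # a lapsed zone re-registered with a wildcard A record
    "2.0.0.127.dead.example.org": ["203.0.113.5"],
    "1.0.0.127.dead.example.org": ["203.0.113.5"],
    # relays.ordb.org: no entries at all, as after the shutdown
}

def fake_resolve(name):
    return CONSTRUCTED_ANSWERS.get(name, [])

def audit(zones, resolve=fake_resolve):
    """Map each configured DNSBL zone to its health classification."""
    return {zone: zone_health(zone, resolve) for zone in zones}

if __name__ == "__main__":
    for zone, state in audit(["bl.example.net", "relays.ordb.org", "dead.example.org"]).items():
        print("%-20s %s" % (zone, state))
```

Run this against every zone in the mailer's reject list periodically; a 'dead' result means the check should be removed, and a 'wildcard' result means it must be removed before the next delivery attempt.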

Record volumes of Christmas spam

By Anonymous  •  December 1st, 2006  •   Spam

In early November, the spammers started to send Christmas spam in earnest. A Christmas-related spike is nothing new: an increase in overall spam volume in the run-up to Christmas is a yearly phenomenon. What is different this year is the sheer scale of the problem. By the end of November the volume of Christmas spam had grown enormously, to the point where it accounted for nearly 10% of all spam traffic. The spammers are flogging the usual assortment of meds, Rolex watches, toys and handbags, touting them as ideal gifts for Christmas. The net result is a huge resurgence in Rolex watch spam, a type which had become much less commonplace in recent times.

Looking at the overall picture, spam volumes as a whole have risen to record levels in the final few months of 2006. The initial rise in October was related to a high level of virus activity, and in particular the Stration worm. Couple this with the traditional spike before Christmas, and we are now faced with spam volumes which are nearly triple what they were several months back.

Spammers go to Extremes with Image Spam

By Anonymous  •  December 1st, 2006  •   Spam

The image spam phenomenon shows no sign of stopping. Spam is at record highs and image spam makes up about one-third of it.

The TRACE team sees image spam morphing almost daily. In their quest to bypass anti-spam filters, spammers have taken their ‘art’ to extremes. What is obvious now is that the spammers are deliberately attempting to fool OCR (Optical Character Recognition) – technology that aims to scan images to extract text.

Some examples use highly coloured and patterned backgrounds, uneven letters, and randomly inserted pixels around the border. Each image is unique and hard for any OCR software to read.

Another trick is the use of animated GIFs. These are created by combining multiple GIF images in one file which, when displayed one after another, give the appearance of movement. Below are two frames from an animated GIF spam. The first frame is random noise, designed to make each image unique and to fool OCR technologies. The second frame is the actual spam message.

Another animated GIF example gets around the need to provide a clickable URL in the message body. Instead the URL is rendered inside the image. The animation draws attention to the URL, and the user must type it into a browser manually. The aim here is to evade filters that rely on URL blacklists.
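The two-frame trick above (a noise frame shown briefly, then the message held on screen) has a cheap structural signature that does not require OCR at all: the GIF's frame count and the per-frame delays recorded in its Graphic Control Extensions. The Python below is an added example, not code from the original post or from Marshal. It walks the GIF block structure with the standard library only and derives two traits from it; the sample GIFs are constructed by hand from the minimal valid 1x1 form, and the 0.5-second threshold used for the "decoy first frame" trait is an assumption, not a figure from the post.

```python
"""Count frames and delays in a GIF without decoding pixels.

Added example (not from the Marshal TRACE post). Stdlib only. The
sample GIFs below are constructed in this file; the frame-timing
threshold in image_spam_traits() is an assumed heuristic.
"""
import struct

def _skip_sub_blocks(data, pos):
    """Skip length-prefixed sub-blocks; return the offset after the 0x00 terminator."""
    while True:
        n = data[pos]
        pos += 1
        if n == 0:
            return pos
        pos += n

def gif_frames(data):
    """Return [(delay_centiseconds, width, height), ...] for each image frame."""
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF")
    _width, _height, packed = struct.unpack_from("<HHB", data, 6)
    pos = 13
    if packed & 0x80:                         # global colour table: 3 bytes per entry
        pos += 3 * (2 << (packed & 0x07))
    frames = []
    pending_delay = 0
    while pos < len(data):
        block = data[pos]
        pos += 1
        if block == 0x3B:                     # trailer
            break
        if block == 0x21:                     # extension block
            label = data[pos]
            pos += 1
            if label == 0xF9:                 # Graphic Control Extension: size, packed, delay(2), transparent
                pending_delay = struct.unpack_from("<H", data, pos + 2)[0]
            pos = _skip_sub_blocks(data, pos)
        elif block == 0x2C:                   # image descriptor: left, top, width, height, packed
            fw, fh, fpacked = struct.unpack_from("<HHB", data, pos + 4)
            pos += 9
            if fpacked & 0x80:                # local colour table
                pos += 3 * (2 << (fpacked & 0x07))
            pos += 1                          # LZW minimum code size
            pos = _skip_sub_blocks(data, pos) # compressed image data
            frames.append((pending_delay, fw, fh))
            pending_delay = 0
        else:
            raise ValueError("unexpected block 0x%02x at offset %d" % (block, pos - 1))
    return frames

def image_spam_traits(data):
    """Structural traits of the kind a trait-based filter can score."""
    frames = gif_frames(data)
    traits = []
    if len(frames) > 1:
        traits.append("animated:%d frames" % len(frames))
    # Assumed heuristic: first frame flashed for under 0.5 s, some later frame held
    # for at least 0.5 s, i.e. a decoy frame followed by the real payload.
    if frames and frames[0][0] < 50 <= max(delay for delay, _, _ in frames):
        traits.append("decoy-first-frame")
    return traits

# --- constructed sample GIFs (1x1 pixel, two-entry palette) ---
def _frame(delay_cs):
    gce = b"\x21\xF9\x04\x00" + struct.pack("<H", delay_cs) + b"\x00\x00"
    img = b"\x2C" + struct.pack("<HHHHB", 0, 0, 1, 1, 0) + b"\x02\x02\x44\x01\x00"
    return gce + img

HEADER = b"GIF89a" + struct.pack("<HHBBB", 1, 1, 0x80, 0, 0) + b"\x00\x00\x00\xFF\xFF\xFF"
NETSCAPE_LOOP = b"\x21\xFF\x0BNETSCAPE2.0\x03\x01\x00\x00\x00"

STATIC_GIF = HEADER + _frame(0) + b"\x3B"
ANIMATED_SPAM_GIF = HEADER + NETSCAPE_LOOP + _frame(10) + _frame(500) + b"\x3B"

if __name__ == "__main__":
    print("static  :", image_spam_traits(STATIC_GIF))
    print("animated:", image_spam_traits(ANIMATED_SPAM_GIF))
```

A filter that hands only the first frame to OCR sees the decoy; one that records frame timing as a trait sees the pattern regardless of what is drawn in the frames, which is the point of scoring traits rather than image content.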

The irony about it all is that the more extreme the spammers make their images, the more difficult it becomes for people to read. Early examples of image spam looked almost professional. Now, it’s a real stretch to take them seriously. What these examples do show is the inventiveness and technical prowess of the spammers in attempting to evade anti-spam filters.

Spam Increase Continues Unabated

By Anonymous  •  November 14th, 2006  •   Spam

The increase in spam observed by the TRACE team recently shows no sign of abating. To understand just how significant this increase is, have a look at Marshal Spam Volume Index (SVI) below. The SVI is a measure of the overall volume of spam sent to a representative sample of the honeypot domains that we monitor. The spam volume on 9 July was set to 1000, and the SVI index measures changes over time relative to this benchmark. As you can see in the chart below, since mid-October the volume of spam sent to these domains has more than doubled.

[Chart: Marshal Spam Volume Index (SVI), 9 July 2006 = 1000]

Image spam has contributed significantly to this increase. As a proportion, it now represents 38% of all spam, a record high (see our image spam chart). As we have reported previously, this double hit (more spam, and larger spam) has caused problems for some ISPs in coping with the extra load. Image spam, with its built-in randomisation, has also been a challenge for some anti-spam vendors.

Despite the challenges, MailMarshal has performed very well against the recent spam onslaught, including image spam. Since 1 October, the MailMarshal SpamCensor alone (using no other anti-spam tools) has averaged 98.6% detection for all spam and an even better 99.0% for image spam.

Stration Worm behind Spam Increase

By Anonymous  •  November 8th, 2006  •   Spam

More evidence has come to light that points to the Stration (aka Warezov) worm being behind the large increase in spam we have seen over the last month.

Initial research into the worm could not pinpoint the payload. When the email attachment was executed, it contacted a domain, located a remote server, and downloaded the worm. The Stration worm then replicated by harvesting email addresses from the compromised system.

However, later research by iDefense shows that six hours after installation, the Stration worm also contacts a second domain, downloads a spamming Trojan, and then begins to send volumes of spam – a spam zombie.

Evidence links the rise in spam to infected zombies. According to a report from SANS, the large increase in spam over the last few weeks mirrors the rise in the number of 'Source IPs', addresses likely to be spam zombies. Further data from TQM3 shows a similar trend: a rise in spam from zombies.

The Stration worm has been particularly successful in evading the traditional anti-virus technologies with its self-varying nature. It highlights the clear links between malware authors and spam – beating one also means beating the other.

Surge in Spam Volume

By Anonymous  •  November 2nd, 2006  •   Spam

In the past few weeks the TRACE Team has observed a significant increase in the volume of spam. In October, the volume of spam to our honeypot domains increased by 30% on average. A key driver has been an increase in the proportion of image spam, which rose from its usual 20% in previous months to over 30% in October.

There is no one particular source of the spam. Rather, the evidence points to many sources, including sources not seen previously, all suggestive of an increase in spam botnet activity.

An increase in volume like this is of concern for two reasons. Firstly, increased spam volume places increased demand on mail delivery systems and bandwidth – a three-fold effect in the case of image spam spikes as we described a few weeks ago. There have been reports of ISPs struggling with the extra load. Secondly, increased botnet activity suggests some success by malware authors in extending their botnets and evading detection.

Spamhaus Update

By Anonymous  •  October 30th, 2006  •   Spam

Good news for users of Spamhaus. The proposed US court order against Spamhaus, which sought to have its domain name suspended, has been denied by US District Court Judge Charles Kocoras. In a court statement he said that the relief e360 sought was "too broad to be warranted in this case", and that suspending Spamhaus's service would have disproportionate effects.

The statement also said "The suspension would cut off all lawful online activities of Spamhaus via its existing domain name, not just those that are in contravention of this court's order." The judge continued: "While we will not condone or tolerate non-compliance with a valid order of this court, neither will we impose a sanction that does not correspond to the gravity of the offending conduct."

Although this is probably not the last we will hear of the issue, for the time being it is business as usual at Spamhaus.

Email Threats and Browsing

By Anonymous  •  October 20th, 2006  •   Spam

There is a type of email-borne threat where the email itself contains not much more than a hyperlink to a web site containing the malicious code.

The TRACE team recently came across an example which served to remind us of this continuing threat. The message encouraged the user to click a link to view a postcard from a ‘friend’. The link pointed to a backdoor Trojan by the name of Backdoor.IRC.Zapchast that duly installed itself on the user’s machine.

[Image: the 'postcard' email carrying the link to Backdoor.IRC.Zapchast]

This type of email threat represents a merging of traditional spam and virus activity. Such messages are typically spammed out with the intention of infecting machines to gain new bots for a spam botnet, or to steal personal information. In this case, the message was detected by MailMarshal's SpamCensor, and analysis reveals that it shares a lot in common with general spam, suggesting the same sets of mass email tools are used behind the scenes.

In this example, the user was required both to click the link and to download the file. Even more concerning are web sites hosting malicious code that exploits vulnerabilities in web browsers. Merely by following the link and viewing the site, the user could be at risk. Recently there has been a lot of focus on web browser vulnerabilities, both by security researchers and by the bad guys, prompting a flurry of patches from vendors. This activity has been driven by the increasing popularity of web applications and the relative ease with which people find holes in them.

All this means the risk of unsuspecting users being caught out by links in email is high. To help protect against this threat, enterprises should use good anti-spam, anti-virus and web-filtering software, keep their browsers patched and up to date, and discourage users from following links in any unsolicited email.

Legal Action against Spamhaus

By Anonymous  •  October 12th, 2006  •   Spam

A US District Court has issued a proposed order against Spamhaus ordering the Internet Corporation for Assigned Names and Numbers (ICANN) to suspend the domain name www.spamhaus.org. The action poses questions over the future availability of Spamhaus’s services. In a response, yesterday ICANN said it could not comply because it did not have the ability or authority to suspend specific domain names.

Based in the UK, Spamhaus is a non-profit anti-spam organization that maintains spammer blacklists. Its services are used by companies, ISPs and individuals all over the world to block spam.

The proposed order follows earlier legal action after a bulk emailer was blacklisted by Spamhaus. The lawsuit, filed by David Linhardt of e360 Insight, ended in a US$11.7m default judgment after Spamhaus declined to recognise US jurisdiction.

For Marshal customers currently using Spamhaus, please continue to use the service as normal. The outcome of this action against Spamhaus is not certain and it may be some time before a result is clear. We will post updates here as new details emerge. For more information, see the official Spamhaus response.