Image spam

Image spam is a big problem. It is a problem for our clients who rightly complain about the amount of image spam, mostly pump and dump scams, making it through.

And it's a big problem for GFI, specifically, me. Catching such spam is damn hard. We have MailEssentials installed, obviously, and the Bayesian filter catches a significant amount of this kind of spam.

The problem with image spam is that it's very hard to check for. We can just block all spam containing gif files. But clients would complain because of the false positives, and spammers can always use jpgs, of which I am seeing increasing numbers. As most people email photos in jpg format, blocking this format too is unthinkable.

OCR’ing the image is out of the question; CPU intensive and trivial to bypass.

Hashing the image is trivial to evade. Even fuzzy hashing algorithms can be evaded without too much trouble.

Etc, etc…

Due to the difficulties we couldn’t just release some half-baked solution to clients. It would be a pain to rev MailEssentials each time spammers change something in image spam.

For the record we are testing internally a couple of ideas; they are promising and keep false-positives low. We’ll try to have something public next week.

The last few months things were getting boring in the spam field (which is how we like it) but this pump ‘n dump epidemic is making things, er… interesting again.

Spam in all its forms

Blog spam is annoying. Methods for dealing with it? CAPTCHAs seem like a good way to do it. I saw a Bayesian plugin for WordPress, but depending on how it's implemented it will most probably need maintenance and training. Only one way to find out.

Regarding mail spam: a new form of spam has been hitting me and most people I know. The spammers have been reading up on their CSS to create what I’ve termed floating spam. Basically, the oh so clever spammers set certain tags in the email with display: float; so that while the source of the mail looks like a bunch of divs and spans with random single characters interspersed throughout, when rendered in a browser it will nicely spell viagra for you.

Traditional mail filters will be crap at detecting such spam. The only hope is a statistical filter - a Bayesian should do the trick. GFI’s current shipping version will struggle a bit, but I’m working on an update. I feel our clients’ pain and an update is winding its way through testing and QA. If you want to know when it's released, GFI ME12 only at the mo, then send me an email or leave a comment. Or subscribe to this blog ;)
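The markup pattern described in this post (single characters scattered across floated elements) can be turned into one extra token for a statistical filter to score. The sketch below is an added example, not GFI or MailEssentials code; it assumes inline style attributes only, and the function names, token name, thresholds and both sample messages are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Matches real float declarations and the literal "display: float" the post mentions.
FLOAT_RE = re.compile(r"float\s*:\s*(left|right)|display\s*:\s*float", re.I)
VOID = {"br", "img", "hr", "meta", "link", "input"}  # elements with no end tag

class FloatFragmentCounter(HTMLParser):
    """Counts text fragments, and those that are one character in a floated element."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.stack = []  # per open element: does its inline style float it?
        self.fragments = 0
        self.floated_single = 0

    def handle_starttag(self, tag, attrs):
        if tag not in VOID:
            style = dict(attrs).get("style") or ""
            self.stack.append(bool(FLOAT_RE.search(style)))

    def handle_endtag(self, tag):
        if tag not in VOID and self.stack:
            self.stack.pop()

    def handle_data(self, data):
        text = data.strip()
        if text:
            self.fragments += 1
            if len(text) == 1 and self.stack and self.stack[-1]:
                self.floated_single += 1

def float_features(html):
    parser = FloatFragmentCounter()
    parser.feed(html)
    parser.close()
    ratio = parser.floated_single / parser.fragments if parser.fragments else 0.0
    return {"fragments": parser.fragments,
            "floated_single": parser.floated_single, "ratio": round(ratio, 2)}

def filter_tokens(html, min_hits=4, min_ratio=0.5):
    """Extra token to hand to a Bayesian filter alongside the normal word tokens."""
    f = float_features(html)
    hit = f["floated_single"] >= min_hits and f["ratio"] >= min_ratio
    return ["html:floated-single-chars"] if hit else []

# Constructed samples: a body made of floated one-character spans, and a normal mail.
SPAM_SAMPLE = ("<div>" + "".join(f'<span style="float:right">{c}</span>' for c in "elpmas")
               + "<span>q</span></div>")
HAM_SAMPLE = ('<div><img src="cid:photo" style="float:left">'
              "<p>Here are the photos from the trip.</p><p>See you Monday, J</p></div>")
```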

One final “spammer” - MSN Messenger. My ‘lil sis wanted it installed to IM her friends. I had already set the default browser to Firefox (of course). So why does MSN insist on bringing IE up? No excuses - it's behaviour like this which keeps getting Microsoft in legal hot water. They don’t need the hassle and neither do I.