I had a discussion with Vircom's CEO about the problems the e-mail security vendor is encountering with spam that contains only an image of an advertisement or other message with little or no meaningful text. (A typical image-based spam message consists of just a single image that contains an advertisement, or a single image with nonsensical text designed to fool spam-filtering systems.) Here's what Vircom is finding:
* About 7% of spam today is image-based spam, up from 3% in 2003.
* The majority of image-based spam comes from zombie networks. Vircom is finding that 85% of such spam is generated by these networks and that the traffic tends to be very spiky. At the time of our discussion, Vircom was finding very little image-based spam, but peaks can increase the amount the company finds dramatically, by 100 times in some cases.
* Image-based spam generators scramble their content to make detection more difficult. Vircom is seeing fonts and colors change frequently in an attempt to avoid detection by signature-based filtering tools. In 2005, 51% of image-based spam was scrambled vs. 77% today.
* To a greater extent than conventional spam, image-based spam tends to be campaign-oriented, implying that relatively few people have control of the zombie networks that distribute most of this stuff. For example, a typical campaign for an image-based spammer might advertise some sort of stock deal, followed by a major campaign for medication, etc.
Vircom's approach to blocking image-based spam is to detect image similarities instead of using pattern matching or spam signatures. The company has found that it can block about 98.5% of image-based spam with a false positive ratio of under 0.1%.
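
The contrast between signature matching and similarity matching can be seen in a small added example (not Vircom's method, which the discussion did not detail). It uses a difference hash as a stand-in similarity measure; the images, the `scramble` step, and the 10-bit threshold are constructed assumptions.

```python
import hashlib
import random

CELL, COLS, ROWS = 8, 9, 8  # 72x64 pixels -> 9x8 grid of 8x8 cells
MATCH_MAX_BITS = 10         # assumed threshold out of 64 hash bits

def make_image(kx, ky):
    """Constructed grayscale 'advertisement': block layout set by (kx, ky)."""
    return [[20 + 20 * ((kx * (x // CELL) + ky * (y // CELL)) % 11)
             for x in range(COLS * CELL)] for y in range(ROWS * CELL)]

def scramble(img, seed):
    """Stand-in for per-message scrambling: brightness shift plus jitter."""
    rng = random.Random(seed)
    return [[min(255, max(0, p + 10 + rng.randint(-12, 12))) for p in row]
            for row in img]

def sha256_sig(img):
    """Exact-match signature over the raw pixel bytes."""
    return hashlib.sha256(bytes(p for row in img for p in row)).hexdigest()

def dhash(img):
    """64-bit difference hash: one bit per cell, set when the cell's mean
    brightness exceeds that of its right-hand neighbour."""
    means = [[sum(img[cy * CELL + j][cx * CELL + i]
                  for j in range(CELL) for i in range(CELL)) / CELL ** 2
              for cx in range(COLS)] for cy in range(ROWS)]
    bits = 0
    for row in means:
        for left, right in zip(row, row[1:]):
            bits = (bits << 1) | int(left > right)
    return bits

def hamming(a, b):
    """Number of differing bits between two hashes."""
    return bin(a ^ b).count("1")

def same_campaign(img_a, img_b):
    return hamming(dhash(img_a), dhash(img_b)) <= MATCH_MAX_BITS

known_spam = make_image(4, 2)           # image already classified as spam
variant = scramble(known_spam, seed=1)  # same campaign, re-scrambled
unrelated = make_image(7, 5)            # different layout

if __name__ == "__main__":
    print("exact signature matches:", sha256_sig(known_spam) == sha256_sig(variant))
    print("variant distance:", hamming(dhash(known_spam), dhash(variant)))
    print("unrelated distance:", hamming(dhash(known_spam), dhash(unrelated)))
```

Real mail would first need the attachment decoded to pixels; the block skips that step and works on pixel grids directly.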