Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

Image SPAM (Played out)

I know that most of you are tired of hearing about Image SPAM. It seems like a new article is written ever day or so:
http://news.google.com/news?hl=en&ned=us&q=image+spam

I'm curious. I have to give a short presentation to some management in IS, and would like to know what others are seeing and what you're doing to combat it. While the articles seem to indicate that it is growing, it seems to have dropped off (at least for me) in the past couple of weeks. Anyone have any idea what some of the AntiSPAM companies are doing to be able to claim that they're blocking it? I think that Senderbase is what is blocking most of ours, but I'm not completely sure of that. To be honest, I haven't had much time to really dig into it lately.

14 REPLIES
New Member

Re: Image SPAM (Played out)

At the last peak of image spam a few weeks back we were getting about 5-10 per minute. Now it is much quieter - HOWEVER there is much more variety, it only took a few days and now there are viagara, watch, mp3 player image spams plus other types of stock dumping. They seem to rely on the end user typing in the URL into a browser.

We tried the Ironport message filter, but as there were so many it was not really helpful due to false positives (eg background pictures in emails or signatures).

Brightmail really struggled with it - well I'm not sure how much actual struggling but certainly it wasn't very effective.

We've been trialing Ironport AS and it was pretty effective against the image spams. It also seemed to be on par with Brightmail.

I've seen some vendors offering OCR type anti-image spam solutions.

Political parties/"terrorist groups" will certainly like image spam.

New Member

Re: Image SPAM (Played out)

We also noticed a sharp drop in image spam. Our security office found a byte pattern common to all the image spam we were seeing that didn't seem to appear in any legitimate mail, and they were able to watch it in their IDS. That's how we noticed that we were getting much less of it inbound to us. Now it's back again, but Brightmail seems to be dealing with it this time because it's not getting into our mailboxes. We sent the pattern we found to IronPort's anti-spam team, so maybe they passed it along to Brightmail.

Regarding using OCR to catch image spam, that will be trivial to thwart via simple optical distortions of the image.

Re: Image SPAM (Played out)

Funnily enough, our IPAS customers are taking a lot less flak over image spam than our BrightMail customers in this territory, where the efficacy of BrightMail across all platforms seems to have gone tits up. I've run the image spam filter on a few sites too, but with the glut of image content in evil HTML mail, ended up with too many false postives. While it seems primitive, a fair chunk of people run their mail systems in an "inclusive" fashion, i.e. if they don't know who you are, forget attachments period. Trusted senders only are permitted to send controlled attachments.

New Member

Re: Image SPAM (Played out)

I am starting to here it from management regarding the image based SPAM.

I have SBRS setup to allow 1 messages per hour from SRBS -0.1 to -1.0 and I throwaway everything below -1.1 and still it we get dozens of messgaes through to each user a day.

How does Ironport AS rate versus BM for SPAM overall and specifically for Image Based SPAM?

-Matt

New Member

Re: Image SPAM (Played out)

In a fairly brief period we found that IPAS was similar in effectiveness to BM for spam in general, but appears more effective against image spam (BM appears to rely on the open proxy list a lot for that).

BM appeared more effective in blocking double bounced spam messages (another user annoyance).

Saying that, I don't know how technically IPAS detects image spam. Maybe an Ironport person can tells us.

It's pretty much impossible to rate them definitively as both systems update their filters many times a day - so they can have good and bad days.

New Member

Re: Image SPAM (Played out)

If it was possible to configure the Ironport to copy all messges to a single recipient and rewrite the destination address of the copied address and then send the original to BM and the copy to IPAS and send it to a different internal mailbox, I could tell how effective it was or wasnt.

Is this possible?

If so, I could get a 30-day IPAS key to do a real compare.

This is the kind of info we need so that we decide if we want to change from BM to IPAS.

As I stated in the previous post, my SBRS strategy is pretty aggressive, so I would like to see how such a comparison would work with the stuff that is getting past the SBRS, namely this image SPAM crap.


-Matt

New Member

Quarantining Image Spam

I've seen a big increase in the amount of image spam, I spoke with Ironport support and they had me use the following filter:

stock_spam:
if ((recv-listener == "IncomingMail") AND (body-size < 63488) AND
(attachment-filetype == "gif") AND (attachment-size < 61440) AND
(body-contains("(?i)cid:[0-9a-zA-Z]")))
{
quarantine ("Policy");
}

which is working however, it caught me offguard last night when it said my Policy que was 60% full --needless to say I had alot of deleting to do.

I need to have the ability to quarantine these messages because I had someone ask for a message yesterday --luckily I hadn't deleted it yet. Does anyone now how to send messages to the quarantine server I tried it using the following

route2quart: if mail-from == "mickey@mouse.com" {
alt-mailhost ("[10.95.196.253]");
}

this failed so I also tried adding the port as well, that didnt work either. Ironport support suggested creating a route but that hasn't worked either.

Just curious if someone has done this already.

New Member

Re: Image SPAM (Played out)

You should be able to enter an SMTPROUTE to your quarantine.

Example:
q.companyname.com 192.168.1.10:41025

Then do your alt-mailhost to q.companyname.com

Make sense?

Re: Quarantining Image Spam

I've seen a big increase in the amount of image spam, I spoke with Ironport support and they had me use the following filter:

stock_spam:
if ((recv-listener == "IncomingMail") AND (body-size < 63488) AND
(attachment-filetype == "gif") AND (attachment-size < 61440) AND
(body-contains("(?i)cid:[0-9a-zA-Z]")))
{
quarantine ("Policy");
}


That filter will catch a lot of image spam. Unfortunately, it will also catch a lot of legitimate messages, too. Within two minutes of enabling that filter on our system, it had quarantined 8 messages, but 2 of them were from vendors we work with regularly. Seems to be quite a few legitimate applications that generate messages containing inline graphic attachments, and this filter will stop all of them.

I've noticed that Outlook with Word as the editor will generate messages with inline graphic attachments, so anyone who uses this and includes a logo in their signature will run into this. Just FYI. I've seen messages from Microsoft support people get caught by these types of filters. Not good for business, so we just have to put up with the spam until we can find a better way to filter it out, but this isn't the solution.

New Member

Re: Quarantining Image Spam


stock_spam:
if ((recv-listener == "IncomingMail") AND (body-size < 63488) AND
(attachment-filetype == "gif") AND (attachment-size < 61440) AND
(body-contains("(?i)cid:[0-9a-zA-Z]")))
{
quarantine ("Policy");
}


I also use this stock_spam filter but I have also added a line that checks for the SBRS score, if it is below 0 then I quarentine if not it passes. This has all but eliminated the false positives and catches a good chunk of the image SPAM.

New Member

Re: Quarantining Image Spam


stock_spam:
if ((recv-listener == "IncomingMail") AND (body-size < 63488) AND
(attachment-filetype == "gif") AND (attachment-size < 61440) AND
(body-contains("(?i)cid:[0-9a-zA-Z]")))
{
quarantine ("Policy");
}


I also use this stock_spam filter but I have also added a line that checks for the SBRS score, if it is below 0 then I quarentine if not it passes. This has all but eliminated the false positives and catches a good chunk of the image SPAM.


Any chance of posting your filter?

Thanks.

Re: Quarantining Image Spam


stock_spam:
if ((recv-listener == "IncomingMail") AND (body-size < 63488) AND
(attachment-filetype == "gif") AND (attachment-size < 61440) AND
(body-contains("(?i)cid:[0-9a-zA-Z]")))
{
quarantine ("Policy");
}


I also use this stock_spam filter but I have also added a line that checks for the SBRS score, if it is below 0 then I quarentine if not it passes. This has all but eliminated the false positives and catches a good chunk of the image SPAM.


Any chance of posting your filter?

Thanks.


here it is


stock_spam:
if (((((recv-listener == "IncomingMail") AND
(reputation < 0.0)) AND
(body-size < 63488)) AND
(attachment-filetype == "gif")) AND
(attachment-size < 61440)) AND
(body-contains("(?i)cid:[0-9a-zA-Z]"))
{
quarantine ("Stock");
}

New Member

Re: Quarantining Image Spam


stock_spam:
if ((recv-listener == "IncomingMail") AND (body-size < 63488) AND
(attachment-filetype == "gif") AND (attachment-size < 61440) AND
(body-contains("(?i)cid:[0-9a-zA-Z]")))
{
quarantine ("Policy");
}


I also use this stock_spam filter but I have also added a line that checks for the SBRS score, if it is below 0 then I quarentine if not it passes. This has all but eliminated the false positives and catches a good chunk of the image SPAM.


Any chance of posting your filter?

Thanks.


here it is


stock_spam:
if (((((recv-listener == "IncomingMail") AND
(reputation < 0.0)) AND
(body-size < 63488)) AND
(attachment-filetype == "gif")) AND
(attachment-size < 61440)) AND
(body-contains("(?i)cid:[0-9a-zA-Z]"))
{
quarantine ("Stock");
}


Great - thanks.

New Member

imagespam

Like everyone else we have seen an increase of imagespam email.

Although IRP's are our primary line of defense we also use MailMarshal as a 2nd filter both for Spam and AV (via Mcafee)

The beauty is that MM uses different Antispam techniques with a more versatile filter policy. As such it only took a minute to deploy an accurate filter to stop spam that was getting through the IRP.

IRP (using IPAS) is excellent and the best purchase i've made in the past couple of years, but i believe that no 1 product is good at everything. Using MM (cheap) we greatly enhance our security and detection rates for Spam and AV

Rates: > 180M email p/m less than 2% legit
some still gets through IRP
some caught by MM (McAfee is better at stopping phishing)

250
Views
0
Helpful
14
Replies