The newest e-mail irritation is less threatening, thanks to URLs that can't be spoofed … but it can still clog your systems

Many people have heard of image spam as a new type of spam that's hard to stop. It consists of an e-mail in which the "payload," or actual advertising content, is an image file rather than the usual text. Generally, these show up as a BMP, GIF or JPG file. There may be no text at all in the e-mail, or it may be text carefully crafted to resemble a legitimate message with no mention of product names, no clickable URL, and no pricing. This makes filtering these e-mails by looking for specific words very difficult.

(See related story, IBM ISS goes fishing for phishers, for information on anti-phishing appliances.)

Some anti-spam solutions have gone so far as to add OCR (optical character recognition), enabling them to scan images for the specific words or URLs that might indicate spam. The spammers have responded by making the images much harder for OCR software to read, with random patterns and backgrounds. Image 1 shows a first-generation image, and image 2 shows a second-generation image intentionally designed to defeat OCR technologies.

Because an image cannot contain a clickable link and the e-mail cannot have a separate link without betraying its spam identity to the filter, image spam is generally not as dangerous as phishing e-mails with links that spoof legitimate URLs. With image spam, the user has to read the link in the message and type it into a browser themselves (see image 3 for an example). This means that the URL cannot be spoofed, as in the case of a clickable link that shows one URL and then takes a user to an entirely different URL.

Image spam is used primarily to sell diet pills, enhancement drugs, and other nostrums, as well as "pump and dump" stock schemes — although anyone who would take a stock tip from a blurry image in a spam e-mail shouldn't be allowed to trade in the stock market.

The more serious threat in the corporate world is the fact that image spam messages are often much larger (20KB to 150KB) than typical e-mails (usually 1KB or 2KB). If your e-mail archiving solution causes you to store all these messages, they can dramatically increase your storage requirements.

So what's the best way to fight image spam? Rather than relying on OCR as a method of finding and blocking these messages, look for a solution with a stateful reputation filter that finds new spam senders quickly and then blocks the source IP addresses. That will help decrease not only image spam, but the standard type as well.
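
The traits described above (a BMP, GIF or JPG payload, little or no text, no clickable URL, and a size well above a typical text e-mail) can be checked from the MIME structure alone, without OCR. The following Python is an added example, not part of the original article; the thresholds, function names and sample messages are assumptions, and a match only marks a message as a candidate for a reputation check or quarantine, since a legitimate photo attachment has the same shape.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

IMAGE_TYPES = {"image/bmp", "image/gif", "image/jpeg"}  # formats named in the article
URL_RE = re.compile(r"(?i)\b(?:https?://|www\.)\S+")
# Assumed thresholds: 20KB is the article's lower bound for image spam size;
# the text limit is an arbitrary illustration value.
MIN_IMAGE_BYTES = 20 * 1024
MAX_TEXT_CHARS = 400

def profile(raw: bytes) -> dict:
    """Summarise the structural traits the article attributes to image spam."""
    msg = message_from_bytes(raw, policy=policy.default)
    image_bytes, text = 0, []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype in IMAGE_TYPES:
            # Decoded size, i.e. what the image costs before base64 overhead.
            image_bytes += len(part.get_payload(decode=True) or b"")
        elif ctype in ("text/plain", "text/html"):
            text.append(part.get_content())
    body = " ".join(text)
    return {
        "size": len(raw),                     # bytes an archive would store
        "image_bytes": image_bytes,
        "text_chars": len(body.strip()),
        "has_url": bool(URL_RE.search(body)),
    }

def is_image_spam_candidate(raw: bytes) -> bool:
    """Large image payload, short text, no link in the text parts."""
    p = profile(raw)
    return (p["image_bytes"] >= MIN_IMAGE_BYTES
            and p["text_chars"] <= MAX_TEXT_CHARS
            and not p["has_url"])

def build_sample(text: str, image_len: int = 0) -> bytes:
    """Constructed sample message; the image bytes are filler, not a real GIF."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.com", "b@example.com", "hello"
    m.set_content(text)
    if image_len:
        m.add_attachment(b"\x00" * image_len, maintype="image",
                         subtype="gif", filename="x.gif")
    return m.as_bytes()
```

The `size` field is the on-the-wire message size, which is the figure that matters for the archiving cost the article raises.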