topic GIF based spam in Email Security

new spam types

tminchin_ironport — Mon, 30 Jan 2006 06:17:12 GMT

Hi - are other people seeing two new types of spam which are currently evading Brightmail?

The first is usually pushing stocks - it consists of a standard subject, a random haiku of words and a GIF image with a randomised filename. Despite getting heaps of these into our probe accounts Brightmail is yet to positively identify it as spam (although it is labelled as suspect). They are usually botnet spammed at about 1 message per IP per hour.

This one is quite scary in that all the info is contained in the GIF. I'm not sure whether there are any serious anti-spam filters that look inside GIF images. Luckily they weren't very smart and the GIF image appears to be identical - if they were smarter, they would use a JPEG and randomise the compression to make each message fully unique. IP reputation doesn't hinder it as they slow spam them with a large number of IPs - nor does DHAP prevention.

The second is usually watches or online pharmacy - the email is crafted to look like a reply or a forward from someone else "who" recommends the product in question. The words are usually spammily mispelt.

Re: new spam types

Donald Nash — Thu, 02 Feb 2006 04:05:31 GMT

The first is usually pushing stocks - it consists of a standard subject, a random haiku of words and a GIF image with a randomised filename.

I'm seeing lots of these, too. I'm quite disappointed that these are getting past Brightmail.

I've noticed that the GIF images look like faxes with the original inserted at an angle, so the text lines are all slanted slightly. I suppose this is an anti-OCR measure, but I don't know if anyone is actually trying to use OCR to detect spam images.

Re: new spam types

Corey_ironport — Thu, 02 Feb 2006 06:32:29 GMT

Yeah, we're seeing them too. Although, they seem to have slowed down for me. They were really bad in Nov/Dec of '05.

Re: new spam types

NtroP_ironport — Fri, 17 Feb 2006 09:08:45 GMT

I've not been happy with Brightmail's spam filtering, period. We run all mail that makes it past our IronPort Gateway through another box that runs it through SpamAssassin. Not only does this catch messages like those, but it also allows us to include secondary virus scanning with clamAV which identifies phishing attempts. Because SpamAssassin is not the "black box" that Brightmail is, we are able to tailor the filters to our needs and wind up blocking thousands of additional messages every day that aren't even flagged as "supected spam" by Brightmail.

Often the crap that makes it past Brightmail is suprising - but of course there is no way to tell what criteria it used to determine its spam score, so there's no way to "tweak" it.

Re: new spam types

Donald Nash — Fri, 17 Feb 2006 12:50:01 GMT

Often the crap that makes it past Brightmail is suprising - but of course there is no way to tell what criteria it used to determine its spam score, so there's no way to "tweak" it.

I have to defend Brightmail on this one. Keeping their rules secret is part of their defense. Spammers know how SpamAssassin works, and have been in a constant arms race against it since day one. And because spammers know how SA works, they can tailor their messages to play to its weaknesses. The fact that Bm's rules are secret means the spammers have a much harder time trying to game them.

Another point is that Bm is deliberately hands-off as a selling point: "We worry about tweaking the rules so you don't have to." That's one of the things that sold us on Bm in the first place: we don't have to devote nearly as much manpower to the spam wars. Essentially, we've outsourced that task to Bm. I just wish they'd pick up the slack a little.

Re: new spam types

NtroP_ironport — Sat, 18 Feb 2006 02:22:35 GMT

I can definitely understand their thinking on that, but you'd think they'd actually be better at blocking spam than Spamassassin then - this has not been my experience. I've found SA to have a much better track record of false-positives and a much better track record of catching spam - including phishing emails that have not been added to the clamAV signature database yet.

Of course, this is not with the "stock" SA configuration, I've sellected other addons from the community which allow it to more accurately reflect our environment. We catch a lot of those "gif" spams that the GP was complaining about in SA - they ALL made it through BM.

I agree that as a spammer, I'd rather be up against a system that I can see the rules so that I can learn to game them, but it would be nice if BM actually used their "closed" nature more to their advantage because SA seems to still come out way ahead. Although, to be fair it only has to work on messages that made it through BM. If SA was exposed to the entire load of spam - It's results may be entirely different.

I'm happy using both, as they give me the best of both worlds - heck, I'd throw a third one in there if I thought it would help ;-). Right now, if you disregard internal email, we average about 97% spam from the outside world - which we block - and I still get complaints from my users about "so much spam" :?

Re: new spam types

Donald Nash — Sat, 18 Feb 2006 03:01:22 GMT

I can definitely understand their thinking on that, but you'd think they'd actually be better at blocking spam than Spamassassin then

Brightmail also has their "one in a million" false positive promise to worry about. That makes the more conservative.

Re: new spam types

shannon.hagan — Sat, 18 Feb 2006 07:00:38 GMT

I can see about keeping the rules a secret; however, if they get a false positive and they refuse to adjust their rules or tell you what is causing the problem then I have an issue. We recently had an issue where official company mail got marked as suspect spam and many at the company thought it was an insult that it got marked as suspect spam. At first we were told a reason why that I could not bring to my management and eventually they did change the rule set; however, it wasn't easy convincing them that they needed to make a change.

Often the crap that makes it past Brightmail is suprising - but of course there is no way to tell what criteria it used to determine its spam score, so there's no way to "tweak" it.


I have to defend Brightmail on this one.  Keeping their rules secret is part of their defense. Spammers know how SpamAssassin works, and have been in a constant arms race against it since day one. And because spammers know how SA works, they can tailor their messages to play to its weaknesses. The fact that Bm's rules are secret means the spammers have a much harder time trying to game them.

Another point is that Bm is deliberately hands-off as a selling point: "We worry about tweaking the rules so you don't have to." That's one of the things that sold us on Bm in the first place: we don't have to devote nearly as much manpower to the spam wars. Essentially, we've outsourced that task to Bm. I just wish they'd pick up the slack a little.

Re: new spam types

Erich_ironport — Sat, 18 Feb 2006 10:34:46 GMT

We really haven't seen many false positive issues. In over two years I can still count them on one hand. I don't consider "suspect spam" to be a false positive, mainly because we don't use it very aggressively - almost not at all.

One of my concerns it the fact BM seems to be getting weaker at catching spam and slower at creating new rule sets. I mean the cycle time from when a new spam variant hits until they have new rules, seems over 5 days when it used to be under 2.

A second concern is every new BM engine upgrade really brings a lot more system load. I don't know exactly how much 6.0.2 added, but it noticeably lowered our overall through put. Now 6.0.3 clams to be adding 20% additional system load! This kind of lack of performance tuning on Symantec's part will drive us to spend the time to really compare IronPort's Anti-Spam engine. In two years with IronPorts in our environment the worst critical impact I've had to email delivery was directly due to a Brightmail definition which apparently did not get performance checked and caused a HUGE processing delay on all emails until they got the definition removed. (NOTE: This was back in May of 2004).

Overall I am still pleased with the Brightmail product, but the past 6 months my impression of it has gone down. And the idea of no tracking on missed spam or false positive submissions is just inexcusable.

Re: new spam types

MikeK_ironport — Mon, 20 Feb 2006 21:58:41 GMT

I totally agree with Erich. The performance of brightmail has steadily declined to a critical point.

In our environment we are looking at alternatives as well. We are very happy with Ironport, but the Antispam process is eating to much CPU... causing mail delays.

Re: new spam types

tminchin_ironport — Tue, 21 Feb 2006 11:00:57 GMT

Does CPU usage improve when Suspect Spam detection is turned off?

We don't have much throughput (about 6000/hour per C60) so our CPU is about 20% with 6.0.3

Re: new spam types

Donald Nash — Tue, 21 Feb 2006 23:23:33 GMT

Does CPU usage improve when Suspect Spam detection is turned off?

Someone from IronPort will correct me if I'm wrong, but I'm 99% sure the answer is "no." Brightmail assigns a score 1 - 100 to a message. Anything >= 90 is definitely spam. You get to set the threshold for suspected spam. Since the message is already scored, you're not going to save any significant resources by turning this off.

Re: new spam types

Corey_ironport — Thu, 23 Feb 2006 00:47:57 GMT

I also agree with Erich. We hardly use the Suspect Spam piece at all. We're also seeing a decline in Brightmail's shine that we used to like so much about it. The one thing that I would like to add is that reputation filtering is key to us. It's where we block most of our SPAM/malware. By the time our Brightmail license runs out, the IronPort AntiSPAM engine should be a bit more mature. We'll certainly give it a good look at that time.

Re: new spam types

Donald Nash — Thu, 23 Feb 2006 04:11:57 GMT

We're also seeing a decline in Brightmail's shine that we used to like so much about it.

Same here. I have to wonder if the acquisition by Symantec had anything to do with it?

By the time our Brightmail license runs out, the IronPort AntiSPAM engine should be a bit more mature. We'll certainly give it a good look at that time.

I'm already talking with my superiors about scheduling a field test.

From the symantec knowledge base (Note: Ironport uses 6.0.x)

shannon.hagan — Sat, 25 Feb 2006 03:45:08 GMT

An increase of large messages results in an unexpected decrease in scanner performance

Situation:

An influx of messages scanned by the Symantec Brightmail product very slowly. The messages are large and some and a check reveals some are not valid email. The scanner becomes backed up. The messages are queued for processing or pass through unfiltered.

One of the following versions is installed:
--Symantec Brightmail AntiSpam 6.0.x
--Symantec Brightmail 6.0
--Brightmail 5.5
--Brightmail 4.0

Solution:
This mostly affects Windows and Openwave mail transport authorities (MTA's), as sendmail and postfix both have an MTA limitation that prevents this from happening. What is occurring is that a sender is sending a message with an extremely large number of headers-- 1000's of them. This could be a spammer attempting a denial of service (DoS) attack. The Scanner software attempts to scan all of the headers and takes a long time doing so, tying up the CPU.

Symantec is working on this problem. Patches will be made available for Brightmail 4.0 and Symantec Brightmail AntiSpam 6.0.x.

Workaround
When you can determine where the messages are coming from, block the sender of any email that is not legitimate.

Big increase in GIF Stox spam

NtroP_ironport — Thu, 20 Apr 2006 08:33:52 GMT

Wow, we are seeing a huge increase in the last couple of days of the "GIF STOX SPAM". They blow right by our IronPort/BrightMail gateway without even slowing down!

I have to say, it's a good thing we run all of our "clean" messages through SpamAssassin before delivering it on to clients - we are blocking thousands of these things with SA which would normally go straight on through to the end user!

Here's what SA says about an average GIF spam message:

Content analysis details: (12.7 points, 3.0 required)

pts rule name description
---- ---------------------- --------------------------------------------------
1.1 EXTRA_MPART_TYPE Header has extraneous Content-type:...type= entry
0.1 HTML_90_100 BODY: Message is 90% to 100% HTML
1.0 BAYES_60 BODY: Bayesian spam probability is 60 to 80%
[score: 0.7936]
1.1 MIME_HTML_MOSTLY BODY: Multipart message mostly text/html MIME
0.0 HTML_MESSAGE BODY: HTML included in message
3.1 HTML_IMAGE_ONLY_08 BODY: HTML: images with 400-800 bytes of words
0.8 SARE_GIF_ATTACH FULL: Email has a inline gif
3.9 RCVD_IN_XBL RBL: Received via a relay in Spamhaus XBL
[201.247.223.216 listed in sbl-xbl.spamhaus.org]
1.7 SARE_GIF_STOX Inline Gif with little HTML

You'd think that after all these months of the same sort of spam comming in. Has anyone found IronPort's Spam filter to be more reliable than BrightMail? How's the comparison's comming?

Re: new spam types

ian_ironport — Tue, 25 Apr 2006 16:54:43 GMT

So we are still seeing these spams and Brightmail is still unable to detect them, after months of exposure to the problem.

Can Ironport put any pressure on Brightmail to increase the spam score for emails which only send an image? Or is it best practice to run the mail through SA or similar to detect spam mail missed on the Ironport/Brightmail...

The Senderbase scores I've seen for these spams are generally 0 to -1. This is above the range we block (-7 or lower) or warn about suspect spam (using a filter that tags the subject line if Senderbase score < -2).

Would it be possible to create a filter to block "image only" emails? Can anyone suggest what the filter would actually be to detect mails with only an image attachment? (maybe combined with the Senderbase score to only apply the rule if the score is "none" or <0). Even if we don't reject such mail we can tag the subject line to say it is suspect spam.

GIF based spam

shannon.hagan — Wed, 26 Apr 2006 01:37:05 GMT

I agree that Brightmail should be catching these at this point and from what I am seeing, they are letting a large number through; however, I will point out that some of them are coming through with text not just the gifs. They almost always are scoming in with blank html. We are working on a filter to catch them here and are going to archive for a few days to see if we have one that won't block legitimate mail.

P.S. Forward every last one of them that gets past brightmail to them so they know they have a problem.

Re: new spam types

MikeK_ironport — Thu, 27 Apr 2006 20:28:33 GMT

I am seeing these come through as well.

Let me know if you get a filter written. I am going to try and write one as well...

Thanks!
Mike

SPAM GIFs

shannon.hagan — Sun, 30 Apr 2006 05:55:36 GMT

Here is what I came up with. It does catch a few valid messages so I decided to archive them so I could go through and find the few valid messages if I needed to.

spam-gifs: if (rcpt-count == 1) AND (attachment-filename == "(?i)\\.gif") AND (attachment-size >= 45000) and (attachment-size <= 50000) and (reputation < 0) and (body-contains("(?i)windows-1252"))
{
log("spam-gifs");
drop();
}