Security experts warn about a technique that can be used to get past optical character recognition filters. The good news? The solution may be free.
Captcha techniques – the wavy letters you have to decipher before continuing with your e-mail, for example – have traditionally been used for security purposes. But some spammers are spinning it around, using captcha to actually send spam.
The idea behind captcha (pronounced like “capture”) is to present the user with an image (captcha) or mathematical equation (maptcha) in order to discriminate against computers and automated programs that collect e-mail addresses and send spam.
But now spammers are using the same technique to defeat OCR, or optical character recognition technology, according to the January 2007 edition of Symantec’s Monthly Spam Report. Spam used to be text-based with a URL, but now 35 per cent of all spam on the Internet is image spam, made up of an image a company is trying to flog, for example.
“Image spam is a way these guys came up with to try to defeat spam filters,” said Dean Turner, senior manager of Symantec Security Response. In the early days of image spam, they’d start changing one pixel of an image to get past the filter. But one of the latest techniques they’re experimenting with is captcha, since OCR technology has a hard time recognizing it.
“What spammers are doing now – knowing that some vendors rely heavily on OCR technology – are testing the waters with captcha to actually defeat spam filters,” he said. “It’s at very initial levels but it’s a very interesting technique.”
Just as captcha has been used to prevent spam, it can be used to send spam. “Since the algorithms are open source it’s easy enough to port them over and create an image,” said Claudiu Popa, president and CSO of Informatica Corp.
Over the past 18 months or so, spammers took text messages and dropped them into a simple jpeg, which still looked like text – but then OCR programs were added to spam filtering and that became easy enough to defeat. “Never mind that it’s pretty easy to flag an e-mail that is made up of one image,” said Popa. Now spammers are using the captcha algorithm to add fuzziness to the background of an image.
“For me as a user that would deter me from clicking on anything,” he said. “They don’t even have to decipher what the spam message is saying – it’s clearly a picture that has been distorted in some way.”
But he said using captcha as spam has a “limited window of opportunity” and won’t be an effective spam method for long. A user’s best bet is to use anti-spam software based on a Bayesian algorithm, which you can get online for free, he added.
“The Bayesian algorithm uses artificial intelligence to see patterns in spam e-mail, so once you get your second captcha type e-mail, this program will learn to recognize it,” said Popa. “They all tend to look the same – one big image with nothing much in it – and it will drop it into a spam folder.”
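To illustrate the Bayesian approach Popa describes, here is a small naive Bayes spam filter written for this article as an added example; it is not code from Symantec, Informatica Corp. or any product mentioned here. It assumes that a message can be reduced to its body text and a count of attached images, and it trains on a handful of constructed sample messages (not real spam) to show how “one big image with nothing much in it” becomes a learnable pattern after only a few examples.

```python
import math
import re
from collections import Counter


def extract_features(text, image_count):
    """Turn one message into a set of binary features.

    Alongside the words of the body, structural tokens capture the shape
    image spam tends to have: an attached image and little or no text.
    If OCR output is available it can simply be appended to `text`.
    """
    feats = set(re.findall(r"[a-z]+", text.lower()))
    feats.add(f"img_count={min(image_count, 3)}")  # cap to keep the vocabulary small
    words = len(text.split())
    bucket = "none" if words == 0 else "short" if words < 5 else "long"
    feats.add(f"text_len={bucket}")
    if image_count >= 1 and words < 5:
        feats.add("image_only")  # the tell-tale shape of image spam
    return feats


class NaiveBayesFilter:
    """Bernoulli naive Bayes over binary features with Laplace smoothing."""

    def __init__(self):
        self.doc_counts = Counter()  # label -> number of training messages
        self.feat_counts = {"spam": Counter(), "ham": Counter()}

    def train(self, text, image_count, label):
        """Record one labelled message; call again as users mark new spam."""
        self.doc_counts[label] += 1
        for f in extract_features(text, image_count):
            self.feat_counts[label][f] += 1

    def _log_likelihood(self, feats, label):
        n = self.doc_counts[label]
        total = sum(self.doc_counts.values())
        ll = math.log(n / total)  # class prior
        for f in feats:
            # Laplace smoothing: unseen features get probability 1/(n+2), not 0
            ll += math.log((self.feat_counts[label][f] + 1) / (n + 2))
        return ll

    def spam_probability(self, text, image_count):
        feats = extract_features(text, image_count)
        ls = self._log_likelihood(feats, "spam")
        lh = self._log_likelihood(feats, "ham")
        # Normalise in log space so tiny products do not underflow to zero.
        return 1.0 / (1.0 + math.exp(lh - ls))

    def classify(self, text, image_count, threshold=0.5):
        return "spam" if self.spam_probability(text, image_count) >= threshold else "ham"


# Constructed training corpus (assumption: these are illustrative, not real mail).
TRAINING_MESSAGES = [
    ("Meeting moved to 3pm, see the agenda attached", 0, "ham"),
    ("Thanks for the report, I will review it tomorrow", 0, "ham"),
    ("Photos from the team offsite attached, captions are below in the message", 2, "ham"),
    ("", 1, "spam"),            # a bare image, no text at all
    ("", 1, "spam"),            # another one; the filter has now "seen its second"
    ("click here", 1, "spam"),  # image plus a two-word lure
]


def build_filter():
    """Train a filter on the constructed corpus and return it."""
    nb = NaiveBayesFilter()
    for text, images, label in TRAINING_MESSAGES:
        nb.train(text, images, label)
    return nb


if __name__ == "__main__":
    nb = build_filter()
    for text, images in [("", 1), ("See you at the meeting tomorrow", 0)]:
        print(repr(text), images, nb.classify(text, images),
              round(nb.spam_probability(text, images), 3))
```

The structural tokens matter more than the words here: a captcha-style image carries no readable text for the filter, so it is the combination of “one image” and “no body text” that the classifier learns, which is exactly why the distortion gives the spammer no advantage against this kind of filter. A production filter would add many more features (sender reputation, header anomalies, OCR tokens) and a much larger corpus, but the learning mechanism is the same.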
According to Symantec’s Security Spam Report, we’ve seen a trend over the past three or four months where spam is increasing. And spam continues to account for a high percentage of all e-mail traffic, peaking at 80 per cent of messages sent in December.
“A lot of today’s viruses, worms and especially Trojans come in through e-mail, so there is a percentage of spam that contains malicious code,” said Turner. But it’s still very low because, in the end, spammers want to make money on click-throughs.