Spammers are finding new ways to fool e-mail filters and HTML mail is the most common tool used in getting offending messages through gateways, says an expert examining the problem.
During a Tuesday Webcast hosted by Vancouver-based ActiveState Corp., Dr. John Graham-Cumming discussed ways in which spammers are tricking spam filter programs. About 80 to 90 per cent of all spam is being sent using HTML, said Graham-Cumming.
“There are actually some people who, for this reason, who consider HTML e-mail to be harmful,” said Graham-Cumming, who is the research director on ActiveState’s anti-spam task force.
“I just do not view HTML messages. I insist everyone who e-mails me do not do so in HTML. Not everyone will be able to do that, but I have found it to be a pretty effective way.”
Graham-Cumming says there are three ways spam ends up getting through. They include using plain text, using HTML and using the underlying language of e-mail (known as Multi-purpose Internet Mail Extensions or MIME), which is the way e-mail sends attachments and other kinds of data other than plain text.
“It turns out that MIME can be used for all sorts of tricks,” said Graham-Cumming.
“What we’ve noticed is that spammers seem to have realized spam filtering is working and they don’t like it. They are actively trying to evade filters and are using a large collection of tricks to fool the simplistic keyword-based filters such as the ones that look for the word ‘Viagra’ and decide that is a piece of spam,” he said.
Most e-mail clients, and specifically Outlook and Outlook Express, deal with HTML-formatted e-mail. Users typically send two versions: one in plain text and an HTML version with colours and other style options. Users on a Unix-based system will see the plain text version of the MIME message and Outlook users will typically see the HTML version.
Since most e-mail clients now support HTML, spammers like to use it. The reasons are two-fold: It provides a language for rich graphics, colour and font sizes to make the message more compelling, and it also provides ways to obfuscate messages.
These sorts of obfuscation can include things like “Web bugs” or tiny images in an e-mail that will be loaded by your e-mail program when the e-mail is read.
“The spammer constructs the name of the image in such a way that they know instantly that you read it and can validate your e-mail address and send you more spam,” he said.
“What the spammer is trying to do is let you the human see the message they want to send and let the filter see something completely different.”
Using the word Viagra, Graham-Cumming demonstrated a number of ways spammers are fooling computers to get spam through filters. The simplest way is to put characters or spaces between the letters of a word. Because humans are good at pattern recognition everyone recognizes it, but a simple filter will be confused by it.
A good filter will reconstruct the word and note the use of the trick for later, said Graham-Cumming.
“The more clever the trick the easier the spam is to spot. In some ways when spammers are using these tricks they are fooling the simple filters but helping more sophisticated filters that can detect the trick,” he said.
Another technique is to try to put spaces between letters using HTML. Rather than putting a simple space, the spammer puts an invisible space so the word Viagra comes out normally but in the actual message it is obscured.
Messages are also being cut vertically into strips and the letters are sent through in the order they are in the strips making it hard for the filter to read. It relies on HTML tables to make it happen.
“The spammer can send through ‘Viagra Samples Free’ vertically and the spam filter is confused,” he said.
A more recent spam method is to use not identical colours, but very similar colours in HTML. You can specify colours as red, green or blue or specify a “recipe” to deliver a certain colour. The word Viagra would be put in a specific colour other than the background but close to the background, so to the eye it would be indistinguishable from the innocent words in the colour of the background.
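As an added illustration (not code from the Webcast or from ActiveState's product), the Python example below shows a filter that reconstructs the word and records which trick was used, as described above. It assumes the in-word split is done with an HTML comment and that hidden text is set with `<font color>` close to `<body bgcolor>`; the names, the threshold and the sample message are constructed for this example.

```python
import re
from html.parser import HTMLParser

SEPARATORS = r"[\s.\-_*]"
SPACED_WORD = re.compile(rf"\b[A-Za-z](?:{SEPARATORS}{{1,2}}[A-Za-z]){{3,}}\b")

def _rgb(value):
    """Parse '#rrggbb' into an (r, g, b) tuple; None for anything else."""
    m = re.fullmatch(r"#([0-9a-fA-F]{6})", (value or "").strip())
    return tuple(int(m.group(1)[i:i + 2], 16) for i in (0, 2, 4)) if m else None

class VisibleText(HTMLParser):
    """Collect the text a reader sees and record the tricks met on the way."""
    def __init__(self, threshold=48):
        super().__init__()
        self.background, self.colours = (255, 255, 255), []
        self.threshold, self.visible, self.tricks = threshold, [], set()
    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "body":
            self.background = _rgb(attrs.get("bgcolor")) or self.background
        elif tag == "font":
            self.colours.append(_rgb(attrs.get("color")))
    def handle_endtag(self, tag):
        if tag == "font" and self.colours:
            self.colours.pop()
    def handle_comment(self, data):
        if self.visible and self.visible[-1][-1:].isalnum():
            self.tricks.add("in-word-comment")  # comment directly after a letter
    def handle_data(self, data):
        colour = self.colours[-1] if self.colours else None
        if colour and sum(abs(a - b) for a, b in zip(colour, self.background)) < self.threshold:
            self.tricks.add("near-background-colour")
            return  # the reader cannot see this text, so do not score it
        self.visible.append(data)

def normalise(html):
    """Return (text as the reader sees it, sorted list of tricks detected)."""
    parser = VisibleText()
    parser.feed(html)
    parser.close()
    def rejoin(match):
        parser.tricks.add("letter-separators")
        return re.sub(SEPARATORS, "", match.group(0))
    text = SPACED_WORD.sub(rejoin, "".join(parser.visible))
    return text, sorted(parser.tricks)

# Constructed sample message, not taken from real spam.
SAMPLE = ('<body bgcolor="#ffffff"><font color="#fefefe">meeting agenda notes</font>'
          '<p>V.i.a.g.r.a samples, free Via<!-- zq -->gra</p></body>')
```

The returned list of tricks can be fed to the scoring stage as features alongside the normalised text, so the obfuscation itself counts as evidence.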
The cost of ignoring spam trickery includes time, pain and effort on the part of an organization’s employees, says Michael Argast, manager of sales engineering for Vancouver-based ActiveState.
“On an organizational basis it can be quite high, but also from a bandwidth perspective and the licences to support it all,” said Argast. “It is estimated 50-70 per cent of messages that arrive at a company’s gateway today is spam. We find the most significant concern is not the cost in time or systems but potential cost in terms of liability. The fact that individuals in organization becoming offended by the messages. It is very important an organization have the protection in place so saving users time and effort, systems not over-taxed and protect from liability.”
ActiveState is a vendor of PureMessage to protect against viruses and spam and enforce e-mail policies.
Graham-Cumming’s advice to avoid spam is to not give out an e-mail address more than necessary or use the mailto HTML tag, as spam software will pick it up easily.
“I’m hoping we can reduce it to the point where it is background noise, not a nuisance,” he said.