Who Removed The Pictures?
Those of you who read my blog from time to time, or are in the computer-security sector, will know that since the last quarter of 2006 the spammers have been converting from ASCII/HTML based spam to image based spam [*.gif, *.png, *.jpg, etc.]. This move caused many who work on anti-spam products and solutions a lot of sleepless nights trying to work out how they could add detection for such spam, without too many false positives or negatives.
Well, it seems that their prayers [the vendors and service providers] have been answered as I'm increasingly seeing a switch back to ASCII/HTML based spam, although a number of botnets used to send spam are still using images.
Here are three examples of one of the latest tricks the spammers are using:



Did you notice the lack of images in the spam itself? What these spammers have done is to host the graphical spam images at an image hosting/storage service known as 'ImageShack'. As you might have expected, this technique only worked for a while before the anti-spam tools caught up and 'ImageShack' started to actively purge the hosted spam images.
This next one takes this minimalist approach to the highest level, take a look:

Couldn't be much more compact could it? As with the first three examples, the link takes you to a graphical spam message hosted on one of a number of sites, but not on 'ImageShack'.
The final one in this series is not as minimalist; in fact it is almost at the other end of the scale, being rather wordy. That is because it uses social engineering techniques 'borrowed' from the malware authors. Have a look and see what I mean:

Doesn't that look rather like a rip-off of a mass-mailing worm or dropper seeding e-mail, such as those we are seeing right now [Nuwar/Zhelatin/Storm Worm]?
Now why would they want you to think you've bought a copy of 'Windows Vista'?
Well, guess what? You haven't, and if you click on any of the hyperlinks all you are doing is confirming that the e-mail address the spam was sent to is 'alive-and-well' and that a 'real-human-being' is actually reading it [and clicking on links, too].
Now isn't that sneaky?
I've said it before, and I'll say it again: "Never click on anything in a spam e-mail, or you may just end up proving that your e-mail address is valid, and live. This makes that e-mail address more valuable and you'll end up on more spammers' lists, and get loads more spam."
Also:
- Use a good anti-spam solution, such as the one built into Thunderbird.
- Don't allow remote images to be loaded when the spam e-mail is rendered.
- Don't click on any links provided in the spam, especially any 'unsubscribe' links offered, as this will again prove your e-mail address is valuable, and as expected you'll end up getting more, not less, spam.
- Don't EVER buy anything offered in a spam e-mail; you are only helping to prove that the business model the spammers use is still viable.
Yes, I know I repeated myself in point 3 of the above list, but that was intentional, just to drive the point home ;-)
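To see what a message would fetch or link to without rendering it or clicking anything, the raw source can be inspected offline. The following is an added example, not part of the original post; the sample message, hostnames and function names are constructed for illustration.

```python
from email import message_from_string
from email.policy import default
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample (not a real spam): short HTML body, one link, one remote image.
SAMPLE = """\
From: sender@example.com
To: reader@example.org
Subject: Your order
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Thank you for your purchase.</p>
<a href="http://images.example.net/view?id=1234">View receipt</a>
<img src="http://images.example.net/pic.gif">
<img src="cid:logo@local">
</body></html>
"""

class _RefCollector(HTMLParser):
    """Collects URLs a mail client would fetch on render (img) or on click (a)."""
    def __init__(self):
        super().__init__()
        self.images, self.links, self.text = [], [], []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "img" and attrs.get("src"):
            self.images.append(attrs["src"])
        elif tag == "a" and attrs.get("href"):
            self.links.append(attrs["href"])

    def handle_data(self, data):
        self.text.append(data.strip())

def _is_remote(url):
    # cid: and data: images are embedded in the message; only http(s) leaves the machine.
    return urlparse(url).scheme in ("http", "https")

def remote_references(raw_message):
    """Parse the message as text only; nothing is fetched or rendered."""
    msg = message_from_string(raw_message, policy=default)
    collector = _RefCollector()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            collector.feed(part.get_content())
    return {"remote_images": [u for u in collector.images if _is_remote(u)],
            "links": [u for u in collector.links if _is_remote(u)],
            "text_chars": len("".join(collector.text))}
```

A very small `text_chars` count alongside a single link or remote image matches the minimalist, image-less layout described above.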



