Image Spam Gaining Weight

In our earlier blog posting on obfuscated URL attacks we reported on the transition of image spam attacks to URL-obfuscation attacks, and we also mentioned how resources such as domains and subject lines were being recycled. In this blog post we will be discussing another aspect of the image spam attack, that of message size. We have observed a sudden growth in message sizes during the month of August. Similar jumps in message size were reported on the Symantec Security Response Blogs in November 2008.  

After monitoring the messages during the month of August (so far), we came to the following conclusions:

•    9.3% of image spam had a message size greater than 100kb.
•    14.43 % of image spam had an average size of between 10kb-50kb.

In the last week or so, we have also seen a variation in the approach of image spam. Spammers are again inserting Shakespearean text into their messages. In the last two or three months we have seen similar messages with similar attachments, but with only a single line or no text at all. However, this has perhaps added weight (though not so significant) to the message size along with the image attached. The below chart illustrates our observations. It displays image spam data collected for the last three months.

Larger messages cause a significant burden on IT resources and delay legitimate messages from reaching their intended users. We are continuously scanning these attacks for any change in spammer’s tactics so that Symantec users are not impacted.