Image Spam! Image Spam! Where for art thou, Image Spam?

Starting in May and continuing into June we are starting to see a rapid decline in the volumes of what people have been accustomed to as "image spam." Image spam is commonly referred to as spam messages which when rendered in the user's mail reader look like an image containing the text of the spam as opposed to the advertisement/scam being transmitted in clear text. These image based spam messages are typically either rolex ads, ads for various medical enhancement type of products (Cialis, Viagra, and Xanax are popular), or stock pump and dump scams where the scammer is trying to get you to buy the stock to pump the price so that they can dump it for a profit and leaving the victim holding the bag.

To give a little background as to the increase in prevalence of image based spam, it was about 10% of all spam traffic back in December, 2005. By October, 2006 it had risen to about 33% of spam traffic. This was causing problems for service providers of all types as the increase in spam volume was also accompanied by a non-linear increase in spam bandwidth because the average size of a spam message had almost doubled because of the size of these image based spam messages. The 33% of spam volume being taken up by image spam was also accounting for 70% of the bandwidth!

Image spam continued its popularity reaching almost 40% of all spam traffic earlier in 2007. April's rate was about 37%, but in May dropped significantly to 24%. So far June appears to be continuing this downward trend.

So, does this mean that image spam is gone? Have we won the image spam war?

Not quite.

As with most spam tactics, as folks who do any kind of email filtering continue to develop solutions to effectively block one type of spam, the spammers adapt and change their methodologies to something else. That is what we are seeing here.

We have started to see a couple of new types of image spam:

The first type is one where the spammers are using legitimate image hosting providers such as Imageshack and Flickr to host their images. There are a couple of problems with this tactic from the spammer's perspective. For one, the user has to click a link in order to see the image. Secondly, the image hosting providers are pretty quick to shut these down and take the images offline. Third, from a filtering standpoint, it is pretty easy to block. I wouldn't expect to see this tactic used for too long even though it currently accounts for about 4% of our spam volume.

The second type is one that we have started to see only within the past couple of days, and it is a hybrid of the original image spam tactic of attaching the image to the message and using an external image host. With this new tactic, the location of the image is used as the background attribute to the body tag within the HTML code of the message. So, the image itself can be hosted by a free image host or a compromised web server, and since the image is being called as the background in an HTML page the image renders within the body of the message. This way the user does not have to click a link in order to see the image. No solid volume numbers to report on this tactic yet, but I would expect it to become more popular.

So, it looks like the next wave of image spam is upon us. These new tactics actually open up quite a few new possibilities for image spam to morph into other types of spam such as flash movies. Expect to see more experimentation over the next couple of months as spammers continue to tinker with this new tactic to find new and more creative ways to get their junk delivered to your inbox.