Posted on behalf of Mathew Nisbet, Malware Data Analyst, Symantec Hosted Service



The use of images in spam is well known, and has been going on for as long as it has been possible to send images in email messages. There are many reasons for using images in email, from simply making the email more interesting, or adding a look of professionalism, to attempting to evade text based spam filters and signatures. The use of remote images in particular has been steadily increasing over the last 16 months.







In remote images, the image is not actually contained within the email itself. Instead the email uses HTML to link to a remotely hosted image, which most modern email clients will render just like a web browser. There are good reasons a spammer would want to use remotely hosted images. First, they can change the content of a spam run at any time without having to update templates or make any changes to their bots. Second, with a remotely hosted image, the spam mail itself only has to contain a few lines of HTML, but the image can contain whatever the spammer wants. This makes the spam emails much smaller, which in turn allows their bots to send out much more spam per minute than they could if the image were attached. Also, a remote image gives the spammer the chance to avoid image filters as well as text filters in anti-spam. Remote images also allow the spammers to use web monitoring tools to track the effectiveness of their own spam runs. When the image is downloaded, the spammer can log all the same information about the victim’s computer as a legitimate website, including IP address, email client used, etc.



So what are these spam images that have become so popular?



Unsurprisingly, the most common images in spam are advertisements for pharmaceuticals. In a sample set covering a seven day period, these were the most common by far, each in roughly equal volumes.









Interestingly, the spammers still try to avoid image filters even while using remote images. In the samples I looked at, the same image appeared several times, but in black and white, rotated to different angles, and with random "noise" added to the image. This is an attempt to evade spam image signatures.







Aside from the pharmaceutical images, other medical related spam is quite common. In this particular seven-day sample for example, there has been a run of Portuguese dental or orthodontic spam.







Close in popularity to medical spam is job offer spam.







Also popular is general "product" spam. Replica watches are a particular favorite, but the product for sale could be anything from facial creams to kitchen cabinets.







Those are the most common types of images seen in spam. But there are still spam messages that have had random images inserted in an effort to confuse signature based filters.



These images could have been taken from anywhere, and have no relation to the purpose of the email. Often they are made into a hyperlink so that when the recipient clicks on the image, they are taken to the spammer's website where the real purpose will become apparent. Below is a small selection of some of the random images from 7 days of spam.







Spammers will try anything to get their target to click through to their websites, or part with their money. Any email from an unsolicited source with an image should be treated as suspicious. Most mail clients have the option to prevent the downloading of remote images, this is an option that should be used. It prevents the spammer from knowing that the recipient has actually received their email, it can also prevent the recipient from accidentally clicking on any contained links.



