Zérospam

As most email servers are now protected by effective anti-virus programs, spammers have found a new way to send viruses. They send messages to innocent victims telling them to click on a link to read a virtual greeting card that someone sent them. If the email recipients are fooled into clicking the link, they are redirected to a Web site that hosts a cocktail of viruses.

This technique offers two advantages to spammers. First, it allows them to bombard their victims with a greater number of viruses with just one click, and then, as the message itself does not contain a virus, it easily bypasses anti-virus programs that protect email servers.

In the summer of 2007, spammers made image spam even more difficult to detect by incorporating images into PDF files. Until recently, spam images were incorporated directly into the message bodies. PDF spam now camouflages the spammers' sales pitch in a PDF file attachment. As PDF documents are commonly used by businesses, people haven't been suspicious of them so far. But now, email users should be leery of PDF attachments.

Fortunately, the message fingerprinting layer incorporated into ZEROSPAM's filtering architecture is extremely effective at detecting and blocking PDF spam campaigns targeting its customers.

Since first appearing at the beginning of 2006, image spam has increased at a dizzying pace in 2007. This type of spam has been very successful, as it effectively eludes heuristic detection. Words contained in messages are integrated into images, which makes them almost impossible to detect.

This new problem obviously presented a challenge to the entire anti-spam industry. Their all-out efforts to develop countermeasures were to no avail. Genotype detection turned out to be the only effective technology. Many high-end filters now incorporate some type of genotype detection and provide effective protection against image spam. However, the effectiveness of generic tools such as SpamAssassin greatly decreased after the appearance of image spam, as it is impossible to define reliable heuristics to analyze the content of image spam messages.

The image spam technique currently accounts for up to 50% of spam. Spam with PDF or FDF attachments—basically a variation on the same theme—have recently appeared.

Since May 2007, ZEROSPAM has been using message fingerprinting technology by Cloudmark™ which compares the images received to those contained in a central register. It then identifies images associated with spam campaigns in a way that is quite similar to anti-virus scanning. This technology put an end to the problem of image spam for ZEROSPAM's customers.