Waiter! Waiter! There are dots in my spam. Could it be stego?
August 16, 2006 2:09 PM   Subscribe

Waiter! Waiter! There are dots in my spam. Could it be stego?

I've recieved a number of very similar spam messages in the last few weeks, and have noticed something a bit odd about them. The actual body of the message is a gif, which in itself is not unusual. What is unusual is that "random" pixels within the image appear to be set to "random" colours for no obvious reason. Could this be someone hiding a message steganographically within the spam and burying the actual intended recipient amongst the presumably thousands of spamees? Or is it just a spammer adding random noise to the image to try and thwart some kind of image analysing spam filter? It seems to me that adding the random pixels is deliberate, as just typing some text on an image in something like photoshop wouldn't give this effect.

Here is an example image:

posted by blacksky to Computers & Internet (14 answers total)
Or is it just a spammer adding random noise to the image to try and thwart some kind of image analysing spam filter?

Yes. To make each email different without actually being different, which would help against spam filters that work off matching spam message content.
posted by malphigian at 2:18 PM on August 16, 2006

So that's what all those blank emails with .gif attachments are?! I figured they were spam, but of the broken-not-sent-properly persuasion. /me loves the goodness of text-only email clients.
posted by shepd at 2:32 PM on August 16, 2006

I read about this exact thing in, I think, the NYT a few weeks ago. Yes, definitely, it's a way to ensure that the GIF can't be quickly identified by its checksum or whatever.

And you could easily add the noise programatically with GD or ImageMagick.
posted by AmbroseChapel at 2:33 PM on August 16, 2006

Could "  " be the same thing? I often see things like that in junk mail and wonder what they are.
posted by popcassady at 2:36 PM on August 16, 2006

Yeah, I used to work for a spam filtering company. This is just an attack on filters. Most filters have fairly sophisticated text processing and are okay at dealing with mutations in the message text. Image processing is a considerably more difficult problem, both conceptually and computationally, and currently no spam filters (that I know of) really do anything sophisticated with this kind of mail.
posted by aubilenon at 2:47 PM on August 16, 2006

That's interesting, but as easy as it would be to add a small amount of random noise, it should be almost as easy to detect that one image file like this is a trivial variation on another. Then again, with the torrent of spam, the added work might be too computationally expensive.
posted by adamrice at 2:56 PM on August 16, 2006

it should be almost as easy to detect that one image file like this is a trivial variation on another
Throw in a slight variation in height and width? Colour lookup table? Offset the content a couple of pixels right or left against the background? I think you're wrong, in the nicest possible way.
posted by AmbroseChapel at 5:16 PM on August 16, 2006

Or it could be stego and the secret government agents assigned to cover MeFi have just outed themselves in trying to explain it away.

/looks at malphigian, AmbroseChapel and aubilenon
//wonders nervously whether they work for the same government or three different ones
///puts on tinfoil hat
posted by Pryde at 5:16 PM on August 16, 2006

From the NYT article I finally tracked down:
The spammers were trying to circumvent the world's junk-mail filters by embedding their messages — whether peddling something called China Digital Media for $1.71 a share, or a "Hot Pick!" company called GroFeed for just 10 cents — into images.

In some ways, it was a desperate move. The images made the messages much bulkier than simple text messages, so the spammers were using more bandwidth to churn out fewer spams. But they also knew that, to filters scanning for telltale spam words in the text of e-mail messages, a picture of the words "Hot Stox!!" is significantly different from the words themselves.

So the bulk e-mailers behind this campaign seemed to calculate that they had a good chance of slipping their stock pitches past spam defenses to land in the in-boxes of prospective customers.

It worked, but only briefly. Antispam developers at MessageLabs, one of several companies that essentially reroute their clients' e-mail traffic through proprietary spam-scrubbing servers before delivering it, quickly developed a "checksum," or fingerprint, for the images, and created a filter to block them.

Advances in spam-catching techniques mean that most computer users no longer face the paralyzing crush of junk messages that began threatening the very utility of e-mail communications just a few years ago.

But spammers have hardly given up, and as they improve and adapt their techniques, network managers must still face down the pill-pushers, get-rich-quick artists and others who use billions of unwanted e-mail messages to troll for income. "For the end user, spam isn't that much of a problem anymore," said Matt Sergeant, MessageLabs' senior antispam technologist. "But for the network, and for people like us, it definitely is."

Shortly after MessageLabs created a filter to catch the stock spams, the images they contained changed again.

They were now arriving with what looked to the naked eye like a gray border. Zooming in, however, the MessageLabs team discovered that the border was made up of thousands of randomly ordered dots. Indeed, every message in that particular spam campaign was generated with a new image of the border — each with its own random array of dots.
So it's not just a few dots here and there, it's a border composed entirely of random dots, in this case. And checksumming is the way anti-spam software is used against image-spam.
posted by AmbroseChapel at 5:25 PM on August 16, 2006

It's pretty simple to take two images next to each other and say "these two are basically the same", but it's not so easy to take a million images on tens of thousands of computers and say which ones look like which other ones.
posted by aubilenon at 7:57 PM on August 16, 2006

devil's advocate: gifs with lossy compression can sometimes have a little random noise, so sometimes a cigar is just a cigar, not a message from al qaeda.
posted by condour75 at 8:36 PM on August 16, 2006

condour75: Did you look at the image? This is not some kind of dithering, this is clearly deliberate random pixels sacttered around.

Also, GIFs use LZW compression, which is lossless; the lack of support for more than 256 colors is the part that causes GIFs to look like crap, not the compression.
posted by aubilenon at 1:54 AM on August 17, 2006

I've been getting about two/three spam messages a day for the last month, as opposed to my usual c.1 a month before that as I'm very protective over my personal email address.

The spam is all of a similar nature/style - it makes me wonder if it isn't all coming from the same source which has yet to be shut down.

Anyone experiencing the same? I'd post a sample bit of text but I'm at work...
posted by dance at 2:17 AM on August 17, 2006

The spams I have been getting through gmail have images, which are all cut up into separate attachments. Except that gmail doesn't reconstruct them correctly, so it ends up being incomprehensible.
posted by delmoi at 3:19 AM on August 17, 2006

« Older what is nsfw?   |   Choking on search logs Newer »
This thread is closed to new comments.