Spammer using Graphical Steganography

Bill Stewart bill.stewart at pobox.com
Mon Oct 23 18:46:38 EDT 2006


Spammers have been including images in their email to evade anti-spammers.
Anti-spammers have been using OCR to identify spammy words in images.
Spammers have recently come up with tricks to work around OCRs,
by doing steganography with animated GIF images.
One approach they're taking is to build the real image progressively,
first drawing a background, then drawing parts of the image
(one spammer uses transparent pixels to do parts of it, showing dark parts
of background), then waiting a long time and drawing a blank page in case
anything's checking the final image.

http://www.networkworld.com/community/?q=node/8977

Spammers dodging OCR with .gif 'cut-and-paste'

By Paul McNamara on Fri, 10/20/2006 - 2:11pm

Spammers have begun slipping their junk past optical character recognition 
(OCR) software through a variety of animated .gif "cut-and-paste" 
techniques, says John Graham-Cumming, an anti-spam activist who maintains 
The Spammers' Compendium and also founded Electric Cloud.

On blog posts this week -- here and here
	http://www.jgc.org/blog/2006/10/why-ocring-spam-images-is-useless.html
	http://www.jgc.org/blog/2006/10/spam-image-that-slowly-builds-to.html
-- Graham-Cumming explains two of the OCR-evading methods that were brought 
to his attention by Nick FitzGerald, a New Zealand anti-spam consultant and 
regular contributor to The Spammers' Compendium. (It being 3 a.m. in New 
Zealand, I'm relying on Graham-Cumming's account here.) ... (Update: 
FitzGerald explains his advantage.)

"I don't know how widespread it is," Graham-Cumming told me this afternoon. 
"(The second spam message) was targeted for this Wednesday, so I think it's 
probably pretty new."

The second of the two techniques takes animated .gif spam "to a new level," 
he said on his blog.

From the blog post: "The first image is the .gif's background and is 
displayed for 10ms then the second image is layered on top with a 
transparent background so that the two images merge together and the image 
the spammer wants you to see appears. That image remains on screen for 
100,000 ms (or 1 minute 40 seconds). After that the image is completely 
blanked out by the third frame.

"My favorite touch is that it's not the entire image that's transparent, 
not even the white background, but just those pixels necessary to make the 
black pixels underneath show through. If you look carefully above you can 
see that some of the pixels appear yellow (which is the background color of 
this site) indicating where the transparency is."

In our interview, Graham-Cumming belied more than begrudging admiration for 
what this spammer has achieved.

"What's really neat about what this guy has done is that he takes a piece 
of text and he randomly kills pixels in it so that each frame of this thing 
is unreadable," he told me. "But when you merge them together, you get a 
readable piece of text. It is immensely clever. He's used animation with 
transparency in .gif so what happens is that although this is actually 
animated you don't see the animation because the two frames which have got 
the pixels killed on them are animated together so fast that it looks 
like a static image."

Despite the fact that Graham-Cumming headlined his blog item "Why OCRing 
spam images is useless," he tempered that assessment in our talk.

"Saying OCR is useless is an overstatement, of course," he said. "There 
will be some value in OCRing because the history of spam shows that there 
are bleeding-edge spammers who fight to get through every filter and 
there's a large pool of spammers who use out of date software, essentially, 
so it's always worth going with techniques that worked a few months ago. 
The problem with OCR is that it's very expensive to do in terms of CPU and 
so that's why it hasn't been rolled out widely. It's pretty clear that 
spammers are thinking about this. That (animated .gif) technique and the 
previous one I showed in the previous blog entry both make OCRing difficult."

Coincidentally, the two anti-spammers involved here had recently been 
discussing the possibility of such techniques emerging.

"What's amazing about this one is that (FitzGerald) and I had gone back and 
forth in a conversation about -- 'You know what spammers could do, is 
something like this.' We had anticipated that something like this was going 
to happen; the particular technique is very close to what we had been 
discussing and (FitzGerald) actually sent me an e-mail today saying, 'Look 
at this one, maybe they're reading our mail.' "




---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
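
A filter-side check for the animated .gif trick the article describes, as an added example that is not part of the original post or of Graham-Cumming's blog: it reads each frame's delay and transparency flag from the GIF container and reports which composited frame a scanner should OCR instead of the first or last one. The thresholds, function names and sample bytes are assumptions constructed for illustration; pixel data is skipped, not decoded.

```python
import struct

FLICKER_MS = 50   # assumption: frames shown for less than this are not seen on their own
READ_MS = 5000    # assumption: a frame held this long is the one a person reads

def skip_sub_blocks(data, pos):
    while data[pos]:                 # each sub-block is <length><bytes>; 0 terminates
        pos += 1 + data[pos]
    return pos + 1

def gif_frame_timing(data):
    """Return [(delay_ms, uses_transparency), ...], one entry per frame."""
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF")
    pos = 13
    if data[10] & 0x80:              # skip global colour table
        pos += 3 * (2 << (data[10] & 7))
    frames, delay_ms, transparent = [], 0, False
    while pos < len(data) and data[pos] != 0x3B:      # 0x3B = trailer
        if data[pos] == 0x21:        # extension block
            if data[pos + 1] == 0xF9:                 # graphic control extension
                flags, delay_cs = struct.unpack_from("<BH", data, pos + 3)
                delay_ms, transparent = delay_cs * 10, bool(flags & 1)
            pos = skip_sub_blocks(data, pos + 2)
        elif data[pos] == 0x2C:      # image descriptor: one frame
            packed = data[pos + 9]
            pos += 10
            if packed & 0x80:        # skip local colour table
                pos += 3 * (2 << (packed & 7))
            pos = skip_sub_blocks(data, pos + 1)      # LZW data, not decoded here
            frames.append((delay_ms, transparent))
            delay_ms, transparent = 0, False          # a GCE applies to one frame only
        else:
            raise ValueError("unexpected block 0x%02x" % data[pos])
    return frames

def ocr_target(frames):
    """Choose which composited frame to OCR and flag the build-then-blank pattern."""
    shown = max(range(len(frames)), key=lambda i: frames[i][0])
    overlay = shown > 0 and frames[shown][1] and all(d < FLICKER_MS for d, _ in frames[:shown])
    blanked = shown < len(frames) - 1 and frames[shown][0] >= READ_MS
    return {"composite_through": shown, "built_by_overlay": overlay, "blanked_after": blanked}

def make_frame(delay_cs, transparent):   # constructed 1x1 frame for the sample below
    gce = b"\x21\xf9\x04" + struct.pack("<BHB", int(transparent), delay_cs, 0) + b"\x00"
    return gce + b"\x2c" + struct.pack("<4HB", 0, 0, 1, 1, 0) + b"\x02\x02\x44\x01\x00"
# Constructed sample using the article's timings: 10 ms, then 100,000 ms, then a last frame.
SAMPLE = (b"GIF89a" + struct.pack("<2H3B", 1, 1, 0x80, 0, 0) + b"\xff\xff\xff\x00\x00\x00"
          + make_frame(1, False) + make_frame(10000, True) + make_frame(0, False) + b"\x3b")
```

A scanner would render frames 0 through `composite_through` onto one canvas and OCR that result.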