The low cost provider that ISPs love for its clear pricing policy has upgraded image scanning to fight the latest in spammer tactics.

by Alex Goldman ISP-Planet Managing Editor [March 6, 2007]

Mountain View, Calif.-based Barracuda Networks has announced an upgrade to its filter that fights image-based spam in the Barracuda Spam Firewall. This is the third generation of Barracuda Networks' Optical Character Recognition (OCR)-based filter, first released in July of 2006.

"It's an escalation," says Stephen Pao, vice president of product management at Barracuda Networks. "The techniques of spammers keep getting more and more sophisticated. The reason is that image spam is being used for penny stock scams. It's no longer luxury watches or ED drugs or fake degrees. Now there's real money to be made."

So is the mob behind it? "It's not clear who the instigators are," says Pao. "We do know that botnet gangs are in use, so some underworld element is likely."

But Pao is clear about one thing: since image spam gets through so many spam engines (not Barracuda Networks', he says), it's increasing "Today image spam is about one-third of all spam e-mail.".

The latest in image obfuscation
The spammers' newest techniques involve confusing image scanners by:

1. Bit switching, so no two spam images are alike
2. Dots or shading that confuse the OCR engine

and many similar methods.

Barracuda Networks' response is to pre-process each image by removing the obfuscation. Once a spam image is identified, its hash is sent to other Barracuda Spam Firewalls around the world through hourly Barracuda Energize Updates, a feature the company calls "automatic fingerprint generation."

This supplements previous generations of enhancements. One old spammer strategy, Pao says, involves animated GIFs. He says that the GIF data is a compressed format that contains the initial image, but subsequent images are merely the changes to the initial image. Spammers have been setting the animated GIF to end up as a blank image, defeating more primitive engines that reconstruct the image and scan only the final result.

Scanning an animated GIF is quite complex, Pao emphasizes. He says that it required an upgrade to the spam filter's fuzzy logic engine, because an animated GIF can morph into and then out of a spam message.

Use all tools
Of course, Barracuda Networks uses all of the other anti-spam tools prevalent in the industry, such as reputation tracking, reverse DNS lookup, dictionary attack prevention, and so on. It even maintains Barracuda Central, a technology center for responding to threats similar to what every anti-virus outfit has. As spam is increasingly delivered by infected machines that are part of botnets, spammers and virus makers work together, and the techniques of anti-spam and anti-virus solutions converge.

For ISPs, the good news in all of this is that in spite of consolidation in the security industry, with many anti-virus vendors buying out one or more anti-spam companies, competition still exists and Barracuda Networks, which has always had very good and clear prices, delivers all the features you'd expect in a more expensive solution (and some solutions are much, much more expensive).

Pricing and availability
So how much does the update cost? "Subscribers with an up to date subscription get our anti-virus, anti-spam, and firmware updates," confirms Pao.

Asked about the future of the anti-spam engine, he explains, "it's like wartime and the defense industry. You can talk about a missile after you've won a war with it, but until then, it needs to be confidential."

—End