News

A few months ago, York University's e-mail boxes began filling up with unwanted messages touting can't-miss stocks and cheap medicine.

Like other institutions and businesses, York's information technology department has many ways of fighting spam. But a new flavour — image-based spam — had slipped past their well-laid traps. Some unlucky people received dozens of these annoying e-mails each day, according to Ramon Kagan, a manager in the university's computing and network services department.

Welcome to the latest chapter in the spam wars. Spammers are increasingly hiding messages in image files to escape detection and hit their intended target: your e-mail box.

“We've had our rash of image-based spam,” Mr. Kagan said in an interview. “In the last three months, it's really started to escalate.”

While the Internet has become a critical communications tool for businesses, it has also created headaches. At least 50 per cent of all e-mail is spam, in some cases as much as 80 per cent, said Jonathan Zittrain, a professor of Internet governance and regulation at Oxford University. About 200 spammers are responsible for this havoc, sending out much of their uninvited messages by hijacking computers and turning them into zombies.

Many institutions and businesses are struggling with this nuisance, experts say. The prevalence of image-based spam has soared in recent months, according to reports from e-mail security firms. However, this cyberspace pest didn't exactly appear out of nowhere.

Image-based spam has existed for a number of years, but has become more popular recently for a good reason; it has proven trickier for security systems to stop than messages that deliberately misspell words to elude text-based filters, experts say.

“It's probably the best technique that spammers have today for getting past the filters,” said Richard Reiner, chief scientist of information security at Telus Corp.

Spammers try to stay one step ahead of filters by constantly adjusting their techniques. Image-based spam is no different. That makes it difficult for security systems to “fingerprint” the e-mail and compare it with identified spam. Experts stress, however, it's just part of the usual game.

“There's a real war going on,” Prof. Zittrain said. “I wouldn't call image spam a nuclear weapon in it. It's an innovation, but it's not paradigm-shifting.”

Many unwanted messages are weeded out before landing in a person's inbox. But there is no watertight solution, especially when it comes to image-based spam, which can cause a number of problems for businesses.

First off, employees spend a lot of time wading through inboxes stuffed with bogus e-mails, and that can reduce their productivity.

It can also strain a company's Internet capacity, by clogging the system with useless messages. Image-based spam, in particular, eats up more bandwidth than regular images. Businesses may need to invest in more bandwidth to make sure legitimate messages can get through.

“It's costing them money because of all the extra performance wasted trying to route these services,” said Natalie Lambert, a security analyst at Forrester Research Inc.

To make matters worse, the more spam that makes its way into an inbox, the more storage required in a company's e-mail archive.

York University's central e-mail system, for example, was forced to increase its storage space by 38 per cent in the space of five months, with half of that absorbed by image-based spam, Mr. Kagan said.

“In all cases, there's tremendous cost savings by eliminating as much spam before it hits your real e-mail infrastructure as you possibly can,” said Tom Moss, vice-president of technology at Bell Security Solutions, a Bell Canada business that provides network security for companies.

Experts recommend businesses deploy a range of tactics. A number of these methods challenge image-based spam, but some will likely still get through.

Some anti-spam services, for example, assess e-mail based on the sender's reputation. Another method — Bayesian filtering — looks for out-of-the-ordinary content. Heuristic filters find spam patterns and check each e-mail to see whether it fits the criteria. The latter, for example, would search for typical spam signs such as misspelling Viagra with a 1 in front of the i, Mr. Reiner said.

York University recently added another weapon to its anti-spam war chest. It started using a technique called greylisting, which blocks a dodgy e-mail the first time it is sent, forcing the user to send it again. Spammers typically don't bother.

Its filters used to catch more than 90 per cent of spam. That figure dropped to the low 80s with the emergence of image-based spam, but greylisting has brought it back to the previous level.

“That's done a lot for getting rid of a lot of the spam,” Mr. Kagan said.

Royal Bank of Canada has also noticed an increase in image-based spam, but its “sophisticated” fraud detection systems are blocking it, according to spokeswoman Beja Rodeck. She wouldn't provide details on the bank's spam filters.

No matter how well armed they may be against the current spam threat, businesses can't afford to let their guard down.

“The Internet e-mail infrastructure was built to be wide open,” Mr. Reiner said. “It means everyone can send and receive e-mails to everyone, including the spammers to you and me.”