Spammers have been including images in their email to evade anti-spammers. Anti-spammers have been using OCR to identify spammy words in images. Spammers have recently come up with tricks to work around OCRs, by doing steganography with animated GIF images. One approach they're taking is to build the real image progressively, first drawing a background, then drawing parts of the image (one spammer uses transparent pixels to do parts of it, showing dark parts of background), then waiting a long time and drawing a blank page in case anything's checking the final image.
http://www.networkworld.com/community/?q=node/8977
Spammers dodging OCR with .gif 'cut-and-paste'
By Paul McNamara on Fri, 10/20/2006 - 2:11pm
Spammers have begun slipping their junk past optical character recognition (OCR) software through a variety of animated .gif "cut-and-paste" techniques, says John Graham-Cumming, an anti-spam activist who maintains The Spammers' Compendium and also founded Electric Cloud.
On blog posts this week -- here and here http://www.jgc.org/blog/2006/10/why-ocring-spam-images-is-useless.html http://www.jgc.org/blog/2006/10/spam-image-that-slowly-builds-to.html -- Graham-Cumming explains two of the OCR-evading methods that were brought to his attention by Nick FitzGerald, a New Zealand anti-spam consultant and regular contributor to The Spammers' Compendium. (It being 3 a.m. in New Zealand, I'm relying on Graham-Cumming's account here.) ... (Update: FitzGerald explains his advantage.)
"I don't know how widespread it is," Graham-Cumming told me this afternoon. "(The second spam message) was targeted for this Wednesday, so I think it's probably pretty new."
The second of the two techniques takes animated .gif spam "to a new level," he said on his blog.
From the blog post: "The first image is the .gif's background and is displayed for 10ms then the second image is layered on top with a transparent background so that the two images merge together and the image the spammer wants you to see appears. That image remains on screen for 100,000 ms (or 1 minute 40 seconds). After that the image is completely blanked out by the third frame.
"My favorite touch is that it's not the entire image that's transparent, not even the white background, but just those pixels necessary to make the black pixels underneath show through. If you look carefully above you can see that some of the pixels appear yellow (which is the background color of this site) indicating where the transparency is."
In our interview, Graham-Cumming belied more than begrudging admiration for what this spammer has achieved.
"What's really neat about what this guy has done is that he takes a piece of text and he randomly kills pixels in it so that each frame of this thing is unreadable," he told me. "But when you merge them together, you get a readable piece of text. It is immensely clever. He's used animation with transparency in .gif so what happens is that although this is actually animated you don't see the animation because the two frames which have got the pixels killed on them are animated together so fast … that it looks like a static image."
Despite the fact that Graham-Cumming headlined his blog item "Why OCRing spam images is useless," he tempered that assessment in our talk.
"Saying OCR is useless is an overstatement, of course," he said. "There will be some value in OCRing because the history of spam shows that there are bleeding-edge spammers who fight to get through every filter and there's a large pool of spammers who use out of date software, essentially, so it's always worth going with techniques that worked a few months ago. … The problem with OCR is that it's very expensive to do in terms of CPU and so that's why it hasn't been rolled out widely. It's pretty clear that spammers are thinking about this. That (animated .gif) technique and the previous one I showed in the previous blog entry both make OCRing difficult."
Coincidentally, the two anti-spammers involved here had recently been discussing the possibility of such techniques emerging.
"What's amazing about this one is that (FitzGerald) and I had gone back and forth in a conversation about -- 'You know what spammers could do, is something like this.' We had anticipated that something like this was going to happen; the particular technique is very close to what we had been discussing and (FitzGerald) actually sent me an e-mail today saying, 'Look at this one, maybe they're reading our mail.' "
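The frame timing described in the article can be checked from the GIF's own metadata before any OCR is run. The sketch below is an added example, not code from the article or from Graham-Cumming's blog: it walks a GIF's blocks with the Python standard library, reports each frame's delay and transparency flag, and names the frame whose composite is shown longest as the one to render for OCR. The function names, the 50 ms flash threshold and the 1x1 three-frame sample (10 ms, 100,000 ms, then a final frame) are assumptions constructed for illustration.

```python
import struct

def gif_frames(data):
    """Return one dict per frame: delay in ms and transparency flag (truncated input raises IndexError)."""
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF")
    pos = 13 + (3 * (2 << (data[10] & 7)) if data[10] & 0x80 else 0)  # header + global colour table
    frames, delay_ms, transparent = [], 0, False
    while data[pos] != 0x3B:                          # 0x3B is the trailer
        if data[pos] == 0x21:                         # extension block
            if data[pos + 1] == 0xF9:                 # graphic control extension applies to next frame
                flags, delay_cs = struct.unpack_from("<BH", data, pos + 3)
                delay_ms, transparent = delay_cs * 10, bool(flags & 0x01)
            pos += 2                                  # now at first sub-block size byte
        elif data[pos] == 0x2C:                       # image descriptor starts a frame
            flags = data[pos + 9]
            # skip descriptor, optional local colour table and the LZW code-size byte
            pos += 11 + (3 * (2 << (flags & 7)) if flags & 0x80 else 0)
            frames.append({"delay_ms": delay_ms, "transparent": transparent})
            delay_ms, transparent = 0, False
        else:
            raise ValueError("unexpected block 0x%02x" % data[pos])
        while data[pos]:                              # skip data sub-blocks
            pos += data[pos] + 1
        pos += 1                                      # sub-block terminator
    return frames

def assess(frames, flash_ms=50):
    """Return (index of frame shown longest, reasons not to trust first/last-frame OCR)."""
    longest = max(range(len(frames)), key=lambda i: frames[i]["delay_ms"])
    reasons = ["frame %d shown %d ms under transparent frame %d" % (i, f["delay_ms"], i + 1)
               for i, f in enumerate(frames[:-1])
               if f["delay_ms"] <= flash_ms and frames[i + 1]["transparent"]]
    if longest != len(frames) - 1:
        reasons.append("longest-displayed frame %d is followed by further frames" % longest)
    return longest, reasons

def _frame(delay_cs, transparent):
    """Build a constructed 1x1 frame: graphic control extension plus image data."""
    gce = b"\x21\xF9\x04" + struct.pack("<BHB", int(transparent), delay_cs, 0) + b"\x00"
    return gce + b"\x2C" + struct.pack("<4HB", 0, 0, 1, 1, 0) + b"\x02\x02\x44\x01\x00"

# Constructed sample mirroring the timings quoted above; not a real spam image.
SAMPLE = (b"GIF89a" + struct.pack("<2H3B", 1, 1, 0x80, 0, 0) + b"\x00" * 3 + b"\xff" * 3
          + _frame(1, False) + _frame(10000, True) + _frame(0, False) + b"\x3B")
```

A filter would composite frames 0 through the returned index and OCR that image rather than the first or last frame alone.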
---------------------------------------------------------------------
The Cryptography Mailing List