For spammers, a picture is better than 1,000 words

Spam is again on the rise, led by a flood of junk images that spammers have crafted over the past few months to trick e-mail filters, according to security vendors.

Called "image-based" spam, these junk images typically do not contain any text, making it harder for filters that look for known URLs or suspicious words to block them.

Instead of a typed message, users will see only an embedded .gif or .jpeg image file urging them to buy pharmaceuticals or invest in penny stocks.

Antispam vendor Cloudmark says that half of the incoming spam is now image-based on the "honeypot" systems it puts out on the Internet to lure spammers.

"About a year-and-a-half ago we started seeing a little bit of it, but it wasn't until the past six months that it became a serious issue for many antispam companies," said Adam O'Donnell, a senior research scientist with the company.

Image-based spam has jumped from about 1 percent of all spam messages in June 2005 to around 12 percent today, according to Craig Sprosts, senior product manager with IronPort Systems.

Its growth is helping to fuel a global resurgence in spamming, Sprosts said.

The total number of spam messages sent daily is up 40 percent since April, Sprosts said. Much of this new spam is coming from a "relatively small group of spammers with control over very large zombie networks," of hijacked computers, he said.

Spammers now generate an estimated 55 billion messages per day, according to IronPort. A year ago that number was 30 billion e-mail messages per day.

The combination of greater volume and better techniques has meant more complaints for network administrators.

Administrators at Avnet have started stripping certain embedded image files out of all messages, after seeing an uptick in image-based spam two months ago, said Rob Kudray, manager of messaging services with the computer distributor.

One other tactic that is helping keep in-boxes full is the spammers' practice of constantly registering new domains. Of the 35 million domains registered in April, 32 million were never paid for and expired after five days, Sprosts said. He believes that many of those domains were used by spammers to send out their unsolicited e-mail during that five-day grace period.

This technique makes it very difficult to blacklist e-mail based on the URLs it contains. "Traditional blacklists and whitelist approaches just can't keep up with how fast they're registering new domains and changing the URLs in the e-mail," Sprosts said.