Spammers' use of AI only just begun

Though security industry experts were openly referring to the death of spam several years ago, the arrival of image-based attacks has resulted in a stunning renaissance in the volumes of unwanted e-mail reaching end-users' inboxes.

And while filtering technologies have improved significantly and can thwart the ability of most image spam to force its way onto corporate networks today, some experts believe that the fight against the use of such AI (artificial intelligence) tactics on the part of spammers is only just getting underway.

In a new report published on May 30, analysts at Cambridge, Mass.-based Forrester Research extrapolate on their theory that image spam is merely the tip of the iceberg when it comes to spammers' use of AI.

The only way to prevent a repeat of the image spam surge as new models using AI come to light, Forrester analysts said, will be for technology vendors and enterprise customers to abandon their current approach of trying to filter out every type of campaign that the mass-mailers conceive and instead battle the roots of the problem.

Just as Web sites and anti-spam providers have utilized techniques such a CAPTCHA -- the challenge response tests found in many different online applications that ask users to input characters planted into obfuscated image files -- to beat back unwanted bot-driven activity, so too will spammers utilize AI to create seemingly endless variations on their message campaigns to circumvent the latest filtering tools, the experts said in their report.

CAPTCHA is an acronym for "completely automated public Turing test to tell computers and humans apart," a concept named after Alan Turing, the English mathematician referred to by some as the father of modern computer science.

"The notion with CAPTCHA is that computer bots and other programs can't efficiently process the image, that they can't deduce the words in the image, and that's the same thing that spammers are doing today to defeat traditional filters," said Dr. Chenxi Wang, one of the analysts who authored the research.

"People have devised new filters that use technologies such as optical character recognition that has curtailed the spread of image spam," said Wang. "Unfortunately image spam is only one type of AI problem, and spammers have many they will use in the future; this only the beginning of an arms race."

Just as CAPTCHA has largely foiled the ability of scammers to game online registration and transactional systems, spammers will be able to use a nearly endless variety of techniques to avoid the latest and greatest message filtering tools, the analyst said.

Without a major breakthrough in AI research, Wang said, there is "no way we can bridge the gap" with the number of methods that spammers will be able to use to keep their schemes humming along.

Among the types of methods that spammers are already employing to beat existing image-filtering tools are spam campaigns that use distorted and obfuscated text images, graphic pictures, and audio and video files.

To fight spammers over each type of content will be a losing battle, Wang said, recommending that customers and technology providers instead focus on monitoring messages for fundamental properties exhibited by each flavor, such as the links to malware sites that most of the e-mails carry.