Shifting Images In Spam Email

Have you ever noticed that the junk mail containing embedded images seems to keep getting past your filters? A trick that is being used by spammers and junk mail dorks is Spam Image Shifting. The concept is very simple, yet fairly effective.

The embedded image is a large block of code in the raw email message. The raw code contains the information to instruct your email browsers how to display the pixels. Filters don’t look at the image, since they obviously don’t have human eyes. Filters interpret the code and look for patterns. This is a version of IDS (Intrusion Detection System), but devoted to email filtering. Your spam and junk filter may be looking for trends in the message code, which it sees as the raw block of code and characters.

Bypassing the junk and spam filters is not difficult, if the filter is looking for a pattern in the raw code. By shifting the image content around inside the “image area,” the raw code is altered. The text and objects in the image can also be shifted, thus altering the raw code even more. The programmer who designs such a system for junk image emails would define parameters for allowable shift areas and boundaries, ranges of allowable colors, and other rendering definitions such as fonts and sizes.

There is not a human dork creating the images in this situation. There is a computer rendering random variations of the same information and similarly generating fake FROM email addresses. Your email filter is therefore impacted with a list of emails all from different email addresses, different IP Addresses, with different subjects and to addresses, and finally… different raw image code. Unles your email filter is dynamic enough to see trends across numerous emails through time, you will likely see this junk and spam email show up in your browser. Needless to say, NEVER click on any of these emails, never allow your browser to load images globally, and never ever click the UNSUBSCRIBE links at the bottom… they all lead to increased mail into your inbox.

Leave a Reply