Archive for September, 2009
Why worry about image spam if you have greylisting?
Sep 21st
MessageLabs recently reported an image spam déjà vu, with image spam reaching a new peak in May 2009, and warned that users with outdated spam filters might be the victims of this new wave. Image spam is where spammers place their spam message in an embedded image within the email, thereby bypassing filtering solutions based on Bayesian filtering and heuristic filtering, because the email does not contain any text to scan. Image spam first appeared in 2006 and enjoyed considerable success. Anti-spam vendors quickly created new techniques to block this kind of spam, including optical character recognition (OCR) scanning of the text in the image. The effectiveness of this was short-lived, since spammers started to obfuscate their images by adding background noise and blurred text, rendering OCR scanning useless. Spammers also easily defeated anti-spam solutions that relied on a database of known spam images by slightly adjusting the image in each spam mail. According to the MessageLabs report, we are now seeing a new type of image spam where the image is not embedded within the email at all; the email instead contains a link to a remote image on a website. It further warns that ‘it is notoriously difficult for traditional anti-spam techniques to safeguard against this type of image spam’.
Should we be worried by this new image spam? The answer is: no, not at all. That is, if you are using a spam filter that uses greylisting. You will not even have to continually upgrade your system to ward off the latest spammer invention; greylisting will continue to happily block tried and tested spam methods as well as new, nifty spamming ways. Instead of trying to analyze each different type of spam message and heavily interpret images using resource-intensive OCR methods, anti-spam filters must deploy more universal methods that deal with any type of spam, whether that is ‘normal’ spam, image spam, PDF spam or Excel attachment spam. Greylisting is a universal approach that can block any type of spam (and even viruses), and is very difficult for spammers to circumvent.
So what is greylisting? Greylisting blocks spam and viruses by temporarily rejecting initial emails from new (non-whitelisted) senders for one minute. Legitimate emails will still get through, but spam messages will not. This is because, unlike spam engines and zombie machines, regular mail servers resend their messages after a temporary rejection. Spammers simply cannot afford to resend their messages. If they did, it would take much longer to send out their spam. The longer it takes to send out spam, the higher the chance that their domain is added to a blacklist, effectively blocking all their spam from that point onwards. This is also why it is highly unlikely that spammers will start resending their mails to bypass greylisting; there simply is not enough time to resend emails before the spammer is blacklisted.
Granted, greylisting does have its disadvantages: emails from new senders are slightly delayed (usually not more than a couple of minutes, but it does depend on how long your greylisting system waits until it accepts a resend), and in rare instances the initial rejection can trigger a ‘delivery delayed’ notification to the sender, making the sender think that the message was not delivered. The sender will then usually resend the message, with the result that you might receive two identical messages. Since this only happens very occasionally, it really does seem a small price to pay for a clean inbox. For more information on greylisting: http://www.greylisting.org/.
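To make the mechanism in the two paragraphs above concrete, here is an added example of a minimal greylisting decision engine. It is not code from the original post or from any product; it follows the common design of keying on the (client IP, envelope sender, envelope recipient) triplet, answering a first contact with a temporary SMTP failure, accepting a retry once the configured delay has passed, and then remembering the triplet so later mail from that sender is not delayed again (which is what keeps the delay described above to a one-off). The 60-second delay is the post's "one minute"; the four-hour retry window, the reply strings, the IP addresses and the simulated delivery attempts are assumptions constructed for the demo.

```python
from dataclasses import dataclass, field

# SMTP reply codes (assumed wording): a 4xx reply is a temporary failure that a
# compliant mail server queues and retries; spam engines usually just move on.
TEMP_FAIL = "451 4.7.1 Greylisted, please try again later"
ACCEPT = "250 OK"


@dataclass
class Greylister:
    delay: int = 60                   # seconds a new triplet must wait before a retry is accepted
    retry_window: int = 4 * 3600      # assumed: seconds a pending triplet stays valid
    whitelist: set = field(default_factory=set)      # client IPs accepted without delay
    first_seen: dict = field(default_factory=dict)   # triplet -> time of first attempt
    passed: set = field(default_factory=set)         # triplets that have proven they retry

    def check(self, client_ip, mail_from, rcpt_to, now):
        """Decide the SMTP reply for one delivery attempt at time `now` (seconds)."""
        triplet = (client_ip, mail_from.lower(), rcpt_to.lower())
        if client_ip in self.whitelist or triplet in self.passed:
            return ACCEPT
        seen = self.first_seen.get(triplet)
        if seen is None or now - seen > self.retry_window:
            # First contact (or a stale record): remember it and ask for a retry.
            self.first_seen[triplet] = now
            return TEMP_FAIL
        if now - seen < self.delay:
            # Retried before the delay expired: keep deferring.
            return TEMP_FAIL
        # A retry after the delay is mail-server-like behaviour: accept and
        # auto-whitelist the triplet so future mail from it is not delayed.
        self.passed.add(triplet)
        return ACCEPT


def simulate(attempts, greylister):
    """Feed constructed delivery attempts (time, client_ip, mail_from, rcpt_to)
    through the greylister and return the reply for each, in order."""
    return [greylister.check(ip, mf, rt, t) for (t, ip, mf, rt) in attempts]


def run_demo():
    """Constructed scenario: a real mail server that retries, a whitelisted
    partner, and a spam bot that never retries the same message."""
    gl = Greylister(whitelist={"203.0.113.5"})
    attempts = [
        (0,   "192.0.2.10",   "alice@example.org",  "bob@example.com"),  # legit, first contact
        (5,   "203.0.113.5",  "news@partner.test",  "bob@example.com"),  # whitelisted sender
        (10,  "198.51.100.7", "x1@spam.test",       "bob@example.com"),  # bot, first contact
        (15,  "198.51.100.7", "x1@spam.test",       "bob@example.com"),  # bot retries too early
        (20,  "198.51.100.7", "x2@spam.test",       "bob@example.com"),  # bot rotates sender: new triplet
        (300, "192.0.2.10",   "alice@example.org",  "bob@example.com"),  # legit server's queued retry
        (900, "192.0.2.10",   "alice@example.org",  "bob@example.com"),  # next message, no delay
    ]
    return simulate(attempts, gl)


if __name__ == "__main__":
    for reply in run_demo():
        print(reply)
```

Running the demo shows the property the post relies on: the only attempts that reach `250 OK` are the whitelisted sender and the legitimate server's retry (plus everything it sends afterwards), while the bot's three attempts all stay deferred because none of them is a retry of the same triplet after the delay. The two tunables, `delay` and `retry_window`, are exactly the knobs that decide how long a first-time sender waits and how long a pending record survives.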