Buy Today!
Book Cover
The Music Video
You've got to see it to believe it: Check out the "Mister Spam Man" video at YouTube.
Search Dispatches
Archives
May 2019
March 2019
August 2018
July 2018
June 2018
May 2018
April 2018
December 2017
November 2017
September 2017
August 2017
July 2017
February 2017
March 2016
January 2016
November 2015
May 2015
April 2015
February 2015
January 2015
December 2014
November 2014
October 2014
September 2014
April 2013
February 2013
January 2013
December 2012
September 2012
August 2012
July 2012
June 2012
May 2012
April 2012
March 2012
February 2012
January 2012
December 2011
November 2011
October 2011
September 2011
August 2011
July 2011
June 2011
May 2011
April 2011
March 2011
February 2011
January 2011
December 2010
November 2010
October 2010
September 2010
August 2010
July 2010
June 2010
May 2010
April 2010
March 2010
February 2010
January 2010
December 2009
November 2009
October 2009
September 2009
August 2009
July 2009
June 2009
May 2009
April 2009
March 2009
February 2009
January 2009
December 2008
November 2008
October 2008
September 2008
August 2008
July 2008
June 2008
May 2008
April 2008
March 2008
February 2008
January 2008
December 2007
November 2007
October 2007
September 2007
August 2007
July 2007
June 2007
May 2007
April 2007
March 2007
February 2007
January 2007
December 2006
November 2006
October 2006
September 2006
August 2006
July 2006
June 2006
May 2006
April 2006
March 2006
February 2006
January 2006
December 2005
November 2005
October 2005
September 2005
August 2005
July 2005
June 2005
May 2005
April 2005
March 2005
February 2005
January 2005
December 2004
November 2004
Dispatches RSS Feed
Powered by Movable Type 3.121
Home The Book Training Events Tools Stats
Web log archive.
A Dispatch

« Loan/419 Hybrid | Main | Idiot Italian Spammer »

March 23, 2006

Images in Email Messages

Spam Wars, and just about every article on the subject, recommends turning off the display of images in your email client and in Web-based email preference settings. This choice prevents automatic retrieval of an image from possibly confirming your email address to the spammer (if the image download is coded with what are often called "web bugs"). Even if you're set up to avoid image downloading, you may be wondering how an image sometimes appears in a spam message, and what kind of risk such an image offers.

Depending on how you view your email, you may not even know that such an image is embedded in the message—it arrives as a portion of the data comprising the entire message. My Microsoft Entourage (Macintosh) email client indicates in the list of incoming messages that such messages have one or more attachments. Over at Comcast Web-based email, however, awaiting message lists do not signify attachments of any kind until you open the message—and then only if you've set your Display preferences to "List HTML as an attachment only," a choice that probably confuses lots of non-techy users.

Although it takes a little more work for themselves, it appears that an increasing number of spammers like embedding graphics in their messages. The graphics are typically of text—text that cannot be searched and filtered for spammy words and phrases. Because the graphically-represented text isn't searchable or scannable, spammers are free to use the real spelling of "Viagra," pump-and-dump stock scam phrases, and the true names of human body parts. Moreover, if the recipient retrieves the message on a laptop computer and disconnects from the Internet, the message will display the images with the computer off the grid.

The following screen shot shows a pirate software spam message that has both self-embedded images and links to downloaded images from amazon.com. Because I have automatic image retrieval turned off, the amazon.com images are shown only as placeholders:

Email message with embedded images

(If you are interested in how images ride along in the source code of an email message, Spam Wars offers a gentle introduction to the subject of email content types and multi-part messages. This knowledge helps demystify the gobbledygook you'd see if you inspect the source code of such a message.)

Spammers who use this technique and appreciate the need for speed at least try to compress the images to be as small as possible. The smaller the total size of the message, the more messages can be sent per second (through zombie PCs around the world). Note, for example, that the four embedded images of the message shown above occupy less than 11 kilobytes. The entire header, message content (including some meaningless text-only content offered to help bypass content filters), and attached images come to less than 17,000 bytes. Contrast that with a jumbo message from a different—and absolutely clueless—source that contained six images ranging in size from 140KB to 482KB—a message total of nearly 1,500,000 bytes. (Ironically, this tubby message from Hong Kong was selling accessories for GSM mobile phones, which, if used to receive the message might blow up in the recipient's hand.)

The question remains: How safe are these kinds of embedded images?

If the data is genuinely that of an image, the act of rendering the image should not be giving away any identifying information about you. With respect to malware, before late December 2005, I would have said such embedding would be harmless. But 'round about that time, the Windows Metafile vulnerability reared its ugly head. Without getting too technical about it, this vulnerability could potentially allow the rendering of an attached image (of a particular type) to grant external access and control of your PC to a Bad Guy. Microsoft came forward with a patch, but the discovery of this flaw (as well as others on more than just the Windows platform) makes me uneasy. It reinforces the fact that even things that seem safe may contain as-yet undiscovered vulnerabilities that could put users at risk if Bad Guys find the holes and instantly spam the world (a "zero-day" exploit) with "harmless" messages that ultimately take over your machine.

The problem with succumbing to that level of paranoia is that it makes email nearly impossible to use. Not all spam or viral email is easily identifiable from just a Subject line. If you use Web mail, you may not have the ability to scan the source code of the message without first viewing the message. Despite the comparative difficulty that popular email clients often present to view the source code, it is still the safest way to examine a message for spam potential, allowing you to delete it without exposing you or your computer to any harm. It is my standard practice with any unexpected or manifestly unidentifiable incoming email message.

Spammers and malware authors like to take advantage of defaults and convenient operating behaviors that open doors for their tricks. Knowing this, I don't mind the little extra effort I expend to handle all suspicious (i.e., unknown) email. Unfortunately, most users aren't even aware of the potential dangers arriving daily in their inboxes.

Posted on March 23, 2006 at 05:02 PM