Animated GIFs in spam

In the last week or so I started receiving animated GIFs in spam messages, with the first frame of the GIF being mostly blank and only subsequent frames having the spam message. I guess this means at least some anti-spam products use OCR to decode the image into text, in order to catch image-based spam in emails, and that the spam writers are trying to bypass this restriction by using animated GIFs.

Seems a bit silly from the spam writers perspective, though. Doing OCR to images is a real big step – decoding animated GIFs is trivial in comparison. I think the R&D director of the spam writers (are you reading my blog?) should concentrate the development efforts in other directions, not by trivially improving filtering evading techniques. By the way, if you’re doing R&D for the spam companies and decide to take my advice, take this advice too: try BASE jumping without a parachute. It’s great.

In any event, my bogofilter catches all of those spam messages, without exception. In fact, I get very little spam in my inbox these days (maybe one or two per day out of hundreds of mails that are filtered on my mail client, and this is after about 50% of the spam caught and deleted by our mail server).

The main way to achieve this was by changing my strategy. Previously, I was trying to get zero false positives (real mail dumped into my spam folder). Whatever happens, I though, I can’t risk having real mail go to my spam folder. Now, I decided my goal should be to get to the lowest possible false positive and false negative rates. This means there are a few spam mails in my inbox every day, and a few (usually 1 or 2) real mail messages in my spam folder.

True, I need to go over hundreds of spam messages per day to see if there are ‘real’ messages there, but I can do it on my own schedule (i.e. once a day) rather than constantly fighting incoming spam. It’s also much faster and easier to go over hundreds of emails just once a day, than it is to go over dozens of emails every hour or so.

I think that the main change that caused me to be forgiving about false negatives was that in this day and age mail servers bounce mail without warning, spam filtering software throw away messages without sending back notifications and people generally hit the ‘delete’ button more quickly than they used to. Telling someone you didn’t get their email is not like telling them you did not get their Fedex package (though I still remember the time when it used to!). But the bottom line is that spam doesn’t seem to be a problem for me anymore; I even put back the incoming mail notification since email in my inbox is now almost always actual email.

Share
  • Fight!

    Antimated?!

    You mean Animated? AntiMated :)

  • http://www.BeyondSecurity.com Aviram

    I guess I was trying to get into Juha-Matti’s next report about mispellings in google’s index

    Thanks for catching the typo ;-)

  • foQ

    I’ve seen a couple of those, too. I figured the same thing you did and wondered if the spammers animated the gif files with the content in the middle image because of the way the OCR software in spam filters reads them. For example, I know in some applications, only the first or last frame of the animated gif is displayed, because the software author didn’t anticipate animated gif files.

    I recently read a blog post about a spammer using an animated gif that had single frames inserted for subliminal messages. Pretty funny, but it seems like it might be a good technique to use on a singles website….

  • http://www.serki.com inşaat

    i use animated captcha in my website form and spam bots can not send any spam with my page

  • http://www.garantikoza.com.tr inşaat garanti koza

    Expression was very nice thank you;)

  • http://www.sahibimolurmusun.com sahibinden

    respect for labor ;)

  • http://www.kozaevleri.com/ bahçesehir

    I guess I was trying to get into Juha-Matti’s next report about