Websense.com / Security Labs / Blogs / Spammers Switching Tactics: "Table Painting" Spam

Archived Blog

Spammers Switching Tactics: "Table Painting" Spam

07.21.2008 - 11:32 AM

Spammers' efforts to reach their prospective customers continue today with increased creativity and complexity in constructing and generating different arts, styles, images, and other elements trying to bypass anti-spam filters. We have been monitoring recent spammer tactics that use cleverly arranged tables in HTML for spamming purposes. It is interesting to observe how spammers improve their tactics every time by switching, combining, and tweaking or enhancing these tactics to send out mass mailings. The entire strategy can be seen as a continuous cycle where every stage is an emerging trend or an execution phase inherited from the previous cycle(s).

In the past, we have seen spam techniques that used standard ASCII characters to draw out a text message. This technique, known as 'ASCII Art', consisted of pictures pieced together from the printable characters defined by ASCII standards. Another technique used in past involved characters scattered into table cells and carefully aligned using colspan and rowspan together to display words on an HTML page. Hence there are no straightforward readable words, but many bits and pieces of text characters in the HTML code.

Websense has observed recent attacks where these two techniques have been combined to create HTML tables with colored rows and columns to "paint" the text messages.

Screenshot 1: Spam samples:

Screenshot 2: Spam source code:

The sequence of colored rows and columns displaces the need for obvious spam textual content within the body of the email, bypassing some content filtering layers. However, creating such a large volume of HTML code to display relatively little content causes the spam message to have a physical size of over 100 KB, and can easily be learned by anti-spam solutions due to the limited variations in creating these tables.

While some of the spammers are busy harvesting email addresses to be used or sold later on, others are coming up with creative and artistic elements and content for spamming. For spammers, it is not only a marketing business online to occupy the network traffic but also improve their mass-mailing business to reach customers. Therefore, it is able to continue to provide a high level of detection, even with spam of this nature, providing enhanced protection to Websense customers.

Security Researchers: Elson Lai, Sumeet Prasad

 

Bookmark This Post: