Proceedings of the 2013 Internation

Proceedings of the 2013 International Conference on
Pattern Recognition, Informatics and Mobile Engineering (PRIME) February 21-22
978-1-4673-5845-3/13/$31.00©2013 IEEE
A Study on E-mail Image Spam Filtering Techniques
S. Dhanaraj
Department of MCA
Sree Saraswathi Thyagaraja College
Pollachi, India
sdhanaraj@yahoo.co.in
Dr. V. Karthikeyani
Department of Computer Science
Thiruvalluvar Government Arts College
Rasipuram, India
drvkarthikeyani@gmail.com
Abstract—Spam filters are the most used software tool used by
businesses and individual to block spam mails entering into their
mail boxes. Until recently, majority of research effort was
expended on controlling text-based spam emails. However, the
past few years have envisaged a novel approach, where the
spammers embed the text message into an image. Thus, the antispam
filtering research is forced to move from text-based
techniques to image-based techniques. Spam and the spam
blockers designed to combat it have spawned an upsurge in
creativity and innovation. Many software developers are
developing new and every more effective spam filtering software.
All the methods have a common dream that is to eliminate 100%
of the spam, which is still not a reality. To reduce the gap
between this reality and dream, researchers have proposed many
different types of spam filters and this paper provides a review of
them.
Keywords- Spam Filter; Anti-Spam; Image Spam; spam filtering;
Anti-Spam Techniques
I. INTRODUCTION
More than 500 million people in the world have Internet
access and the popularity of email technology has grown
rapidly in recent years. Initially, introduced as a simple
electronic communication tool, e-mail has outgrown its origin
and become an irreplaceable tool in the today’s
communication. According to [37], 94% of US Internet users
have gone online and sent or read email till May, 2010. The
same source suggests that 62% do this as part of daily
activities. Another report [51] reports that there are 2.9 billion
email accounts in 2010 and is expected to rise to over 3.8
billion by 2014.
Along with the growth in email usage, as an unwanted side
effect, viruses, worms and spam (unsolicited mail) have also
increased over time. Spam and fraudulent e-mail messages are
major issues for Internet users and businesses of all sizes.
Companies are being forced to commit significant resources to
protect their messaging infrastructure and their brand from
these abuses. Spam was once just an annoyance, but it has now
become the tactic of choice for online deception, fraud, and
abuse. The freedom of communication is being misused and
has become a threat to e-mail communication society.
According to Brightmail [6], the percentage of email that
is spam is growing consistently and considerably. Similar
findings are also reported by another famous antivirus vendor,
McCafe, in McAfee Threats Report: Third Quarter 2009.
According to this report, spam emails have risen by more than
10 per cent during 2009 when compared to 2008 and spam as a
percent of total email volume is more than 92 percent during
the same year. This statistics is expected to grow in
forthcoming years, which stresses the fact that threats to email
communication are increasing at a massive and unchecked
pace.
As a solution to the spam problem, several filters were
developed to detect or prevent text-based spam mails and are
reported to be quite successful in their implementation. Now-adays,
to bypass text based anti-spam filters, some spammers
put their spam content into images (i.e. spammers embed text
such as advertisement text in the images) and attach these
images to emails. The anti-spam filters that analyze content of
email cannot detect spam in images [13]. The spam mails
embedded with images are termed as “image spam”. Image
spam is an obfuscating method in which the text of the
message is stored as a GIF, JPEG, BMP or PNG image and
displayed in the email. This prevents text-based spam filters
from detecting and blocking spam messages. Moreover, the
recent image spam mails contain animated GIF, which again
proves to be a challenge to the existing spam solutions.
Image spam is a phenomenon that appeared during 2005
and by the end of 2006, over 50% of total spam received was
image spam. Image spam forms around 12.87% of total email
spam which forms around 87.56% of all email [26]. A great
deal of on-going research is trying to resolve the image spam
problems. This paper reviews and discusses some of the
research works done in the field of image anti-spam filters,
which detect and prevent image spam into entering the inbox.
The remaining sections of the paper are organized as follows.
Section 2 gives a brief overview to the concept behind image
spam. Section 3 discusses the various proposed image spam
filtering techniques. Section 4 presents the various performance
parameters used to analyze spam filters. Section 5 consolidates
the work with future research directions.
II. IMAGE SPAM – AN OVERVIEW
The action of sending unsolicited commercial messages in
bulk quantity with obtaining explicit permission or desire of
the recipients is defined as ‘Spamming’. The type of spam
depends on the medium of communication it is applied on.
Examples include email spam, instant messaging spam (spim),
Usenet newsgroup spam, web search engines spam, web log
spam and mobile phone messaging spam. There are two basic
2013 International Conference on Pattern Recognition, Informatics and Mobile Engineering (PRIME) 50
forms of email spam, Text-based spam mails and Image-based
spam mails. Text-based spam mails are emails, consisting of
text only message to convey the sender’s information. Imagebased
spam are mails where the spammer’s message is sent in
the form of a graphic or an image and will be in human
readable format. In this paper, “spam” refers to “image spam”
and “ham” refers to “legitimate mail”. Ham mail can be
defined as every email not considered as spam.
Image spam is a technique that spammers use to avoid
anti-spam algorithms. All image spam mails follow a common
pattern and have a content-free characteristic. It is estimated
that maximum of the image spam emails are used to advertise
products or services [27], cheat users (either stealing private
information or deliver malicious software) or cause
temporarily crash of mail servers. An image spam email is
formatted in HTML, which usually has only non-suspicious
text with an embedded image (sent either as an attachment or
via the use of self referencing HTML with image data in its
payload). The embedded image carries the target message and
most email clients display the message in their entirety. Since,
many ham emails also have similar properties (using HTML,
carrying embedded images, with normal text) as image-based
emails, existing spam filters find it difficult to distinguish
between image spam and image ham.
A. Types of Image Spam
The Spammer’s Compendium provides a compilation of
spammer techniques collected and classified by a community
of volunteers. According eight classes were identified,
namely, text-only images, sliced images, randomized images,
color modified images, gray images, wild background images,
multi-frame animated images and stock splits [10]. Text-only
images appear like a normal text email but in reality, is an
image. Sliced images use multiple images combined like a
jigsaw puzzle [3]. A spammer usually alters individual pixels
in the image that is difficult to distinguish from the original
image. Due to the randomization of the pixels, each an
iteration of the image will appear completely different to many
image spam filters and are termed as randomized images. Due
to the unlimited flexibility in the number of colors and fonts,
image spammers change the properties of their images
resulting in new pixel locations and identifiers and these
images are called color modified images.
Gray email is a spam image that could reasonably
considered either spam or ham. Handling gray emails is very
important issue because they resemble natural gray scale
images and should be addressed in spam filtering systems. In
wild background images, spammers use high colored and
patterned backgrounds, uneven letters, and randomly inserted
pixels around the border, which makes it unique and hard to
read by any software attempting to use Optical Character
Recognition (OCR). Spammers send multiple frames
containing an animated GIF image with their message. The
frames rotate at a faster rate so that a human eye cannot detect
the animation but only watch the final result and are called
multi-frame animated images. Stock splits are a new type of
image introduced by spammers during 2006, where the
original image is split into multiple images, which are
reassembled only when the message is opened. This makes it
difficult for the filters and image scanning software to detect
them.
B. Types of Spam Content
According to [41], there are eleven categories of spam,
namely, products advertisement, financial, adult, Internet,
health, scams, leisure, fraud, political and spiritual.
Email attacks offering or advertising general goods and
services are termed as product advertisement spam. Email
attacks that contain references or offers related to money, the
stock market or other financial opportunities are called
financial spam. Adult spam are emails that contain or refer to
products or services intended for persons above the age 18,
often offensive or inappropriate. Internet spam are mail that
specifically offering or advertising Internet or computer
related goods and services. Another type of spam attack is the
health spam, which offer or advertise health related products
and services. Email attacks recognized as fraudulent,
intentionally misguiding or known to result in fraudulent
activity on the part of the sender are termed as Scams. Email
attacks offering or advertising prizes, awards or discounted
leisure activities are Leisure spams.
Email attacks that appear t