My Latest Anti-Spam Solution
Sunday, 14 March 2021
In the nine years that I've been running FotoForensics, I've seen lots of different kinds of service violations. People using the public site for private commercial purposes (no commercial use on the public site), fake IDs for human trafficking (no IDs on the public site), fake ATM receipts for widespread fraud in Indonesia (no bank information on the public site), someone in China who wanted to upload hundreds of carpet patterns (no bulk uploading), Google trying to upload every picture from Imgur (no bulk and no automated uploading), etc. Each has required different solutions to stop these abuses. (I interpret an "abuse" as anything that is directly prohibited by the terms of service.)
There's one kind of problem that I really expected to see years ago, but just turned up last week: spam. When someone sends a spam email, they include content promoting a fake offer or troll for customers using unsolicited contact methods. Many spam filters look for common spam methods, such as:
- Word lists. Words commonly associated with spam are flagged. Words and phrases like "viagra", "act now", "apply online", "free", and "opt-out" immediately make an email look suspicious. If your email contains too many suspicious words, then it will probably go into the spam bucket.
- Misspellings. To get around the word filters, spammers often use bad spelling or similar-shaped letter substitutions. Instead of writing "viagra" or "free", they might write "viiagra" and "freе". (The word "free" may look normal, but the first "e" is the ordinary Latin letter and the second one is the Cyrillic letter "е". If the text parser looks for the letters "f-r-e-e", then it won't see it.) Many spam filters look for spelling errors and common character substitutions.
- Pictures. Rather than having text, which is easy for a spam filter to search, some spam messages include a picture of text. Text-based spam filters will skip over the picture. With SpamAssassin and other anti-spam filters, an email that only includes pictures -- with no text -- is flagged as suspicious. In addition, anti-virus systems may remove attachments (including pictures) as a security precaution.
- Links to pictures. Rather than including pictures as attachments, the spammers might upload their picture-of-text to an image hosting service, and then send spam that uses HTML to link to the picture. There's little or no text for a text-based filter to search, no attachments to remove, and nearly all modern mail systems support HTML as the body of the message. However, the spammer needs a web site that can host their picture for the duration of their email campaign.
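As an added illustration (not code from the original post), here is a small Python filter that applies the word-list and misspelling rules above: it folds a short, constructed subset of Cyrillic look-alike letters to Latin, collapses doubled letters so "viiagra" compares equal to "viagra", and also reports any word that mixes Latin and Cyrillic letters, which is a signal in its own right. The confusables table, the phrase list and the sample text are assumptions chosen for the demonstration.

```python
import re
import unicodedata

# Constructed subset of Unicode confusables: Cyrillic letters that render like Latin ones.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",
    "\u0410": "A", "\u0415": "E", "\u041e": "O", "\u0420": "P",
    "\u0421": "C", "\u0425": "X", "\u0423": "Y", "\u0406": "I",
}

# Assumed phrase list; a real filter would carry a much longer, weighted one.
SPAM_PHRASES = ["viagra", "act now", "apply online", "free", "opt-out"]


def fold_confusables(text):
    """Apply NFKC (fullwidth letters etc.), then map look-alike Cyrillic letters to Latin."""
    text = unicodedata.normalize("NFKC", text)
    return "".join(CONFUSABLES.get(ch, ch) for ch in text)


def squeeze(text):
    """Collapse runs of the same letter so 'viiagra' and 'viagra' compare equal."""
    return re.sub(r"([a-z])\1+", r"\1", text)


def canonical(text):
    """Canonical form used on both the message and the phrase list."""
    return squeeze(fold_confusables(text).lower())


def mixed_script_tokens(text):
    """Words that mix Latin and Cyrillic letters: a strong homoglyph-substitution signal."""
    out = []
    for tok in re.findall(r"\w+", text):
        scripts = {unicodedata.name(ch, "?").split()[0] for ch in tok if ch.isalpha()}
        if {"LATIN", "CYRILLIC"} <= scripts:
            out.append(tok)
    return out


def suspicious_phrases(text, phrases=SPAM_PHRASES):
    """Phrases from the list that occur in the message after canonicalisation."""
    canon = canonical(text)
    hits = []
    for phrase in phrases:
        if re.search(r"\b" + re.escape(canonical(phrase)) + r"\b", canon):
            hits.append(phrase)
    return hits


if __name__ == "__main__":
    # Constructed sample: doubled letter, Cyrillic 'е' in "free", Cyrillic 'о' in "now".
    sample = "Get viiagra fre\u0435 today, act n\u043ew!"
    print(suspicious_phrases(sample))   # ['viagra', 'act now', 'free']
    print(mixed_script_tokens(sample))  # ['freе']
```

Canonicalising both sides with the same function is what makes the comparison robust; matching the raw phrase list against canonicalised text would miss "free" (squeezed to "fre") and similar collapsed forms.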
Back in 2015, a French company tried to use FotoForensics for hosting their ads. This was likely done for bandwidth theft -- it's cheaper for them to use my bandwidth than their own. (I ended up swapping the pictures for them with a 'Prohibited' message.) In 2017, there was a 'forensics' app that just wrapped my online service with their program so that they could generate ad revenue. (I swapped out their images, too.)
And now? FotoForensics was just hotlinked by a spammer. He uploaded his pictures of text to FotoForensics, then sent out spam messages linking to the pictures.
Identifying the Use Case
I don't have a copy of the spam email; I was never sent a copy. (Or if I was sent a copy, it never got past my mail server's initial connection. It never reached the spam filter.) What I do have are the pictures of text and scam ads that were used in the email.
At FotoForensics, I have multiple trend detectors. One of them looks for pictures that are suddenly being accessed by a wide range of people. In this case, I had a handful of pictures that were uploaded by one person. Later, they were accessed by thousands of people -- triggering an alert. With these pictures, there were a lot of commonalities:
- None of the people were going to the analysis page. Instead, they were only accessing the source image. They were not interested in any analysis.
- Every time you click on a web page's link and go to another web page, or load a resource for the current page (e.g., images), your browser generates an "HTTP Referer" [sic] header. This field identifies the referring web page. For these specific suddenly-trending pictures, most of the referrers were unset. That usually happens if you type a URL in the address bar or select a URL from your bookmark list. However, it also happens with email. Email readers usually do not include referrers.
- A few of the HTTP requests did include 'referer' URLs. Every single one of them pointed to web-based email readers.
- While some user-agent strings identified web browsers, many identified email readers.
- Apply for our credit card. A picture-of-text ad offering a credit card. It was uploaded to FotoForensics on 2021-03-04 17:46:39 GMT by someone at 160.176.240.213 (in/near Tangier, Morocco) using Firefox 86.0 on Windows 8.1. According to the web logs, he uploaded the picture, grabbed the URL to the source image, and tested it from a different system within a few minutes. However, the picture was not used for spam until 2021-03-13.
- Terms and Conditions. A picture of text describing the visa card terms and conditions for a bank in Missouri. It was uploaded on 2021-03-04 17:48:17 GMT by the same person in Morocco.
- Bitcoin. Some kind of ad for bitcoin; it's in Swedish. Uploaded on 2021-03-04 17:59:50 GMT by a different IP address in/near Tangier, Morocco (160.177.222.131) using Chrome 88.0.4324.192 browser on a Mac 10.15. According to the web logs, the spam went out at 18:23:54 (about 25 minutes later) but didn't hit the popularity trigger until 2021-03-08. This suggests that the mass emailing was being caught by most spam filters.
- Lending for Bad Credit. Another spam ad. Again, uploaded on 2021-03-04 18:09:16 GMT by the person in Morocco (160.176.240.213).
- Ad information. A picture of tiny text from the spammer claims to be associated with a company in Kansas. Uploaded on 2021-03-04 18:09:43 GMT by the same person in Morocco.
- Ad with vegetables. This spammer uses a wide range of topics. Uploaded on 2021-03-11 18:01:41 GMT by a different network address in/near Tangier, Morocco (41.140.88.193).
- Win money from Willy's. Swedish spam ad for a contest. Uploaded 2021-03-11 18:15:23 GMT by the same person in Morocco (41.140.88.193).
(The IP addresses, timestamps, and browser information should be enough for a service provider to identify the individual behind the spam. Assuming someone wanted to take that route.)
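The commonalities listed above (raw image fetched but no analysis page visited, referrer unset or pointing at webmail, mail-reader user agents, many distinct clients in a short time) can be computed mechanically from ordinary web-server logs. The script below is an added Python example, not the FotoForensics trend detector. It assumes Apache combined-log lines, an /image/ path prefix for raw pictures and an /analysis/ prefix for analysis pages, a placeholder hostname, a small list of webmail hosts and mail-client user-agent markers, and a constructed sample log; the thresholds are likewise assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

OUR_HOST = "fotoforensics.example"   # constructed placeholder for the site's own hostname
WEBMAIL_HOSTS = {"mail.google.com", "outlook.live.com", "mail.yahoo.com"}   # assumed list
MAIL_UA_MARKERS = ("Thunderbird", "Outlook", "GoogleImageProxy", "YahooMailProxy")  # assumed

# Apache "combined" log format: ip ident user [time] "request" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def referer_host(ref):
    """Hostname of the Referer, or None when the header was absent ("-")."""
    return urlsplit(ref).hostname if ref and ref != "-" else None


def is_mail_client(ua):
    return any(marker in ua for marker in MAIL_UA_MARKERS)


def analyze(lines, window=timedelta(hours=1), min_ips=5):
    """Per raw picture: peak distinct clients in any window, referer/UA shares, analysis visits."""
    recs = [r for r in map(parse_line, lines) if r]
    analysis_ips = {r["ip"] for r in recs if r["path"].startswith("/analysis/")}
    by_image = defaultdict(list)
    for r in recs:
        if r["path"].startswith("/image/") and r["status"] == "200":
            by_image[r["path"]].append(r)
    reports = {}
    for path, hits in by_image.items():
        hits.sort(key=lambda r: r["ts"])
        peak, start = 0, 0                     # largest distinct-IP count in a sliding window
        for end in range(len(hits)):
            while hits[end]["ts"] - hits[start]["ts"] > window:
                start += 1
            peak = max(peak, len({h["ip"] for h in hits[start:end + 1]}))
        n = len(hits)
        no_ref = sum(1 for h in hits if referer_host(h["ref"]) is None) / n
        webmail = sum(1 for h in hits if referer_host(h["ref"]) in WEBMAIL_HOSTS) / n
        mail_ua = sum(1 for h in hits if is_mail_client(h["ua"])) / n
        analysed = sum(1 for h in hits if h["ip"] in analysis_ips)
        reports[path] = {
            "peak_distinct_ips": peak,
            "no_referer_share": round(no_ref, 2),
            "webmail_referer_share": round(webmail, 2),
            "mail_ua_share": round(mail_ua, 2),
            "viewers_who_opened_analysis": analysed,
            # Assumed rule: trending, almost no on-site referers, and nobody looked at the analysis.
            "email_distribution": peak >= min_ips and (no_ref + webmail) >= 0.8 and analysed == 0,
        }
    return reports


# Constructed sample log: one picture fetched by six mail readers, one viewed normally.
SAMPLE_LOG = """\
203.0.113.10 - - [13/Mar/2021:09:00:01 +0000] "GET /image/spam1.jpg HTTP/1.1" 200 48213 "-" "Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Thunderbird/78.8.0"
203.0.113.11 - - [13/Mar/2021:09:00:07 +0000] "GET /image/spam1.jpg HTTP/1.1" 200 48213 "-" "Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko Firefox/11.0 (via ggpht.com GoogleImageProxy)"
203.0.113.12 - - [13/Mar/2021:09:02:45 +0000] "GET /image/spam1.jpg HTTP/1.1" 200 48213 "https://mail.google.com/" "Mozilla/5.0 (Windows NT 10.0) Chrome/88.0"
203.0.113.13 - - [13/Mar/2021:09:10:30 +0000] "GET /image/spam1.jpg HTTP/1.1" 200 48213 "-" "Mozilla/5.0 (Macintosh) Safari/605.1"
203.0.113.14 - - [13/Mar/2021:09:15:12 +0000] "GET /image/spam1.jpg HTTP/1.1" 200 48213 "https://outlook.live.com/mail/" "Mozilla/5.0 (Windows NT 10.0) Firefox/86.0"
203.0.113.15 - - [13/Mar/2021:09:31:59 +0000] "GET /image/spam1.jpg HTTP/1.1" 200 48213 "-" "Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.13801)"
198.51.100.5 - - [13/Mar/2021:09:05:00 +0000] "GET /analysis/legit1 HTTP/1.1" 200 9120 "-" "Mozilla/5.0 (X11; Linux) Firefox/86.0"
198.51.100.5 - - [13/Mar/2021:09:05:01 +0000] "GET /image/legit1.jpg HTTP/1.1" 200 77110 "https://fotoforensics.example/analysis/legit1" "Mozilla/5.0 (X11; Linux) Firefox/86.0"
198.51.100.6 - - [13/Mar/2021:09:40:00 +0000] "GET /analysis/legit1 HTTP/1.1" 200 9120 "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/88.0"
198.51.100.6 - - [13/Mar/2021:09:40:01 +0000] "GET /image/legit1.jpg HTTP/1.1" 200 77110 "https://fotoforensics.example/analysis/legit1" "Mozilla/5.0 (Windows NT 10.0) Chrome/88.0"
"""

if __name__ == "__main__":
    for path, report in analyze(SAMPLE_LOG.splitlines()).items():
        print(path, report)
```

Run on the sample, /image/spam1.jpg is reported with six distinct clients, all requests lacking an on-site referer, half of them from mail clients and no analysis visits, while /image/legit1.jpg is not flagged. Counting distinct client addresses rather than raw requests matters: a single mail reader re-fetching a picture looks nothing like thousands of separate recipients opening it.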
Stopping Spam
As a service provider, I want people to upload pictures and share links for analysis. However, I don't want my service to be exploited by spammers. I decided to implement a simple set of rules to stop the spam:
- For these specific pictures, I no longer permit hotlinking. If the browser's referrer does not specify my server, then you cannot see the picture. However, if you visit the analysis page then the picture will display properly. This should stop the immediate spam problem.
  As an aside, this rule should be fun for the spammer since his browser has cached the URL's contents. As a result, he'll see the picture on his browser for any test spam messages he sends (making him think it's working). However, nobody else will see the pictures.
- I've added a trend detector to alert me when a picture is being distributed over email. If too many people access the email in a short period of time, then it's automatically blocked from hotlinking. This will make any kind of email mass distribution ineffective.
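The two rules above, written out as an added Python example rather than the post's own code: a referer gate that serves a protected picture only when the Referer header's host is the site's own, and a per-picture counter that protects a picture automatically once too many distinct clients fetch it without an on-site referer inside a time window. The hostnames, thresholds, picture paths and client addresses are constructed assumptions. The check worth noting is that the referer is parsed and its hostname compared exactly, not substring-matched, so a referer such as http://evil.example/?u=fotoforensics.example or a look-alike subdomain does not pass.

```python
from collections import defaultdict, deque
from urllib.parse import urlsplit

# Constructed placeholders for the site's own hostnames.
OUR_HOSTS = {"fotoforensics.example", "www.fotoforensics.example"}


class HotlinkGuard:
    def __init__(self, window_seconds=3600, max_clients=200):
        self.window = window_seconds        # assumed trend window
        self.max_clients = max_clients      # assumed distinct-client threshold
        self.protected = set()              # pictures that may no longer be hotlinked (sticky)
        self.recent = defaultdict(deque)    # picture -> deque of (timestamp, ip) off-site views

    def referer_is_ours(self, referer):
        """True only when the Referer's hostname is exactly one of ours.
        Parsing the URL defeats referers that merely mention our name in the
        path or query string, and look-alike hosts such as ours.evil.example."""
        if not referer:
            return False
        host = urlsplit(referer).hostname
        return host is not None and host.lower() in OUR_HOSTS

    def record_offsite_view(self, picture, ip, now):
        """Count distinct clients fetching the raw picture without an on-site referer."""
        q = self.recent[picture]
        q.append((now, ip))
        while q and now - q[0][0] > self.window:
            q.popleft()
        if len({addr for _, addr in q}) >= self.max_clients:
            self.protected.add(picture)     # rule 2: automatic hotlink block

    def decide(self, picture, referer, ip, now):
        """Return 'serve' or 'deny' for a request for the raw picture."""
        if self.referer_is_ours(referer):
            return "serve"                  # analysis page on our site always shows it
        self.record_offsite_view(picture, ip, now)
        if picture in self.protected:
            return "deny"                   # rule 1: empty response, broken image in the mail reader
        return "serve"                      # typed URLs and bookmarks still work until a trend trips


if __name__ == "__main__":
    guard = HotlinkGuard(window_seconds=600, max_clients=3)
    print(guard.decide("/image/a.jpg", "https://fotoforensics.example/analysis/a", "198.51.100.1", 0))
    print(guard.decide("/image/a.jpg", "", "203.0.113.1", 1))
    print(guard.decide("/image/a.jpg", "http://evil.example/?u=fotoforensics.example", "203.0.113.2", 2))
    print(guard.decide("/image/a.jpg", "https://mail.google.com/", "203.0.113.3", 3))   # third client: deny
    print(guard.decide("/image/a.jpg", "https://www.fotoforensics.example/analysis/a", "203.0.113.5", 4))
```

Once a picture is protected it stays protected even after the counting window empties; the deque only decides when the threshold trips. A picture that was never distributed by email is unaffected, so ordinary visitors who type or bookmark a URL still get the image, which is the balance the post describes.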
When I first saw how these pictures were being used, I banned the pictures. A 'banned' picture just shows a stick figure behind bars and the words "Content Prohibited". I did this because I didn't have a solution readily available. By this point, about 2,000 people saw the pictures embedded in spam emails. (That's a really low turnaround for spam.) After the ban, about 500 people saw my banned image icon.
I got to work and implemented the hotlink filter. This returns nothing (broken image link) for anyone who opens the spam email. Since deploying this filter, another few hundred people have seen the broken image icon.
I'm not too surprised that this spam came from someone in Morocco. I have a small list of problematic countries, where a majority of uploads violate the terms of service at FotoForensics: Russia, Ukraine, Indonesia, and Morocco. I recently banned all of Russia from using FotoForensics. If the spammer in Morocco keeps it up, he'll get his entire country banned, too.
Well sometimes most of them just abuse without thinking. I'm truly sorry 🙏