Covering the global threat landscape

Bye bye OCR?

February 2007

The end of 2006 and beginning of 2007 brought a completely new development in stock spam.

The usual technique used in 'pump-and-dump' scams were, and still are, text-based emails with a lot of additional junk text to confuse statistic filters.

In November 2006 we saw the so-called 'spam art', with messages such as that shown below - random coloured shapes on a coloured background with text written in waves.

Apparently, this was not effective enough against the OCR (optical character recognition) engines included in anti-spam products - or maybe the images were too easily detected because of their large size. So the spammers came up with something simpler, but more effective: images containing text diagonally written text, where each character is a little twisted.

The images are between 10 and 17 KB in size, almost half of the size of the traditional 'spam art' images, and each with different dimensions (meaning that there is no opportunity to train a spam filter to detect the messages using the width and height of the images).

There are also other emails from the same spam category, which contain groups of coloured lines in the background:

This technique is used both to obfuscate the text even more and to make the creation of new, unique images very easy (considering that anti-spam tools are continually analysing size, histogram, pixels distribution and colour).

The complete set of stock spam is very well generated and it varies sometimes more than once a day. It is becoming increasingly interesting to monitor the levels of stock spam we see, as well as the proportion of total spam that is stock spam.

Sorin Mustaca, Avira