The original image-based spam embedded images in email messages; however, it’s even simpler, and more effective at fooling anti-spam engines, to embed references to images in the HTML code of a message. This means that the source code of the message pulls an image from a remote server, assuming the reader is connected to the Internet. So where do spammers store these images? Sometimes on their own sites, sometimes hidden in hacked legitimate sites, and sometimes even under legitimate users on legitimate image-storing sites like… you guessed it, Flickr. In some cases spammers take advantage of dormant Flickr sites and compromise them, or else they simply open up their own Flickr sites.
Here’s an example of one spammer’s Flickr account, with the images he has uploaded this month so far:
And here’s a sample of one of the images (most contained too many exposed body parts to display here…):
Notice how the spammer has incorporated noise into the background of the image, and has several versions of the same image. These are all tricks to bypass anti-spam defenses when the images are embedded within the body of the email message, but these tricks are not necessary when the image is hosted on a web site.
The main deception used in the message to bypass email filtering engines is the use of Hotmail content in the source of the message, the same trick that I described back in January. In the sample written about a few weeks back, the images were hosted on a random site; the main difference in this new message is that the image is hosted on Flickr.
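The difference between an image embedded in a message and an image merely referenced from a remote host can be seen by parsing the message's HTML part. The following is an added example, not code from the original post: the function name `classify_images`, the sample message and every host name in it are constructed for illustration.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message, not real spam; all hosts are placeholders.
SAMPLE = """\
From: sender@example.com
Subject: constructed sample
Content-Type: text/html; charset="utf-8"

<html><body>
<img src="http://images.example.net/photos/1234.jpg">
<img src="cid:part1.0001@example.com">
<IMG SRC='//static.example.net/a.gif' width=1>
</body></html>
"""

class ImgCollector(HTMLParser):
    """Collects the src value of every <img> tag, whatever its letter case."""
    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag == "img" and src:
            self.srcs.append(src.strip())

def classify_images(raw):
    """Split image references in HTML parts into embedded vs remotely hosted."""
    msg = email.message_from_string(raw, policy=policy.default)
    out = {"remote": [], "embedded": []}
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        collector = ImgCollector()
        collector.feed(part.get_content())
        collector.close()
        for src in collector.srcs:
            url = urlparse(src)
            if url.scheme in ("cid", "data"):   # image travels with the message
                out["embedded"].append(src)
            elif url.hostname:                   # image is fetched from a remote server
                out["remote"].append(url.hostname)
    return out
```

The list of remote hosts is an input to further checks rather than a verdict, since the images in this case sat on a legitimate image-storing site.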
Incidentally, I reported this to Flickr yesterday using their “Spam-o-rama” support subject (I guess they are used to this ;), and they responded in under 24 hours:
“Thanks for bringing this to our attention. We see this sort of activity when naughty spammers run a dictionary attack against our upload by email addresses. The member in question is not a spammer. We’ll clean out the account and reset the upload by email password.”