A Study on E-mail Image Spam Filtering
Thakur Ranjit Banshpal
TYPES OF IMAGE SPAM
TYPES OF SPAM CONTENT
LIFE CYCLE OF SPAM
• The action of sending unrequested commercial messages in bulk quantity
with obtaining explicit permission of the recipients is defined as
• Examples Include
– email spam,
– instant messaging spam ,
– Usenet newsgroup spam, etc.
Email spam refers to sending irrelevant, inappropriate and
unrequested email messages to numerous people.
The purpose of email spam is advertising, promotion, and
spreading backdoors or malicious programs.
There are two basic forms of email spam
1. Text-based spam mails
2. Image-based spam mails
Spammers put their spam content into the images.
They embed text such as advertisement text in the images and
attach these images to emails.
Anti-spam filters that analyze content of email cannot detect
spam text in images
Anti Spam Techniques
Stopping spam exists at several levels, it can be
(i) Before spam is sent
(ii) After spam is sent
(iii) After spam is in mailbox and
(iv) Legal solutions.
Before spam is sent
Techniques like Blacklists and Whitelists can be used to avoid
In the online world, a blacklist refers to those people who are
responsible for generating spam in a very big way. The
blacklisting can be by IP address, person, company or domain.
A whitelist is a predefined list of IP addresses that are allowed to
send email to and receive email from each other.
To send email to a whitelist, the sender must be approved and
verified by the owner of the whitelist.
After Spam is Sent
Use a spam database, which involves gathering feedback from the
user community, who reports a mail as spam when they receive it.
A triggering algorithm identifies a mail as spam, when the
number of reports for a particular message exceeds a given
Spam firewall, firewall is a system designed to prevent
unauthorized access to or from a private network.
The Challenge Response Spam Filtering technique, each email
address must be authorized before delivering an email to the
receiver. The receiver can either authorize these email addresses
manually, or can challenge the sender to identify themselves.
After Spam is in Mailbox
A spam filter - Examine the incoming email and match it against a
set of pre-defined rules.
Heuristic filtering - Each rule assigns a numerical score to the
probability of the message being spam. The spam score is then
measured against the user’s desired level of spam sensitivity (low,
medium or high sensitivity).
Bayesian filtering - Bayesian spam filters can take one group of
legitimate email and another group of spam and compare the
values and data of each. Bayesian filters look for obvious repeating
patterns to form an “opinion” on something. In spam filter terms
that “opinion” becomes a rule which identifies spam.
Federal Regulations (CAN-SPAM act of 2003)
Controlling the Assault of Non-Solicited Pornography And
Marketing (CAN-SPAM) Act of 2003 – signed on 12/16/2003
Ciphersend, which combines encryption schemes with emails to
prevent mailbox from being spammed. The Ciphersend uses
2048-bit encryption, which is much more than online banking
services, which uses a 128-bit encryption or 256-bit at best.
1. General Spam Characteristics
2. Email Transmission Protocol
3. Local Changes in Transmission
4. Language- Based Filters
5. Non-Content Features
6. Content Based Classification
7. Hybrid Filters
General Spam Characteristics
More than 99% of spam falls into one or more of the categories given below
(i) To advertise some goods, services, or ideas
(ii) To cheat users out of their private information and to deliver malicious
(iii) To cause a temporary crash of a mail server.
Characteristics of spam traffic are different from those of legitimate mail traffic in
particular legitimate mail is concentrated on diurnal periods, while spam arrival
rate is stable over time. This behavior of spam mail was reported by Gomes,
Cazita, Almeida, J.M. Virgı, and Meira.
Pu and Webb analyze the evolution of spamming techniques. They showed that
spam constructing methods become extinct if filters are effective to cope with them
or if other successful efforts are taken against them.
Email Transmission Protocol
The Simple Mail Transfer Protocol (SMTP) is the mechanism for delivery of email.
In the context of the JavaMail API,
The JavaMail-based program will communicate with the company or Internet
Service Provider's (ISP's) SMTP server.
That SMTP server will relay the message on to the SMTP server of the recipient(s)
to eventually be acquired by the user(s) through POP or IMAP.
This does not require the SMTP server to be an open relay, as authentication is
supported, but it should be ensured that the SMTP server is configured properly.
POP stands for Post Office Protocol. POP is the mechanism most
people on the Internet use to get their mail. It defines support for a
single mailbox for each user The Post Office Protocol defines how
the email client should talk to the POP server.
POP can perform the following functions:
Retrieve mail from an ISP and delete it on the server.
Retrieve mail from an ISP but not delete it on the server.
Ask whether new mail has arrived but not retrieve it.
Peek at a few lines of a message to see whether it is worth
IMAP is a more advanced protocol for receiving messages. IMAP
stands for Internet Message Access Protocol. It permits a "client"
email program to access remote message stores as if they were
Key features of IMAP include:
It is fully compatible with Internet messaging standards, e.g. MIME.
It allows message access and management from more than one computer.
It allows access without reliance on less efficient file access protocols.
It provides support for "online", "offline", and "disconnected" access modes.
It supports concurrent access to shared mailboxes
Client software needs no knowledge about the server's file store format.
The main drawback of the commonly used Simple Mail Transfer
Protocol (SMTP) is that it provides no reliable mechanism of
checking the identity of the message source.
Overcoming this disadvantage, namely providing better ways of
Designated Mailers Protocol (DMP)
Trusted Email Open Standard (TEOS), and
Local Changes In Transmission
Some solutions do not require global protocol changes but
propose to manage email in a different way locally.
Li and Saito, propose slowing down the operations with messages
that are likely to be spam. Where use the past behavior of senders
for fast prediction of message category. The spam mails are then
maintained in a lower priority queue, while the ham mails in a
higher priority queue.
Language- Based Filters
Filters based on email body language
Can be used to filter out spam written in foreign languages
Examples of such models include dynamic Markov compression and prediction
by partial matching. They were successfully used with the data extracted from
both bodies and headers of the messages.
Smoothed N-gram language models, proposed by Medlock, used smoothed
higher order N-gram models. N-gram language models are based on the
assumption that the existence of a certain word at a certain position in a
sequence depends only of the previous N-1 words.
ISCF - 2006
∏ −+−= )...|()...( 111 iniin wwwPwwP
Language Model Approach
Looks for repeated patterns
Each word depends probabilistically on the n-1 preceding
Calculating and Comparing the N-Gram profiles.
The methods based on structured analysis of the header and of meta-level
features, such as number of attachments, use specific technical aspects of email
and so they are specific to spam filtering.
Leiba proposed a method called analyzing SMTP path to detect spam. This
method was based on analyzing IP addresses in the reverse-path and ascribing
reputation to them according to amount of spam and legitimate mail delivered
through them. Both this and the subsequent method can be viewed as
development of the idea of blacklisting and whitelisting.
Behavior-based filtering rests on extracting knowledge about the behavior
behind a given message or group of messages from their non-content features.
Later detect spam by comparing it to the predefined or extracted knowledge
about the typical behaviors of malicious and normal users.
Content Based Classification
One popular practice when creating spam pages is “Keyword
Stuffing", where the keywords within a web page is analyzed to
detect spam mails. Excessive appearance of keywords in the title
of a page is a clear indication of spam.
The content and the header of the incoming email are
mostly analyzed by the available anti-spam techniques. They try
to infer something about the kind of the material contained in the
message by looking for specific pattern typical of a spam
message. For these reasons, these filters are known as “content
The hybrid technique can be implemented by using various
models, considering available resources with the server. Proposed
a framework which combines white/black listing and challenge-
response methods. Bhuleskar , after identifying the advantages
and disadvantages of various filters, combines the advantages of
the various filtering techniques and proposes a hybrid filter.
Hybrid solutions need to be carefully designed as the combination
might increase time complexity while increasing security and
We have seen various type of image spam and there content
along with that , We have discussed various solution provided for
image spam problem. As spammers have innumerable techniques
for creating a spam image, the research for a perfect spam filter is
always fertile. Several works have been proposed and almost all
of these methods have the common objectives of high
processing speed and high accuracy, to make it applicable in time
critical environment like the Internet. Future work includes
analysis and comparison of these some techniques reviewed in
terms of computation and time complexity along with accuracy.
Delany, S.J., Cunningham, P., Tsymbal, A. and Coyle, L., “A
case-based technique for tracking concept drift in spam filtering,”
Knowledge-based systems, pp. 187–195, 2004.
Drake, C., Oliver, J. and Koontz, E., “Anatomy of a phishing
email,” Proceedings of the First Conference on Email and Anti-
Spam, CEAS’2004, 2004
Fawcett, T., “in vivo” spam filtering: a challenge problem
for data mining,” KDD Explorations, vol. 5, no.2, pp.140–148,
Gomes, L.H., Cazita, C., Almeida, J.M. Virgı, A. and Meira, W.,
“Characterizing a spam traffic,” IMC ’04: Proceedings of the 4th
ACM SIGCOMM conference on Internet measurement, pages
356–369, New York, NY, USA, ACM Press. ISBN 1-58113-821-