Some security experts believe that spammers will increasingly use artificial intelligence tactics to get their junk delivered to email users.
A Forrester Research report published this week theorises that the booming image spam pandemic is merely the tip of the iceberg when it comes to spammers' use of AI.
The only way to prevent a repeat of the image spam surge as new models using AI come to light, Forrester analysts said, will be for technology vendors and their customers to abandon the current filtering-heavy approach and instead battle the roots of the problem.
Just as websites and anti-spam providers have used techniques such CAPTCHAs - the tests found in many web applications that ask users to type characters planted in obfuscated images - to beat away bots, so too will spammers use AI to create seemingly endless variations on their message campaigns to circumvent the latest filtering tools, the experts said in their report.
CAPTCHA is an acronym for "completely automated public Turing test to tell computers and humans apart,". The Turing test is named after Alan Turing, the English mathematician referred to by some as the father of modern computer science.
"The notion with CAPTCHA is that computer bots and other programs can't efficiently process the image, that they can't deduce the words in the image, and that's the same thing that spammers are doing today to defeat traditional filters," said Dr. Chenxi Wang, a co-author of the research.
"People have devised new filters that use technologies such as optical character recognition that has curtailed the spread of image spam," said Wang. "Unfortunately image spam is only one type of AI problem, and spammers have many they will use in the future; this only the beginning of an arms race."
Just as CAPTCHA has largely foiled the ability of scammers to game online registration and transactional systems, spammers will be able to use a nearly endless variety of techniques to avoid the latest and greatest message filtering tools, the analyst said.
Without a major breakthrough in AI research, Wang said, there is "no way we can bridge the gap" with the number of methods that spammers will be able to use to keep their schemes humming along.
Among the types of methods that spammers are already employing to beat existing image-filtering tools are spam campaigns that use distorted and obfuscated text images, graphic pictures, and audio and video files.
To fight spammers over each type of content will be a losing battle, Wang said, recommending that customers and technology providers instead focus on monitoring messages for fundamental properties exhibited by each flavor, such as the links to malware sites that most of the emails carry.
"Vendors should look through brouhaha calling for them to defend against each type of image spam and build products that attempt to capture the fundamental properties of spam," said Wang. "They can use techniques such as intent analysis and URL reputation analysis; those factors won't change with each new type of campaign that's being invented."
While conceding that the fight against spammers isn't one that will ever likely draw to a close, companies such as ISPs that are working harder than ever to keep unwanted email from reaching their customers say that progress is being made.
Stephen Currie, director of product management for email at the ISP EarthLink said that his company has been able to reduce the amount of spam reaching its customers by 80 percent in the last 18 months.
Using filtering tools sourced from software maker Cloudmark and its internally developed Scamblocker.com anti-phishing resource, along with a heavy dose of input from its users, has allowed the firm to turn up the heat on image spam and other AI campaigns, he said.
"The message content fingerprinting technologies from San Francisco-based Cloudmark allow us to understand message contents without ever opening them up, and it doesn't require as much CPU power on our end as it would have even several years ago," Currie said. "But the real key has been to become very aggressive about using the feedback we get from end-users to stop spam that initially finds a way through."
Just as CAPTCHA relies on human interaction to defeat automated input, the approach of using customer feedback to identify and block spam sources is one that has trumped technological means, the executive said.
"Once we determine the root source of a campaign using these types of methods, we can block a lot of the IP addresses being used to stop it from sending additional mail to our servers," Currie said. "Although we're getting shipped more spam than ever, customers are telling us that they're now getting less than over the last several years, but we absolutely expect new things to come along and challenge us; it's the proverbial cat-and-mouse game."
In addition to using human and technological means to stop spam, EarthLink is also involved in the Messaging Anti-Abuse Working Group (MAAWG), a global ISP initiative aimed at improving the current state of electronic messaging.
In mid-May, the group released its latest Sender Best Communications Practices (BCP), a set of best practices for email technologies and subscription methods meant to improve deliverability rates for legitimate newsletter and marketing messages.
Officials with Postini - which claims to process more than 1 billion messages per day for more than 35,000 organizations - said that spam levels continue to set new records and that unwanted emails currently account for roughly 40 percent of all traffic it monitors.
In addition to high levels of image spam, the company is also tracking developments such as an increase in the volume of messages that appear to be meant to harvest email addresses for subsequent malware attacks, including botnet threats.
Other recent trends under investigation by the firm include spam that attempts to evade filtering tools by using strings of gibberish to confuse content scanning technologies.
The company maintains that its products can help customers catch up to 99 percent of all spam if they are willing to employ the most aggressive settings available, but Postini executives said that users' fear of missing legitimate messages forces most companies to seek a balance between warding off unwanted email and toning down the possibility for false positives.
"Because the overall volume of spam continues to increase, clients are seeing a few more messages per day sneaking in, and it does tend to be image spam, but progress is being made," said Adam Swidler, Postini's senior manager of solutions marketing. "It's probably naive to think that this fight will ever end as long as there is a monetary driver for the bad guys, but we do think that we can help get to a place where spam is only a minor nuisance."