“It is like banning backpacks in London just in case they may contain explosives.”

if 75% or more of the backpacks did carry explosives because that is probably the spam to legit ratio of pics coming in.

I think you would agree that if 75% of the people wondering around london with backpacks on had explosives in them, you would be pretty keen on a ban then.

If you block things with multiple images, or even block images completely, then they’ll start using stuff like http://www.omgili.com/captcha.php (but more advanced/efficient) along with some creative js/css to write hard to decipher things without images at all.

What about people that use gif’s of their business card as their email signature.

I said in the original article…

There’s then companies who, for corporate image reasons, send out a copy of their company logo with every email (you may think that’s clueless, but their marketing department begs to differ!) However, once again, there’s only a relatively small number of these logos AND THEY DON’T MORPH INTO NEW SHAPES ON EVERY EMAIL, so it is possible to envisage building a database of their cryptographic hash values and letting them through.

… and that remains my view. It’s a database populating problem, and you either believe that’s tractable or you don’t.

Chris & Tom’s comments (”but you can build a spam emal out of multiple images”) has some merit — and I had not considered this idea — but you do need a lot of these images and that’s going to be a pretty clear distinguisher for emails you don’t want.

In this case the spammer’s answer to only allowing whitelisted GIFs is to use the whitelisted GIFs to spell out words, in a similar way to the technique Chris Lawrence describes in comment number 12. Spam fighting can then come back again, using the probability of such arrangements of GIFs and text occurring in non-spam messages, but we’d have saddled ourselves with a huge job of maintaining a list of every reasonable image or decoration and would have obtained only the usual brief respite.

Also, many people are already fairly satisfied with the efficiency of existing tools for dealing with image spam. Very few unsolicited mails (from new correspondants) will legitimately contain an image attachment at all and proper use of spamassassin means that my usual spammers never score less than six points with an image spam. Personally I would not find a hash whitelist useful, indeed I don’t even bother with the costly image-analysis any more. I can make a very strong presumption that an unsolicited small image is spam and if the image is a GIF the presumption is always correct.

Chris

I forget the statute (if any) underpinning this, but it seems to be pretty much taken as read these days that, for most purposes, typing one’s name at the end of an email counts as a signature.

Incidentally the USPTO started recognising a thing called an S-signature a few years ago (for online applications). It consists of typing ones name, bracketed by forward slashes, hitting enter, then typing it again. For example:

/Fred Bloggs/
Fred Blogs

… I do agree that if everyone scans their signature and appends it to their email then we’re looking at very long lists. From my experience, I don’t think that sort of behaviour is very common at the moment, and a default approach of “block all images” (which looks pretty attractive this month) is going to provide a certain level of disincentive to having that change.