While reviewing an email recently, I came across an evasion technique I had not seen in a while: rendering a URI as an image rather than a text anchor, then linking to that image, on the theory that spam filters scrutinizing text-based links would miss it. The sender apparently believed this was clever. It is not, and the reasons why are instructive.
The image-as-content evasion approach is not new. In 2006, spammers began embedding their entire message body in an image to defeat content filters that operated on text. The industry response was to build Optical Character Recognition into filter solutions. SpamAssassin acquired plugins for exactly this purpose. Cisco’s email security platform, Barracuda, and others incorporated image analysis as a standard filter capability. OCR-based detection has been table stakes in commercial filtering for nearly two decades.
Rendering a URI as an image runs directly into this infrastructure. The filter reads the image, extracts the text, and evaluates the URI exactly as it would have evaluated a text anchor. The evasion accomplishes nothing except adding an image load to the message.
The deeper problem is what the technique signals. Filters do not evaluate individual elements in isolation. They build a picture of the message as a whole, and one thing they look for is the use of spam-associated techniques. Using an image to obscure a link is a technique associated with spam. A legitimate sender, by deploying it, tells the filter something about the message before the content is even evaluated.
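A sketch of the two checks described above, as an added example that is not code from any filter product or from the author: it finds anchors whose only visible content is an image, sends the text recovered from that image through the same URI check as a text anchor, and records the technique itself as a finding. The `ocr` callable, the finding label, and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from html.parser import HTMLParser

URI_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

class AnchorAudit(HTMLParser):
    """Record every <a href>: its visible text and the <img> tags inside it."""
    def __init__(self):
        super().__init__()
        self.links, self._cur = [], None
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self._cur = {"href": a["href"], "text": "", "imgs": []}
        elif tag == "img" and self._cur is not None:
            self._cur["imgs"].append(a.get("src") or "")
    def handle_data(self, data):
        if self._cur is not None:
            self._cur["text"] += data
    def handle_endtag(self, tag):
        if tag == "a" and self._cur is not None:
            self.links.append(self._cur)
            self._cur = None

def audit_message(raw, ocr):
    """Return (uris_to_check, findings). `ocr` maps an image src to its text;
    it is a caller-supplied stand-in for the filter's OCR stage (assumption)."""
    uris, findings = set(), []
    for part in message_from_string(raw).walk():
        if part.get_content_type() != "text/html":
            continue
        parser = AnchorAudit()
        parser.feed(part.get_payload(decode=True).decode(
            part.get_content_charset() or "utf-8", "replace"))
        for link in parser.links:
            uris.add(link["href"])                # href is evaluated as usual
            for src in link["imgs"]:
                drawn = URI_RE.findall(ocr(src))  # URIs recovered from pixels
                uris.update(drawn)                # same check as a text anchor
                if drawn and not link["text"].strip():
                    findings.append(("uri-rendered-as-image", src, drawn[0]))
    return sorted(uris), findings

# Constructed sample: one image-only link and one ordinary text link.
SAMPLE = ("Content-Type: text/html; charset=utf-8\n\n"
          '<a href="https://example.com/r/1"><img src="cid:link1"></a>\n'
          '<a href="https://example.com/help">Help center</a>\n')
OCR_TEXT = {"cid:link1": "https://example.com/offer"}  # constructed OCR output
```

The image-only link yields both the URI drawn in the image and a finding for the technique, while the ordinary text link contributes only its href.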
The right approach to URI handling in email is the same as the right approach to everything else in email: send mail that looks like mail from a legitimate sender, because that is what you are. Obfuscating links does not make a message look more legitimate. It makes it look like the sender has something to hide, which is exactly the signal you do not want to send to a filter that is in the business of finding senders with something to hide.
If your URIs are triggering filters, the problem is the URIs, not the format in which they are displayed. Fix the underlying reputation issue. Using image tricks to get around the symptom makes the underlying problem harder to diagnose and the filter relationship harder to recover.
About the Author
Mickey Chandler is a Consultant & Attorney with over 28 years of experience in Email Deliverability & Privacy Law. He has a strong background in email authentication infrastructure (SPF, DKIM, DMARC), ISP and mailbox provider relations, anti-spam policy and compliance, CAN-SPAM and state anti-spam law gained through overseeing the Abuse & Compliance team at Salesforce Marketing Cloud, originating the ISP relations role at Informz (now part of Higher Logic), and working in the fight against spam since 1997. He holds a B.A. in Government, a B.S. in Computer Information Systems, and a J.D. from the University of Houston Law Center. He is a certified CIPP/US professional and a certified CIPM professional.


