Fighting "Snowshoe" Spam
Today Spamhaus announced they are releasing a new list of IP addresses from which they've been receiving "snowshoe" spam — unsolicited email distributed across many IPs and domains in order to avoid triggering volume-based filters. "This spam is sent from many small IP ranges on many Internet Service Providers (ISPs), using many different domains, and the IPs and domains change rapidly, making it difficult for people and places to detect and block this spam. Most importantly, while each host/IP usually sends a modest volume of bulk email, collectively these anonymous IP ranges send a great deal of spam, and the quantities of this type of spam have been increasing rapidly over the past few months." A post at the Enemies List anti-spam blog wonders at the impact this will have on email service providers and their customers. The author references a conversation he had with an employee from one of these providers: "... I replied that I expected it to mean the more legitimate clients of the sneakier gray- and black-hat spammers would migrate to more legitimate ESPs — suggesting that it was, in the long run, a good thing, because ESPs with transparency and a reputation to protect will educate their new clients. His reply was essentially that this would be a problem for them in the short run, because it would swamp their new customer vetting processes and so on."
Whoever keeps naming things with these slightly-plausible analogies, please stop.
As a Canadian I figured I'd better look that up.
http://www.spamhaus.org/faq/answers.lasso?section=Glossary#233
Okay okay! I heard you all the last time I brought it up. But the results are simply awesome. And greylisting is perfect against these snowshoe distribution methods. The downside might be the database filling up.
from the typical spambot? Any big enough botnet dedicated to sending spam could have millions of nodes.
Of course, most of those nodes are located in residential IP ranges, not usually meant to have mail servers. There have been blacklists for that for a long time. That, combined with greylisting (some spambots can handle greylisting, some not) and content filtering, could reduce the impact of that kind of spam a lot.
That's going to be annoying. I will never in a million years find myself in the market for snowshoes.
Let's fine spammers. Not the masterminds organizing the whole thing, as we will never find them. I mean fine the people operating the compromised computers. By having vulnerabilities on their computers, they are allowing spammers to send email from those computers. They are basically letting the spammers use their computers. It should be a crime to set up such services for spammers. If we fine them $0.01 per message and force their ISP to cut off their Internet until it is fixed, the spam will be cut significantly. Countries that implement these fines will have all their mail whitelisted, and countries that don't will be shunned and will have their mail sent through a more rigorous filter.
Why is this being presented as if it were something new?
As far back as 2001, as an admin for an ISP, I would see what I called a "spam attack" - a large number of emails sent over a 24 hour period or so, adding up to (typically) around a million attempted emails to random addresses at the domain name(s) for which I administered.
We used greylisting to stop these attacks, but it was *very* taxing - in a typical attack, I logged well over 10,000 source IP addresses.
These so-called "snow-shoe" spam attacks are pretty much exactly what I saw some 8 years ago.
Everything old is new again...
I have no problem with your religion until you decide it's reason to deprive others of the truth.
IP reputation and RBL will always be vulnerable because the attackers just hide within the population, like guerrillas or terrorists. If you block legitimate ranges or addresses because you saw a spam come from there, it's like bombing a village because someone shot at you from one of the houses. You may kill the bad guy but you make the population REALLY mad. This is consistent with recent findings that >50% of spam actually originates from "trusted domains."
I'm looking over the wall, and they're looking at me!
You would think that ESP's would know their clients better.
Greylisting won't help against any competent snowshoe spam operation.
Greylisting is useful against ad-hoc connections from botnet hosts that are unlikely to try to resend a message within in an appropriate interval. Managing resending in the botnet environment is challenging.
Snowshoe spamming is, in some small part, probably a response to the decreasing likelihood that random, compromised, home machines will be able to deliver much spam -- a decrease that is probably partially attributable to greylisting. The snowshoe approach is very different from the malware/botnet approach. The spammer buys bulk hosting from a colo facility and sets up real honest-to-god email servers on dozens to hundreds of IP addresses. Then the spammer dribbles messages in relatively low volume from this large number of IP addresses. If one of the spam servers encounters a host with greylisting, it requeues the messages to retry later just like a normal email server will, because it is a normal email server. The spammer merely maintains and manages a large number of these servers on commercially hosted connections, and distributes his spam payload across them. Distributing the spam load across these many servers reduces the likelihood that any particular server will be quickly blacklisted, and if it is blacklisted it may go dormant until automatically delisted, then start spamming again.
Many of the bulk "bandwidth providers" don't seem to give a fuck if this kind of thing is taking place on their networks, although in the end it will pollute and devalue or render useless large swaths of IP space at these providers. I'd name names, but am not in any mood to get sued.
Greylisting is useless for most snowshoe spam. Take it from someone who has been watching these tactics for the last couple months.
I actually browsed the article... it refers to static IPs in ranges that have no "history" on the Internet. I.e. it's not zombied home PCs on ADSL or Cable from dynamic IP address ranges.
I'm not sure I understand it, though, wouldn't those be easy to track down to real people?
As expected, spammers keep becoming smarter.
The way to stop spam is to eliminate its value, not its source. Spammers send this crap to make money. So who pays them?
If it's a business, then that business is doing a pretty poor job of analyzing its marketing success rates. Just because you can "reach" the whole world, doesn't mean it's worth the money: everyone will delete your "flyer" and make a mental note to hate your brand for eternity (and tell their friends). So, one step is to convince businesses that spam not only won't win any customers, but it will most definitely lose some.
The other likely payer is the receiver, when receiving scam spam. Scammers aren't paying anyone to send spam, they're expecting a payoff when some idiot gives them what they "legitimately" asked for. Again, the solution is education, but a different kind: people need to be informed about how to recognize E-mail scams (apparently some people really can't). Even if one guy in a million sends his life savings, it justifies the effort of spammers.
Maybe novice computer users need a license to drive their mail client, as if it were a car, and I'm only half kidding. They can harm at least themselves if they don't know what they're doing. This education would solve other problems as well.
"Microsoft killed my company, I hold a personal grudge. I don't use Microsoft products and neither should you."-JWZ
I don't think you realize just how protected you are from fraud and similar crimes by the fact that they are crimes. You can knock our justice system for being imperfect, but you can't knock it for being ineffective. ('cepting the "war on drugs", of course)
The truth is that we have a first-rate police force and criminal investigation system that is quite effective at enforcing laws of commerce - protections that provide you with a refund if the item purchased didn't work out, etc - that you use so casually, you hardly know they are there.
And that leaves a population terribly unprepared for the wild wooly Internet, where those protections so painstakingly put into place mean almost nothing. You can talk all you want about education and eliminating the source of the problem, but it's never worked before and all of social commerce is set up to work the other way.
So, good luck with that.
I have no problem with your religion until you decide it's reason to deprive others of the truth.
Snowshoe is a new problem, not the old spamming from infected proxies or bots problem. Snowshoe involves spammers spamming from large static CIDR netblocks, netblocks which have been leased by the spammers from ISPs using fake shell companies.
An announcement by Spamhaus was posted yesterday to Usenet:
http://groups.google.com/group/news.admin.net-abuse.email/msg/f2823245c06ed441?hl=en
Over the course of the last three years Spamhaus has seen an explosion of snowshoe spamming. From a marginal increase in 2006, snowshoe spamming became a significant problem in 2008 and has grown furiously in 2009, such that much of our SBL team's time has been taken up with listings of snowshoe IP ranges and terminations of snowshoe spammers.
Spamhaus released a news article on snowshoe spamming last year ("A Snowshoe Winter" http://www.spamhaus.org/news.lasso?article=641 ) and has made over 1,300 SBL listings of snowshoe IP ranges -large CIDRs assigned to snowshoe spammers- in the last two years alone, each one requiring team work with ISPs to terminate.
To combat this problem faster, a special snowshoe team comprised of SBL and CBL staff has now built an automated snowshoe detector as a new SBL component called the "CSS". The CSS is being released later today. Note that CSS is a component of the SBL and not a separate DNSBL (there is no CSS zone).
As CSS data is part of the SBL, networks that use the SBL or ZEN will automatically see an increase in spam blocking.
Full information on the CSS is here:
http://www.spamhaus.org/css/
Spamhaus has released a news article, "Announcing the Spamhaus CSS", available here:
--
Steve Linford
The Spamhaus Project
http://www.spamhaus.org
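The announcement says the CSS has no zone of its own and is served through the SBL, so an MTA that already queries the SBL or ZEN picks it up with no configuration change. The following added example (not from the thread and not Spamhaus's code) shows the defender's side of that: building the reversed-octet DNSBL query name, resolving it, and mapping the answer to the list that produced it. The return-code table is the one Spamhaus publishes for ZEN (127.0.0.3 is the SBL CSS answer); the resolver is injectable so the logic can be exercised offline against constructed answers, and any answer outside 127.0.0.0/8 is treated as an error rather than a listing, which protects against wildcarding resolvers.

```python
import ipaddress
import socket
from typing import Callable, Dict, List

ZEN_ZONE = "zen.spamhaus.org"

# ZEN return codes as documented by Spamhaus (verify against the current docs).
# CSS answers sit in the SBL range because, as the announcement says, there is
# no separate CSS zone.
RETURN_CODES: Dict[str, str] = {
    "127.0.0.2": "SBL",
    "127.0.0.3": "SBL CSS (snowshoe)",
    "127.0.0.4": "XBL (CBL)",
    "127.0.0.10": "PBL (ISP maintained)",
    "127.0.0.11": "PBL (Spamhaus maintained)",
}

Resolver = Callable[[str], List[str]]


def dnsbl_query_name(ip: str, zone: str = ZEN_ZONE) -> str:
    """Reverse the octets of an IPv4 address and append the DNSBL zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this helper only handles IPv4 lookups")
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def system_resolver(name: str) -> List[str]:
    """Default resolver: A-record lookup via the OS; NXDOMAIN means 'not listed'."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


def check_ip(ip: str, resolve: Resolver = system_resolver, zone: str = ZEN_ZONE) -> dict:
    """Return {'listed': bool, 'lists': [...], 'error': str|None} for one address."""
    name = dnsbl_query_name(ip, zone)
    answers = resolve(name)
    if not answers:
        return {"listed": False, "lists": [], "error": None}

    lists: List[str] = []
    for ans in answers:
        # A DNSBL answers only inside 127.0.0.0/8; anything else is a broken or
        # hijacked resolver, and must not be treated as a listing.
        if ipaddress.ip_address(ans) not in ipaddress.ip_network("127.0.0.0/8"):
            return {"listed": False, "lists": [], "error": f"unexpected answer {ans}"}
        lists.append(RETURN_CODES.get(ans, f"unknown code {ans}"))
    return {"listed": True, "lists": lists, "error": None}


if __name__ == "__main__":
    # Constructed answers for TEST-NET addresses; no network access needed.
    fake_zone = {
        dnsbl_query_name("203.0.113.5"): ["127.0.0.3"],        # CSS listing
        dnsbl_query_name("203.0.113.9"): ["10.1.2.3"],         # bogus answer
    }
    for ip in ("203.0.113.5", "203.0.113.9", "192.0.2.1"):
        print(ip, check_ip(ip, resolve=lambda n: fake_zone.get(n, [])))
```

In a real MTA hook this check runs at connection time so a CSS hit can be refused with a 5xx before the message body is accepted; the sample `main` only drives it with constructed answers.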
The spammers are in cahoots with those who want to balkanize the internet.
We have to come up with new e-mail standards that avoid balkanization before they can push their next attempt.
One thing is to refrain from requiring all e-mail traffic to use whatever tech we invent to ID the sender effectively.
Computer memory is just fancy paper, CPUs just fancy pens with fancy erasers; the 'net is just a fancy backyard fence.
I've seen a huge increase of phishing emails to my users to get their credentials, then use those credentials to send out spam through our email server.
It's a real pain, and we send out repeated notices to our 50,000 users that we'll never ask them for their password, but inevitably there's always a few that respond anyway.
And since our system can handle 400 errors just fine, it gets past greylisting -- but sites that greylist actually help us out because I can look at the outgoing mail queue and catch many stuck waiting and then work backwards to figure out the compromised account and whack it.
The Spamhaus article really describes one of the most frequently encountered behaviors we see by looking at our spamd logs. Each machine does not necessarily send a large number of messages (although some do, hanging on for weeks on end in extreme cases), but once a machine has tried to deliver mail to one of our published trap addresses (see the list at http://www.bsdly.net/~peter/traplist.shtml ), we keep them occupied and publicly shamed (see http://www.bsdly.net/~peter/nameandshame.html as well as the exported blacklist) for 24 hours, or longer if they keep coming. I wrote about these things in some blog posts earlier that were /.ed, and of course the generated lists are free to use, see the URLs and the blog posts.
-- That grumpy BSD guy - http://bsdly.blogspot.com/
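Two posts above describe the same mechanism from opposite sides: the greylisting post explains that a snowshoe host is a real MTA that simply requeues after a 451 and so walks through greylisting, while the spamd post describes greytrapping, where any host that tries a published trap address is held for 24 hours, or longer if it keeps coming. The added example below (mine, not code from either poster or from OpenBSD spamd) models both decisions in one state table and runs three constructed senders through it: a botnet host that never retries, a snowshoe MTA that retries after ten minutes, and a host that touches a trap address. The retry window, the trap address and the TEST-NET addresses are assumptions for the demonstration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

GREY_RETRY_MIN = 300        # assumed: a retry sooner than 5 minutes is still deferred
GREY_RETRY_MAX = 4 * 3600   # assumed: a triplet not retried within 4 hours expires
TRAP_TTL = 24 * 3600        # 24 hours, as in the spamd post

Triplet = Tuple[str, str, str]   # (client IP, envelope sender, envelope recipient)


@dataclass
class GreyState:
    trap_addresses: Set[str]
    seen: Dict[Triplet, float] = field(default_factory=dict)   # triplet -> first seen
    trapped: Dict[str, float] = field(default_factory=dict)    # ip -> listing expiry

    def decide(self, ip: str, sender: str, rcpt: str, now: float) -> str:
        """Return the SMTP reply the server would give at RCPT TO time."""
        # Greytrap: a listed IP stays refused, and every new attempt extends the listing.
        if ip in self.trapped:
            if now < self.trapped[ip]:
                self.trapped[ip] = now + TRAP_TTL
                return "450 4.7.1 Listed, try again later"
            del self.trapped[ip]
        if rcpt in self.trap_addresses:
            self.trapped[ip] = now + TRAP_TTL
            return "450 4.7.1 Listed, try again later"

        # Greylist: first sight of a triplet is deferred; a retry inside the window passes.
        key = (ip, sender, rcpt)
        first = self.seen.get(key)
        if first is None or now - first > GREY_RETRY_MAX:
            self.seen[key] = now
            return "451 4.7.1 Greylisted, try again later"
        if now - first < GREY_RETRY_MIN:
            return "451 4.7.1 Greylisted, try again later"
        return "250 2.1.5 OK"


def simulate() -> Dict[str, List[str]]:
    """Run three constructed senders through the policy; returns reply codes per sender."""
    state = GreyState(trap_addresses={"trap-1@example.org"})
    out: Dict[str, List[str]] = {}

    # 1. Botnet host: one attempt, never retries, so it never delivers.
    out["botnet"] = [state.decide("203.0.113.10", "x@spam.example", "u@example.org", 0)[:3]]

    # 2. Snowshoe MTA: a real queue that retries after ten minutes gets a 250.
    out["snowshoe"] = [state.decide("203.0.113.20", "y@spam.example", "u@example.org", t)[:3]
                       for t in (0, 600)]

    # 3. Trap hit: touching a published trap address lists the IP; a later attempt
    #    to a real user is refused and the listing is extended.
    out["trapped"] = [state.decide("203.0.113.30", "z@spam.example", "trap-1@example.org", 0)[:3],
                      state.decide("203.0.113.30", "z@spam.example", "u@example.org", 3600)[:3]]
    return out


if __name__ == "__main__":
    for who, replies in simulate().items():
        print(f"{who:9s} {' '.join(replies)}")
```

The output makes the thread's disagreement concrete: greylisting alone stops sender 1 and lets sender 2 through, which is why the "greylisting is useless for snowshoe" posts are right about hosts with a real queue, while the trap-address rule catches sender 3 regardless of its retry behaviour.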
But hardly anybody seems to use it. Especially not to actually block mail.
See here and here.
Hmm something seemed to change a few years ago. Spam used to be overwhelming.
Since we use the free Msf spam plug in for exchange, I can't even remember the last time I got genuine spam.
Same with my gmail account.
Are the filters just that effective, or are the spammers giving up?
Here is a rehash of my subject to beat the lameness filter.
Absolute statements are never true
You probably resemble that. You might even resent that. But I doubt you represent that.
The vast majority of the spam that makes it into my normal mailboxes is not this snowshoe spam. In fact, it's been quite a long time since I saw spam from one of those xhkjauts.com domains (which I believe is one of the examples of this snowshoe spam).
My biggest problem, by probably close to 10x, is the Nigerian scams, usually coming from Yahoo, Hotmail, and gmail, in order of descending frequency.
I've been thinking of forcing addresses from these domains which are not in our whitelist to bounce with a "release" URL in it. I already have the bounce+release URL implemented, so I guess I just need to turn it on for these domains, with an appropriate message. The biggest problem I've run into is that I bounce at SMTP time, not after receipt, and most users don't seem to read any part of those messages. I think that the less technical senders see it as just being computer-generated BS, and don't even try. Because I bounce at SMTP time, my message is usually buried under a lot of boilerplate generated by the remote system.
Sean