Slashdot Mirror


Fighting "Snowshoe" Spam

Today Spamhaus announced they are releasing a new list of IP addresses from which they've been receiving "snowshoe" spam — unsolicited email distributed across many IPs and domains in order to avoid triggering volume-based filters. "This spam is sent from many small IP ranges on many Internet Service Providers (ISPs), using many different domains, and the IPs and domains change rapidly, making it difficult for people and places to detect and block this spam. Most importantly, while each host/IP usually sends a modest volume of bulk email, collectively these anonymous IP ranges send a great deal of spam, and the quantities of this type of spam have been increasing rapidly over the past few months." A post at the Enemies List anti-spam blog wonders at the impact this will have on email service providers and their customers. The author references a conversation he had with an employee from one of these providers: "... I replied that I expected it to mean the more legitimate clients of the sneakier gray- and black-hat spammers would migrate to more legitimate ESPs — suggesting that it was, in the long run, a good thing, because ESPs with transparency and a reputation to protect will educate their new clients. His reply was essentially that this would be a problem for them in the short run, because it would swamp their new customer vetting processes and so on."

10 of 85 comments

  1. I represent that! by Anonymous Coward · · Score: 5, Informative

    As a Canadian I figured I'd better look that up.

    http://www.spamhaus.org/faq/answers.lasso?section=Glossary#233

    Like a snowshoe spreads the load of a traveler across a wide area of snow, snowshoe spamming uses many frequently-changing IP addresses, domains and aliases to spread out the spam load in order to dilute recipient reputation metrics and evade filters. Snowshoers use many fictitious business names (DBAs), fake names and identities, and frequently changing postal dropboxes and voicemail drops. Conversely, legitimate mailers try hard to build their brand reputation based on a real business address, a known domain and a small permanent range of sending IPs. Snowshoers often use anonymized or unidentifiable whois records, whereas legitimate senders are proud to provide their bona fide identity.

    Some snowshoers use tunneled connections from their back-end spam cannon to the spam egress IP. The back-end IP address is not in the spam headers. ISPs, you are in a position to detect those back-end spam cannons by checking where traffic flows are coming from. Remember, the tunneled connection is not necessarily on port 25. Spamhaus always appreciates such information.

  2. Re:Greylisting! by XanC · · Score: 2, Informative

    The "try again" message goes to the sender's mail server. Greylisting is performed between servers. The only perceptible result of greylisting for people is that the first time they email somebody, it might take longer than normal for the recipient to get it.

  3. Re:Greylisting! by jackbird · · Score: 3, Informative

    It is important to note that "longer than normal" can mean 24 or more hours for a surprisingly large number of mail servers. Forum registrations and the like are particularly frustrating.

  4. Re:How is this different by Anonymous Coward · · Score: 5, Informative

    > from the typical spambot? Any big enough botnet dedicated to sending spam could have millions of nodes.
    >
    > Of course, most of those nodes are located in residential IP ranges, not meant to have mail servers usually. There have been blacklists for that for a long time. That combined with greylisting (some spambots can handle greylisting, some not), and content filtering could reduce the impact of that kind of spam a lot.

    It's completely different. Snowshoe spam does not come from infected PCs (proxies or bots), it comes from *static* IP addresses *bought* by the spammers from ISPs. The spammers have been buying IP ranges, class Cs, directly from ISPs and filling these ranges with 'nonsense' domains, each one sending 'a bit' of spam in order to spread the load across the whole class C to lessen complaints.

  5. No, greylisting won't help by Anonymous Coward · · Score: 2, Informative

    Greylisting won't help against any competent snowshoe spam operation.

    Greylisting is useful against ad-hoc connections from botnet hosts that are unlikely to try to resend a message within an appropriate interval. Managing resending in the botnet environment is challenging.

    Snowshoe spamming is, in some small part, probably a response to the decreasing likelihood that random, compromised, home machines will be able to deliver much spam -- a decrease that is probably partially attributable to greylisting. The snowshoe approach is very different from the malware/botnet approach. The spammer buys bulk hosting from a colo facility and sets up real honest-to-god email servers on dozens to hundreds of IP addresses. Then the spammer dribbles messages in relatively low volume from this large number of IP addresses. If one of the spam servers encounters a host with greylisting, it requeues the messages to retry later just like a normal email server will, because it's a normal email server. The spammer merely maintains and manages a large number of these servers on commercially hosted connections, and distributes his spam payload across them. Distributing the spam load across these many servers reduces the likelihood that any particular server will be quickly blacklisted, and if it is blacklisted it may go dormant until automatically delisted, then start spamming again.

    Many of the bulk "bandwidth providers" don't seem to give a fuck if this kind of thing is taking place on their networks, although in the end it will pollute and devalue or render useless large swaths of IP space at these providers. I'd name names, but am not in any mood to get sued.

    Greylisting is useless for most snowshoe spam. Take it from someone who has been watching these tactics for the last couple months.

  6. We catch a lot of this via greytrapping by badger.foo · · Score: 2, Informative

    The Spamhaus article really describes one of the most frequently encountered behaviors we see by looking at our spamd logs. Each machine does not necessarily send a large number of messages (although some do, hanging on for weeks on end in extreme cases), but once a machine has tried to deliver mail to one of our published trap addresses (see the list at http://www.bsdly.net/~peter/traplist.shtml ), we keep them occupied and publicly shamed (see http://www.bsdly.net/~peter/nameandshame.html as well as the exported blacklist) for 24 hours, or longer if they keep coming. I wrote about these things in some blog posts earlier that were /.ed, and of course the generated lists are free to use, see the URLs and the blog posts.

    --
    -- That grumpy BSD guy - http://bsdly.blogspot.com/
  7. Re:Greylisting! by TheRaven64 · · Score: 2, Informative

    SPF is not a form of whitelisting, it is a way of validating whitelists. It lets you whitelist domains, rather than IPs. If example.com sends you emails and you use greylisting then the first email will be delayed. If they have multiple outgoing mail servers (not unusual in a large organisation, especially one with lots of different sites) then the next email from example.com may also be delayed by greylisting if it came from a different outgoing mail server. SPF lets your greylisting software automatically whitelist all of example.com's outgoing mail servers if one of them passes greylisting. The only reason SPF 'failed' is that people started assuming that 'has valid SPF record' and 'is not a spammer' meant the same thing, which is clearly nonsense.

    --
    I am TheRaven on Soylent News
  8. Re:What's the problem by ErikZ · · Score: 2, Informative

    I'm getting 1000+ spam messages a day going to my Gmail spam folder.

    Spammers are not giving up.

    --
    Democrats or Republicans. They are both taking us to the same place and they are not afraid of us anymore.
  9. Re:Snowshoe? by jonadab · · Score: 3, Informative

    > unsolicited email distributed across many IPs and domains
    > in order to avoid triggering volume-based filters.

    I hereby propose we just call it "spam" and have done.

    I mean, seriously, is anybody really still worried about the old-fashioned kind of spam that was sent back in the early nineties, going out from one mail server with one IP for months on end, using an actual valid return email address from an actual valid domain owned by the senders? Have you *received* any of that lately?

    I haven't. Near as I can tell, *all* modern spam is sent by a collection of nodes distributed across many IPs on many subnets and randomly generates a new forged sender address for each message. We don't need a special name specifically for spam that's sent like that. If you just say "spam", that communicates the whole idea. Everybody who has been paying attention knows that it's sent in the described fashion these days.

    --
    Cut that out, or I will ship you to Norilsk in a box.
  10. Re:Greylisting! by jonadab · · Score: 2, Informative

    > When an e-mail is rejected with a "please try again later"
    > response, it makes the recipient's company look bad at an
    > organizational level.

    Only if the delay gets noticed.

    > What's worse, senders may ignore these "try again" messages,
    > or never see them at all.

    Under anything vaguely resembling normal conditions, the sending user never sees the "try again" message and never knows that there's greylisting involved. The mail server takes care of all that. All the major MTAs since the beginning of time have supported queue-and-resend, because when the internet was young mail got delayed all the time due to unreliable infrastructure.

    The problem with greylisting isn't that mail would ever completely fail to get through, but rather that mail from new senders would be *delayed*, at least for several minutes, possibly for several *hours*. Given the way email was originally designed to work, this should theoretically be no big deal, but in practice a lot of organizations won't tolerate that kind of delay in incoming mail.

    For personal email, though, it can be an attractive option. Bear in mind, recognized whitelisted senders get through right away; only mail from unknown senders gets delayed.

    --
    Cut that out, or I will ship you to Norilsk in a box.
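The greylisting behaviour argued over in comments 5, 7 and 10, as an added toy simulation (not code from the thread or from any of the posters): a new sender/recipient/IP triplet is told to retry, a retry after a decent interval is accepted, a botnet host that never retries is never delivered, a snowshoe MTA that retries like any real mail server gets through regardless, and once one of a domain's servers passes, the rest of that domain's authorized servers are whitelisted in the SPF-assisted manner comment 7 describes. All IP addresses, domains and the SPF map are constructed stand-ins.

```python
"""Toy greylisting engine illustrating the thread: a new sender is told to
retry, a real MTA (a snowshoe spammer's included) retries and gets through,
a botnet host that never retries does not, and an SPF-style whitelist admits
a domain's other outbound servers once one has passed.  All addresses,
domains and the SPF map below are constructed for this example."""

RETRY_MIN = 300        # seconds a sender must wait before its retry counts
RETRY_MAX = 4 * 3600   # seconds after which a pending triplet is forgotten

# Constructed stand-in for SPF lookups: domain -> IPs allowed to send for it
SPF_MAP = {"example.com": {"192.0.2.10", "192.0.2.11"}}


class Greylist:
    def __init__(self):
        self.pending = {}        # (ip, sender, recipient) -> first-seen time
        self.whitelist = set()   # IPs that have shown they retry properly

    def decide(self, ip, sender, recipient, now):
        """Return 'accept' or 'tempfail' for one delivery attempt at time now."""
        if ip in self.whitelist:
            return "accept"
        key = (ip, sender, recipient)
        first = self.pending.get(key)
        if first is None or now - first > RETRY_MAX:
            self.pending[key] = now      # new or stale triplet: ask to retry
            return "tempfail"
        if now - first < RETRY_MIN:
            return "tempfail"            # retried too soon, keep waiting
        # Sender behaved like a real MTA: admit it, whitelist its IP and every
        # server SPF says may send for its domain (comment 7's suggestion).
        del self.pending[key]
        self.whitelist.add(ip)
        self.whitelist |= SPF_MAP.get(sender.rsplit("@", 1)[-1], set())
        return "accept"


def run_scenario():
    """Replay the three sender types discussed in the thread."""
    g, out = Greylist(), {}
    # Botnet host: one attempt, never retries -> mail is never delivered.
    out["bot"] = g.decide("198.51.100.7", "x@bogus.test", "me@mine.test", 0)
    # Snowshoe MTA: greylisted, retries after ten minutes -> delivered anyway.
    g.decide("203.0.113.5", "deal@snow.test", "me@mine.test", 0)
    out["snowshoe"] = g.decide("203.0.113.5", "deal@snow.test", "me@mine.test", 600)
    # example.com: first server passes, its SPF sibling is admitted at once.
    g.decide("192.0.2.10", "a@example.com", "me@mine.test", 0)
    g.decide("192.0.2.10", "a@example.com", "me@mine.test", 700)
    out["spf_sibling"] = g.decide("192.0.2.11", "b@example.com", "me@mine.test", 701)
    return out
```

The scenario shows why the thread concludes that greylisting only costs a snowshoe operation a delay: the decision is purely about retry discipline, which any properly configured MTA has.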