Slashdot Mirror

← Back to Stories (view on slashdot.org)

Fighting "Snowshoe" Spam

Posted by Soulskill on from the involves-neither-scissors-nor-hungry-wolves dept.

Today Spamhaus announced they are releasing a new list of IP addresses from which they've been receiving "snowshoe" spam — unsolicited email distributed across many IPs and domains in order to avoid triggering volume-based filters. "This spam is sent from many small IP ranges on many Internet Service Providers (ISPs), using many different domains, and the IPs and domains change rapidly, making it difficult for people and places to detect and block this spam. Most importantly, while each host/IP usually sends a modest volume of bulk email, collectively these anonymous IP ranges send a great deal of spam, and the quantities of this type of spam have been increasing rapidly over the past few months." A post at the Enemies List anti-spam blog wonders at the impact this will have on email service providers and their customers. The author references a conversation he had with an employee from one of these providers: "... I replied that I expected it to mean the more legitimate clients of the sneakier gray- and black-hat spammers would migrate to more legitimate ESPs — suggesting that it was, in the long run, a good thing, because ESPs with transparency and a reputation to protect will educate their new clients. His reply was essentially that this would be a problem for them in the short run, because it would swamp their new customer vetting processes and so on."

8 of 85 comments (clear)

  1. Snowshoe? by Brian+Gordon · · Score: 2, Insightful

    Whoever keeps naming things with these slightly-plausible analogies, please stop.

    1. Re:Snowshoe? by martin-boundary · · Score: 3, Insightful

      wish all the PCs that have bots running on them would just blowup.. or like the good ole day viruses; just wipe out the drives.. .eeh..

      Blame Evolution. A virus that messes too much with the host PC has a low survival rate. The most successful viruses don't do too much damage, as that keeps them a low priority with AV software, and don't cripple the infection vectors, as that helps them spread, and aren't too OS specific, as that allows them to tolerate service packs and software upgrades.

    2. Re:Snowshoe? by religious+freak · · Score: 2, Insightful

      I like to complain about stupid Internet names as much as the next person, but I actually like the name. It's descriptive without being cutesy and isn't nearly as stupid as something like "twitpocalypse" or even "cookie"

      --
      If you can read this... 01110101 01110010 00100000 01100001 00100000 01100111 01100101 01100101 01101011
  2. Greylisting! by erroneus · · Score: 3, Insightful

    Okay okay! I heard you all the last time I brought it up. But the results are simply awesome. And greylisting is perfect against these snowshoe distribution methods. The downside might be the database filling up.

    1. Re:Greylisting! by aztracker1 · · Score: 3, Insightful

      Then the senders' mail servers are broken, and don't deserve to have their mail read. Greylisting is perfectly acceptable, however it is slightly less than effective as more and more bots will actually retry.

      --
      Michael J. Ryan - tracker1.info
    2. Re:Greylisting! by Dragonslicer · · Score: 2, Insightful

      If the email in question is about a multi-million dollar business deal, then I guarantee you they have a right to have their email read. Suggesting otherwise is a good way to torpedo your company's future.

      Assuming that both sides are legitimate businesses (e.g. not selling millions of dollars worth of cocaine), I'm pretty sure they would both spend the extra few dollars on a reliable email provider or a competent IT person to run an SMTP server. Email delivery can fail on the first attempt for many different reasons, so giving up after one failure is never reasonable.

  3. Re:I have a fine idea by rhook · · Score: 2, Insightful

    Sounds like a good idea until one of your systems gets compromised and you receive the bill for the millions of emails that were sent through it. Perhaps you should go to prison if someone uses your car without permission and kills someone too?

  4. This is the next escalation in the spam war by Dutchmang · · Score: 2, Insightful

    IP reputation and RBL will always be vulnerable because the attackers just hide within the population, like guerrillas or terrorists. If you block legitimate ranges or addresses because you saw a spam come from there, it's like bombing a village because someone shot at you from one of the houses. You may kill the bad guy but you make the population REALLY mad. This is consistent with recent findings that >50% of spam actually originates from "trusted domains."

    --
    I'm looking over the wall, and they're looking at me!