Fighting "Snowshoe" Spam

Today Spamhaus announced they are releasing a new list of IP addresses from which they've been receiving "snowshoe" spam — unsolicited email distributed across many IPs and domains in order to avoid triggering volume-based filters. "This spam is sent from many small IP ranges on many Internet Service Providers (ISPs), using many different domains, and the IPs and domains change rapidly, making it difficult for people and places to detect and block this spam. Most importantly, while each host/IP usually sends a modest volume of bulk email, collectively these anonymous IP ranges send a great deal of spam, and the quantities of this type of spam have been increasing rapidly over the past few months." A post at the Enemies List anti-spam blog wonders at the impact this will have on email service providers and their customers. The author references a conversation he had with an employee from one of these providers: "... I replied that I expected it to mean the more legitimate clients of the sneakier gray- and black-hat spammers would migrate to more legitimate ESPs — suggesting that it was, in the long run, a good thing, because ESPs with transparency and a reputation to protect will educate their new clients. His reply was essentially that this would be a problem for them in the short run, because it would swamp their new customer vetting processes and so on."

I represent that!

As a Canadian I figured I'd better look that up.

http://www.spamhaus.org/faq/answers.lasso?section=Glossary#233

Like a snowshoe spreads the load of a traveler across a wide area of snow, snowshoe spamming uses many frequently-changing IP addresses, domains and aliases to spread out the spam load in order to dilute recipient reputation metrics and evade filters. Snowshoers use many fictitious business names (DBAs), fake names and identities, and frequently changing postal dropboxes and voicemail drops. Conversely, legitimate mailers try hard to build their brand reputation based on a real business address, a known domain and a small permanent range of sending IPs. Snowshoers often use anonymized or unidentifiable whois records, whereas legitimate senders are proud to provide their bona fide identity.

Some showshoers use tunneled connections from their back-end spam cannon to the spam egress IP. The back-end IP address is not in the spam headers. ISPs, you are in a position to detect those back-end spam cannons by checking where traffic flows are coming from. Remember, the tunneled connection is not necessarily on port 25. Spamhaus always appreciates such information.

Re:How is this different

from the typical spambot? Any big enough botnet dedicated to send spam could have millons of nodes.

Of course, most of those nodes are located in residential IP ranges, not meant to have mail servers usually. There are blacklists for that since a lot ago. That combined with greylisting (some spambots can handle greylistings, some not), and content filtering could reduce a lot the impact of that kind of spam.

It's completely different. Snowshoe spam does not come from infected PCs (proxies or bots), it comes from *static* IP addresses *bought* by the spammers from ISPs. The spammers have been buying IP ranges, class Cs, directly from ISPs and filling these ranges with 'nonsense' domains, each one sending 'a bit' of spam is order to spread the load across the whole class C to lessen complaints.

Re:I have a fine idea

[X0563511]

I think a better idea...

Stop filtering spam at all. For a whole week.

Let the spammers break the system.

Re:Snowshoe?

[ozmanjusri]

Blame Evolution.

Evolution?

More likely Outlook and the colander-like OS it runs on.