Spamhaus announced today that they are rolling out a new system to detect snowshoe spammers.
What is a snowshoe spammer?
Snowshoe spammers send spam not from compromised servers or botnets, but from large numbers of IP addresses that they are using legitimately. They try to stay below the radar of spam filters, and so get their unwanted email through to the inbox, by looking like a lot of little senders of email rather than one big volume of email.
While a legitimate user of lots of IP addresses might ask for a /23 (500 adjacent IP addresses) from their ISP, and put their real name on the network registration, a snowshoe spammer might instead have 50 blocks of 8 or 16 IP addresses scattered all across their ISP. And they won’t have their real names on the network registrations – instead there’ll be no records at all, or fake but plausible looking company names.
Like a legitimate sender a snowshoe spammer uses real domain names in the mail they send – but unlike the legitimate sender instead of using one real domain name they’ll typically use hundreds of different ones. They’ll sometimes be created completely randomly, such as dreamingdisposal.com or acrosticvienna.com, sometimes they’ll be created so as to sound vaguely like plausible businesses. The contact information on the domain registration is falsified, usually by using one of the commercial domain registration anonymization services such as DomainsByProxy.
And, just like botnet spam, the snowshoe spammer will send low volumes of email from each IP address, to stay below the threshold where someone might look closely at a particular source. This spreading their activity out, so there’s not too much noticable pressure at any one point, is where the term snowshoe spammers comes from.
What are Spamhaus doing?
Spamhaus CSS is a list of IP addresses that Spamhaus think are being used by a snowshoe spammer. It isn’t being published as a separate blacklist, rather it’s being published as part of the Spamhaus SBL, so it’ll be used automatically by everyone using the SBL or Zen lists from Spamhaus. This will help Spamhaus react much more quickly to block snowshoe spammer infestations.
Does this affect me?
If you’re a legitimate sender, this should be yet another reason for you to make sure that you’re being transparent about who you are and what you do.
If you don’t want to risk being mistaken for a snowshoe spammer make sure you’re using one or two real domains with a web presence rather than dozens or hundreds of opaque domain names. Use mail1.yourcompany.com – mail25.yourcompany.com rather than yc1.com – yc25.com.
And make sure you have real contact information in all your domain and network registration information, not false or out of date information and definitely not an anonymisation service.
Spamhaus rolls out anti-snowshoe filters
S
Great post!
Very interesting, I permalinked it.
Keep it up!
[…] 750 IP addresses from a new ESP customer. They assumed that there was no possible reason other than snowshoe spam for an email related customer to need that many IP addresses. While I suspect they may have been […]
[…] presumably bulk mail. Thus that IP gets listed. They also have other lists that monitor snowshoe behaviour as well as listing domains. Spamhaus, and other blocklists believe that if a mailer is sending one […]
[…] will help you understand more about Snowshoe: https://www.spamhaus.org/faq/section/Glossary https://wordtothewise.com/2009/10/spamhaus-vs-snowshoe-spammers/ […]