
Spamhaus rolls out anti-snowshoe filters

Spamhaus announced today that they are rolling out a new system to detect snowshoe spammers.

What is a snowshoe spammer?

Snowshoe spammers send spam not from compromised servers or botnets, but from large numbers of IP addresses that they are using legitimately. They try to stay below the radar of spam filters, and so get their unwanted email through to the inbox, by looking like a lot of little senders of email rather than one big volume of email.

While a legitimate user of lots of IP addresses might ask for a /23 (500 adjacent IP addresses) from their ISP, and put their real name on the network registration, a snowshoe spammer might instead have 50 blocks of 8 or 16 IP addresses scattered all across their ISP. And they won’t have their real names on the network registrations – instead there’ll be no records at all, or fake but plausible looking company names.

Like a legitimate sender, a snowshoe spammer uses real domain names in the mail they send – but unlike the legitimate sender, instead of using one real domain name they’ll typically use hundreds of different ones. Sometimes these are created completely randomly, such as dreamingdisposal.com or acrosticvienna.com; sometimes they’re created so as to sound vaguely like plausible businesses. The contact information on the domain registration is falsified, usually by using one of the commercial domain registration anonymization services such as DomainsByProxy.

And, just like botnet spam, the snowshoe spammer will send low volumes of email from each IP address, to stay below the threshold where someone might look closely at a particular source. Spreading their activity out, so there’s not too much noticeable pressure at any one point, is where the term snowshoe spammer comes from.

What are Spamhaus doing?

Spamhaus CSS is a list of IP addresses that Spamhaus think are being used by a snowshoe spammer. It isn’t being published as a separate blacklist, rather it’s being published as part of the Spamhaus SBL, so it’ll be used automatically by everyone using the SBL or Zen lists from Spamhaus. This will help Spamhaus react much more quickly to block snowshoe spammer infestations.
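Because CSS is folded into the SBL, a mail server that already consults ZEN sees snowshoe listings through the same query it makes today. The following is an added example (not code from this post or from Spamhaus) showing how that query name is built for an IPv4 address and how the A-record answer is decoded. The DNS lookup is injected as a function so the example runs offline against a constructed answer table; the return-code mapping is the example author's understanding of Spamhaus's documented ZEN codes and should be checked against current Spamhaus documentation before use.

```python
"""Compose a DNSBL query name for an IPv4 address and decode the answer the
way a mail server consulting Spamhaus ZEN would, with the DNS lookup
injected so the example runs offline against a constructed answer table.
"""
import ipaddress
from typing import Callable, List

ZEN_ZONE = "zen.spamhaus.org"

# Return codes for ZEN as documented by Spamhaus, to the best of this
# example author's knowledge (assumption: verify against current Spamhaus
# documentation). CSS listings come back as 127.0.0.3, which is why an
# SBL/ZEN user picks up the snowshoe data without querying an extra zone.
RETURN_CODES = {
    "127.0.0.2": "SBL",
    "127.0.0.3": "SBL CSS (snowshoe)",
    "127.0.0.4": "XBL",
    "127.0.0.5": "XBL",
    "127.0.0.6": "XBL",
    "127.0.0.7": "XBL",
    "127.0.0.10": "PBL",
    "127.0.0.11": "PBL",
}


def dnsbl_query_name(ip: str, zone: str = ZEN_ZONE) -> str:
    """Reverse the octets and append the zone:
    198.51.100.5 -> 5.100.51.198.zen.spamhaus.org.
    IPv6 uses nibble reversal and is deliberately not handled here;
    IPv4Address() rejects it with a ValueError."""
    addr = ipaddress.IPv4Address(ip)
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def decode_answers(answers: List[str]) -> dict:
    """Split A-record answers into real listings, error codes and junk."""
    result = {"listings": [], "errors": [], "ignored": []}
    for a in answers:
        if a.startswith("127.255.255."):
            # Spamhaus signals query problems (e.g. open-resolver use or
            # rate limiting) in this range; that is not a listing.
            result["errors"].append(a)
        elif a in RETURN_CODES:
            result["listings"].append(RETURN_CODES[a])
        else:
            # Anything else (including non-127 answers from a hijacked or
            # wildcarding resolver) must never be treated as a listing.
            result["ignored"].append(a)
    return result


def lookup(ip: str, resolve: Callable[[str], List[str]],
           zone: str = ZEN_ZONE) -> dict:
    """Query the zone for ip via the supplied resolver and decode the reply.
    resolve() returns the A-record strings, or [] for NXDOMAIN."""
    return decode_answers(resolve(dnsbl_query_name(ip, zone)))


def should_reject(ip: str, resolve: Callable[[str], List[str]]) -> bool:
    """Reject only on a genuine listing; fail open on error codes so a
    resolver problem does not turn into a mail outage."""
    return bool(lookup(ip, resolve)["listings"])


# Constructed stand-in for DNS: query name -> A records. Not real data.
STUB_ANSWERS = {
    dnsbl_query_name("198.51.100.5"): ["127.0.0.3"],
    dnsbl_query_name("203.0.113.9"): ["127.0.0.2", "127.0.0.10"],
    dnsbl_query_name("203.0.113.77"): ["127.255.255.254"],
    dnsbl_query_name("203.0.113.78"): ["10.0.0.1"],
}


def stub_resolve(name: str) -> List[str]:
    """Offline resolver: unknown names behave like NXDOMAIN."""
    return STUB_ANSWERS.get(name, [])


if __name__ == "__main__":
    for ip in ("198.51.100.5", "192.0.2.10", "203.0.113.9", "203.0.113.77"):
        verdict = "reject" if should_reject(ip, stub_resolve) else "accept"
        print(ip, lookup(ip, stub_resolve), verdict)
```

To use it against live DNS, pass a `resolve` function that returns the A records for the name (for example, one wrapping a DNS library's query call); keeping the decode logic separate from the lookup is what lets the error-code and junk-answer branches be tested without network access.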

Does this affect me?

If you’re a legitimate sender, this should be yet another reason for you to make sure that you’re being transparent about who you are and what you do.

If you don’t want to risk being mistaken for a snowshoe spammer make sure you’re using one or two real domains with a web presence rather than dozens or hundreds of opaque domain names. Use mail1.yourcompany.com – mail25.yourcompany.com rather than yc1.com – yc25.com.

And make sure you have real contact information in all your domain and network registration information, not false or out of date information and definitely not an anonymisation service.
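The traits described above (many sending IPs, low volume on each, and many unrelated domains instead of a few hostnames under one organisational domain such as mail1.yourcompany.com through mail25.yourcompany.com) can be scored from ordinary mail logs. The following is an added example, not code from this post or from Spamhaus, that aggregates a constructed log per /24 and flags networks showing all three traits at once; the thresholds, the sample log lines and the last-two-labels approximation of a registrable domain are the example author's assumptions, not Spamhaus's criteria.

```python
"""Heuristic scoring of sending networks for the snowshoe traits the post
describes: many distinct sending IPs, low volume per IP, and many unrelated
sender domains rather than a few hostnames under one organisational domain.

Thresholds and the sample log are constructed for illustration; they are not
Spamhaus's criteria.
"""
from collections import defaultdict
from dataclasses import dataclass, field
import ipaddress
import re

# Constructed sample log (not real traffic): one message per line,
# "<sending IP> <sender hostname>". 192.0.2.0/24 imitates a transparent
# sender using mail1..mail3.yourcompany.com; 198.51.100.0/24 imitates a
# snowshoe pattern with one message per IP and a different domain on each.
SAMPLE_LOG = """\
192.0.2.10 mail1.yourcompany.com
192.0.2.10 mail1.yourcompany.com
192.0.2.10 mail1.yourcompany.com
192.0.2.11 mail2.yourcompany.com
192.0.2.11 mail2.yourcompany.com
192.0.2.12 mail3.yourcompany.com
192.0.2.12 mail3.yourcompany.com
192.0.2.12 mail3.yourcompany.com
198.51.100.5 dreamingdisposal.com
198.51.100.6 acrosticvienna.com
198.51.100.7 yc1.com
198.51.100.8 yc2.com
198.51.100.9 yc3.com
198.51.100.10 yc4.com
198.51.100.11 yc5.com
198.51.100.12 yc6.com
this line is malformed and is skipped
"""

LINE_RE = re.compile(r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<host>[A-Za-z0-9.-]+)$")


@dataclass
class NetStats:
    """Per-/24 counters."""
    messages: int = 0
    ips: set = field(default_factory=set)
    domains: set = field(default_factory=set)


def registrable_domain(host: str) -> str:
    """Approximate the registrable domain as the last two labels.
    Assumption: no public-suffix list is consulted, so co.uk-style names
    would be over-collapsed; adequate for this heuristic."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_log(text: str) -> dict:
    """Aggregate messages per /24 network; malformed lines are skipped."""
    stats = defaultdict(NetStats)
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        try:
            ip = ipaddress.IPv4Address(m["ip"])
        except ValueError:
            continue  # e.g. an octet above 255
        net = str(ipaddress.ip_network(f"{ip}/24", strict=False))
        s = stats[net]
        s.messages += 1
        s.ips.add(str(ip))
        s.domains.add(registrable_domain(m["host"]))
    return dict(stats)


def snowshoe_score(s: NetStats) -> dict:
    """The three traits, as numbers a reviewer can read."""
    return {
        "ips": len(s.ips),
        "msgs_per_ip": round(s.messages / len(s.ips), 2),
        "domains": len(s.domains),
    }


def flag_snowshoe_networks(text: str, min_ips: int = 4,
                           max_msgs_per_ip: float = 2.0,
                           min_domains: int = 4) -> list:
    """Return the /24s showing all three traits together. A network that
    trips only one (e.g. a busy single-domain sender) is left alone."""
    flagged = []
    for net, s in parse_log(text).items():
        sc = snowshoe_score(s)
        if (sc["ips"] >= min_ips and sc["msgs_per_ip"] <= max_msgs_per_ip
                and sc["domains"] >= min_domains):
            flagged.append(net)
    return sorted(flagged)


if __name__ == "__main__":
    for net, s in parse_log(SAMPLE_LOG).items():
        print(net, snowshoe_score(s))
    print("flagged:", flag_snowshoe_networks(SAMPLE_LOG))
```

Requiring all three traits together is the point of the design: a large transparent sender collapses to one registrable domain no matter how many mail hosts it runs, so it never trips the domain-count test, while a scattered set of one-message IPs with a fresh domain on each does. The same `registrable_domain` check, run over your own outbound hostnames, tells you whether you look like mail1.yourcompany.com or like yc1.com.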

3 comments

  1. Anton Panaitesco says

    Great post!
    Very interesting, I permalinked it.

    Keep it up!

  2. Why do you need so many IP addresses (part 2)? at Word to the Wise says

    [...] 750 IP addresses from a new ESP customer. They assumed that there was no possible reason other than snowshoe spam for an email related customer to need that many IP addresses. While I suspect they may have been [...]

  3. Define “spam” – Word to the Wise says

    [...] presumably bulk mail. Thus that IP gets listed. They also have other lists that monitor snowshoe behaviour as well as listing domains. Spamhaus, and other blocklists believe that if a mailer is sending one [...]

