Spamhaus rolls out anti-snowshoe filters

Spamhaus announced today that they are rolling out a new system to detect snowshoe spammers.

What is a snowshoe spammer?

Snowshoe spammers send spam not from compromised servers or botnets, but from large numbers of IP addresses that they are using legitimately. They try to stay below the radar of spam filters, and so get their unwanted email through to the inbox, by looking like many small senders of email rather than one high-volume sender.

While a legitimate user of lots of IP addresses might ask for a /23 (500 adjacent IP addresses) from their ISP, and put their real name on the network registration, a snowshoe spammer might instead have 50 blocks of 8 or 16 IP addresses scattered all across their ISP. And they won’t have their real names on the network registrations – instead there’ll be no records at all, or fake but plausible-looking company names.

Like a legitimate sender, a snowshoe spammer uses real domain names in the mail they send – but unlike the legitimate sender, instead of using one real domain name they’ll typically use hundreds of different ones. They’ll sometimes be created completely randomly, such as or, sometimes they’ll be created so as to sound vaguely like plausible businesses. The contact information on the domain registration is falsified, usually by using one of the commercial domain registration anonymization services such as DomainsByProxy.

And, just like botnet spam, the snowshoe spammer will send low volumes of email from each IP address, to stay below the threshold where someone might look closely at a particular source. This spreading out of their activity, so there’s not too much noticeable pressure at any one point, is where the term snowshoe spammers comes from.
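The pattern described above, seen from the receiving side, as an added example that is not part of the original post and is not Spamhaus's method: per-IP counters see nothing unusual, while grouping traffic by campaign exposes many small scattered blocks and many domains. The content fingerprint used as the grouping key, the /28 block size and the thresholds are all assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample rows: (source IP, sender domain, content fingerprint, messages).
# Documentation address ranges and .example domains only; not real traffic.
SAMPLE = (
    [("198.51.100.%d" % (16 * b + h), "shop%d-%d.example" % (b, h), "fp-A", 40)
     for b in range(0, 16, 3) for h in range(1, 5)]
    + [("203.0.113.%d" % (32 * b + h), "deal%d-%d.example" % (b, h), "fp-A", 35)
       for b in range(0, 8, 2) for h in range(1, 5)]
    + [("192.0.2.%d" % h, "news.example", "fp-B", 9000) for h in range(10, 14)]
)

def profile(records, block_prefix=28):
    """Summarise each campaign: IPs, distinct small blocks, domains, volume."""
    camps = defaultdict(lambda: {"ips": defaultdict(int),
                                 "blocks": set(), "domains": set()})
    for ip, domain, fingerprint, count in records:
        c = camps[fingerprint]
        c["ips"][ip] += count
        # Map the address to its enclosing small block (hypothetical /28 default).
        c["blocks"].add(ipaddress.ip_network("%s/%d" % (ip, block_prefix),
                                             strict=False))
        c["domains"].add(domain.lower())
    return {
        fp: {"ips": len(c["ips"]),
             "blocks": len(c["blocks"]),
             "domains": len(c["domains"]),
             "max_per_ip": max(c["ips"].values()),
             "total": sum(c["ips"].values())}
        for fp, c in camps.items()
    }

def looks_like_snowshoe(p, min_blocks=5, min_domains=20, per_ip_ceiling=100):
    """Many scattered blocks, many domains, and low volume on every single IP.
    Threshold values are illustrative assumptions, not published criteria."""
    return (p["blocks"] >= min_blocks
            and p["domains"] >= min_domains
            and p["max_per_ip"] <= per_ip_ceiling)

def flag(records):
    """Return the fingerprints of campaigns matching the snowshoe profile."""
    return sorted(fp for fp, p in profile(records).items()
                  if looks_like_snowshoe(p))

if __name__ == "__main__":
    for fp, p in sorted(profile(SAMPLE).items()):
        print(fp, p, "SNOWSHOE-LIKE" if looks_like_snowshoe(p) else "ok")
```

On the sample, no single `fp-A` address sends more than 40 messages, yet the campaign totals 1,520 messages across 10 separate /28 blocks and 40 domains, while the high-volume `fp-B` sender sits in one block under one domain.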

What are Spamhaus doing?

Spamhaus CSS is a list of IP addresses that Spamhaus think are being used by a snowshoe spammer. It isn’t being published as a separate blacklist, rather it’s being published as part of the Spamhaus SBL, so it’ll be used automatically by everyone using the SBL or Zen lists from Spamhaus. This will help Spamhaus react much more quickly to block snowshoe spammer infestations.

Does this affect me?

If you’re a legitimate sender, this should be yet another reason for you to make sure that you’re being transparent about who you are and what you do.

If you don’t want to risk being mistaken for a snowshoe spammer, make sure you’re using one or two real domains with a web presence rather than dozens or hundreds of opaque domain names. Use – rather than –

And make sure you have real contact information in all your domain and network registration information, not false or out of date information and definitely not an anonymisation service.


  1. Anton Panaitesco says

    Great post!
    Very interesting, I permalinked it.

    Keep it up!

  2. Why do you need so many IP addresses (part 2)? at Word to the Wise says

    […] 750 IP addresses from a new ESP customer. They assumed that there was no possible reason other than snowshoe spam for an email related customer to need that many IP addresses. While I suspect they may have been […]

  3. Define “spam” – Word to the Wise says

    […] presumably bulk mail. Thus that IP gets listed. They also have other lists that monitor snowshoe behaviour as well as listing domains. Spamhaus, and other blocklists believe that if a mailer is sending one […]

