The Spamhaus Project


A Snowshoe Winter: Our Discontent with CAN-SPAM

by The Spamhaus Team, February 25, 2009

Snowshoe spamming has been around for many years but during 2008 a few USA spammers honed the technique to a fine edge. It has grown rapidly for the past year and there is no indication that it will cease in the foreseeable future. As of February 2009, snowshoe spamming accounts for 20-30% of all connections at typical gTLD mail servers. It is the second largest segment of the overall mailstream next to botnet spam from compromised machines in dynamic IP space. Snowshoeing represents a resurgence of static IP spam by persons in jurisdictions where law enforcement might just be able to reach them.

These latest static IP spammers show a sophistication of listwashing, waterfalling and snowshoeing that improves their chances to evade detection and thereby makes it difficult to stop their spam from reaching end-users. Some ISPs where snowshoers are hosted say they have difficulty collecting evidence of the abuse, possibly because snowshoers have washed most spam reporting addresses. But responsible ISPs seem perfectly capable of preventing, detecting and removing snowshoers from their network. Our ISP FAQ can help ISPs collect evidence, if they try.

Unlike snowshoe spam, botnet spam in dynamic IP space is highly distributed and persists because it is difficult for the ISP to deal with. ISPs lose money due to botnet spam because of theft of services, and therefore do not want bots on their networks. Snowshoe spam, on the other hand, comes from static IP addresses in dedicated and relatively narrow IP ranges. The ISPs responsible for those ranges have accepted the spammer's payment and, in some cases, are reluctant to enforce their AUPs against spam and remove their spamming customers. Also, snowshoers often use the "customer of a customer" excuse, encouraging the ISP to not nuke far enough up the reseller chain.

Snowshoers have learned an important lesson from botnet spammers: the IP that delivers the spam does not need to be the same IP that runs the actual spam-cannon server. Where botnet spammers hide behind illegally obtained Trojan horse proxies, snowshoers pay ISPs for many diverse IP ranges for their spam spigots. Meanwhile, the actual back-end servers operate with impunity, undetected on some other network. The connection is tunneled from the spam cannon to the spigot IPs, and if a spew range is blocked it's a simple and very fast configuration change to re-aim the cannon to unlisted sending IPs. Any ISP which accidentally hosts a snowshoer can assist Spamhaus by checking where the tunneled packets arrive from and letting us know, before they turn down the sending IPs.
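One way a hosting ISP could run the check described above over its own flow logs, as an added example that is not Spamhaus code: find the remote hosts that feed traffic into most of a range's SMTP-sending IPs. The flow tuple layout, the addresses (documentation ranges), the "gre" tunnel protocol and the `min_share` threshold are all assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed flow records (src, dst, proto, dst_port, bytes); documentation
# address ranges only. 192.0.2.0/24 stands in for the customer's sending range.
SAMPLE_FLOWS = (
    [(f"192.0.2.{h}", mx, "tcp", 25, 40_000)               # outbound deliveries
     for h in (10, 11, 12, 13) for mx in ("198.51.100.25", "198.51.100.26")]
    + [("203.0.113.77", f"192.0.2.{h}", "gre", 0, 90_000)  # tunnel from back end
       for h in (10, 11, 12, 13)]
    + [("198.51.100.25", "192.0.2.10", "tcp", 41000, 2_000),  # SMTP replies
       ("198.51.100.200", "192.0.2.11", "icmp", 0, 500),      # unrelated ping
       ("203.0.113.5", "192.0.2.200", "tcp", 443, 70_000)]    # non-sending host
)


def find_tunnel_sources(flows, customer_net, min_share=0.5):
    """Return [(remote_ip, senders_fed, bytes_in)] for hosts feeding the senders."""
    net = ipaddress.ip_network(customer_net)

    def in_net(ip):
        return ipaddress.ip_address(ip) in net

    # Sending IPs: in-range addresses that open outbound SMTP connections.
    smtp = [(s, d) for s, d, proto, port, _ in flows
            if proto == "tcp" and port == 25 and in_net(s) and not in_net(d)]
    senders = {s for s, _ in smtp}
    mail_targets = {d for _, d in smtp}  # recipients' mail servers, not feeders

    fed = defaultdict(set)
    volume = defaultdict(int)
    for s, d, _proto, _port, nbytes in flows:
        if d in senders and not in_net(s) and s not in mail_targets:
            fed[s].add(d)
            volume[s] += nbytes

    # A back end aimed at the whole range talks to most of its sending IPs.
    hits = [(ip, len(fed[ip]), volume[ip]) for ip in fed
            if len(fed[ip]) / len(senders) >= min_share]
    return sorted(hits, key=lambda h: (-h[1], -h[2]))


if __name__ == "__main__":
    for ip, n, nbytes in find_tunnel_sources(SAMPLE_FLOWS, "192.0.2.0/24"):
        print(f"{ip} feeds {n} sending IPs, {nbytes} bytes inbound")
```

Running this over flow data captured before the sending IPs are turned down preserves the back-end address for the report.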

Statements by the snowshoers themselves say such things as:

...your company's network can travel the world while being safe, secure and protected in its own hive.

And:

$70,875/month gets you 9 class C's spread across at least 5 providers with bandwidth for 8 Millions HTML emails per day per class C. Network blocks (class C's) will be replaced after at least 60 days if they are blocked. Network Blocks may be replaced solely in the event such Network Block has been blacklisted by SpamHaus [sic].

Just as snowshoe spammers rotate through many domains and IPs, they also use evasive techniques in the content of their messages. Some messages are image-only, pulled by HTTP. Sometimes the required CAN-SPAM address is included only as an image, to avoid a 'hook' for content filters. Even when it is in text, they frequently change the mailbox drop and even the corporation name. (USA corporations are cheap and easily obtainable with pseudonymous information.) All of that makes enforcement of any applicable laws quite difficult, as Spamhaus suggested in 2003, just before CAN-SPAM was enacted:

At best, CAN-SPAM will convert small amounts of illegal spammers over to spamming legally until they can see how ineffective enforcement is, CAN-SPAM will invite thousands of new spammers to swell the ranks of existing spammers all "spamming legally" utilizing the obvious loopholes, CAN-SPAM will substantially increase spam volumes in 2004 and will ultimately unquestionably have to be countered by a new U.S. Federal law to finally and properly ban spam.

Snowshoeing provides another niche in the Spammer Agora. Very much like bulletproof hosters secure web services from spam-tolerant ISPs, there are companies which specialize in providing spam outlet IP ranges for those tunneled snowshoe connections. And like bulletproof web and DNS hosts, snowshoers cater to a clientele not served by legitimate ISPs. Ordinary solicited bulk e-mail can be delivered just fine from ordinary ISP and ESP IP addresses. There's no reason for snowshoeing except to send unsolicited bulk e-mail.

3 October 2009 Blog: Announcing the Spamhaus CSS

3 December 2009 Blog: Two month "snowshoe" trek results