Two month "snowshoe" trek results

On the two-month anniversary of our announcement of the Spamhaus CSS, we thought it's time to take a look at its effect against this type of spamming. As we had mentioned, while filtering methods for botnet spam are now quite effective, a new breed of static-IP address spammers had evolved, and their spam was evading many filters. It became time to target the next great spam problem, " snowshoe " spam.

Results seen so far

Our testing has shown the new CSS zone has more than doubled the effectiveness of the Spamhaus SBL in blocking/filtering spam. In addition to blocking/filtering the spam sent by snowshoers, many of the ISPs hosting them have noticed their IP addresses listed, have terminated contracts with these spammers and booted them off of their hosting service. This will be driving up the time, effort & monies spammers must expend to continue their abusive and in many cases illegal businesses. The new snowshoe detection also allows Spamhaus volunteers to discover other, unseen, areas run by spammers and to blocklist them as well.

As we continue to to modify the automated detection systems used by the CSS to detect snowshoe spam IP address ranges, its effectiveness should expand even further. We fully expect the spammers to try and adjust to avoid detection, but they have an obvious problem: If they want to continue to send spam to millions of internet users' mailboxes, our systems will see it - and they will end up in the CSS.

The Problem of Snowshoe Spam

Like many of you, we at The Spamhaus Project have seen a burgeoning flood of spam emails, not from compromised IP addresses or botnet ranges, but from static IP address ranges. The IP addresses that send this spam properly identify their host names when connecting to a mailserver. At first glance, the emails that they send look like legitimate bulk emails, except that they were sent to spamtraps or to our own email addresses, which we know did not ask for that email. Most of them send modest volumes of email that do not trigger automated spam blocking filters or reputation metrics. It is this technique, spreading the load out over a larger area, that gives snowshoe spam its name.

However, the resemblance to legitimate bulk emailers ends with surface details. Unlike IP addresses ("IPs") used by legitimate bulk emailers, the IPs used by snowshoe spammers are usually either unallocated/un-SWIP'd, or allocated/SWIP'd to small companies that neither we nor anybody else has ever heard of before. Unlike the mail servers and URI domains used in legitimate bulk email, the mail servers and URI domains are either registered with a Whois cloaking service, or, again, to small companies that neither we nor anybody else has ever heard of before.

This spam is sent from many small IP ranges on many Internet Service Providers (ISPs), using many different domains, and the IPs and domains change rapidly, making it difficult for people and places to detect and block this spam. Most importantly, while each host/IP usually sends a modest volume of bulk email, collectively these anonymous IP ranges send a great deal of spam, and the quantities of this type of spam have been increasing rapidly over the past few months.

Working Toward a Solution

As with botnet spam, an actual solution to snowshoe spam will require many organizations and many people using a variety of approaches. Our role (and that of any blocklist) is to tell email recipients where the spam is coming from so that they can block, filter or tag it (using our DNS-based blocklist), identify the spammers, and take further action. Recently we decided that we needed a better, quicker way to do this with IPs sending snowshoe spam than manually listing those IPs in the Spamhaus Block List (SBL).

As a first step, we are making the new Spamhaus CSS (Composite Snow-Shoe) list available to detect and respond more quickly to IPs that are emitting snowshoe spam. As the new [CSS web page](http://www.spamhaus.org/redirect/ http://www.spamhaus.org/css/) explains, this is an automatically-generated list of IPs that have been detected sending snowshoe spam. The CSS contains only single IPs (a/k/a "/32s"), not larger CIDR IP address ranges. CSS listings are automatically removed a few days after the last time a listed IP or one of its near neighboring IPs stops sending snowshoe spam. A delisting request email address is also provided for ISPs to report any IP that is detected and listed in error.

Identifying the Snowshoe Spammers

As the CSS data is built it will also be flagged to the attention of the SBL team, who will continue to create manual listings for active snowshoe ranges, identify the spammers behind snowshoe operations, associate those listings with Register Of Known Spam Operations (ROKSO) records or create new records where appropriate. Spamhaus will also continue our efforts to bring the problem of snowshoe spam to the attention of the world's lawmakers via our direct contacts and our informational postings on the subject.

How to Use the New CSS Data

The CSS will be included in sbl.spamhaus.org zone, and in the combined blocklist zones at sbl-xbl.spamhaus.org and zen.spamhaus.org as well. It will return a unique result code, 127.0.0.3, rather than the SBL result code of 127.0.0.2, however, allowing any spam filters or local configurations to treat CSS hits differently than the regular SBL hits if they wish.

Related: ** [CSS web page: more information about the CSS.](http://www.spamhaus.org/redirect/ http://www.spamhaus.org/css/)* Slashdot mention and discussion of the Spamhaus CSS.* Original Oct-3-2009 CSS announcment.*