The Problem of Snowshoe Spam

Like many of you, we at The Spamhaus Project have seen a burgeoning flood of spam emails, not from compromised IP addresses or botnet ranges, but from static IP address ranges. The IP addresses that send this spam properly identify their host names when connecting to a mailserver. At first glance, the emails that they send look like legitimate bulk emails, except that they were sent to spamtraps or to our own email addresses, which we know did not ask for that email. Most of them send modest volumes of email that do not trigger automated spam blocking filters or reputation metrics. It is this technique, spreading the load out over a larger area, that gives snowshoe spam its name.

However, the resemblance to legitimate bulk emailers ends with surface details. Unlike IP addresses ("IPs") used by legitimate bulk emailers, the IPs used by snowshoe spammers are usually either unallocated/un-SWIP'd, or allocated/SWIP'd to small companies that neither we nor anybody else has ever heard of before. Unlike the mail servers and URI domains used in legitimate bulk email, the mail servers and URI domains are either registered with a Whois cloaking service, or, again, to small companies that neither we nor anybody else has ever heard of before.

This spam is sent from many small IP ranges on many Internet Service Providers (ISPs), using many different domains, and the IPs and domains change rapidly, making it difficult for people and places to detect and block this spam. Most importantly, while each host/IP usually sends a modest volume of bulk email, collectively these anonymous IP ranges send a great deal of spam, and the quantities of this type of spam have been increasing rapidly over the past few months.

Working Toward a Solution

As with botnet spam, an actual solution to snowshoe spam will require many organizations and many people using a variety of approaches. Our role (and that of any blocklist) is to tell email recipients where the spam is coming from so that they can block, filter or tag it (using our DNS-based blocklist), identify the spammers, and take further action. Recently we decided that we needed a better, quicker way to do this with IPs sending snowshoe spam than manually listing those IPs in the Spamhaus Block List (SBL).

As a first step, we are making the new Spamhaus CSS (Composite Snow-Shoe) list available to detect and respond more quickly to IPs that are emitting snowshoe spam. As the new CSS web page explains, this is an automatically-generated list of IPs that have been detected sending snowshoe spam. The CSS contains only single IPs (a/k/a "/32s"), not larger CIDR IP address ranges. CSS listings are automatically removed a few days after the last time a listed IP or one of its near neighboring IPs stops sending snowshoe spam. A delisting request email address is also provided for ISPs to report any IP that is detected and listed in error.

Identifying the Snowshoe Spammers

As the CSS data is built it will also be flagged to the attention of the SBL team, who will continue to create manual listings for active snowshoe ranges, identify the spammers behind snowshoe operations, associate those listings with Register Of Known Spam Operations (ROKSO) records or create new records where appropriate. Spamhaus will also continue our efforts to bring the problem of snowshoe spam to the attention of the world's lawmakers via our direct contacts and our informational postings on the subject.

How to Use the New CSS Data

The CSS will be included in sbl.spamhaus.org zone, and in the combined blocklist zones at sbl-xbl.spamhaus.org and zen.spamhaus.org as well. It will return a unique result code, 127.0.0.3, rather than the SBL result code of 127.0.0.2, however, allowing any spam filters or local configurations to treat CSS hits differently than the regular SBL hits if they wish.

For more information about the CSS, please see the CSS web page.

3 December 2009 Blog: Two month "snowshoe" trek results