On the two-month anniversary of our announcement of the Spamhaus CSS, we thought it's time to take a look at its effect against this type of spamming. As we had mentioned, while filtering methods for botnet spam are now quite effective, a new breed of static-IP address spammers had evolved, and their spam was evading many filters. It became time to target the next great spam problem, "snowshoe" spam.
Results seen so far
Our testing has shown the new CSS zone has more than doubled the effectiveness of the Spamhaus SBL in blocking/filtering spam. In addition to blocking/filtering the spam sent by snowshoers, many of the ISPs hosting them have noticed their IP addresses listed, have terminated contracts with these spammers and removed them from their hosting service. This drives up the time, effort and money spammers must expend to continue their abusive and in many cases illegal businesses. The new snowshoe detection also allows Spamhaus volunteers to discover other, previously unseen, ranges run by spammers and to blocklist them as well.
The Problem of Snowshoe Spam
Like many of you, we at The Spamhaus Project have seen a burgeoning flood of spam emails, not from compromised IP addresses or botnet ranges, but from static IP address ranges. The IP addresses that send this spam properly identify their host names when connecting to a mailserver. At first glance, the emails that they send look like legitimate bulk emails, except that they were sent to spamtraps or to our own email addresses, which we know did not ask for that email. Most of them send modest volumes of email that do not trigger automated spam blocking filters or reputation metrics. It is this technique, spreading the load out over a larger area, that gives snowshoe spam its name.
However, the resemblance to legitimate bulk emailers ends with surface details. Unlike IP addresses ("IPs") used by legitimate bulk emailers, the IPs used by snowshoe spammers are usually either unallocated/un-SWIP'd, or allocated/SWIP'd to small companies that neither we nor anybody else has ever heard of before. Unlike the mail servers and URI domains used in legitimate bulk email, the mail servers and URI domains are either registered with a Whois cloaking service, or, again, to small companies that neither we nor anybody else has ever heard of before.
This spam is sent from many small IP ranges on many Internet Service Providers (ISPs), using many different domains, and the IPs and domains change rapidly, making it difficult for recipients and filtering systems to detect and block this spam. Most importantly, while each host/IP usually sends a modest volume of bulk email, collectively these anonymous IP ranges send a great deal of spam, and the quantities of this type of spam have been increasing rapidly over the past few months.
Working Toward a Solution
As with botnet spam, an actual solution to snowshoe spam will require many organizations and many people using a variety of approaches. Our role (and that of any blocklist) is to tell email recipients where the spam is coming from so that they can block, filter or tag it (using our DNS-based blocklist), identify the spammers, and take further action. Recently we decided that we needed a better, quicker way to do this with IPs sending snowshoe spam than manually listing those IPs in the Spamhaus Block List (SBL).
As a first step, we are making the new Spamhaus CSS (Composite Snow-Shoe) list available to detect and respond more quickly to IPs that are emitting snowshoe spam. As the new CSS web page explains, this is an automatically-generated list of IPs that have been detected sending snowshoe spam. The CSS contains only single IPs (a/k/a "/32s"), not larger CIDR IP address ranges. CSS listings are automatically removed a few days after the last time a listed IP or one of its near neighboring IPs stops sending snowshoe spam. A delisting request email address is also provided for ISPs to report any IP that is detected and listed in error.
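The page describes the CSS as a DNS-based blocklist of single IPs that recipients query to block, filter or tag mail. The following is an added example (not Spamhaus code) of how a mail filter builds the DNSBL query name for an IPv4 sender and turns the answer into a verdict. The zone name and the return-code meanings (127.0.0.2 for SBL, 127.0.0.3 for CSS) are assumptions for this example; confirm them against current Spamhaus documentation. The resolver and its answers are constructed so the code runs offline.

```python
import ipaddress
from typing import Callable, Dict, Iterable, List

# Assumed zone and return codes (check current Spamhaus docs before relying on them).
ZEN_ZONE = "zen.spamhaus.org"
RETURN_CODES = {
    "127.0.0.2": "SBL",  # manually listed spam source
    "127.0.0.3": "CSS",  # automated snowshoe listing (single /32)
}

def dnsbl_query_name(ip: str, zone: str = ZEN_ZONE) -> str:
    """Build the DNSBL query name: IPv4 octets reversed, then the zone name."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on malformed input
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"

def classify(ip: str, resolve: Callable[[str], Iterable[str]]) -> Dict[str, object]:
    """Query the DNSBL for a sending IP and return which lists it is on plus a verdict.

    resolve(name) returns the A records for name; an empty result means not listed.
    Any answer outside 127.0.0.0/8 is not a valid DNSBL code, so the verdict is
    'error' (a wildcarded or hijacked zone must not turn into mass rejections).
    """
    answers = list(resolve(dnsbl_query_name(ip)))
    if any(ipaddress.IPv4Address(a) not in ipaddress.IPv4Network("127.0.0.0/8") for a in answers):
        return {"ip": ip, "lists": [], "verdict": "error"}
    lists: List[str] = sorted({RETURN_CODES[a] for a in answers if a in RETURN_CODES})
    verdict = "reject" if lists else "accept"
    return {"ip": ip, "lists": lists, "verdict": verdict}

# Constructed answers using documentation-range IPs; not real listings.
CONSTRUCTED_ANSWERS = {
    "34.2.0.192.zen.spamhaus.org": ["127.0.0.3"],               # CSS snowshoe hit
    "7.100.51.198.zen.spamhaus.org": ["127.0.0.2", "127.0.0.3"],  # SBL and CSS
    "1.0.0.10.zen.spamhaus.org": ["203.0.113.5"],               # bogus answer
}

def fake_resolve(name: str) -> List[str]:
    """Stand-in for a real DNS lookup; unknown names resolve to nothing."""
    return CONSTRUCTED_ANSWERS.get(name, [])

if __name__ == "__main__":
    for sender in ("192.0.2.34", "198.51.100.7", "203.0.113.9", "10.0.0.1"):
        print(classify(sender, fake_resolve))
```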
Identifying the Snowshoe Spammers
As the CSS data is built it will also be flagged to the attention of the SBL team, who will continue to create manual listings for active snowshoe ranges, identify the spammers behind snowshoe operations, associate those listings with Register Of Known Spam Operations (ROKSO) records or create new records where appropriate. Spamhaus will also continue our efforts to bring the problem of snowshoe spam to the attention of the world's lawmakers via our direct contacts and our informational postings on the subject.
How to Use the New CSS Data
The CSS will be included in
Two month "snowshoe" trek results
Permission to quote from or reproduce Spamhaus News articles is granted automatically providing you state the source as Spamhaus and link to the news record.