Terry Zink's Cyber Security Blog

Discussing Internet security in (mostly) plain English

What snoeshow spam looks like

While at the VB conference in Barcelona last month, I also had the chance to attend a presentation on Snowshoe Spamming, presented by Brett Cove of Sophos.

What is snowshoe spamming?  Well, it’s a different type of problem than the traditional spam problem.  Whereas botnet spam has declined over the past 12 months, snowshoe spam has increased. 

Snowshoe spam gets its name because the spammers distribute their email over a wider range of IP addresses in order to avoid detection (not to mention IP blacklisting).  They do this in order to maintain a light footprint.  Just like real-life snowshoes distribute your weight over a wide area to avoid sinking into the snow, snowshoe spam distributes its weight over a wide area to avoid filters.

Snowshoe spammers use dedicated IP addresses that are purchased by the spammer, and more often than not, the IPs are hosted in the United States.  The spammers make their money from affiliate programs and are not necessarily black hat spammers.  I use the term gray hat spammer, and those hats frequently have varying shades of gray.

The problem is that the 2003 CAN SPAM Act is an opt-out law; it is easy to spam and still remain compliant.  Whereas other countries explicitly require email marketers to obtain the users’ consent to receive the mails, the CAN SPAM Act only requires you to provide the user a way of opting out.  Thus, you can honor every opt out but still sign people up to receive more mail without technically violating the US law.

Snowshoe spam differs from criminal spam (sent by black hat spammers and botnets) in some key ways:

  • Criminal spam is sent from forged addresses whereas snowshoe spam is not.

  • Criminal spam does not contain unsubscribes whereas snowshoe spam does.

  • Criminal spam will send any type of content – gambling, x-rated spam, pharmaceuticals, etc. – and none of it looks legitimate.  Snowshoe spam content does look legitimate, though it is somewhat “markety” and questionable.

  • Criminal spam has no regard for recipients and sends to everyone.  Snowshoe spam is more targeted and sends to a smaller number of recipients.

Snowshoe spam also differs from solicited bulk mail, which is legitimate bulk mail (I’d bet that everyone reading this email receives some solicited bulk mail; I certainly do).  But while solicited bulk mail is legitimate, snowshoe spam contains very shady tactics:

  • Both types of email have similar visible content, but snowshoe spam constantly adjusts the content in order to avoid filters.

  • The domains in solicited bulk mail are fairly constant, but snowshoe spam constantly rotates through the domains.

  • Solicited bulk mail sends from a stable group of sending IP addresses, but snowshoe spam is constantly rotating through them in order to evade detection (the key characteristic of snowshoe spam).
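The three contrasts above (content churn, domain rotation, sending-IP rotation) are exactly the signals a filter can measure.  The following is an added example, not code from this post or from the Sophos presentation: it parses a handful of constructed mail-log lines, groups them by a hypothetical upstream campaign label, and computes how spread out each campaign's sending IPs, /24 networks and From domains are.  The stable bulk mailer concentrates its volume on a few IPs and one domain; the snowshoe pattern spreads a similar volume thinly across many IPs, several networks and rotating domains.  The thresholds are illustrative assumptions, not values from the post.

```python
"""
Toy heuristic for spotting snowshoe-style sending patterns in mail logs.

Added example, not code from the blog post, Sophos or Microsoft.  It assumes
messages have already been grouped into campaigns upstream (the
``campaign=`` label is hypothetical); the post does not describe such a key.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Msg:
    sender_ip: str
    from_domain: str


def net24(ip: str) -> str:
    """Collapse an IPv4 address to its /24 network, e.g. 203.0.113.0/24."""
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))


def parse_log(lines):
    """Parse constructed lines of the form
    '<timestamp> ip=<addr> from=<domain> campaign=<label>' into campaigns."""
    campaigns = defaultdict(list)
    for line in lines:
        fields = dict(tok.split("=", 1) for tok in line.split()[1:])
        campaigns[fields["campaign"]].append(Msg(fields["ip"], fields["from"]))
    return campaigns


def campaign_features(msgs):
    """Spread metrics for one campaign: the wider the spread, the lighter
    the footprint on any single IP or domain."""
    n = len(msgs)
    ips = Counter(m.sender_ip for m in msgs)
    nets = Counter(net24(m.sender_ip) for m in msgs)
    doms = Counter(m.from_domain for m in msgs)
    return {
        "messages": n,
        "distinct_ips": len(ips),
        "distinct_nets": len(nets),
        "distinct_domains": len(doms),
        "max_ip_share": max(ips.values()) / n,   # share of volume on the busiest IP
        "msgs_per_ip": n / len(ips),             # how thinly volume is spread
    }


def is_snowshoe(feat, min_ips=10, max_msgs_per_ip=3.0,
                max_ip_share=0.15, min_domains=5):
    """Illustrative thresholds (assumed, not from the post): many IPs, each
    carrying little volume, and a rotating set of From domains."""
    return (feat["distinct_ips"] >= min_ips
            and feat["msgs_per_ip"] <= max_msgs_per_ip
            and feat["max_ip_share"] <= max_ip_share
            and feat["distinct_domains"] >= min_domains)


def _build_sample_log():
    """Constructed sample log using documentation address ranges."""
    lines = []
    # Solicited bulk mail: 30 messages, 3 stable IPs in one /24, one domain.
    for i in range(30):
        lines.append(f"2011-10-20T10:{i:02d}:00 ip=203.0.113.{10 + i % 3} "
                     f"from=news.example.com campaign=newsletter")
    # Snowshoe pattern: 30 messages over 15 IPs in three /24s, 6 rotating domains.
    nets = ["192.0.2", "198.51.100", "203.0.113"]
    for i in range(30):
        ip = f"{nets[i % 3]}.{100 + (i % 15)}"
        lines.append(f"2011-10-20T11:{i:02d}:00 ip={ip} "
                     f"from=offer{i % 6}.example.net campaign=offers")
    return lines


SAMPLE_LOG = _build_sample_log()
CAMPAIGNS = parse_log(SAMPLE_LOG)


if __name__ == "__main__":
    for name, msgs in CAMPAIGNS.items():
        feat = campaign_features(msgs)
        print(name, feat, "snowshoe-like" if is_snowshoe(feat) else "stable sender")
```

In real deployments the grouping step is the hard part, since snowshoe content is adjusted constantly; what stays comparatively stable is the monetisation target (the affiliate landing page) and the thin per-IP volume, which is why spread metrics like these are computed per campaign rather than per sending IP.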

Why is snowshoe spam a problem?

  • The volume of snowshoe spam varies wildly from person to person.  Some people barely get any of it at all and don’t notice it.  But for others, it’s a huge problem.  It’s one of the biggest complaints that we get today – people who get lots of it hate this type of spam/mail.

  • The unsubscribe links are dubious for three reasons.  (1) They may not work.  (2) Snowshoe spammers honor the unsubscribe but learn that the email address is active and then just opt people into another mailing list.  (3) Exactly because of (2), people don’t trust unsubscribes to work (even when they do) and don’t click them – they don’t unsubscribe from the legitimate ones and keep getting the same amount of mail in their inbox when they want less… and don’t take action when they could because they don’t know how to tell the difference between the legitimate ones and the bad ones.

  • Filters have a difficult time telling the difference between legitimate bulk mailers, light gray snowshoe spammers and dark gray snowshoe spammers.  Because snowshoe spammers try so hard to stay under the radar (in itself a questionable behavior), they can successfully evade a lot of filters and annoy a lot of users.

What can be done to combat snowshoe spam?  Are we forever doomed to live with dark gray mailers who stay under the radar?

  • Stronger legislation is required.  Canada has an antispam law that requires opt-in.  If the United States had that, it would be much more difficult for mailers to send snowshoe spam yet still comply with the law.

  • ISPs need to take action when complaints are made.  I’m not in a position to comment either way on this, but it makes sense.

  • There must be more coordinated monitoring of snowshoe spam.  The industry today is very good when it comes to sharing data on botnets, but there isn’t as much good data on snowshoers.

  • Finally, the antispam community needs to draw more attention to the problem.  We all hate spammers, but we don’t consider snowshoe spam at the same level of criminal spammers.  More spotlight on this type of spam would dedicate more resources to defeating it.

That’s all I took in for this presentation.  It wasn’t completely new to me, but I did learn a lot.

  • Did you spell SnowShoe that way in the title on purpose?  Great article, many thanks for explaining the concept.