Snowshoe Spamming

Snowshoe spamming is a spamming technique in which the spammer uses a wide array of IP addresses in order to spread out the spam load. The large spread of IP addresses makes it difficult to identify and trap the spam, allowing at least some of it to reach email inboxes. For companies which specialize in trapping spam, snowshoe spamming is particularly noxious because it is difficult to trap it with traditional spam filters.

The snowshoe is actually an excellent analogy to describe this spamming technique. Snowshoes are designed to spread a large weight across a wide area so that the wearer does not break through crusts of snow and ice, and snowshoe spamming distributes a broad load of spam across a varied array of IP addresses in much the same way. Like all spammers, snowshoe spammers anticipate that some of their unwanted emails will be trapped by spam filters. Snowshoe spamming gives more email a chance at getting through to an inbox, where it can reach a computer user.

Setting up a snowshoe spamming operation requires some resources and knowledge, as the spammer must have access to an array of IP addresses. Snowshoe spammers typically use an assortment of domains, which may be linked to different servers and providers to further spread the spam load. In a sampling of emails sent by a snowshoe spammer, repeating IP addresses are fairly rare, which means that filters must focus on the content, rather than the sender, to trap spam.

Legitimate providers of email services use a very narrow range of IP addresses for sending email. This is generally viewed as a mark of integrity, as is the use of clear disclosure about who owns the originating domain. By contrast, snowshoe spamming often involves domains which are hidden behind layers of anonymity, making it difficult to track down the owner and report abuse. Especially in nations with anti-spam legislation, tracking down the parties responsible for spam, spyware, and other malicious activities can be extremely difficult, because perpetrators are good at covering their tracks.

Several anti-spam attempts have focused on targeting specific domain registrars and hosts. Certain registrars are infamous for harboring spammers, and by identifying large numbers of spam sites in their client lists, anti-spam advocates hope to take down those sites or humiliate the registrar into tightening its terms of service. Snowshoe spamming sometimes exposes a systemic problem with a particular host, as anti-spam advocates realize that large amounts of spam originate from domains managed by the same company.

above source origin:

Snowshoe Spamming: Spamhaus Definition

Snowshoe spamming is a sending technique which evolved in an attempt to avoid email filters.

  • Like a snowshoe spreads the load of a traveler across a wide area of snow, snowshoe spamming is a technique used to spread spam output across many IPs and domains in order to dilute reputation metrics and evade filters.
  • Domains which act in a manner indistinguishable from snowshoers will unavoidably be treated like snowshoers.

Some of the things snowshoe spammers do:

  • They may use many fictitious business names (DBA – Doing Business As), fake names and identities;
  • They may use frequently changing postal dropboxes and voicemail drops;
  • Snowshoers often use anonymized or unidentifiable Whois records;
  • Use nonsense domains or hostnames in quantity;
  • Some snowshoers use tunneled connections from their back-end mail engine to the outgoing, internet-facing IP. This causes the originating IP to be hidden.
    • ISPs are in a position to detect those back-end mail engines by checking where traffic flows are coming from. The tunneled connection is not necessarily on port 25. Spamhaus always appreciates such information!

Legitimate senders work hard to build brand reputation based on a genuine business address, a known domain and a small, permanent, well-identified range of sending IPs.
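
The two points above (filters having to key on content rather than sender, and legitimate senders using a small, permanent IP range) can be combined into a simple detection heuristic. The following is an added example, not code from the original page or from Spamhaus: it groups messages by a normalised body fingerprint and flags content that arrives from many distinct IPs at low volume per IP. The sample records, the `.example` domains, the function names and the thresholds are constructed assumptions.

```python
import hashlib
import ipaddress
import re
from collections import defaultdict

# Constructed sample: (sending IP, sender domain, body). Documentation-range IPs.
SNOW_IPS = ["192.0.2.11", "192.0.2.87", "198.51.100.5",
            "198.51.100.140", "203.0.113.9", "203.0.113.77"]
SAMPLE_MAIL = [
    (ip, f"qx{i}zr.example",
     f"Lose weight fast! Order #{1000 + i} ships today: http://qx{i}zr.example/buy")
    for i, ip in enumerate(SNOW_IPS)
] + [
    ("192.0.2.200", "billing.example.com",
     "Your invoice from Example Corp is ready: https://billing.example.com/inv")
] * 5 + [("198.51.100.250", "friend.example", "Lunch on Friday?")]


def fingerprint(body):
    """Hash a normalised body so per-recipient variations collapse together."""
    text = re.sub(r"https?://\S+", "<url>", body.lower())  # rotating link domains
    text = re.sub(r"\d+", "<n>", text)                     # order/tracking numbers
    text = re.sub(r"\s+", " ", text).strip()
    return hashlib.sha256(text.encode()).hexdigest()[:16]


def find_snowshoe(records, min_ips=4, max_per_ip=2.0):
    """Flag content seen from many IPs at low volume each (assumed thresholds)."""
    groups = defaultdict(list)
    for ip, domain, body in records:
        groups[fingerprint(body)].append((ip, domain))
    findings = []
    for fp, senders in groups.items():
        ips = {ip for ip, _ in senders}
        # IPv4 only: collapse each sender to its /24 to show spread across ranges.
        nets = {ipaddress.ip_network(ip + "/24", strict=False) for ip in ips}
        if len(ips) >= min_ips and len(senders) / len(ips) <= max_per_ip:
            findings.append({
                "fingerprint": fp,
                "messages": len(senders),
                "distinct_ips": len(ips),
                "distinct_24s": len(nets),
                "domains": len({d for _, d in senders}),
            })
    return findings


if __name__ == "__main__":
    for f in find_snowshoe(SAMPLE_MAIL):
        print(f)
```

On the constructed sample, the invoice mail sent five times from one IP is not flagged, while the six near-identical messages spread over six IPs, three /24 ranges and six domains are.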

