Snowshoe Spam--a New Type of Junk Email--Starting to Clog Inboxes

By Sean Michael Kerner  |  Posted 2014-06-03
Snowshoe spam

Snowshoe Spam--a New Type of Junk Email--Starting to Clog Inboxes

Technology vendors over the years have aggressively tackled and partly solved the problem of unsolicited bulk email, which is typically referred to as "spam." A new variation, known as "snowshoe spam," is increasing and causing more unsolicited bulk email to land in user inboxes.

The most basic form of spam—a high volume of unsolicited bulk email that is sent from a single IP address—is easily detected and blocked by anti-spam technology today. Snowshoe spam is a new variation on this theme.

Think of a real snowshoe, which distributes a person's weight over a broader area than just a person's own feet, making it less likely to sink into the snow. With snowshoe spam, the same basic premise is in use, but instead of distributing weight across a broader area, spammers distribute their IP address footprint. Snowshoe spammers spread their message over many different IP addresses, each used in low volume, to send the message.

According to research from Cisco, snowshoe spam grew from 7 percent of the total volume of spam in November 2013 to 15 percent in April 2014. 

Snowshoe spam is increasing for a number of reasons.

The anti-spam industry has been increasingly successful at driving a wedge between legitimate senders of email and spammers, Jaeson Schultz, threat research engineer with Cisco's Threat Research Analysis and Communications Team (TRAC), told eWEEK. Legitimate mailers are doing more to clean up their list subscription practices and are also increasingly sending from stable, long-term and well-known IP addresses. In contrast, spam senders have been forced to pursue all manner of activities to get their messages out, Schultz said.

"We believe the increase in snowshoe spam is directly related to the economics of sending spam," Schultz said. "The increase in snowshoe spam is the spammers' attempt to keep their inbox delivery rates high."

Satnam Narang, security response manager at Symantec told eWEEK that his firm also refers to snowshoe spam as "hit-and-run spam," but the terms are interchangeable. 

"While we do not have definitive data on volumes of this type of attack, we have seen an overall increase in snowshoe-style attacks," Narang said.

Security vendor McAfee is also seeing snowshoe spam growth. Adam Wosotowsky, messaging architect at McAfee, told eWEEK that snowshoe spam has started to pick up on content usually associated with botnet spam including messages about drugs, erection medications and Russian brides.

From a detection perspective, Cisco's Schultz noted that there are no specific domains or IP address ranges that are typically associated with snowshoe spam campaigns.

"Snowshoe senders tend to cycle through different business entities, domains and Internet infrastructure as a part of sending their email campaigns," Schultz said. "Certainly, the cost of domain registration is a factor when choosing things like a TLD [Top Level Domain]; however, these spammers also tend to not want to cluster their domains under any single domain registrar or TLD, so they register their domains at a variety of TLDs."

The distributed nature of snowshoe spam and the low volume of email and complaints per IP address pose challenges.

"IP and domain reputation are most effective when domains and IP addresses are reused to some degree," Schultz said. "By cycling through new corporate entities and sending low-volume campaigns using recently registered domains and fresh IP addresses, the snowshoe spammers force us to rely on other layers of anti-spam defenses to catch this type of spam."

Snowshoe Spam--a New Type of Junk Email--Starting to Clog Inboxes

One way security vendors can identify unsolicited email is through the use of what is known as "spam traps," which are fake email addresses and sites used to lure spammers. The better snowshoe spam outfits do "list washing," meaning they actively try to scrub complainants (including spamtraps) from their email databases, Schultz said. 

Cisco is able to identify the snowshoe spam via a full-spectrum approach, Schultz said. "We not only look at the volume and the relative number of complaints coming in from our sensor network, but we also analyze relationships between the various domain registrants, domains and IP addresses used in the snowshoe spam attacks," he said.

McAfee's technology also leverages multiple factors and inputs to help identify snowshoe spam, Wosotowsky said. "McAfee has automated classifiers in GTI [global threat intelligence] as well as sophisticated domain identification rules to react quickly to outbreaks," Wosotowsky said. "We also have manual research tasks to look for missed snowshoe campaigns and are working on more and more aggressive rules."

Modern anti-spam technologies can be effective at catching most forms of spam, though Symantec's Narang noted that fundamentally, it's a numbers game. "To the end-user, the effectiveness of an anti-spam solution is determined by the number of spam messages the end-user gets in their inbox," he said. "With anti-spam products at 98 percent effectiveness, the end-user receives 1 out of 50 spam messages sent."

If anti-spam effectiveness goes up to 99 percent, the spammer would simply respond by sending more spam, Narang said.  If the end user receives one spam message out of 100 sent, there has been no difference for this particular user, despite the improvements made in the anti-spam solution. 

Though technologies continue to improve, the battle against spam is still not over, the researchers said.

"When one miss has the potential to do a lot of damage, we cannot keep our guard down just because we filter 99.9 percent," Narang said.

For Wosotowsky, the battle against spam is still far from over because of the simple fact that there is still money to be made by the spammers.

"Bypassing filters is a big money-making effort for snowshoe advertisers, and as long as you’re facing off against intelligent adversaries who have a financial incentive to keep trying until they get through, they will keep coming up with advances in spam warfare techniques," Wosotowsky said.

Sean Michael Kerner is a senior editor at eWEEK and Follow him on Twitter @TechJournalist.

Rocket Fuel