Snowshoe Spam--a New Type of Junk Email--Starting to Clog Inboxes

Security experts are seeing an increase in "snowshoe spam." Snowshoe spammers spread their messages over many different IP addresses, each used in low volume.

Technology vendors over the years have aggressively tackled and partly solved the problem of unsolicited bulk email, which is typically referred to as "spam." A new variation, known as "snowshoe spam," is increasing and causing more unsolicited bulk email to land in user inboxes.

The most basic form of spam—a high volume of unsolicited bulk email that is sent from a single IP address—is easily detected and blocked by anti-spam technology today. Snowshoe spam is a new variation on this theme.

Think of a real snowshoe, which distributes a person's weight over a broader area than just a person's own feet, making it less likely to sink into the snow. With snowshoe spam, the same basic premise is in use, but instead of distributing weight across a broader area, spammers distribute their IP address footprint. Snowshoe spammers spread their message over many different IP addresses, each used in low volume, to send the message.

According to research from Cisco, snowshoe spam grew from 7 percent of the total volume of spam in November 2013 to 15 percent in April 2014.

Snowshoe spam is increasing for a number of reasons.

The anti-spam industry has been increasingly successful at driving a wedge between legitimate senders of email and spammers, Jaeson Schultz, threat research engineer with Cisco's Threat Research Analysis and Communications Team (TRAC), told eWEEK. Legitimate mailers are doing more to clean up their list subscription practices and are also increasingly sending from stable, long-term and well-known IP addresses. In contrast, spam senders have been forced to pursue all manner of activities to get their messages out, Schultz said.

"We believe the increase in snowshoe spam is directly related to the economics of sending spam," Schultz said. "The increase in snowshoe spam is the spammers' attempt to keep their inbox delivery rates high."

Satnam Narang, security response manager at Symantec, told eWEEK that his firm also refers to snowshoe spam as "hit-and-run spam," but the terms are interchangeable.

"While we do not have definitive data on volumes of this type of attack, we have seen an overall increase in snowshoe-style attacks," Narang said.

Security vendor McAfee is also seeing snowshoe spam growth. Adam Wosotowsky, messaging architect at McAfee, told eWEEK that snowshoe spam has started to pick up on content usually associated with botnet spam, including messages about drugs, erection medications and Russian brides.

From a detection perspective, Cisco's Schultz noted that there are no specific domains or IP address ranges that are typically associated with snowshoe spam campaigns.

"Snowshoe senders tend to cycle through different business entities, domains and Internet infrastructure as a part of sending their email campaigns," Schultz said. "Certainly, the cost of domain registration is a factor when choosing things like a TLD [Top Level Domain]; however, these spammers also tend to not want to cluster their domains under any single domain registrar or TLD, so they register their domains at a variety of TLDs."

The distributed nature of snowshoe spam and the low volume of email and complaints per IP address pose challenges.

"IP and domain reputation are most effective when domains and IP addresses are reused to some degree," Schultz said. "By cycling through new corporate entities and sending low-volume campaigns using recently registered domains and fresh IP addresses, the snowshoe spammers force us to rely on other layers of anti-spam defenses to catch this type of spam."
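The following sketch is an added example, not code from the article or from any vendor quoted in it. It shows why a per-IP volume threshold misses a campaign spread thinly across many addresses, and how grouping mail by a content fingerprint across source IPs surfaces it. The log records, the fingerprint labels and all thresholds are constructed assumptions for illustration.

```python
from collections import Counter, defaultdict

# Constructed sample log of (source IP, message fingerprint) pairs.
# IPs come from documentation ranges; a fingerprint stands in for a hash
# of normalized message content (an assumption, not named in the article).
def build_sample_log():
    log = [("192.0.2.10", "fp-bulk")] * 500  # classic single-IP blast
    # Snowshoe pattern: 200 addresses, 3 messages each, same content.
    log += [(f"198.51.100.{i}", "fp-snow")
            for i in range(1, 201) for _ in range(3)]
    # One stable sender with varied mail.
    log += [("203.0.113.5", f"fp-legit-{i}") for i in range(40)]
    return log

def per_ip_volume_flags(log, threshold=100):
    """Return IPs whose message count exceeds a per-IP volume threshold."""
    counts = Counter(ip for ip, _ in log)
    return {ip for ip, n in counts.items() if n > threshold}

def snowshoe_candidates(log, min_ips=50, max_per_ip=10):
    """Return fingerprints sent from many distinct IPs, each at low volume.

    Maps fingerprint -> number of distinct source IPs.
    """
    per_fp = defaultdict(Counter)
    for ip, fp in log:
        per_fp[fp][ip] += 1
    return {
        fp: len(ips)
        for fp, ips in per_fp.items()
        if len(ips) >= min_ips and max(ips.values()) <= max_per_ip
    }

if __name__ == "__main__":
    log = build_sample_log()
    print("flagged by per-IP volume:", per_ip_volume_flags(log))
    print("snowshoe candidates:", snowshoe_candidates(log))
```

In the constructed data, the 600 snowshoe messages outnumber the single-IP blast, yet no individual source address comes near the per-IP threshold.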

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.