
Snowshoe Spam: What It Is, and How Not to Look Like You Send It

Christine Borgia

Have you ever found yourself blocked by a snowshoe spam filter or listed on a snowshoe blacklist? Or perhaps you've been told that one of your mailing practices makes you look like a snowshoe spammer? If so, you're probably wondering what snowshoe spam is, what you're doing to earn this reputation and what you should be doing differently. Here's a brief overview of the history of snowshoe and some suggestions on how to avoid being mistaken for a snowshoe spammer.

The History of Snowshoe

Five years ago, at the postmaster desk of a major mailbox provider, my team and I were charged with analyzing the spam making it through our automated filters and making necessary adjustments. It was a 24x7 job, digging through live data on IPs and domains in an effort to ensure that our systems were capable of processing the most current threats. We were quite an effective team. A spammer would come along and try something new, and we were there — nope, not today, not in my house.

But in 2009, a disturbing trend had started to develop — snowshoe spam. Within minutes of blocking a domain or IP, it seemed like five more were put in use. This type of spam got its name because "Like a snowshoe spreads the load of a traveler across a wide area of snow, snowshoe spamming is a technique used by spammers to spread spam output across many IPs and domains, in order to dilute reputation metrics and evade filters," (Spamhaus).

Why Snowshoe is a Problem

Traditional spam filters struggle with snowshoe spam because they don't see enough volume from a single IP or domain to trigger the filter. Snowshoe spam can stay under the radar of volume-based filters. To complicate matters, it's difficult to block snowshoe without significant false positives. The snowshoe spammers would grab 50 IPs in a /24 (256 IPs) so we couldn't block the entire /24. The content resembled that of legitimate mail as well, so we couldn't identify the bad stuff without hitting the good stuff. The spammers were always a step ahead.

And we weren't the only ones struggling with snowshoe. During 2009, the anti-spam industry as a whole was reacting to this trend. In the fall of 2009, Spamhaus launched the CSS (Composite Snow-Shoe) list. Major spam filters were updated to look for snowshoe spam. Everyone was looking for a solution.

Snowshoe spam is annoying, but is it illegal? In many cases, snowshoe spammers do not violate the CAN-SPAM Act in the U.S. because they include a P.O. Box to meet the postal address requirement and use their own domains and static IPs. If a jurisdiction requires opt-in for email, snowshoe would be considered illegal, assuming these emails are unsolicited.

How to Avoid Snowshoe Filters

As an email marketer, how can you avoid being mistaken for a snowshoe spammer?

  • Send from the minimum number of IPs and domains possible for your program.
  • Use subdomains instead of multiple domains.
  • Do not add IPs and domains to overcome filtering or rate-limiting challenges.

It's really as simple as that. If you aren't being blocked or filtered, chances are you're doing fine. If you find yourself on the Spamhaus CSS or told by a mailbox provider or spam filter that you look like a snowshoe spammer, then it might be time to send from fewer IPs and domains.

By Christine Borgia, Sr. Director, Email Intelligence Group at Return Path


Why can't you block the /24? Todd Knarr  –  Apr 04, 2014 7:55 PM PDT

I keep seeing this, and wonder why you can't just block the entire netblock? I know it causes outrage when non-spammers get caught up in the net because their hosting company hosts spammers in the same netblocks as legitimate customers, but it also seems to be highly effective in getting those hosting companies to either stop hosting spammers or move them to their own netblocks. I wouldn't do this as a first line of defense, but after about the fifth or sixth iteration it seems justified.

I figure it this way: as a recipient (or the admin of a receiving system), I'm not the source hosting company's customer. The spammer's paying them, and I can't do anything to negatively impact them, so why should they give up the money? But the people who buy hosting from them, they are the hosting company's customers. If they're upset, the hosting company has to balance the money the spammers are paying them against the money they'll lose if other customers leave because of the problems caused by the spammers and decide whether it's worth it to keep the spammers' business. I've noticed that once this happens, the hosting companies start to move really quickly to deal with the problem.

It's a trade-off The Famous Brett Watson  –  Apr 04, 2014 10:49 PM PDT

Indeed, Todd.

The root problem in this case is a negligent ISP turning a blind eye to abuse emanating from their network. Pain must be applied to the ISP in order to get them to recognise the problem. Blacklisting the ISP (or otherwise tightening the screws on their email) is the solution of last resort, but it follows directly after the first resort, which is to contact the ISP and notify them of their spammer infestation. Generally, the shops which enforce anti-abuse policies do so proactively, so if you need to contact an ISP at all, it's likely that you'll also need to blacklist them. Proactive enforcement is a must: an ISP that only boots spammers reactively is (from an outside perspective) barely distinguishable from one that has no anti-spam policy at all.

The only reason you can't block an entire /24 in one go is if you aren't willing to suffer some of the inconvenience yourself, or inflict it on your users. The collateral damage of blocking legitimate mail is what gets the negligent ISP's attention, but the blocking of legitimate mail causes roughly symmetrical inconvenience — except for the fact that the ISP in question will be blocked by multiple sources, thus amplifying the effect on them, and you gain the benefit of reduced spam. You have to make a decision as to whether a temporary loss of legitimate mail is an acceptable cost, given the quantity of spam relative to it, your service agreements with your users, and other such factors.

Perhaps this is something that legitimate bulk-mail senders should bear in mind: as a bulk-mailer, it's in your interests to use an ISP (or ESP) that has a strict and ruthlessly enforced anti-spam policy. Your first reaction may be to resist this, because it raises the bar on the amount of effort you must put in to keeping your lists clean and your email recipients happy. The benefit of such high discipline (and associated extra cost) is that you're unlikely to be sharing a network with a spammer, and therefore less likely to suffer deliverability issues caused by third party misbehaviour.

Blocking /24 Michael Peters  –  May 27, 2015 10:18 PM PDT

I've read CircleID for some time, and though this article is over a year old, it is what convinced me to finally sign up.

I went for months intentionally without a spam filter, studying spam on my own. The problem I was having, spam and malware attachments were becoming too numerous, occasionally crashing my mail server when I ran SpamAssassin and ClamAV on every message.

IP Blacklists were the solution after much thought. They radically reduced the amount of mail, giving SpamAssassin and ClamAV a reasonable chance.

I do block /24 but carefully. First I use a personally maintained white list so business partners don't end up blacklisted - even my registrar is on some blacklists. Then I use dnswl.org as a white list (only low, med, high rep though). With those two, false positives are greatly reduced. Then I do my normal grouping of DNS blacklists, and finally my own DNS blacklist.

Spam that gets through, if and only if it shows up as listed at mxtoolbox I add it to my list. If 3 or more on same /24 are on my list, I block the whole /24. With my list they are removed after 15 days. Snowshoe spammers often use many IPs in the same /24 but do not seem to re-use the same /24 until some time has passed, so removing the block after 15 days seems prudent.

I figure once 3 or more IPs have slipped past the other blacklists I use, if there are legitimate e-mailers on those subnets, they should move to another subnet or try to get listed at dnswl.org - that group is friendly, if you are not a spammer it is easy to get on their white list and avoid being a victim of false positives.

I'd rather not use blacklists at all, but I don't have the budget for the processing power not to use blacklists, and blocking the whole /24 for subnets with lots of spammers has reduced spam even more than single IP blacklists.
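The /24 escalation rule the comment above describes (block the subnet once 3 or more of its IPs are on the local list, age entries out after 15 days) is a small aggregation problem, and it also illustrates the article's point that a per-IP volume filter never fires on snowshoe traffic while a per-subnet view does. The following is an added example written for this page, not the commenter's own script; the listing log format and the sample addresses are constructed, and the 3-per-/24 and 15-day values are taken from the comment.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Thresholds as stated in the comment: 3 listed IPs in a /24 blocks the /24,
# and a listing expires 15 days after it was added.
PER_SUBNET_THRESHOLD = 3
ENTRY_TTL = timedelta(days=15)

# Constructed sample of a locally maintained listing log (assumed format:
# "YYYY-MM-DD <ip>", one line per IP that was added after a confirmed hit).
SAMPLE_LISTINGS = """\
2015-05-01 198.51.100.7
2015-05-02 198.51.100.19
2015-05-03 198.51.100.42
2015-05-20 203.0.113.5
2015-05-21 203.0.113.6
2015-05-23 203.0.113.200
2015-05-23 192.0.2.77
not-a-date 10.0.0.1
"""

def parse_listings(text):
    """Parse log lines into (added_at, IPv4Address) pairs; skip malformed lines."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue
        try:
            added_at = datetime.strptime(parts[0], "%Y-%m-%d")
            ip = ip_address(parts[1])
        except ValueError:
            continue
        if ip.version == 4:
            entries.append((added_at, ip))
    return entries

def active_entries(entries, now):
    """Keep listings that are at most ENTRY_TTL old (and not dated in the future)."""
    if isinstance(now, str):
        now = datetime.strptime(now, "%Y-%m-%d")
    return [(ts, ip) for ts, ip in entries if timedelta(0) <= now - ts <= ENTRY_TTL]

def per_ip_counts(entries, now):
    """Per-IP view: each address appears once, so a per-IP volume rule sees nothing."""
    return Counter(str(ip) for _, ip in active_entries(entries, now))

def subnet_blocks(entries, now):
    """Per-/24 view: return the subnets whose live listings reach the threshold."""
    per_subnet = defaultdict(set)
    for _, ip in active_entries(entries, now):
        per_subnet[ip_network(f"{ip}/24", strict=False)].add(ip)
    return sorted(str(net) for net, ips in per_subnet.items() if len(ips) >= PER_SUBNET_THRESHOLD)
```

Evaluating on 2015-05-05 blocks 198.51.100.0/24; by 2015-05-24 those three entries have aged out and only 203.0.113.0/24 is blocked, while no single IP ever exceeds a count of one.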
