Did snowshoe spamming cause the big February spam surge?

It turns out the source of the big spam surge that rocketed eight ASNs to the top of the U.S. February 2012 SpamRankings.net was not a botnet: it was apparently snowshoe spamming. Here are the most-affected eight U.S. ASNs again, with their rankings for February, listed in the table below.

Rank      ASN        Name
1 (9)     AS 21788   NOC
2 (-)     AS 27229   WEBHOST-ASN1
4 (-)     AS 33055   BCC-65-182-96-0-PHX
6 (5)     AS 15149   EZZI-101-BGP
7 (-)     AS 13768   PEER1
8 (-)     AS 10439   CARINET
9 (-)     AS 7796    ATMLINK

So, Ogee is not a botnet; it is a collection of IP addresses apparently involved in snowshoe spam. It’s also not new. Ogee is just a specific set of snowshoe addresses. But what is snowshoe spam?

Paul Roberts wrote for ThreatPost on 6 October 2011, in “Expert: Eight Years Later, ‘Snowshoe Spam’ Suggests CAN SPAM Not Working”:

Brett Cove, a researcher for anti malware firm Sophos, told attendees at the annual Virus Bulletin Conference on Thursday that so-called “snowshoe spam” is becoming a bigger problem, even as spam e-mail volumes associated with botnets are receding. Snowshoe spam is responsible for the bulk of spam messages that make it past anti spam filters at U.S. firms, even as bulk senders avoid prosecution by adhering to the letter of the U.S. CAN SPAM anti-spamming law.

Snowshoe spam isn’t a new problem. In fact, within anti spam circles, researchers have been talking about the phenomenon for years. The term “snowshoe” spam comes from the tactic of spreading the load of spam runs across a wide range of IP addresses as a way to avoid detection by anti spam filters, in the same way that snowshoes spread the weight of their wearer across a wide area to avoid breaking through snow and ice.

Anti spam filters are typically programmed to allow only a small volume of identical e-mail messages from the same IP address range, Cove told Threatpost. Snowshoe spam is able to avoid—or postpone—the filters by sending mail from a range of addresses, often leased by the bulk mail senders, he said.
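The evasion Cove describes is easy to see in code: a per-IP rule never fires when each address sends only a handful of copies, while the same rule applied to the enclosing address block does. The following is an added example, not code from the post or from Sophos; the log entries are constructed, the thresholds are illustrative assumptions, and the grouping on /24 stands in for what a production filter would do with an announced-prefix or ASN map.

```python
"""Per-IP versus per-block counting of identical messages.

Added example, not from the original post. Log entries are constructed
(TEST-NET address ranges) and the limits are illustrative assumptions.
"""
import hashlib
import ipaddress
from collections import defaultdict

PER_IP_LIMIT = 10      # assumption: identical copies tolerated from one IP
PER_BLOCK_LIMIT = 10   # assumption: identical copies tolerated from one block
BLOCK_PREFIX = 24      # assumption: aggregate on /24; an ASN map would be better


def fingerprint(body: str) -> str:
    """Hash a whitespace- and case-normalized body so near-identical copies share a key."""
    normalized = " ".join(body.lower().split())
    return hashlib.sha256(normalized.encode()).hexdigest()[:16]


def block_of(ip: str) -> str:
    """Map an address to its enclosing prefix, e.g. 192.0.2.77 -> 192.0.2.0/24."""
    return str(ipaddress.ip_network(f"{ip}/{BLOCK_PREFIX}", strict=False))


def per_ip_offenders(log, limit=PER_IP_LIMIT):
    """Classic rule: too many identical messages from a single IP."""
    counts = defaultdict(int)
    for ip, body in log:
        counts[(ip, fingerprint(body))] += 1
    return sorted({ip for (ip, _), n in counts.items() if n > limit})


def per_block_offenders(log, limit=PER_BLOCK_LIMIT):
    """Snowshoe-aware rule: too many identical messages from one address block,
    regardless of how thinly they are spread across individual IPs."""
    counts = defaultdict(int)
    for ip, body in log:
        counts[(block_of(ip), fingerprint(body))] += 1
    return sorted({blk for (blk, _), n in counts.items() if n > limit})


def build_sample_log():
    """Constructed traffic: one snowshoe run, one single-IP burst, background mail."""
    log = []
    # Snowshoe run: one copy of the same pitch from each of 40 static addresses
    # in 198.51.100.0/24, so every individual IP stays far under PER_IP_LIMIT.
    for host in range(1, 41):
        log.append((f"198.51.100.{host}", "Limited offer! Reply to claim your prize"))
    # Single-IP burst: 30 identical copies from one host in 203.0.113.0/24.
    for _ in range(30):
        log.append(("203.0.113.9", "Limited offer! Reply to claim your prize"))
    # Background: distinct, unrepeated messages from scattered addresses.
    for host in range(1, 6):
        log.append((f"192.0.2.{host}", f"Meeting notes {host}"))
    return log


def compare(log):
    """Return what each rule flags so the gap between them is visible."""
    return {"per_ip": per_ip_offenders(log), "per_block": per_block_offenders(log)}


if __name__ == "__main__":
    result = compare(build_sample_log())
    print("Per-IP rule flags:   ", result["per_ip"])      # only the 30-copy host
    print("Per-block rule flags:", result["per_block"])   # the snowshoe /24 as well
```

Run as-is, the per-IP rule flags only the single bursting host; the snowshoe block, whose addresses each sent one copy, passes untouched until the count is taken over the block. The same aggregation also keeps flagging the single-IP sender, since its block count is at least its per-IP count, so the block rule is a superset of the classic one, at the price of needing a sensible block definition.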

That may sound a lot like low-and-slow botnet spamming, but there are five key differences:

  1. Snowshoe spammers don’t break into computers. They or somebody they rent from actually own the spamming computers and Internet connections.
    Rather than originating from computers around the world that had been conscripted into malicious botnets, snowshoe spam often originates from within the U.S. from systems that have been properly leased by the bulk mail senders from ISPs specifically for the purpose of sending the mail messages, Cove said.
  2. Snowshoe spam addresses are usually static, not dynamic.
    The IP address blocks might comprise thousands of static addresses and act as “spigots” for high volume spam engines operated by the bulk email distributors. That’s a different setup from illegal spam operations, which use dynamic IP addresses culled from a population of bot-compromised hosts.
  3. Snowshoe spam is technically legal.
    But the end result is the same, while the spam runs, themselves, are perfectly legal and within the bounds set down by the CAN SPAM Act, he said.
    Well, sort of.
    Snowshoe spammers are careful to comply with the letter of the CAN SPAM Act, providing an opt-out e-mail address or unsubscribe buttons at the bottom of each e-mail message they send out. Of course, Cove said the address is rarely more than an email drop box—a kind of dead letter office, and often isn’t a valid address at all. The campaigns are still spam—high volume, unsolicited email solicitations—Cove argues.
    As I argued back when CAN-SPAM was being debated, it does more to legalize spam than it does to prevent it. That happened because spammers posed as just downtrodden marketeers and Congress members, mostly not knowing an IP address from a street address, bought their act.

  4. Because snowshoe spamming is technically legal, snowshoe spam addresses can send very large amounts of spam, often in short bursts. So large that a few snowshoe spamming addresses can push an entire country to the top of the rankings for a week.

  5. And, finally, because snowshoe spammers don’t break in, snowshoe spam is not as direct an indicator of poor infosec as botnets are. They also don’t tend to spam as much malware:
    Cove said that Snowshoe spam runs tend to be different in character than their illegal cousins, with fewer instances of malware tinged mail and promotions for illegal online pharmacies.
    However, initial tentative investigations seem to indicate that an ASN that tolerates snowshoe spamming tends to have botnet infestations as well. Stay tuned for more on that.

And, more obviously, would you want to buy hosting from a company that knowingly spams the world, even if the way it does it is technically legal?

It’s a matter of reputation. And when reputation starts to affect customer retention, it’s a matter of economics: economics that affects the bottom line of hosting companies. Who knows? That could change their behavior.