Tag Archives: IIAR Project

Snowshoe spamming pushed the U.S. to #1 worldwide in March 2012 SpamRankings.net

Previously unseen Brinkster’s AS 33055 BCC-65-182-96-0-PHX took first place. AS 10439 CARINET leapt from #8 last month to #4 for March for the U.S., and was up to second place at the end of the month. Six ASNs joined the U.S. top 10: were they all due to snowshoe spam, too? Brinkster was so bad it made #8 on the world top 10!

Last month’s winner AS 21788 NOC finally cleaned up its act a bit, dropping from #1 to #5. Six ASNs dropped out of the top 10. Four of them (Webhost-ASN-1, LIMESTONENETWORKS, PEER1, and ATMLINK) popped to the top 10 last month due to snowshoe spam. The other two (NTT and Charter’s ASNs) didn’t even have to spam less to drop out, because this month’s top 10 had so much more spam.

But the US ASNs that got worse pushed the U.S. to #1 spamming country. The slope of that U.S. world top 10 curve for the last dozen days of March looks just like the Brinkster and CARINET ASN curves in the U.S. top 10. Very impressive, to drive the whole country into the countries top 10!




Did snowshoe spamming cause the big February spam surge?

It turns out the source of the big spam surge that rocketed eight ASNs

1 (9) AS 21788 NOC
2 (-) AS 27229 WEBHOST-ASN1
4 (-) AS 33055 BCC-65-182-96-0-PHX
6 (5) AS 15149 EZZI-101-BGP
7 (-) AS 13768 PEER1
8 (-) AS 10439 CARINET
9 (-) AS 7796 ATMLINK
to the top of the U.S. February 2012 SpamRankings.net was not a botnet: it was apparently snowshoe spamming. Here are the most-affected eight U.S. ASNs again, with their rankings for February, listed in the table on the right.

So, Ogee is not a botnet; it is a collection of IP addresses apparently involved in snowshoe spam. It’s also not new. Ogee is just a specific set of snowshoe addresses. But what is snowshoe spam?

Paul Roberts wrote for ThreatPost 6 October 2011, Expert: Eight Years Later, ‘Snowshoe Spam’ Suggests CAN SPAM Not Working,

Brett Cove, a researcher for anti malware firm Sophos, told attendees at the annual Virus Bulletin Conference on Thursday that so-called “snowshoe spam” is becoming a bigger problem, even as spam e-mail volumes associated with botnets are receding. Snowshoe spam is responsible for the bulk of spam messages that make it past anti spam filters at U.S. firms, even as bulk senders avoid prosecution by adhering to the letter of the U.S. CAN SPAM anti-spamming law.

Snowshoe spam isn’t a new problem. In fact, within anti spam circles, researchers have been talking about the phenomenon for years. The term “snowshoe” spam comes from the tactic of spreading the load of spam runs across a wide range of IP addresses as a way to avoid detection by anti spam filters, in the same way that snowshoes spread the weight of their wearer across a wide area to avoid breaking through snow and ice.

Anti spam filters are typically programmed to allow only a small volume of identical e-mail messages from the same IP address range, Cove told Threatpost. Snowshoe spam is able to avoid—or postpone—the filters by sending mail from a range of addresses, often leased by the bulk mail senders, he said.

That may sound a lot like low-and-slow botnet spamming, but there are five key differences:

Continue reading

Outbound Spam Ranking Experiments

Should Uganda Telecom be counted as a Belgian ISP for outbound spam rankings?

Which matters most: history, topology, business headquarters location, or some other criterion?

These are some questions that come up in designing experiments in rolling out a reputation system for outbound spam. More on this in the RIPE Labs article (8 Nov 2010), Internet Reputation Experiments for Better Security.

Such experiments can draw on fifty years of social science research and literature, first crystalized as Social Comparison Theory by Leon Festinger in 1954, that indicate that making personal reputation transparent changes personal behavior. More recent research indicates that the same applies to organizations. Using anti-spam blocklist data, it is possible to make E-Mail Service Provider (ESP) behavior (banks, stores, universities, etc., not just ISPs) in preventing or stopping outbound spam transparent, and this paper is about experiments to see how the resulting reputation actually changes ESP behavior.


Organizing the Cloud Against Spam

In RIPE Labs, here’s a paper on Internet Cloud Layers for Economic Incentives for Internet Security by the IIAR Project (I’m the lead author). Anti-spam blocklists and law enforcement are some Internet organizational layers attempting to deal with the plague of spam, so far reaching a standoff where most users don’t see most spam, yet service providers spend large amounts of computing and people resources blocking it.
The root of the ecrime problem is not technology: it is money.
Continue reading