Tag Archives: snowshoe spamming

Snowshoe spamming pushed the U.S. to #1 worldwide in March 2012 SpamRankings.net

Previously unseen Brinkster’s AS 33055 BCC-65-182-96-0-PHX took first place. AS 10439 CARINET leapt from #8 last month to #4 for March for the U.S., and was up to second place at the end of the month. Six ASNs joined the U.S. top 10: were they all due to snowshoe spam, too? Brinkster was so bad it made #8 on the world top 10!

Last month’s winner AS 21788 NOC finally cleaned up its act a bit, dropping from #1 to #5. Six ASNs dropped out of the top 10. Four of them (Webhost-ASN-1, LIMESTONENETWORKS, PEER1, and ATMLINK) popped to the top 10 last month due to snowshoe spam. The other two (NTT and Charter’s ASNs) didn’t even have to spam less to drop out, because this month’s top 10 had so much more spam.

But the US ASNs that got worse pushed the U.S. to #1 spamming country. The slope of that U.S. world top 10 curve for the last dozen days of March looks just like the Brinkster and CARINET ASN curves in the U.S. top 10. Very impressive, to drive the whole country into the countries top 10!




Did snowshoe spamming cause the big February spam surge?

It turns out the source of the big spam surge that rocketed eight ASNs

1 (9) AS 21788 NOC
2 (-) AS 27229 WEBHOST-ASN1
4 (-) AS 33055 BCC-65-182-96-0-PHX
6 (5) AS 15149 EZZI-101-BGP
7 (-) AS 13768 PEER1
8 (-) AS 10439 CARINET
9 (-) AS 7796 ATMLINK
to the top of the U.S. February 2012 SpamRankings.net was not a botnet: it was apparently snowshoe spamming. Here are the most-affected eight U.S. ASNs again, with their rankings for February, listed in the table on the right.

So, Ogee is not a botnet; it is a collection of IP addresses apparently involved in snowshoe spam. It’s also not new. Ogee is just a specific set of snowshoe addresses. But what is snowshoe spam?

Paul Roberts wrote for ThreatPost 6 October 2011, Expert: Eight Years Later, ‘Snowshoe Spam’ Suggests CAN SPAM Not Working,

Brett Cove, a researcher for anti malware firm Sophos, told attendees at the annual Virus Bulletin Conference on Thursday that so-called “snowshoe spam” is becoming a bigger problem, even as spam e-mail volumes associated with botnets are receding. Snowshoe spam is responsible for the bulk of spam messages that make it past anti spam filters at U.S. firms, even as bulk senders avoid prosecution by adhering to the letter of the U.S. CAN SPAM anti-spamming law.

Snowshoe spam isn’t a new problem. In fact, within anti spam circles, researchers have been talking about the phenomenon for years. The term “snowshoe” spam comes from the tactic of spreading the load of spam runs across a wide range of IP addresses as a way to avoid detection by anti spam filters, in the same way that snowshoes spread the weight of their wearer across a wide area to avoid breaking through snow and ice.

Anti spam filters are typically programmed to allow only a small volume of identical e-mail messages from the same IP address range, Cove told Threatpost. Snowshoe spam is able to avoid—or postpone—the filters by sending mail from a range of addresses, often leased by the bulk mail senders, he said.

That may sound a lot like low-and-slow botnet spamming, but there are five key differences:

Continue reading