What is a Snowshoe Spam Attack and How to Prevent it?
Although they are annoying as hell, one thing has to be said about spammers. They are inventive in finding new ways to avoid spam filters. One such “inventive” way to avoid spam blacklists is the snowshoe spam attack.
What is the Snowshoe Spam Email?
The first instances of snowshoe spam email date back to 2009, but the technique started to gain momentum in 2014. At least it seems that cybersecurity professionals started to pay more attention to it at that time.
So what exactly is snowshoe spam then?
This is a spamming technique where the spammer uses a wide array of IP addresses and domains to spread out his spam. What this does is that it allows spammers to often trick and evade spam filters and allow some of their unsolicited emails to reach user’s inboxes.
Imagine spam filters as being a thin layer of snow and ice. Normally, if you tried to step on some ice in your regular shoes, the ice beneath you would crack from your weight and you would fall into the freezing water. Brrr.
In comes the genius invention known as the “snowshoe”. This stylish shoe spreads your weight to a much larger area than a regular shoe. Thanks to that, you don’t end up swimming in ice-cold water.
Snowshoe email works on the same principle. Spread the spam through multiple IPs and avoid spam filters.
How to Prevent a Snowshoe Spam Attack?
Unfortunately, as many victims of a snowshoe spam attack can tell you, this spamming technique can be very effective.
Snowshoe spam often looks like a legitimate bulk email. Remember that this is a technique from 2009. Bulk email was still a legitimate and widespread email marketing technique. Today that’s no longer the case for the most part and even completely legitimate bulk email might lead to getting your email flagged as spam.
There is an important distinction between legitimate bulk emailers and snowshoe spammers.
The IPs used by the first have allocated SWIP’d and they normally come from legitimate companies.
Spamshoers will either use unallocated SWIP’d (Shared Whois Project) or, if they do use allocated ones, it’s going to be to very small companies that no one has heard about so far.
Another problem with detecting snowshoe spam email, particularly in the United States, is that snowshoe spammers often don’t violate the CAN-SPAM Act. They will use their own domains and include a P.O. Box, thus meeting the requirement to have a postal address.
Furthermore, snowshoe spam techniques work much better where opt-out is required, (the US), rather than opt-in (the EU). This is because even though you will often find an unsubscribe option in a snowshoe spam email (again, talk about craftily “adhering” to the regulations), snowshoe spammers will either ignore your unsubscribe request or, if they remove you from an email list, they will just add you to another.
Fortunately, organizations have started working toward a solution to stop snowshoe spam almost as soon as snowshoe spamming first reared its ugly head.
In 2009, the Spamhaus Project announced the Spamhaus CSS, or the Spamhaus Composite Snowshoe list “available to detect and respond more quickly to IPs that are emitting snowshoe spam.”.
The good news is that snowshoe spamming is not that easy to set up. Spammers usually need access to a wide array of IP addresses and domains to better spread their load.
This is often their (spammers) undergoing. Legitimate businesses, you see, don’t normally use a wide range of IP addresses when sending emails. For them, it’s very important to show who owns the originating domain and that’s how they show their integrity.
Snowshoe spammers, on the other hand, don’t do that and instead want to avoid detection and make it harder to track down the domain owner.
However, depending on the domain registrar and the TLD, it is often easy to buy multiple domains for cheap. This does aid customers, but also helps spammers.
Of course, the problem is also that you might be flagged and end up on a snowshoe spam blacklist even if you are not guilty for it. That might happen if you are trying to beat filters and rate limiters or use multiple domains.
To avoid your legitimate email being mistaken for a snowshoe spam email, it’s best to use as few IP addresses and domains as you can and if you need, use subdomains and not multiple domains. That way spam filters won’t mistakenly recognize your email as snowshoe spam.
Snowshoe spammers often hide behind anonymous email services to avoid tracking and detection. This makes it more difficult to report abuse against them.
It’s sad that so many anonymous email services turn a blind eye to spam and do little to nothing to prevent their service from being used for it. Here at CTemplar, we have a very strong anti-spam and anti-phishing stance.
If you happen to find our email service being used for abuse like snowshoe spam for instance, please forward us the abusive message to firstname.lastname@example.org. We will take the necessary steps to investigate and take appropriate action.
Ready to take back your privacy with a legitimate secure email provider? Sign up for CTemplar: Armored Email!