Following the tracks: understanding snowshoe spam

Brett Cove from SophosLabs in Vancouver presented his talk, “Following the tracks: understanding snowshoe spam”, at the Virus Bulletin 2011 conference in Barcelona this morning.

While there has been a lot of press about botnets being shut down, resulting in lower volumes of spam reaching our gateways, there has been very little discussion about tackling “snowshoe” spammers.

What is snowshoe spam? The name was chosen because snowshoes are used to distribute your weight across a larger surface to prevent sinking.

Snowshoe spammers spread their sending across a large number of IP addresses so that no single address accumulates much reputation. This often defeats the volume-based detection schemes used by large email hosts like Gmail and Yahoo!.
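To make the effect concrete, here is an added example (not from Brett's talk or slides) that runs a per-address volume threshold over constructed traffic and then regroups the same traffic by network range. The threshold, the /24 grouping key and all addresses are assumptions chosen for illustration.

```python
import ipaddress
from collections import defaultdict

LIMIT = 100  # assumed threshold: messages per window before a source is flagged

def build_sample():
    """Constructed per-window message counts keyed by source IP (documentation ranges)."""
    counts = {"198.51.100.7": 500}            # one high-volume, botnet-style host
    for host in range(1, 201):                # snowshoe: 200 addresses, 20 messages each
        counts[f"203.0.113.{host}"] = 20
    counts["192.0.2.10"] = 15                 # two ordinary low-volume senders
    counts["192.0.2.200"] = 30
    return counts

def flag_by_ip(counts, limit=LIMIT):
    """Classic volume check: flag any single address above the limit."""
    return sorted(ip for ip, n in counts.items() if n > limit)

def flag_by_network(counts, prefix=24, limit=LIMIT):
    """Sum volume per enclosing network and report (network, total, distinct sources)."""
    totals = defaultdict(int)
    sources = defaultdict(set)
    for ip, n in counts.items():
        net = str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))
        totals[net] += n
        sources[net].add(ip)
    return sorted((net, totals[net], len(sources[net]))
                  for net in totals if totals[net] > limit)

if __name__ == "__main__":
    sample = build_sample()
    print("flagged per IP:     ", flag_by_ip(sample))
    for net, total, distinct in flag_by_network(sample):
        print(f"flagged per network: {net} total={total} sources={distinct}")
```

Every snowshoe address stays at 20 messages, well under the per-address limit, yet the range as a whole sends eight times the volume of the single flagged host.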

Brett explained how the passing of the US CAN-SPAM Act created the loopholes that allow “legal” spamming. Most snowshoe spam skirts the edges of this legislation in a pseudo-legal manner (at least in the US).

After explaining the problem and differentiating snowshoe spam from more typically criminal botnet spam, Brett discussed what should be done to reduce the effectiveness of this technique.

He suggests it will likely require a combination of better laws, cooperation from ISPs and better recognition of the problem itself.

Thanks to Virus Bulletin for permission to share Brett’s slides.