Posted to users@spamassassin.apache.org by Bill Cole <sa...@billmail.scconsult.com> on 2016/06/10 01:14:48 UTC

What "Snowshoe spam" is (was Re: RCVD_IN_SBL_CSS and "deep headers")

On 8 Jun 2016, at 9:10, RW wrote:

> On Wed, 8 Jun 2016 13:48:13 +0200
> Reindl Harald wrote:

[...]
>> but that doesn't mean that when my machine is hacked, sending snowshoe
>> spam, and it *has* a dynamic IP, it doesn't get listed at
>> css.spamhaus.org for that reason
>>
>> one hour later you or anybody else could end up getting the very same IP
>
> No, because they aren't addresses from dynamic pools.

The initial announcement of the CSS 
(https://www.spamhaus.org/news/article/646) was explicit about that: CSS 
lists statically assigned addresses. CSS lists single addresses because 
it is not always clear where the boundaries of a snowshoe range are and 
in some cases snowshoers have scattered their systems amongst legitimate 
mail systems, apparently with ISP or hosting reseller complicity.

There also seems to be some misunderstanding about what constitutes 
"snowshoe spam". To the best of my knowledge, Steve Linford of Spamhaus 
coined the term (circa 2003) so the Spamhaus explanations of it get 
seniority. One from before the CSS existed is at 
https://www.spamhaus.org/news/article/641

Important from that article is this distinction:

    Where botnet spammers hide behind illegally obtained Trojan horse proxies,
    snowshoers pay ISPs for many diverse IP ranges for their spam spigots.

Snowshoe spam isn't defined by its content, although the snowshoe 
strategy is a good fit for spam that is plausibly legitimate: a cut 
above what comes out of botnets. Snowshoers tend not to do phishing and 
malware distribution, but rather mostly send what can be called 
"superficially CAN-SPAM-compliant spam" in reference to the very loose 
US federal law regulating spam. Snowshoe spam has been responsible for 
beclowning some true believers in anti-spam magic bullets (e.g. SPF) 
because snowshoers spend real money and make a real effort to evade easy 
filtering and seem to recipients like it might be somewhat legitimate. A 
compromised machine on a dynamically-assigned address might be a conduit 
for superficially similar spam with similar content but that does not 
make it "snowshoe spam." Snowshoe is a technical strategy, not a flavor 
of spam.

The main Spamhaus CSS description page *is* a bit vague and I suspect 
that's partly to avoid telling snowshoers how to avoid CSS detection and 
partly because CSS is not perfectly 100% snowshoe spammers. CSS does 
automated detection using a composite of criteria that are designed to 
identify snowshoers and it catches a small number of chronically abused 
insecure web servers as a side effect because they share some 
characteristics, such as being on static IPs in cheap sloppy hosting 
networks. It is also helpful to understand the nuance of "compromised 
host" in the CSS description. The word "host" implies a machine that 
isn't a personal computer, is rarely shut down or rebooted, isn't 
getting a different address from DHCP every time it boots, and has 
symmetric A and PTR records in DNS that are not derived from its IP.
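As an added illustration of the "host" nuance in the last paragraph (this is example code written for this page, not from the original post, Spamhaus, or SpamAssassin; the CSS criteria themselves are not published), the following Python classifies a connecting IP by the two DNS properties named above: whether the PTR name is confirmed by a matching A record, and whether that name is merely the address spelled out. It takes resolver results as inputs rather than querying DNS, so it runs offline on the constructed sample sessions; the function names `ip_derived_name`, `classify` and `classify_all` and the sample data are assumptions of this example.

```python
import ipaddress
import re

# Constructed sample data (not real observations): for each connection,
# the connecting IP, the PTR name the resolver returned (None if absent),
# and the A records the resolver returned for that PTR name.
SAMPLE_SESSIONS = [
    ("192.0.2.10", "mail.example.net.", ["192.0.2.10"]),            # symmetric, non-generic
    ("192.0.2.55", "192-0-2-55.dyn.example.net.", ["192.0.2.55"]),  # symmetric but IP-derived
    ("198.51.100.7", "mx.example.org.", ["198.51.100.8"]),          # A record does not point back
    ("203.0.113.9", None, []),                                      # no PTR at all
]


def ip_derived_name(ip: str, name: str) -> bool:
    """Heuristic: does the reverse name embed the IPv4 address itself?

    Matches the four octets in forward or reversed order separated by
    '.' or '-', or the address as eight hex digits.  A hit means the PTR
    was generated from the address (dynamic/generic), not assigned to a host.
    """
    if not name:
        return False
    addr = ipaddress.IPv4Address(ip)
    label = name.lower().rstrip(".")
    octets = str(addr).split(".")
    for seq in (octets, list(reversed(octets))):
        pattern = r"(?<!\d)" + r"[.-]".join(re.escape(o) for o in seq) + r"(?!\d)"
        if re.search(pattern, label):
            return True
    # Hex form, e.g. 192.0.2.10 -> c000020a (may rarely match unrelated hex labels)
    return format(int(addr), "08x") in label


def classify(ip: str, ptr_name, forward_addrs) -> str:
    """Return 'no-ptr', 'unconfirmed', 'generic' or 'host' for one connection.

    'host' is the only verdict consistent with the post's description of a
    host: a PTR record whose A record points back to the same IP (symmetric
    DNS) and whose name is not derived from the IP.
    """
    if not ptr_name:
        return "no-ptr"
    if ip not in forward_addrs:
        return "unconfirmed"  # PTR exists but forward lookup does not confirm it
    if ip_derived_name(ip, ptr_name):
        return "generic"      # symmetric, but the name is just the address
    return "host"


def classify_all(sessions):
    """Map each connecting IP in the session list to its verdict."""
    return {ip: classify(ip, ptr, fwd) for ip, ptr, fwd in sessions}


if __name__ == "__main__":
    for ip, verdict in classify_all(SAMPLE_SESSIONS).items():
        print(f"{ip:<14} {verdict}")
```

Only the "host" verdict matches the profile the post describes; a "generic" or "no-ptr" result says nothing about spam by itself and is exactly the kind of single signal that, as the post notes about SPF, should not be treated as a magic bullet.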