The Problem of Snowshoe Spam

Spamhaus, a major DNS-based Blacklist (DNSBL) provider, published earlier this month an article outlining the problem of snowshoe spam.

Snowshoe spam appears to be a novel tactic used by spammers to avoid detection by traditional means. Instead of blasting unsolicited e-mail in bulk from botnets or other compromised IP address ranges, the spammer sends it in modest volumes from many small IP ranges on many Internet Service Providers (ISPs), using many different domains, and rotates both the IPs and the domains rapidly. Because no single source ever sends enough to stand out, these messages do not trigger volume-based spam filters or reputation metrics. Spreading the load over a larger area, much as a snowshoe spreads a person's weight over the snow, still adds up to a total output as effective as flooding.

The article goes on to propose a more reactive type of blacklist, titled “Spamhaus Composite Snow-Shoe (CSS)”. Cases like this, however, point out the inherent weakness of list-based defences against spammers: a list can only record a source after it has been observed sending spam, and by the time a fresh IP or domain is listed a snowshoe operation has typically moved on to the next one.

Earlier this year, at the USENIX Security Symposium 2009, a group of researchers from Georgia Tech, collaborating with McAfee Inc., published a paper (pdf) presenting a spam-fighting technique that relies solely on network-level features of an e-mail message, such as the distance in IP space to other e-mail senders or the geographic distance between sender and receiver, without looking at the message content at all. Because their method keys on behavioural characteristics of how spam is sent rather than on whether a particular sender has been seen before, one could argue that it would be more effective than the Spamhaus way.
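To make the idea of network-level features concrete, here is an added example (my own code, not the paper's implementation or anything from Spamhaus) that computes the two features the post names, distance in IP space to the nearest other sender and sender-to-recipient geographic distance, over a constructed batch of messages. The IPs are documentation ranges, the coordinates are illustrative, and the third feature, a count of other senders in the same /24, is my assumption of one more neighbourhood-style feature in the same spirit; none of it inspects message content, which is the point.

```python
"""Network-level sender features over a constructed batch of messages.

Added example: illustrates the kind of features the post describes. It is
not the paper's code, and the sample data below is made up.
"""
import ipaddress
import math

EARTH_RADIUS_KM = 6371.0  # mean Earth radius, used by the haversine formula

# Constructed sample: three senders packed into one small range (a snowshoe
# pattern) plus two unrelated senders. Coordinates are illustrative city-level
# (lat, lon) values, not real geolocation data.
SAMPLE_MESSAGES = [
    {"ip": "203.0.113.5",    "sender_geo": (37.77, -122.42), "recipient_geo": (40.71, -74.01)},
    {"ip": "203.0.113.9",    "sender_geo": (37.77, -122.42), "recipient_geo": (51.51, -0.13)},
    {"ip": "203.0.113.130",  "sender_geo": (37.77, -122.42), "recipient_geo": (35.68, 139.69)},
    {"ip": "198.51.100.200", "sender_geo": (48.86, 2.35),    "recipient_geo": (52.52, 13.41)},
    {"ip": "192.0.2.1",      "sender_geo": (40.71, -74.01),  "recipient_geo": (40.71, -74.01)},
]


def ip_to_int(ip):
    """IPv4 dotted-quad string to its 32-bit integer form."""
    return int(ipaddress.ip_address(ip))


def nearest_sender_ip_distance(ip, all_ips):
    """Distance in IP space (absolute difference of the integer forms) from
    `ip` to the closest *other* sender in the batch; None if it is alone."""
    me = ip_to_int(ip)
    others = [abs(me - ip_to_int(o)) for o in all_ips if o != ip]
    return min(others) if others else None


def senders_in_same_24(ip, all_ips):
    """Number of other senders in the same /24. Assumed here as one more
    neighbourhood-density style feature; not one the post itself names."""
    net = ipaddress.ip_network(ip + "/24", strict=False)
    return sum(1 for o in all_ips if o != ip and ipaddress.ip_address(o) in net)


def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points in degrees."""
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    dlat, dlon = lat2 - lat1, lon2 - lon1
    h = math.sin(dlat / 2) ** 2 + math.cos(lat1) * math.cos(lat2) * math.sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(h))


def extract_features(messages):
    """One feature dict per message. Everything here comes from the sending
    IP and routing/geolocation data; the message body is never consulted."""
    ips = [m["ip"] for m in messages]
    return [
        {
            "ip": m["ip"],
            "nearest_sender_ip_distance": nearest_sender_ip_distance(m["ip"], ips),
            "senders_in_same_24": senders_in_same_24(m["ip"], ips),
            "sender_recipient_km": round(haversine_km(m["sender_geo"], m["recipient_geo"]), 1),
        }
        for m in messages
    ]


if __name__ == "__main__":
    for row in extract_features(SAMPLE_MESSAGES):
        print(row)
```

Run on the sample, the three 203.0.113.x senders come out with tiny IP-space distances to each other and two neighbours in their /24, while the two unrelated senders are tens of millions of addresses from anything else; a classifier fed these numbers can learn that pattern regardless of which new IPs the spammer rotates in next week, which is exactly what a reactive list cannot do.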
