Following the tracks: understanding snowshoe spam

Brett Cove Sophos

  download slides (PDF)

The decline in volume of botnet-generated spam has dominated the spam news recently, but the growing problem of 'snowshoe' spam has received very little attention. These bulk senders make a considerable effort to appear legitimate to fly below the radar, employing techniques such as carefully spreading their message sources across a large number of IPs under their control, 'list-washing', and abiding by the CAN-SPAM Act. For some organizations, this type of spam makes up the vast majority of junk mail missed by their filters.

To raise awareness of this problem, this paper will cover a number of key differences between snowshoe spam and botnet spam. We will show where these messages originate and the techniques employed in an attempt to stay ahead of spam filters. Details will include how these spammers gain connectivity and maintain it despite abuse reports to their providers. Differences in the message content and especially the services advertised will highlight what separates snowshoe spam from current criminal spam. Following the money trail will help explain the motivation behind this spam. Finally, we'll try to answer the common question, 'What happens when you click the "unsubscribe" button in these messages?'

Exploring these details will much needed attention to this growing spam problem.


We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.