What is Snowshoe Spamming ?

Snowshoe spamming is a spamming procedure in which the spammer (mostly a Spambot) uses a wide range of IP addresses in order to spread out the prepared spam load. The large spread of IP addresses makes it difficult to identify and trap the spam from where its originating from, allowing at least some of it to reach email inboxes. For companies which specialize in trapping spam, Snowshoe Spamming is particularly harmful, because it is difficult to trap it with traditional spam filters.

Like a snowshoe spreads the load of a traveler across a wide area of snow, snowshoe spamming is a technique used by spammers to spread spam output across many IPs and domains, in order to reduce reputation metrics and evade filters. Snowshoes are designed to spread a large weight across a wide area so that the wearer does not break through crusts of snow and ice, as snowshoe spam distributes a broad load of spam across a varied array of IP addresses in much the same way.

IP addresses in the United States were responsible for almost 27% of snowshoe campaigns

Like all spammers, snowshoe spammers anticipate that some of their unwanted emails will be trapped by spam filters. Snowshoe spamming gives more email a chance at getting through to an inbox, where it can reach a computer user.

Setting up a snowshoe spamming operation requires some resources and knowledge, as the spammer must have access to an array of IP addresses. Snowshoe spammers typically use an assortment of domains, which may be linked to different servers and providers to further spread the spam load. In a sampling of emails sent by a snowshoe spammer, repeating IP addresses are fairly rare, which means that filters must focus on the content, rather than the sender, to trap spam.

Legitimate providers of email services use a very narrow range of IP addresses for sending email. This is generally viewed as a mark of integrity, as is the use of clear disclosure about who owns the originating domain. By contrast, snowshoe spamming often involves domains which are hidden behind layers of anonymity, making it difficult to track down the owner and report abuse. Especially in nations with anti-spam legislation, tracking down the parties responsible for spam, spyware, and other malicious activities can be extremely difficult, because perpetrators are good at covering their tracks.

Several anti-spam attempts have focused on targeting specific domain registrars and hosts. Certain registrars are infamous for harboring spammers, and by identifying large numbers of spam sites in their client lists, anti-spam advocates hope to take down those sites or humiliate the registrar into tightening its terms of service. Snowshoe spamming sometimes exposes a systemic problem with a particular host, as anti-spam advocates realize that large amounts of spam originates from domains managed by the same company.

Snowshoe spam accounted for all but about 5% of spam from the U.S. top 10

Snowshoers use many fictitious business names (DBA - Doing Business As), fake names and identities, and frequently changing postal dropboxes and voicemail drops. Conversely, legitimate mailers try hard to build brand reputation based on a real business address, a known domain and a small, permanent, well-identified range of sending IPs. Snowshoers often use anonymized or unidentifiable whois records, whereas legitimate senders are proud to provide their bona fide identity.

Some showshoers use tunneled connections from their back-end spam cannon to the spam egress IP. The back-end IP address is not in the spam headers. ISPs, you are in a position to detect those back-end spam cannons by checking where traffic flows are coming from. Remember, the tunneled connection is not necessarily on port 25. Spamhaus always appreciates such information.

http://www.spamhaus.org/faq/section/Glossary#233