SpamStinks DBL Blog

Snowshoe Spam: What It Is, and How Not to Look Like You Send It

Posted on 6th Apr 2014

The History of Snowshoe

Five years ago, at the postmaster desk of a major mailbox provider, my team and I were charged with analyzing the spam making it through our automated filters and making necessary adjustments. It was a 24x7 job, digging through live data on IPs and domains in an effort to ensure that our systems were capable of processing the most current threats. We were quite an effective team. A spammer would come along and try something new, and we were there — nope, not today, not in my house.

But in 2009, a disturbing trend had started to develop — snowshoe spam. Within minutes of blocking a domain or IP, it seemed like five more were put in use. This type of spam got its name because "Like a snowshoe spreads the load of a traveler across a wide area of snow, snowshoe spamming is a technique used by spammers to spread spam output across many IPs and domains, in order to dilute reputation metrics and evade filters," (Spamhaus).

Why Snowshoe is a Problem

Traditional spam filters struggle with snowshoe spam because they don't see enough volume from a single IP or domain to trigger the filter. Snowshoe spam can stay under the radar of volume-based filters. To complicate matters, it's difficult to block snowshoe without significant false positives. The snowshoe spammers would grab 50 IPs in a /24 (256 IPs) so we couldn't block the entire /24. The content resembled that of legitimate mail as well, so we couldn't identify the bad stuff without hitting the good stuff. The spammers were always a step ahead.
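The gap described above, as an added example that is not part of the original post: a per-IP volume rule misses 50 quiet IPs in one /24, while grouping by /24 and flagging only the quiet IPs catches the pattern without blocking a legitimate neighbour. The log rows, thresholds and function names are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Assumed thresholds for illustration; real filters tune these on live data.
PER_IP_LIMIT = 1000   # messages/hour that trips a classic per-IP volume rule
LOW_VOLUME = 100      # an IP at or below this is "quiet"
MIN_QUIET_IPS = 20    # quiet IPs in one /24 before the pattern is suspicious
MIN_DOMAINS = 20      # distinct sender domains across those quiet IPs

def sample_rows():
    """Constructed hourly log: (source IP, sender domain, message count)."""
    rows = [(f"203.0.113.{i}", f"offer{i}.example", 40) for i in range(10, 60)]
    rows.append(("203.0.113.200", "news.example.org", 900))  # neighbour in same /24
    rows.append(("198.51.100.7", "bulk.example.net", 5000))  # single loud sender
    return rows

def per_ip_totals(rows):
    """Sum message counts and collect sender domains for each source IP."""
    totals, domains = defaultdict(int), defaultdict(set)
    for ip, domain, count in rows:
        totals[ip] += count
        domains[ip].add(domain)
    return totals, domains

def volume_filter(rows):
    """Classic rule: flag any single IP above PER_IP_LIMIT."""
    totals, _ = per_ip_totals(rows)
    return {ip for ip, n in totals.items() if n > PER_IP_LIMIT}

def snowshoe_candidates(rows):
    """Flag only the quiet IPs of a /24 that together show the spread pattern."""
    totals, domains = per_ip_totals(rows)
    quiet_by_net = defaultdict(list)
    for ip, n in totals.items():
        if n <= LOW_VOLUME:
            net = str(ipaddress.ip_network(f"{ip}/24", strict=False))
            quiet_by_net[net].append(ip)
    flagged = {}
    for net, ips in quiet_by_net.items():
        seen_domains = set().union(*(domains[ip] for ip in ips))
        if len(ips) >= MIN_QUIET_IPS and len(seen_domains) >= MIN_DOMAINS:
            flagged[net] = sorted(ips, key=ipaddress.ip_address)
    return flagged

if __name__ == "__main__":
    rows = sample_rows()
    print("per-IP volume rule:", volume_filter(rows))
    for net, ips in snowshoe_candidates(rows).items():
        print(f"{net}: {len(ips)} quiet IPs, e.g. {ips[:3]}")
```
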

And we weren't the only ones struggling with snowshoe. During 2009, the anti-spam industry as a whole was reacting to this trend. In the fall of 2009, Spamhaus launched the CSS (Composite Snow-Shoe) list. Major spam filters were updated to look for snowshoe spam. Everyone was looking for a solution.

Snowshoe spam is annoying, but is it illegal? In many cases, snowshoe spammers do not violate the CAN-SPAM Act in the U.S. because they include a P.O. Box to meet the postal address requirement and use their own domains and static IPs. If a jurisdiction requires opt-in for email, snowshoe would be considered illegal, assuming these emails are unsolicited.

How to Avoid Snowshoe Filters

As an email marketer, how can you avoid being mistaken for a snowshoe spammer?

  • Send from the minimum number of IPs and domains possible for your program
  • Use subdomains instead of multiple domains
  • Do not add IPs and domains to overcome filtering or rate-limiting challenges

It's really as simple as that. If you aren't being blocked or filtered, chances are you're doing fine. If you find yourself on the Spamhaus CSS, or are told by a mailbox provider or spam filter that you look like a snowshoe spammer, then it might be time to send from fewer IPs and domains.

By Christine Borgia, Sr. Director, Email Intelligence Group at Return Path