Spamhaus targets snowshoe spam

Written by John P Mello Jr on October 16, 2009
Snowshoe Spam is a growing problem.

Continued growth of snowshoe spam has prompted Spamhaus, a leader in the fight against junk email, to craft a specific response to it. Earlier this month, the spamfighters rolled out a new component, CSS, of the organization’s Spamhaus Block List (SBL).

The SBL is a database of IP addresses from which the organization recommends refusing email. Mail systems throughout the Internet can query the database in real time over DNS. It lets email administrators identify, tag or block incoming messages from IP addresses the group has listed as connected to sending, hosting or originating unsolicited bulk email, better known as spam.

According to Spamhaus, CSS is an integral part of the SBL. It is distinguished, however, by a different return code: a CSS listing answers with 127.0.0.3 rather than the 127.0.0.2 that an ordinary SBL listing returns. Users of the SBL need do nothing to activate CSS other than make sure their existing spam filters treat the additional return code as a listing instead of ignoring it.
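The lookup described above, as an added example (this is not code from the article or from Spamhaus): the client reverses the octets of the IPv4 address, appends the zone name, and reads the A-record answer as a return code. The zone `sbl.spamhaus.org` and the two codes are the ones the article mentions; the resolver is pluggable so the logic can be exercised offline against constructed answers, and the `unknown(...)` label is there precisely to catch a filter that knows 127.0.0.2 but would otherwise drop 127.0.0.3 on the floor. Production use against the public zone should be checked against Spamhaus’s published terms of use.

```python
"""
Query a Spamhaus-style DNS blocklist (DNSBL) and interpret the return code.

Added illustration, not the article's or Spamhaus's code.  Zone name and the
return codes 127.0.0.2 (SBL) and 127.0.0.3 (CSS) are as the article describes;
the sample answers at the bottom are constructed so the script runs offline.
"""
import ipaddress
import socket
from typing import Callable, Dict, Iterable, List

ZONE = "sbl.spamhaus.org"  # CSS listings are served from the SBL zone, per the article

# DNSBL return codes -> list names.  Anything else is reported verbatim so that a
# filter written before CSS existed does not silently treat it as "not listed".
RETURN_CODES: Dict[str, str] = {
    "127.0.0.2": "SBL",
    "127.0.0.3": "CSS",
}


def dnsbl_name(ip: str, zone: str = ZONE) -> str:
    """Build the query name: IPv4 octets reversed, then the zone."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError for anything that is not IPv4
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def system_resolver(name: str) -> List[str]:
    """Default resolver: every A record for `name`, or [] when it does not exist."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def classify(answers: Iterable[str]) -> List[str]:
    """Map A-record answers onto list names."""
    return [RETURN_CODES.get(a, f"unknown({a})") for a in answers]


def lookup(ip: str,
           resolver: Callable[[str], List[str]] = system_resolver,
           zone: str = ZONE) -> List[str]:
    """Return the names of the lists `ip` appears on; [] means not listed."""
    return classify(resolver(dnsbl_name(ip, zone)))


# Constructed stand-in for DNS (documentation-range addresses, not real listings):
# one SBL listing, one CSS listing, everything else NXDOMAIN.
FAKE_ANSWERS: Dict[str, List[str]] = {
    dnsbl_name("192.0.2.10"): ["127.0.0.2"],
    dnsbl_name("198.51.100.77"): ["127.0.0.3"],
}


def fake_resolver(name: str) -> List[str]:
    return FAKE_ANSWERS.get(name, [])


if __name__ == "__main__":
    for ip in ("192.0.2.10", "198.51.100.77", "203.0.113.5"):
        print(ip, lookup(ip, fake_resolver) or "not listed")
```

Swap `fake_resolver` for the default `system_resolver` to query the live zone from a mail server’s own resolver; the rest of the code, including the handling of a third, unexpected return code, stays the same.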

Snowshoe spam gets its name from the way it spreads its activity. Just as snowshoes spread the weight of a step over the snow so the walker does not sink, snowshoe spammers spread their output across a multitude of IP addresses. By doing that, they keep any single source below the radar, skew volume-based reputation metrics and evade spam filters. The spammers know a percentage of their clutter will be blocked by the anti-spam systems of their targets, but by broadening the swath of sources, they increase the share that gets through.

Launching a snowshoe operation takes some sophistication, because an operator needs an assortment of IP addresses, servers and providers to fan out the payload. Analysis of snowshoe spam shows that IP addresses are rarely repeated. That makes isolating the spam more challenging: spamfighters can’t turn off the spigot at a particular IP address, so they must analyze the content of each message to catch the junk, a far more processor-intensive process than rejecting a connection from a listed IP.
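The sending pattern the two paragraphs above describe, many distinct static addresses each delivering a little, is something a mail administrator can look for in connection logs before a blocklist ever catches up. The following is an added example, not the article’s or Spamhaus’s code: the log format, the /24 grouping and the thresholds are all constructed for illustration, and the heuristic is a triage signal rather than a blocking rule, since a legitimate ESP’s outbound farm also spreads across a netblock.

```python
"""
Surface snowshoe-style sending patterns from SMTP connection logs.

Added illustration, not from the article.  The log format, the /24 grouping
and the thresholds below are assumptions made for the example; the sample log
lines are constructed and use documentation address ranges.
"""
import ipaddress
import re
from collections import defaultdict
from typing import Dict, Iterable, Iterator, List, Tuple

# Constructed log lines: 198.51.100.0/24 shows the snowshoe pattern (twelve
# addresses, one message each, a different sender domain per address);
# 192.0.2.200 is a single high-volume source; 203.0.113.5 is an ordinary peer.
LOG_LINES: List[str] = (
    [f"2009-10-10T12:{i:02d}:00 smtpd: client=198.51.100.{i} from=<offer@deal-{i}.example>"
     for i in range(1, 13)]
    + [f"2009-10-10T12:{i:02d}:30 smtpd: client=192.0.2.200 from=<bot@zombie.example>"
       for i in range(15)]
    + ["2009-10-10T12:20:00 smtpd: client=203.0.113.5 from=<alice@partner.example>"]
)

LINE_RE = re.compile(r"client=(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) from=<(?P<sender>[^>]*)>")


def parse(lines: Iterable[str]) -> Iterator[Tuple[str, str]]:
    """Yield (client_ip, sender) for every line that matches the assumed format."""
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            yield m.group("ip"), m.group("sender")


def netblock(ip: str) -> str:
    """Aggregate on the /24 the client sits in (assumption: snowshoe ranges are contiguous)."""
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))


def profile(lines: Iterable[str]) -> Dict[str, dict]:
    """Per netblock: distinct client IPs, message count, distinct sender domains."""
    blocks: Dict[str, dict] = defaultdict(lambda: {"ips": set(), "messages": 0, "domains": set()})
    for ip, sender in parse(lines):
        b = blocks[netblock(ip)]
        b["ips"].add(ip)
        b["messages"] += 1
        b["domains"].add(sender.rpartition("@")[2].lower())
    return blocks


def snowshoe_candidates(lines: Iterable[str],
                        min_ips: int = 8,
                        max_msgs_per_ip: float = 3.0) -> List[Tuple[str, int, float, int]]:
    """Netblocks with many distinct senders each sending little: (block, ips, msgs/ip, domains).

    A single address sending a lot (the 192.0.2.200 case) is deliberately NOT
    flagged here; that is the traditional pattern a per-IP listing already handles.
    """
    out = []
    for block, b in profile(lines).items():
        n = len(b["ips"])
        per_ip = b["messages"] / n
        if n >= min_ips and per_ip <= max_msgs_per_ip:
            out.append((block, n, round(per_ip, 2), len(b["domains"])))
    return sorted(out)


if __name__ == "__main__":
    for block, ips, per_ip, domains in snowshoe_candidates(LOG_LINES):
        print(f"{block}: {ips} distinct IPs, {per_ip} msgs/IP, {domains} sender domains")
```

The distinct-domain count is the other tell worth keeping: a legitimate sender farm usually signs a handful of domains across all its addresses, whereas the snowshoe pattern pairs a fresh throwaway domain with nearly every address. Feed the flagged blocks into content analysis or a reputation check rather than rejecting on this count alone.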

As is typical of byte bandits everywhere, snowshoe spammers hide behind fictitious businesses and phony names and identities. They frequently change postal drop boxes and voicemail drops, and they are masters of creating fake Whois records, the records used to trace the owners of domain names.

One technique the spammers use to perpetuate their subterfuge is to tunnel connections between their spam cannons and the IP addresses from which the junk is actually delivered. That way, the IP address of the back-end cannon never appears in the headers of the spam messages; only the front-end “spigot” does. When a range of spigot domains or addresses is blocked, the spammers simply point their cannons at another set and keep pumping out their crud. The tactic makes the spam difficult, but not impossible, to trace.

According to Spamhaus, snowshoe spamming has been around for some time, but last year a few U.S. junk emailers refined the process by adopting list-scrubbing techniques such as listwashing and waterfalling to recycle mailing lists. The practice has become so popular that snowshoe spam accounts for 20 to 30 percent of all connections at a typical generic top-level domain server. It is the second-largest segment of the mailstream, behind only botnet spam from compromised machines in dynamic IP space. Snowshoe spam, by contrast, operates from static IP space.

Some white hats believe that Spamhaus’s latest move will cut spam traffic.

“The new list will likely result in a lot of spam being blocked, which is a good thing,” Steven Champeon wrote in the Enemieslist blog.

“[S]o-called snowshoe spam has been an increasingly large component of the spam we see here and in the trap feeds we monitor,” he continued. “In one sense, [snowshoe spam] is a return to old-school statically-hosted spamming, the sort that Spamhaus SBL was created to solve–but representing an evolution in tactics and new levels of obfuscation.”

He added that Spamhaus’s snowshoe effort represents an opportunity for Email Service Providers who are solid Netizens. He cited a number of legitimate companies who have been suckered by snowshoe spammers. They include Sears, Brinks, LG, Kraft, Gerber, Dish Network and the AARP. The Spamhaus initiative will encourage legitimate clients of spammers to move to ESPs, he argued. “[I]n the long run,” he reasoned, “[that's] a good thing, because ESPs with transparency and a reputation to protect will educate their new clients.”
