Security expert: snowshoe spam an unsung problem

A relatively unknown and barely legal form of spam is receiving some much-needed attention this week. Snowshoe spam may not measure up to the extreme malice of its brethren, but that's not stopping one security expert from trying to make it a household name.

ADVERTISEMENT

Brett Cove, an anti-spam specialist at Sophos Labs, spread the word on snowshoe spam in an address at this year's Virus Bulletin in Barcelona. Calling on lawmakers and ISPs to work together to close a loophole in the Controlling the Assault of Non-Solicited Pornography And Marketing (CAN-SPAM) Act of 2003 (.pdf) that actually allows for certain types of legal spam, Cove detailed the numerous issues (.pdf) snowshoe spam presents to innocent Internet users.

Chester Wisniewski, senior security adviser for Sophos, explained the meaning behind the odd name at the company's Naked Security blog.

"The name was chosen because snowshoes are used to distribute your weight across a larger surface to prevent sinking," he said, adding that the method circumvents traditional detection tools by sending out spam mail to countless IP addresses.

ADVERTISEMENT

The Spamhaus Project, a Switzerland-based non-profit organization that monitors global spam, describes snowshoe spamming in greater detail:

Snowshoers use many fictitious business names (DBA - Doing Business As), fake names and identities, and frequently changing postal dropboxes and voicemail drops. Conversely, legitimate mailers try hard to build brand reputation based on a real business address, a known domain and a small, permanent, well-identified range of sending IPs. Snowshoers often use anonymized or unidentifiable whois records, whereas legitimate senders are proud to provide their bona fide identity.

According to a 2009 analysis by Portland State University's Department of Criminology and Criminal Justice, the CAN-SPAM act ironically didn't do much:

Analyses revealed that the CAN-SPAM Act had no observable impact on the amount of spam sent. The Act was found to have no effect on spammer compliance with two out of three spam laws in the CAN-SPAM Act. The one law out of the three where there was a noticeable effect resulted in a decrease in compliance following the Act’s passing. Lastly, the Act had no impact on the number of spam emails with IP addresses assumed to be within the United States. Implications of these findings and suggestions for policy are discussed.

In August, Microsoft claimed the opposite - that it had reduced the total amount of Internet spam by 15 percent since 2008.

ADVERTISEMENT

If there's sound evidence a law isn't living up to its potential in safeguarding Internet users, hopefully Cove's words won't fall on deaf ears. Maybe soon snowshoe spammers will finally get stuck. (via Naked Security)

No posts to display