Olivier van der Toorn

Snowshoe Spam

We started the TIDE project with Snowshoe Spam domain detection. But what is Snowshoe Spam? In Snowshoe Spam the spammer tries to spread the sending load over numerous hosts, and thus reducing the amount of spam each hosts sends. This makes each host separate hard to detect. It means that the spammer is less likely to end up on spam reputation lists (blacklists) and is therefore able to continue spamming for longer.

How do we detect Snowshoe Spam?

Spammers often make use of email best practices like Sender Policy Framework (SPF). SPF requires the spammer to register a domain name and configure a record for each host the spammer allows to send mail for that domain.

The OpenINTEL platform performs active DNS measurements to more than 60% of registered domain names. This data forms the source of our measurements.

By analyzing the configuration of domains which where on blacklists we could infer what other domains should appear on blacklists. Domains of which we think are likely to be related to snowshoe spam are added to our blacklist. These entries we compared to other blacklists everyday to establish if our detentions were earlier or not. In the above animation you can see the development of this time advantage. Every frame of the animation is a day from 2017-05-24 till now.

We have submitted this work to NOMS 2018. The notification date is in December. This work builds on preliminary results published in SIGCOMM.

Development over time

In the animation above you can see the detection development over time. Each frame displays a day of measurements. At the time of writing the maximum advance detection is at a 140 days. However, this animation is updated daily and we expect this number to go up as the measurement continues.