BARCELONA — If you thought the CAN SPAM Act of 2003 nailed the coffin closed on the legality of spamming in the U.S., you’d be wrong. In fact, CAN SPAM compliant spam e-mail – sometimes referred to as ‘Snowshoe Spam’ is a growing source of nuisance e-mail messages hitting inboxes in the U.S. and around the world, according to a researcher working for antivirus firm Sophos.
Brett Cove, a researcher for anti malware firm Sophos, told attendees at the annual Virus Bulletin Conference on Thursday that so-called “snowshoe spam” is becoming a bigger problem, even as spam e-mail volumes associated with botnets are receding. Snowshoe spam is responsible for the bulk of spam messages that make it past anti spam filters at U.S. firms, even as bulk senders avoid prosecution by adhering to the letter of the U.S. CAN SPAM anti-spamming law.
Snowshoe spam isn’t a new problem. In fact, within anti spam circles, researchers have been talking about the phenomenon for years. The term “snowshoe” spam comes from the tactic of spreading the load of spam runs across a wide range of IP addresses as a way to avoid detection by anti spam filters, in the same way that snowshoes spread the weight of their wearer across a wide area to avoid breaking through snow and ice.
Anti spam filters are typically programmed to allow only a small volume of identical e-mail messages from the same IP address range, Cove told Threatpost. Snowshoe spam is able to avoid – or postpone – the filters by sending mail from a range of addresses, often leased by the bulk mail senders, he said.
Rather than originating from computers around the world that had been conscripted into malicious botnets, snowshoe spam often originates from within the U.S. from systems that have been properly leased by the bulk mail senders from ISPs specifically for the purpose of sending the mail messages, Cove said.
The IP address blocks might comprise thousands of static addresses and act as “spigots” for high volume spam engines operated by the bulk email distributors. That’s a different setup from illegal spam operations, which use dynamic IP addresses culled from a population of bot-compromised hosts. But the end result is the same, while the spam runs, themselves, are perfectly legal and within the the bounds set down by the CAN SPAM Act, he said.
“The problem is in thinking that the CAN SPAM Act is an anti spamming law,” Cove told Threatpost. “It isn’t.”
Signed into law by President George W. Bush in 2003, the CAN SPAM Act – or the Controlling the Assault of Non-Solicited Pornography And Marketing Act of 2003 – outlawed certain practices, such as the use of open relays and the use of false headers or misleading information. It also required senders of bulk commercial email to provide a valid post office box and or e-mail address for recipients to opt-out of receiving future e-mail messages. However, the law also pre-empted tougher, state level anti spam laws that actually tried to curtail the sending of bulk, commercial e-mail.
The law, Cove and others have argued, is mainly concerned with giving consumers the ability to opt-out of nuisance spam campaigns, not with stopping the campaigns.
Snowshoe spammers are careful to comply with the letter of the CAN SPAM Act, providing an opt-out e-mail address or unsubscribe buttons at the bottom of each e-mail message they send out. Of course, Cove said the address is rarely more than an email drop box – a kind of dead letter office, and often isn’t a valid address at all. The campaigns are still spam – high volume, unsolicited email solicitations – Cove argues.
For recipients who do complain, Snowshoe spammers use strategies like “list washing” – removing complainants from massive lists of e-mail addresses they use to spam, Cove said. Organizations like Spamhaus have complained about Snowshoe spamming for years, noting that Internet Service Providers (ISPs) bear part of the blame for merely passing along user customer complaints about spam email to those running the campaigns, rather than using their own resources to determine whether the campaign in question is a spam run and stopping it.
Cove said that Snowshoe spam runs tend to be different in character than their illegal cousins, with fewer instances of malware tinged mail and promotions for illegal online pharmacies. However, like illegal spam, the activity is flourishing because its highly profitable. And, with only a handful of prosecutions under the law in eight years, snowshoe spammers would seem to have little to fear from Federal authorities.
Once an urgent problem that demanded headlines, spam e-mail, though endemic, has become a fact of life online. Coordinated takedowns of botnets responsible for much of the illegal spam have radically changed the landscape of the criminal spamming world. For the first time in memory, Kaspersky Labs found that the bulk of illicit spam came from IP addresses outside the U.S. At the same time, studies suggest that profits from spamming are down, pushing cyber-criminals to more lucrative targeted attacks.
Still, organizations of all sizes spend considerable resources filtering and blocking both illegal and snowshoe spam, raising the cost of doing business online and reducing worker productivity, Cove said. Revising the CAN SPAM Act to target high volume spamming behavior, rather than merely enforcing consumer choice, are one way to curtail the snowshoe campaigns, he said.