Spammers are Avoiding Spam Filters: Cisco

If nothing else, spam and spam-related technologies often get really cool names. Rustock, Bagle, Cutwail, Zeus, Grum, Festi, Conficker, spam blizzards, Emotet, Blackhole, even bacon (Yum!). The list goes on and on. It’s as if a group of guys sit around in some dark, OLED-illuminated basement somewhere, listening to Iron Butterfly and passing a bong around. You can almost hear the conversation. “Hey, what about Grum? That’s a cool-sounding name!” Followed by a unified chorus of “Dude!” If researchers and IT professionals spent as much time addressing the problem as they did trying to come up with names for the exploits they discover, perhaps we’d have a leg up on the spam problem, instead of the current state of affairs. To use the leg analogy, our leg is exposed and spam is humping it ceaselessly.

So if you haven’t heard it yet, add a new moniker to the ever-growing database of spam nomenclature: snowshoe spam. It’s a good one, too, because in the same way a snowshoe distributes weight across its base to give the wearer the ability to walk on snow, this kind of spam spreads itself across multiple IP addresses to evade spam filters. In its 2015 Annual Security Report, networking firm Cisco reports that this new kind of spam, discovered by has many of the features of traditional spam, including the ability to drop a payload of malware through email attachments.

“Snowshoe spam,” says Cisco, “is unsolicited bulk email that is sent using a large number of IP addresses, and at a low message volume per IP address, thus preventing some spam systems from sinking the spam. In a recent snowshoe spam campaign observed by Cisco Security Research, a blitz approach was used. This means the total spam campaign took place over just three hours, but at one point accounted for 10 percent of global spam traffic.”

Computer Business Review advises companies to “look for other signs of spam, such as a mismatch between forward and reverse domain name systems (DNS),” which is “generally considered an obvious indicator that a mail server is not legitimate.” As previously stated, the snowshoe messages observed by Cisco researchers show the signs of standard spam; for example, they have “misspelled subject lines such as ‘inovice 2921411.pdf,’ and include a randomly generated number. Attachments were typically PDF files containing a Trojan exploiting a vulnerability in Adobe Reader.” The word ‘invoice’ is misspelled, and the messages themselves have little to no content in the message body. While the From header varies, Cisco reports that they contain unusual character strings such as “EOF,” “endobj,” and “endstream.” The PDF file attachment was the same across all of the messages, the only difference being the name of the attachment. An analysis of the attachment yielded a “Trojan exploiting CVE-2013-2729, an integer overflow vulnerability found in Adobe Reader version families 9.x, 10.x and 11.x.”

Cisco discusses snowshoe spam in an August 2014 blog post. Researcher Alex Chiu points out that while neither the snowshoe method nor the PDF exploit is novel, Cisco is seeing a growing trend in the use of snowshoe spam. Anti-spam systems are very effective at identifying and isolating spam. Typically, they can have a 99.9 percent success rate, and that’s an important figure for anyone interested in keeping networks, whether small or large, safe from the security threats posed by malicious email. But it’s the 0.1 percent that worries us, and as Cisco points out, “spammers try just about anything to evade spam filters. To ensure that spam reaches its intended audience, spammers are increasingly using these tactics to avoid detection by IP-based anti-spam reputation technologies.”

“Snowshoe spam can be a challenge for some anti-spam detection techniques,” Chiu writes, “because it typically uses multiple IP addresses with very low spam volume per IP address. Depending on how an anti-spam technology works, this can cause severe problems with detection.”

Chiu points out that there are ways to mitigate the threat. “One of the best ways to combat snowshoe spam is to rely on more than simple reputation. While the DNS infrastructure is highly mutable – especially when using technologies like Dynamic DNS – the IP infrastructure is not. In this particular spam campaign, a large majority of the spam messages we observed came from a different IP address. Classic snowshoe spam.” The post provides a link to about 250 IP addresses that Cisco observed participating in the spam campaign.
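To show what “more than simple reputation” can look like in practice, here is an added example (written for this article, not Cisco’s code) that applies the campaign signs listed above to constructed mail-gateway records: it groups messages by attachment hash, flags a group that arrives from many distinct IPs at only a message or two each, and tags the per-message indicators (forward/reverse DNS mismatch, PDF keywords in the From header, the misspelled invoice subject). All IPs, hostnames, hashes and thresholds are constructed placeholders.

```python
import re
from collections import defaultdict

# Per-message signs quoted in the article: misspelled "inovice NNN.pdf" subject
# and PDF structure keywords appearing in the From header.
INVOICE_TYPO = re.compile(r"^inovice \d+\.pdf$", re.IGNORECASE)
PDF_KEYWORDS = ("EOF", "endobj", "endstream")

def _msg(ip, fwd, rev, frm, subject, name, digest):
    return {"ip": ip, "fwd_dns": fwd, "rev_dns": rev, "from": frm,
            "subject": subject, "attachment": name, "sha256": digest}

# Constructed sample: one snowshoe-shaped campaign (7 IPs, 1 message each,
# identical attachment, varying file name) plus a legitimate single-IP bulk sender.
SAMPLE_MESSAGES = [
    _msg("192.0.2.%d" % i, "mail%d.example-relay.test" % i,
         "host-%d.dynamic.isp.test" % i,
         "%s <acct%d@example-relay.test>" % (PDF_KEYWORDS[i % 3], i),
         "inovice %07d.pdf" % (2921411 + i), "inovice %07d.pdf" % (2921411 + i),
         "sha256:constructed-snowshoe-payload")
    for i in range(1, 8)
] + [
    _msg("198.51.100.9", "news.example.org", "news.example.org",
         "Newsletter <news@example.org>", "Weekly update #%d" % i,
         "update.pdf", "sha256:constructed-newsletter")
    for i in range(1, 6)
]

def message_indicators(msg):
    """Return the set of per-message spam signs the article lists."""
    hits = set()
    if msg["fwd_dns"].lower() != msg["rev_dns"].lower():
        hits.add("dns_mismatch")
    if any(k in msg["from"] for k in PDF_KEYWORDS):
        hits.add("pdf_keyword_in_from")
    if INVOICE_TYPO.match(msg["subject"]):
        hits.add("misspelled_invoice_subject")
    return hits

def find_snowshoe_campaigns(messages, min_ips=5, max_per_ip=2):
    """Group by attachment hash; a group is snowshoe-shaped when the same payload
    comes from at least min_ips addresses, none sending more than max_per_ip."""
    by_hash = defaultdict(list)
    for m in messages:
        by_hash[m["sha256"]].append(m)
    findings = []
    for digest, group in by_hash.items():
        per_ip = defaultdict(int)
        for m in group:
            per_ip[m["ip"]] += 1
        if len(per_ip) >= min_ips and max(per_ip.values()) <= max_per_ip:
            indicators = set().union(*(message_indicators(m) for m in group))
            findings.append({"sha256": digest, "ips": len(per_ip),
                             "messages": len(group), "indicators": sorted(indicators)})
    return findings

if __name__ == "__main__":
    for f in find_snowshoe_campaigns(SAMPLE_MESSAGES):
        print(f)
```

The per-IP volume threshold is the part a reputation-only filter lacks: each address alone stays under any sensible rate limit, and only the shared attachment hash ties the sources together.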

Because many of the IP addresses observed in the campaign didn’t have a record of sending emails before, it’s safe to assume that the offending machines have been compromised as part of a botnet.

Yet another year, yet another threat of which to take note.