The Resurgence of Snowshoe Spam
Global spam problems have significantly increased during the first quarter of 2010, with a rise in snowshoe spam and an exponential growth in botnet spam distribution.
Snowshoe spam, which rose dramatically during the final quarter of 2009 before tapering off in January, is now experiencing a resurgence. Snowshoe spam comes from a central point of origin but uses a wide variety of IP addresses to cloak the spam. These addresses are typically within a /24 range but may encompass much larger address blocks. In this type of operation the spam is spewed from a network, rapidly stepping through the IP addresses within the network and emitting spam across a wide footprint. The intent is to make the technique more efficient and more difficult to identify.
In such a coordinated effort the high volume of spam can become a Distributed Denial of Service attack, collapsing mail servers and disrupting legitimate network traffic. Fortunately, monitoring live traffic will help the webmaster or network administrator quickly spot the traffic. Snowshoe spam is not safe, nor is it subtle.
To help you better understand snowshoe spam traffic, we will show you three samples of actual network traffic. Each of these networks has been identified by Spamhaus as a known spammer. First, our typical disclaimer: while the evidence logs we present to you are factual and true, they should not be construed as an allegation of wrongdoing by the owner or owners of the networks mentioned. They may be completely unaware of a possible problem.
Here are some real world examples:
173.44.146.0/24 identified by Spamhaus as a spam block on March 21, 2010.
Over the course of nine hours, IPs allegedly on this network made 4409 SMTP connections to one mail server:
[xxxx@xxxxx-www log]# grep -c 173.44.146. secure
4409 (smtp connections)
Mar 21 23:11:32 xxxxx-www xinetd[27078]: START: smtp pid=23365 from=173.44.146.252
Mar 21 23:11:32 xxxxx-www xinetd[27078]: START: smtp pid=23366 from=173.44.146.251
...........................................................................................
Mar 22 08:09:16 xxxxx-www xinetd[27078]: START: smtp pid=2410 from=173.44.146.98
Mar 22 08:09:26 xxxxx-www xinetd[27078]: START: smtp pid=2428 from=173.44.146.95
Mar 22 08:09:26 xxxxx-www xinetd[27078]: START: smtp pid=2429 from=173.44.146.94
Mar 22 08:09:26 xxxxx-www xinetd[27078]: START: smtp pid=2430 from=173.44.146.93
Mar 22 08:09:27 xxxxx-www xinetd[27078]: START: smtp pid=2432 from=173.44.146.92
Mar 22 08:09:27 xxxxx-www xinetd[27078]: START: smtp pid=2433 from=173.44.146.91
Mar 22 08:09:27 xxxxx-www xinetd[27078]: START: smtp pid=2434 from=173.44.146.90
Mar 22 08:09:27 xxxxx-www xinetd[27078]: START: smtp pid=2435 from=173.44.146.89
Mar 22 08:09:27 xxxxx-www xinetd[27078]: START: smtp pid=2438 from=173.44.146.88
Mar 22 08:09:27 xxxxx-www xinetd[27078]: START: smtp pid=2439 from=173.44.146.87
Mar 22 08:09:27 xxxxx-www xinetd[27078]: START: smtp pid=2440 from=173.44.146.86
Mar 22 08:09:27 xxxxx-www xinetd[27078]: START: smtp pid=2441 from=173.44.146.85
Mar 22 08:09:27 xxxxx-www xinetd[27078]: START: smtp pid=2442 from=173.44.146.84
Mar 22 08:09:28 xxxxx-www xinetd[27078]: START: smtp pid=2444 from=173.44.146.83
Mar 22 08:09:28 xxxxx-www xinetd[27078]: START: smtp pid=2445 from=173.44.146.82
Mar 22 08:09:28 xxxxx-www xinetd[27078]: START: smtp pid=2446 from=173.44.146.81
Mar 22 08:09:28 xxxxx-www xinetd[27078]: START: smtp pid=2447 from=173.44.146.80
Mar 22 08:09:28 xxxxx-www xinetd[27078]: START: smtp pid=2448 from=173.44.146.79
Mar 22 08:09:28 xxxxx-www xinetd[27078]: START: smtp pid=2449 from=173.44.146.78
Mar 22 08:09:28 xxxxx-www xinetd[27078]: START: smtp pid=2450 from=173.44.146.77
Mar 22 08:09:28 xxxxx-www xinetd[27078]: START: smtp pid=2451 from=173.44.146.76
Mar 22 08:09:28 xxxxx-www xinetd[27078]: START: smtp pid=2453 from=173.44.146.75
Mar 22 08:09:29 xxxxx-www xinetd[27078]: START: smtp pid=2455 from=173.44.146.74
Mar 22 08:09:29 xxxxx-www xinetd[27078]: START: smtp pid=2456 from=173.44.146.73
Mar 22 08:09:29 xxxxx-www xinetd[27078]: START: smtp pid=2457 from=173.44.146.72
Mar 22 08:09:29 xxxxx-www xinetd[27078]: START: smtp pid=2458 from=173.44.146.71
Mar 22 08:09:29 xxxxx-www xinetd[27078]: START: smtp pid=2459 from=173.44.146.70
Mar 22 08:09:29 xxxxx-www xinetd[27078]: START: smtp pid=2460 from=173.44.146.69
Mar 22 08:09:29 xxxxx-www xinetd[27078]: START: smtp pid=2461 from=173.44.146.68
Mar 22 08:09:29 xxxxx-www xinetd[27078]: START: smtp pid=2462 from=173.44.146.67
Mar 22 08:09:29 xxxxx-www xinetd[27078]: START: smtp pid=2463 from=173.44.146.66
Mar 22 08:09:29 xxxxx-www xinetd[27078]: START: smtp pid=2464 from=173.44.146.65
Mar 22 08:09:30 xxxxx-www xinetd[27078]: START: smtp pid=2465 from=173.44.146.64
Mar 22 08:09:30 xxxxx-www xinetd[27078]: START: smtp pid=2466 from=173.44.146.63
Mar 22 08:09:30 xxxxx-www xinetd[27078]: START: smtp pid=2467 from=173.44.146.62
Mar 22 08:09:30 xxxxx-www xinetd[27078]: START: smtp pid=2469 from=173.44.146.61
Mar 22 08:09:30 xxxxx-www xinetd[27078]: START: smtp pid=2470 from=173.44.146.60
Mar 22 08:09:30 xxxxx-www xinetd[27078]: START: smtp pid=2471 from=173.44.146.59
Mar 22 08:09:30 xxxxx-www xinetd[27078]: START: smtp pid=2472 from=173.44.146.58
Mar 22 08:09:30 xxxxx-www xinetd[27078]: START: smtp pid=2473 from=173.44.146.57
Mar 22 08:09:30 xxxxx-www xinetd[27078]: START: smtp pid=2474 from=173.44.146.56
Mar 22 08:09:30 xxxxx-www xinetd[27078]: START: smtp pid=2475 from=173.44.146.55
Mar 22 08:09:31 xxxxx-www xinetd[27078]: START: smtp pid=2476 from=173.44.146.54
Mar 22 08:09:31 xxxxx-www xinetd[27078]: START: smtp pid=2477 from=173.44.146.53
Mar 22 08:09:31 xxxxx-www xinetd[27078]: START: smtp pid=2479 from=173.44.146.52
Mar 22 08:09:31 xxxxx-www xinetd[27078]: START: smtp pid=2480 from=173.44.146.51
Mar 22 08:09:31 xxxxx-www xinetd[27078]: START: smtp pid=2481 from=173.44.146.50
Mar 22 08:09:31 xxxxx-www xinetd[27078]: START: smtp pid=2482 from=173.44.146.49
Mar 22 08:09:31 xxxxx-www xinetd[27078]: START: smtp pid=2483 from=173.44.146.48
Mar 22 08:09:31 xxxxx-www xinetd[27078]: START: smtp pid=2484 from=173.44.146.47
Mar 22 08:09:31 xxxxx-www xinetd[27078]: START: smtp pid=2485 from=173.44.146.46
Mar 22 08:09:31 xxxxx-www xinetd[27078]: START: smtp pid=2486 from=173.44.146.45
Mar 22 08:09:32 xxxxx-www xinetd[27078]: START: smtp pid=2487 from=173.44.146.44
Mar 22 08:09:32 xxxxx-www xinetd[27078]: START: smtp pid=2488 from=173.44.146.43
Mar 22 08:09:32 xxxxx-www xinetd[27078]: START: smtp pid=2490 from=173.44.146.42
Mar 22 08:09:32 xxxxx-www xinetd[27078]: START: smtp pid=2491 from=173.44.146.41
Mar 22 08:09:32 xxxxx-www xinetd[27078]: START: smtp pid=2492 from=173.44.146.40
Mar 22 08:09:32 xxxxx-www xinetd[27078]: START: smtp pid=2493 from=173.44.146.39
Mar 22 08:09:32 xxxxx-www xinetd[27078]: START: smtp pid=2494 from=173.44.146.38
Mar 22 08:09:32 xxxxx-www xinetd[27078]: START: smtp pid=2495 from=173.44.146.37
Mar 22 08:09:32 xxxxx-www xinetd[27078]: START: smtp pid=2496 from=173.44.146.36
Mar 22 08:09:33 xxxxx-www xinetd[27078]: START: smtp pid=2498 from=173.44.146.35
Mar 22 08:09:33 xxxxx-www xinetd[27078]: START: smtp pid=2499 from=173.44.146.34
Mar 22 08:09:33 xxxxx-www xinetd[27078]: START: smtp pid=2500 from=173.44.146.33
Mar 22 08:09:33 xxxxx-www xinetd[27078]: START: smtp pid=2502 from=173.44.146.32
Mar 22 08:09:33 xxxxx-www xinetd[27078]: START: smtp pid=2504 from=173.44.146.31
Mar 22 08:09:33 xxxxx-www xinetd[27078]: START: smtp pid=2505 from=173.44.146.30
Mar 22 08:09:33 xxxxx-www xinetd[27078]: START: smtp pid=2506 from=173.44.146.29
Mar 22 08:09:33 xxxxx-www xinetd[27078]: START: smtp pid=2507 from=173.44.146.28
Mar 22 08:09:33 xxxxx-www xinetd[27078]: START: smtp pid=2508 from=173.44.146.27
Mar 22 08:09:33 xxxxx-www xinetd[27078]: START: smtp pid=2509 from=173.44.146.26
Mar 22 08:09:34 xxxxx-www xinetd[27078]: START: smtp pid=2510 from=173.44.146.25
Mar 22 08:09:34 xxxxx-www xinetd[27078]: START: smtp pid=2512 from=173.44.146.24
Mar 22 08:09:34 xxxxx-www xinetd[27078]: START: smtp pid=2513 from=173.44.146.23
Mar 22 08:09:34 xxxxx-www xinetd[27078]: START: smtp pid=2514 from=173.44.146.22
Mar 22 08:09:35 xxxxx-www xinetd[27078]: START: smtp pid=2515 from=173.44.146.21
Mar 22 08:09:35 xxxxx-www xinetd[27078]: START: smtp pid=2516 from=173.44.146.20
Mar 22 08:09:35 xxxxx-www xinetd[27078]: START: smtp pid=2519 from=173.44.146.19
Mar 22 08:09:35 xxxxx-www xinetd[27078]: START: smtp pid=2520 from=173.44.146.18
Mar 22 08:09:35 xxxxx-www xinetd[27078]: START: smtp pid=2521 from=173.44.146.17
Mar 22 08:09:35 xxxxx-www xinetd[27078]: START: smtp pid=2522 from=173.44.146.16
Mar 22 08:09:35 xxxxx-www xinetd[27078]: START: smtp pid=2523 from=173.44.146.15
Mar 22 08:09:35 xxxxx-www xinetd[27078]: START: smtp pid=2524 from=173.44.146.14
Mar 22 08:09:35 xxxxx-www xinetd[27078]: START: smtp pid=2525 from=173.44.146.13
Mar 22 08:09:36 xxxxx-www xinetd[27078]: START: smtp pid=2526 from=173.44.146.12
Mar 22 08:09:36 xxxxx-www xinetd[27078]: START: smtp pid=2527 from=173.44.146.11
Mar 22 08:09:36 xxxxx-www xinetd[27078]: START: smtp pid=2530 from=173.44.146.10
Mar 22 08:09:36 xxxxx-www xinetd[27078]: START: smtp pid=2531 from=173.44.146.9
Mar 22 08:09:36 xxxxx-www xinetd[27078]: START: smtp pid=2532 from=173.44.146.8
Mar 22 08:09:36 xxxxx-www xinetd[27078]: START: smtp pid=2534 from=173.44.146.7
Mar 22 08:09:36 xxxxx-www xinetd[27078]: START: smtp pid=2535 from=173.44.146.6
Mar 22 08:09:36 xxxxx-www xinetd[27078]: START: smtp pid=2536 from=173.44.146.5
Mar 22 08:09:36 xxxxx-www xinetd[27078]: START: smtp pid=2537 from=173.44.146.4
Mar 22 08:09:36 xxxxx-www xinetd[27078]: START: smtp pid=2538 from=173.44.146.3
Mar 22 08:09:37 xxxxx-www xinetd[27078]: START: smtp pid=2539 from=173.44.146.2
Mar 22 08:09:37 xxxxx-www xinetd[27078]: START: smtp pid=2541 from=173.44.146.254
Mar 22 08:09:37 xxxxx-www xinetd[27078]: START: smtp pid=2542 from=173.44.146.253
Mar 22 08:09:37 xxxxx-www xinetd[27078]: START: smtp pid=2543 from=173.44.146.252
Mar 22 08:09:37 xxxxx-www xinetd[27078]: START: smtp pid=2544 from=173.44.146.251
Mar 22 08:09:37 xxxxx-www xinetd[27078]: START: smtp pid=2545 from=173.44.146.250
Mar 22 08:09:37 xxxxx-www xinetd[27078]: START: smtp pid=2546 from=173.44.146.249
Mar 22 08:09:37 xxxxx-www xinetd[27078]: START: smtp pid=2547 from=173.44.146.248
Mar 22 08:09:37 xxxxx-www xinetd[27078]: START: smtp pid=2548 from=173.44.146.247
Mar 22 08:09:38 xxxxx-www xinetd[27078]: START: smtp pid=2549 from=173.44.146.246
Mar 22 08:09:38 xxxxx-www xinetd[27078]: START: smtp pid=2551 from=173.44.146.245
Mar 22 08:09:38 xxxxx-www xinetd[27078]: START: smtp pid=2552 from=173.44.146.244
Mar 22 08:09:38 xxxxx-www xinetd[27078]: START: smtp pid=2553 from=173.44.146.243
Mar 22 08:09:38 xxxxx-www xinetd[27078]: START: smtp pid=2554 from=173.44.146.242
Mar 22 08:09:38 xxxxx-www xinetd[27078]: START: smtp pid=2555 from=173.44.146.241
Mar 22 08:09:38 xxxxx-www xinetd[27078]: START: smtp pid=2556 from=173.44.146.240
Mar 22 08:09:38 xxxxx-www xinetd[27078]: START: smtp pid=2557 from=173.44.146.239
Mar 22 08:09:38 xxxxx-www xinetd[27078]: START: smtp pid=2558 from=173.44.146.238
Mar 22 08:09:38 xxxxx-www xinetd[27078]: START: smtp pid=2559 from=173.44.146.237
Mar 22 08:09:39 xxxxx-www xinetd[27078]: START: smtp pid=2560 from=173.44.146.236
Mar 22 08:09:39 xxxxx-www xinetd[27078]: START: smtp pid=2562 from=173.44.146.235
Mar 22 08:09:44 xxxxx-www xinetd[27078]: START: smtp pid=2570 from=173.44.146.233
Mar 22 08:09:44 xxxxx-www xinetd[27078]: START: smtp pid=2571 from=173.44.146.232
Mar 22 08:09:45 xxxxx-www xinetd[27078]: START: smtp pid=2572 from=173.44.146.231
Mar 22 08:09:45 xxxxx-www xinetd[27078]: START: smtp pid=2573 from=173.44.146.230
Mar 22 08:09:45 xxxxx-www xinetd[27078]: START: smtp pid=2575 from=173.44.146.229
Mar 22 08:09:45 xxxxx-www xinetd[27078]: START: smtp pid=2576 from=173.44.146.228
Mar 22 08:09:45 xxxxx-www xinetd[27078]: START: smtp pid=2577 from=173.44.146.227
Mar 22 08:09:45 xxxxx-www xinetd[27078]: START: smtp pid=2578 from=173.44.146.226
Mar 22 08:09:45 xxxxx-www xinetd[27078]: START: smtp pid=2579 from=173.44.146.225
Mar 22 08:09:45 xxxxx-www xinetd[27078]: START: smtp pid=2580 from=173.44.146.224
Mar 22 08:09:46 xxxxx-www xinetd[27078]: START: smtp pid=2581 from=173.44.146.223
Mar 22 08:09:46 xxxxx-www xinetd[27078]: START: smtp pid=2582 from=173.44.146.222
Mar 22 08:09:46 xxxxx-www xinetd[27078]: START: smtp pid=2583 from=173.44.146.221
Mar 22 08:09:46 xxxxx-www xinetd[27078]: START: smtp pid=2584 from=173.44.146.220
Mar 22 08:09:46 xxxxx-www xinetd[27078]: START: smtp pid=2585 from=173.44.146.219
Mar 22 08:09:46 xxxxx-www xinetd[27078]: START: smtp pid=2586 from=173.44.146.218
Mar 22 08:09:46 xxxxx-www xinetd[27078]: START: smtp pid=2587 from=173.44.146.217
Mar 22 08:09:47 xxxxx-www xinetd[27078]: START: smtp pid=2589 from=173.44.146.216
Mar 22 08:09:47 xxxxx-www xinetd[27078]: START: smtp pid=2590 from=173.44.146.215
Mar 22 08:09:47 xxxxx-www xinetd[27078]: START: smtp pid=2591 from=173.44.146.214
Mar 22 08:09:48 xxxxx-www xinetd[27078]: START: smtp pid=2593 from=173.44.146.213
Mar 22 08:09:48 xxxxx-www xinetd[27078]: START: smtp pid=2594 from=173.44.146.212
Mar 22 08:09:48 xxxxx-www xinetd[27078]: START: smtp pid=2595 from=173.44.146.211
Mar 22 08:09:48 xxxxx-www xinetd[27078]: START: smtp pid=2596 from=173.44.146.210
Mar 22 08:09:49 xxxxx-www xinetd[27078]: START: smtp pid=2599 from=173.44.146.209
Mar 22 08:09:49 xxxxx-www xinetd[27078]: START: smtp pid=2600 from=173.44.146.206
Mar 22 08:09:49 xxxxx-www xinetd[27078]: START: smtp pid=2601 from=173.44.146.196
Mar 22 08:09:49 xxxxx-www xinetd[27078]: START: smtp pid=2602 from=173.44.146.168
Mar 22 08:09:49 xxxxx-www xinetd[27078]: START: smtp pid=2603 from=173.44.146.155
Mar 22 08:09:49 xxxxx-www xinetd[27078]: START: smtp pid=2604 from=173.44.146.154
Mar 22 08:09:50 xxxxx-www xinetd[27078]: START: smtp pid=2605 from=173.44.146.153
Mar 22 08:09:50 xxxxx-www xinetd[27078]: START: smtp pid=2607 from=173.44.146.152
Mar 22 08:10:04 xxxxx-www xinetd[27078]: START: smtp pid=2648 from=173.44.146.149
Mar 22 08:10:04 xxxxx-www xinetd[27078]: START: smtp pid=2650 from=173.44.146.117
Mar 22 08:10:04 xxxxx-www xinetd[27078]: START: smtp pid=2651 from=173.44.146.116
Mar 22 08:10:04 xxxxx-www xinetd[27078]: START: smtp pid=2652 from=173.44.146.115
Mar 22 08:10:05 xxxxx-www xinetd[27078]: START: smtp pid=2653 from=173.44.146.114
Mar 22 08:10:05 xxxxx-www xinetd[27078]: START: smtp pid=2654 from=173.44.146.113
Mar 22 08:10:05 xxxxx-www xinetd[27078]: START: smtp pid=2656 from=173.44.146.112
Mar 22 08:10:06 xxxxx-www xinetd[27078]: START: smtp pid=2657 from=173.44.146.111
Mar 22 08:10:06 xxxxx-www xinetd[27078]: START: smtp pid=2658 from=173.44.146.110
Mar 22 08:10:06 xxxxx-www xinetd[27078]: START: smtp pid=2659 from=173.44.146.109
Mar 22 08:10:06 xxxxx-www xinetd[27078]: START: smtp pid=2661 from=173.44.146.108
Mar 22 08:10:07 xxxxx-www xinetd[27078]: START: smtp pid=2662 from=173.44.146.107
Mar 22 08:10:07 xxxxx-www xinetd[27078]: START: smtp pid=2663 from=173.44.146.106
Mar 22 08:10:07 xxxxx-www xinetd[27078]: START: smtp pid=2664 from=173.44.146.105
Mar 22 08:10:07 xxxxx-www xinetd[27078]: START: smtp pid=2665 from=173.44.146.104
Mar 22 08:10:08 xxxxx-www xinetd[27078]: START: smtp pid=2666 from=173.44.146.103
Mar 22 08:10:08 xxxxx-www xinetd[27078]: START: smtp pid=2667 from=173.44.146.102
Mar 22 08:10:08 xxxxx-www xinetd[27078]: START: smtp pid=2668 from=173.44.146.101
Mar 22 08:10:08 xxxxx-www xinetd[27078]: START: smtp pid=2669 from=173.44.146.100
Mar 22 08:10:08 xxxxx-www xinetd[27078]: START: smtp pid=2671 from=173.44.146.99
Mar 22 08:10:13 xxxxx-www xinetd[27078]: START: smtp pid=2676 from=173.44.146.97
Mar 22 08:10:13 xxxxx-www xinetd[27078]: START: smtp pid=2678 from=173.44.146.96
Mar 22 08:10:14 xxxxx-www xinetd[27078]: START: smtp pid=2679 from=173.44.146.234
Mar 22 08:10:14 xxxxx-www xinetd[27078]: START: smtp pid=2680 from=173.44.146.175
Mar 22 08:10:14 xxxxx-www xinetd[27078]: START: smtp pid=2681 from=173.44.146.174
Mar 22 08:10:14 xxxxx-www xinetd[27078]: START: smtp pid=2682 from=173.44.146.173
Mar 22 08:10:14 xxxxx-www xinetd[27078]: START: smtp pid=2684 from=173.44.146.172
Mar 22 08:10:14 xxxxx-www xinetd[27078]: START: smtp pid=2685 from=173.44.146.171
Mar 22 08:10:14 xxxxx-www xinetd[27078]: START: smtp pid=2686 from=173.44.146.170
Mar 22 08:10:14 xxxxx-www xinetd[27078]: START: smtp pid=2687 from=173.44.146.169
Mar 22 08:10:14 xxxxx-www xinetd[27078]: START: smtp pid=2688 from=173.44.146.167
Mar 22 08:10:15 xxxxx-www xinetd[27078]: START: smtp pid=2689 from=173.44.146.166
Mar 22 08:10:15 xxxxx-www xinetd[27078]: START: smtp pid=2690 from=173.44.146.165
Mar 22 08:10:15 xxxxx-www xinetd[27078]: START: smtp pid=2692 from=173.44.146.164
Mar 22 08:10:15 xxxxx-www xinetd[27078]: START: smtp pid=2693 from=173.44.146.163
Mar 22 08:10:15 xxxxx-www xinetd[27078]: START: smtp pid=2694 from=173.44.146.162
Mar 22 08:10:15 xxxxx-www xinetd[27078]: START: smtp pid=2695 from=173.44.146.161
Mar 22 08:10:15 xxxxx-www xinetd[27078]: START: smtp pid=2696 from=173.44.146.160
Mar 22 08:10:15 xxxxx-www xinetd[27078]: START: smtp pid=2697 from=173.44.146.159
Mar 22 08:10:38 xxxxx-www xinetd[27078]: START: smtp pid=2734 from=173.44.146.151
Mar 22 08:10:38 xxxxx-www xinetd[27078]: START: smtp pid=2735 from=173.44.146.150
Mar 22 08:10:38 xxxxx-www xinetd[27078]: START: smtp pid=2736 from=173.44.146.148
Mar 22 08:10:38 xxxxx-www xinetd[27078]: START: smtp pid=2737 from=173.44.146.147
Mar 22 08:10:38 xxxxx-www xinetd[27078]: START: smtp pid=2738 from=173.44.146.146
Mar 22 08:10:39 xxxxx-www xinetd[27078]: START: smtp pid=2739 from=173.44.146.145
Mar 22 08:10:39 xxxxx-www xinetd[27078]: START: smtp pid=2741 from=173.44.146.144
Mar 22 08:10:39 xxxxx-www xinetd[27078]: START: smtp pid=2742 from=173.44.146.143
Mar 22 08:10:39 xxxxx-www xinetd[27078]: START: smtp pid=2743 from=173.44.146.142
Mar 22 08:10:39 xxxxx-www xinetd[27078]: START: smtp pid=2744 from=173.44.146.141
Mar 22 08:10:39 xxxxx-www xinetd[27078]: START: smtp pid=2745 from=173.44.146.140
Mar 22 08:10:39 xxxxx-www xinetd[27078]: START: smtp pid=2746 from=173.44.146.139
Mar 22 08:10:39 xxxxx-www xinetd[27078]: START: smtp pid=2747 from=173.44.146.138
Mar 22 08:10:39 xxxxx-www xinetd[27078]: START: smtp pid=2748 from=173.44.146.137
Mar 22 08:10:39 xxxxx-www xinetd[27078]: START: smtp pid=2749 from=173.44.146.136
Mar 22 08:10:40 xxxxx-www xinetd[27078]: START: smtp pid=2750 from=173.44.146.135
Mar 22 08:10:40 xxxxx-www xinetd[27078]: START: smtp pid=2751 from=173.44.146.134
Mar 22 08:10:40 xxxxx-www xinetd[27078]: START: smtp pid=2753 from=173.44.146.133
Mar 22 08:10:40 xxxxx-www xinetd[27078]: START: smtp pid=2754 from=173.44.146.132
Mar 22 08:10:40 xxxxx-www xinetd[27078]: START: smtp pid=2755 from=173.44.146.131
Mar 22 08:10:40 xxxxx-www xinetd[27078]: START: smtp pid=2756 from=173.44.146.130
Mar 22 08:10:40 xxxxx-www xinetd[27078]: START: smtp pid=2757 from=173.44.146.129
Mar 22 08:10:40 xxxxx-www xinetd[27078]: START: smtp pid=2758 from=173.44.146.128
Mar 22 08:10:40 xxxxx-www xinetd[27078]: START: smtp pid=2760 from=173.44.146.127
Mar 22 08:10:40 xxxxx-www xinetd[27078]: START: smtp pid=2761 from=173.44.146.126
Mar 22 08:10:41 xxxxx-www xinetd[27078]: START: smtp pid=2762 from=173.44.146.125
Mar 22 08:10:41 xxxxx-www xinetd[27078]: START: smtp pid=2763 from=173.44.146.124
Mar 22 08:10:41 xxxxx-www xinetd[27078]: START: smtp pid=2764 from=173.44.146.123
Mar 22 08:10:41 xxxxx-www xinetd[27078]: START: smtp pid=2765 from=173.44.146.122
Mar 22 08:10:41 xxxxx-www xinetd[27078]: START: smtp pid=2766 from=173.44.146.121
Mar 22 08:10:41 xxxxx-www xinetd[27078]: START: smtp pid=2767 from=173.44.146.120
Mar 22 08:10:41 xxxxx-www xinetd[27078]: START: smtp pid=2769 from=173.44.146.119
Mar 22 08:10:41 xxxxx-www xinetd[27078]: START: smtp pid=2770 from=173.44.146.118
Mar 22 08:10:41 xxxxx-www xinetd[27078]: START: smtp pid=2771 from=173.44.146.208
Mar 22 08:10:42 xxxxx-www xinetd[27078]: START: smtp pid=2772 from=173.44.146.207
Mar 22 08:10:42 xxxxx-www xinetd[27078]: START: smtp pid=2773 from=173.44.146.205
Mar 22 08:10:42 xxxxx-www xinetd[27078]: START: smtp pid=2774 from=173.44.146.204
Mar 22 08:10:42 xxxxx-www xinetd[27078]: START: smtp pid=2776 from=173.44.146.203
Mar 22 08:10:42 xxxxx-www xinetd[27078]: START: smtp pid=2777 from=173.44.146.202
Mar 22 08:10:42 xxxxx-www xinetd[27078]: START: smtp pid=2778 from=173.44.146.201
Mar 22 08:10:42 xxxxx-www xinetd[27078]: START: smtp pid=2779 from=173.44.146.200
Mar 22 08:10:42 xxxxx-www xinetd[27078]: START: smtp pid=2780 from=173.44.146.199
Mar 22 08:10:42 xxxxx-www xinetd[27078]: START: smtp pid=2781 from=173.44.146.198
Mar 22 08:10:42 xxxxx-www xinetd[27078]: START: smtp pid=2782 from=173.44.146.197
Mar 22 08:10:43 xxxxx-www xinetd[27078]: START: smtp pid=2783 from=173.44.146.195
Mar 22 08:10:43 xxxxx-www xinetd[27078]: START: smtp pid=2784 from=173.44.146.194
Mar 22 08:10:43 xxxxx-www xinetd[27078]: START: smtp pid=2786 from=173.44.146.193
Mar 22 08:10:43 xxxxx-www xinetd[27078]: START: smtp pid=2787 from=173.44.146.192
Mar 22 08:10:43 xxxxx-www xinetd[27078]: START: smtp pid=2788 from=173.44.146.191
Mar 22 08:10:43 xxxxx-www xinetd[27078]: START: smtp pid=2789 from=173.44.146.190
Mar 22 08:10:43 xxxxx-www xinetd[27078]: START: smtp pid=2790 from=173.44.146.189
Mar 22 08:10:56 xxxxx-www xinetd[27078]: START: smtp pid=2824 from=173.44.146.188
Mar 22 08:10:56 xxxxx-www xinetd[27078]: START: smtp pid=2825 from=173.44.146.187
Mar 22 08:10:57 xxxxx-www xinetd[27078]: START: smtp pid=2826 from=173.44.146.186
Mar 22 08:10:57 xxxxx-www xinetd[27078]: START: smtp pid=2827 from=173.44.146.185
Mar 22 08:10:57 xxxxx-www xinetd[27078]: START: smtp pid=2828 from=173.44.146.183
Mar 22 08:10:57 xxxxx-www xinetd[27078]: START: smtp pid=2830 from=173.44.146.182
Mar 22 08:10:58 xxxxx-www xinetd[27078]: START: smtp pid=2831 from=173.44.146.181
Mar 22 08:10:58 xxxxx-www xinetd[27078]: START: smtp pid=2832 from=173.44.146.180
Mar 22 08:10:58 xxxxx-www xinetd[27078]: START: smtp pid=2833 from=173.44.146.179
Mar 22 08:10:59 xxxxx-www xinetd[27078]: START: smtp pid=2834 from=173.44.146.178
Mar 22 08:10:59 xxxxx-www xinetd[27078]: START: smtp pid=2836 from=173.44.146.177
Mar 22 08:10:59 xxxxx-www xinetd[27078]: START: smtp pid=2837 from=173.44.146.176
Mar 22 08:11:00 xxxxx-www xinetd[27078]: START: smtp pid=2838 from=173.44.146.158
Mar 22 08:11:00 xxxxx-www xinetd[27078]: START: smtp pid=2839 from=173.44.146.157
Mar 22 08:11:00 xxxxx-www xinetd[27078]: START: smtp pid=2842 from=173.44.146.156
Mar 22 08:11:00 xxxxx-www xinetd[27078]: START: smtp pid=2843 from=173.44.146.184
Mar 22 08:11:01 xxxxx-www xinetd[27078]: START: smtp pid=2844 from=173.44.146.184
66.181.184.0/24 has been listed on Spamhaus as a snowshoe range spammer since December 28, 2009.
66.181.191.0/24 has been listed on Spamhaus as a snowshoe range since December 22, 2009.
During a period of approximately two days in March, one mail server experienced 51,161 SMTP connections from addresses within these two ranges:
[xxxxx@xxxxx-www log]# grep -c 66.181.184. secure.1
24492 (smtp connections)
[xxxxx@xxxxx-www log]# grep -c 66.181.191. secure.1
24336 (smtp connections)
[xxxxx@xxxxx-www log]# grep -c 66.181.191. secure.2
1199 (smtp connections)
[xxxxx@xxxxx-www log]# grep -c 66.181.184. secure.2
1134 (smtp connections)
A small sample of the server logs:
66.181.184.0/24
Mar 15 10:44:44 xxxxx-www xinetd[27078]: START: smtp pid=9569 from=66.181.184.40
Mar 15 10:44:44 xxxxx-www xinetd[27078]: START: smtp pid=9571 from=66.181.184.39
Mar 15 10:44:45 xxxxx-www xinetd[27078]: START: smtp pid=9572 from=66.181.184.38
Mar 15 10:44:45 xxxxx-www xinetd[27078]: START: smtp pid=9573 from=66.181.184.37
Mar 15 10:44:45 xxxxx-www xinetd[27078]: START: smtp pid=9575 from=66.181.184.36
Mar 15 10:44:45 xxxxx-www xinetd[27078]: START: smtp pid=9578 from=66.181.184.35
Mar 15 10:44:45 xxxxx-www xinetd[27078]: START: smtp pid=9579 from=66.181.184.34
Mar 15 10:44:45 xxxxx-www xinetd[27078]: START: smtp pid=9580 from=66.181.184.33
Mar 15 10:44:46 xxxxx-www xinetd[27078]: START: smtp pid=9582 from=66.181.184.32
Mar 15 10:44:46 xxxxx-www xinetd[27078]: START: smtp pid=9583 from=66.181.184.31
Mar 15 10:44:46 xxxxx-www xinetd[27078]: START: smtp pid=9584 from=66.181.184.30
Mar 15 10:44:46 xxxxx-www xinetd[27078]: START: smtp pid=9586 from=66.181.184.29
Mar 15 10:44:46 xxxxx-www xinetd[27078]: START: smtp pid=9588 from=66.181.184.28
Mar 15 10:44:46 xxxxx-www xinetd[27078]: START: smtp pid=9589 from=66.181.184.27
Mar 15 10:44:46 xxxxx-www xinetd[27078]: START: smtp pid=9590 from=66.181.184.26
Mar 15 10:44:47 xxxxx-www xinetd[27078]: START: smtp pid=9591 from=66.181.184.25
Mar 15 10:44:47 xxxxx-www xinetd[27078]: START: smtp pid=9592 from=66.181.184.24
Mar 15 10:44:48 xxxxx-www xinetd[27078]: START: smtp pid=9593 from=66.181.184.23
Mar 15 10:44:48 xxxxx-www xinetd[27078]: START: smtp pid=9594 from=66.181.184.22
Mar 15 10:44:48 xxxxx-www xinetd[27078]: START: smtp pid=9595 from=66.181.184.21
66.181.191.0/24
Mar 15 09:24:48 xxxxx-www xinetd[27078]: START: smtp pid=31458 from=66.181.191.158
Mar 15 09:24:48 xxxxx-www xinetd[27078]: START: smtp pid=31459 from=66.181.191.157
Mar 15 09:24:48 xxxxx-www xinetd[27078]: START: smtp pid=31460 from=66.181.191.156
Mar 15 09:24:48 xxxxx-www xinetd[27078]: START: smtp pid=31461 from=66.181.191.155
Mar 15 09:24:48 xxxxx-www xinetd[27078]: START: smtp pid=31462 from=66.181.191.154
Mar 15 09:24:48 xxxxx-www xinetd[27078]: START: smtp pid=31463 from=66.181.191.153
Mar 15 09:24:48 xxxxx-www xinetd[27078]: START: smtp pid=31464 from=66.181.191.152
Mar 15 09:24:49 xxxxx-www xinetd[27078]: START: smtp pid=31465 from=66.181.191.151
Mar 15 09:24:49 xxxxx-www xinetd[27078]: START: smtp pid=31466 from=66.181.191.150
Mar 15 09:24:49 xxxxx-www xinetd[27078]: START: smtp pid=31467 from=66.181.191.149
Mar 15 09:24:49 xxxxx-www xinetd[27078]: START: smtp pid=31468 from=66.181.191.148
Mar 15 09:24:49 xxxxx-www xinetd[27078]: START: smtp pid=31470 from=66.181.191.147
Mar 15 09:24:49 xxxxx-www xinetd[27078]: START: smtp pid=31471 from=66.181.191.146
Mar 15 09:24:49 xxxxx-www xinetd[27078]: START: smtp pid=31472 from=66.181.191.145
Mar 15 09:24:50 xxxxx-www xinetd[27078]: START: smtp pid=31473 from=66.181.191.144
Mar 15 09:24:50 xxxxx-www xinetd[27078]: START: smtp pid=31474 from=66.181.191.143
Mar 15 09:24:50 xxxxx-www xinetd[27078]: START: smtp pid=31475 from=66.181.191.142
Mar 15 09:24:50 xxxxx-www xinetd[27078]: START: smtp pid=31476 from=66.181.191.141
Mar 15 09:24:50 xxxxx-www xinetd[27078]: START: smtp pid=31477 from=66.181.191.140
Mar 15 09:24:50 xxxxx-www xinetd[27078]: START: smtp pid=31478 from=66.181.191.139
Mar 15 09:24:51 xxxxx-www xinetd[27078]: START: smtp pid=31479 from=66.181.191.138
Mar 15 09:24:51 xxxxx-www xinetd[27078]: START: smtp pid=31480 from=66.181.191.137
Mar 15 09:24:51 xxxxx-www xinetd[27078]: START: smtp pid=31481 from=66.181.191.136
Mar 15 09:24:51 xxxxx-www xinetd[27078]: START: smtp pid=31482 from=66.181.191.135
Mar 15 09:24:51 xxxxx-www xinetd[27078]: START: smtp pid=31483 from=66.181.191.134
Mar 15 09:24:51 xxxxx-www xinetd[27078]: START: smtp pid=31484 from=66.181.191.133
Mar 15 09:24:52 xxxxx-www xinetd[27078]: START: smtp pid=31485 from=66.181.191.132
Mar 15 09:24:52 xxxxx-www xinetd[27078]: START: smtp pid=31486 from=66.181.191.131
Mar 15 09:24:52 xxxxx-www xinetd[27078]: START: smtp pid=31487 from=66.181.191.130
Regardless of the payload, the traffic from snowshoe spam can cripple your web and mail servers. We are seeing a higher volume of malicious traffic beginning on weekends and lasting through Monday mornings. Weekends seem to be the time when IT personnel are scarce, which provides a perfect window to launch such snowshoe spam assaults and avoid detection.
Monitor your traffic. Watch your logs. Respond quickly and accordingly.
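One way to automate the log check described above, as an added example that is not part of the original article: it reads xinetd "START: smtp" lines in the format of the samples, groups source addresses by /24, and flags a network when many distinct hosts connect inside a short sliding window. The function names, the 60-second window, the 20-host threshold, the supplied year and the sample lines (documentation IP ranges, host "mx1") are assumptions made for illustration.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the xinetd "START: smtp" lines in the format shown in the article.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ xinetd\[\d+\]: "
    r"START: smtp pid=\d+ from=(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s*$"
)


def parse(lines, year=2010):
    """Yield (timestamp, IPv4Address) per SMTP connection; skip other lines."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        try:
            # Syslog timestamps carry no year, so it is supplied (assumption).
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            ip = ipaddress.IPv4Address(m["ip"])
        except ValueError:
            continue  # malformed date or an octet above 255
        yield ts, ip


def detect_snowshoe(lines, window=timedelta(seconds=60), min_hosts=20, prefix=24):
    """Flag networks where many distinct hosts connect inside one time window.

    A single busy sender has a high connection count but one address; the
    snowshoe pattern is a high count of distinct addresses in a short span.
    """
    by_net = defaultdict(list)
    for ts, ip in parse(lines):
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        by_net[net].append((ts, ip))

    findings = []
    for net, events in by_net.items():
        events.sort(key=lambda e: e[0])
        in_window = defaultdict(int)  # address -> connections inside the window
        left = peak = 0
        for ts, ip in events:
            in_window[ip] += 1
            # Drop events that have fallen out of the sliding window.
            while ts - events[left][0] > window:
                old = events[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            peak = max(peak, len(in_window))
        if peak >= min_hosts:
            findings.append({
                "network": str(net),
                "connections": len(events),
                "distinct_hosts": len({ip for _, ip in events}),
                "peak_hosts_in_window": peak,
            })
    return sorted(findings, key=lambda f: f["peak_hosts_in_window"], reverse=True)


def sample_log():
    """Constructed sample lines (documentation IP ranges, hypothetical host mx1)."""
    start = datetime(2010, 3, 22, 8, 9, 16)
    fmt = "{:%b %d %H:%M:%S} mx1 xinetd[27078]: START: smtp pid={} from={}"
    lines = []
    for i in range(40):  # 40 addresses walked in sequence, four per second
        lines.append(fmt.format(start + timedelta(seconds=i // 4), 2410 + i,
                                f"203.0.113.{98 - i}"))
    for i in range(40):  # one busy but ordinary sender: 40 connections, 1 address
        lines.append(fmt.format(start + timedelta(seconds=i), 3000 + i,
                                "198.51.100.7"))
    lines.append("Mar 22 08:09:20 mx1 sshd[311]: Accepted publickey for admin")
    return lines


if __name__ == "__main__":
    for finding in detect_snowshoe(sample_log()):
        print(finding)
```

Grouping with the ipaddress module also gives an exact prefix match, whereas an unescaped dot in a plain grep pattern matches any character (grep -F or escaped dots avoid that). The window and host threshold should be tuned against a mail server's normal traffic before the output is used for blocking.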