
The Resurgence of Snowshoe Spam

Global spam problems have significantly increased during the first quarter of 2010, with a rise in snowshoe spam and an exponential growth in botnet spam distribution. Snowshoe spam, which rose dramatically during the final quarter of 2009 before tapering off in January, is now experiencing a resurgence.

Snowshoe spam comes from a central point of origin but uses a wide variety of IP addresses to cloak the spam. These addresses are typically within a /24 range but may encompass much larger address blocks. In this type of operation the spam is spewed from a network, rapidly stepping through the IP addresses within the network and emitting spam in a wide footprint. The intent is to make the technique more efficient and more difficult to identify. In such a coordinated effort the high volume of spam can become a Distributed Denial of Service attack, collapsing mail servers and disrupting legitimate network traffic.

Fortunately, monitoring live traffic will help the webmaster or network administrator quickly spot the traffic. Snowshoe spam is not safe, nor is it subtle. To help you better understand snowshoe spam traffic we will show you three samples of actual network traffic. Each of these networks has been identified by Spamhaus as a known spammer.

First, our typical disclaimer: While the evidence logs we present to you are factual and true, they should not be construed as an allegation of wrongdoing by the owner or owners of the networks mentioned. They may be completely unaware of a possible problem.

Here are some real-world examples:

173.44.146.0/24 was identified by Spamhaus as a spam block on March 21, 2010. Over the course of nine hours, IPs allegedly on this network made 4409 SMTP connections to one mail server:

[xxxx@xxxxx-www log]# grep -c 173.44.146. secure
4409 (smtp connections)
66.181.184.0/24 has been listed on Spamhaus as a snowshoe range spammer since December 28, 2009. 66.181.191.0/24 has been listed on Spamhaus as a snowshoe range since December 22, 2009. During a period of approximately two days in March, one mail server experienced 51,161 SMTP connections from addresses within these two ranges:

[xxxxx@xxxxx-www log]# grep -c 66.181.184. secure.1
24492 (smtp connections)
[xxxxx@xxxxx-www log]# grep -c 66.181.191. secure.1
24336 (smtp connections)
[xxxxx@xxxxx-www log]# grep -c 66.181.191. secure.2
1199 (smtp connections)
[xxxxx@xxxxx-www log]# grep -c 66.181.184. secure.2
1134 (smtp connections)

A small sample of the server logs:
Regardless of the payload, the traffic from snowshoe spam can cripple your web and mail servers. We are seeing a higher volume of malicious traffic beginning on weekends and lasting through Monday mornings. Weekends seem to be the time when IT personnel are scarce, thus providing a perfect time window to launch such snowshoe spam assaults and avoid detection.

Monitor your traffic. Watch your logs. Respond quickly and accordingly.
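
The grep -c counts in this article only work once the prefix is already known. The following added example, which is not part of the original article, scans xinetd "START: smtp" lines from a secure log and flags any /24 in which many distinct addresses connect within a short window. The thresholds, the year parameter (syslog timestamps omit the year), the function names and the sample log lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# xinetd connection line format, e.g. (constructed):
# "Mar 15 10:44:44 mailhost xinetd[1234]: START: smtp pid=9000 from=198.51.100.40"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ xinetd\[\d+\]: "
    r"START: smtp pid=\d+ from=(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s*$"
)


def parse_line(line, year):
    """Return (timestamp, IPv4Address) for an xinetd smtp START line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    try:
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        ip = ipaddress.IPv4Address(m["ip"])
    except ValueError:  # impossible date or an octet above 255
        return None
    return ts, ip


def find_snowshoe_blocks(lines, year=2010, window_s=60, min_hosts=8, prefix=24):
    """Flag blocks where >= min_hosts distinct addresses connect within window_s.

    Assumes lines are in chronological order, as they are in a syslog file.
    """
    window = timedelta(seconds=window_s)
    recent = defaultdict(deque)  # block -> (ts, ip) pairs still inside the window
    totals = defaultdict(int)    # block -> all smtp connections seen in the log
    flagged = {}                 # block -> when it first crossed the threshold
    for line in lines:
        parsed = parse_line(line, year)
        if parsed is None:
            continue
        ts, ip = parsed
        block = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        totals[block] += 1
        q = recent[block]
        q.append((ts, ip))
        while q and ts - q[0][0] > window:
            q.popleft()
        distinct = len({addr for _, addr in q})
        if distinct >= min_hosts:
            entry = flagged.setdefault(block, {"first_seen": ts, "peak_hosts": 0})
            entry["peak_hosts"] = max(entry["peak_hosts"], distinct)
    return {str(b): {**e, "connections": totals[b]} for b, e in flagged.items()}


def constructed_sample():
    """Constructed log lines using documentation address ranges, not real traffic."""
    fmt = "Mar 15 10:{:02d}:{:02d} mailhost xinetd[1234]: START: smtp pid={} from={}"
    lines = []
    # Snowshoe-like: 12 neighbouring addresses walk past in about three seconds.
    for i in range(12):
        lines.append(fmt.format(44, 44 + i // 4, 9000 + i, f"198.51.100.{40 - i}"))
    # Busy single sender: many connections, but only one address in its /24.
    for i in range(12):
        lines.append(fmt.format(45, i, 9100 + i, "203.0.113.7"))
    # Ordinary block: three hosts, each several minutes apart.
    for i, host in enumerate((10, 11, 12)):
        lines.append(fmt.format(46 + 5 * i, 0, 9200 + i, f"192.0.2.{host}"))
    # Unrelated log line that must be ignored by the parser.
    lines.append("Mar 15 10:59:00 mailhost sshd[99]: Accepted publickey for admin")
    return lines


if __name__ == "__main__":
    for block, info in find_snowshoe_blocks(constructed_sample()).items():
        print(block, info["first_seen"], info["peak_hosts"], info["connections"])
```

Counting distinct addresses per block, rather than raw connections, is what separates the snowshoe pattern from a single busy sender, which produces the same connection count from one address.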