On 8 Jun 2016, at 9:10, RW wrote:
On Wed, 8 Jun 2016 13:48:13 +0200
Reindl Harald wrote:
[...]
but that doesn't mean that when my machine is hacked, sending snowshoe spam,
and it *has* a dynamic IP, it doesn't get listed at
css.spamhaus.org for that reason

one hour later you or anybody else could end up getting the very same IP

No, because they aren't addresses from dynamic pools.

The initial announcement of the CSS
(https://www.spamhaus.org/news/article/646) was explicit about that: CSS
lists statically assigned addresses. CSS lists single addresses because
it is not always clear where the boundaries of a snowshoe range are and
in some cases snowshoers have scattered their systems amongst legitimate
mail systems, apparently with ISP or hosting reseller complicity.

There also seems to be some misunderstanding about what constitutes
"snowshoe spam". To the best of my knowledge, Steve Linford of Spamhaus
coined the term (circa 2003) so the Spamhaus explanations of it get
seniority. One from before the CSS existed is at
https://www.spamhaus.org/news/article/641
Important from that article is this distinction:

    Where botnet spammers hide behind illegally obtained Trojan horse proxies,
    snowshoers pay ISPs for many diverse IP ranges for their spam spigots.

Snowshoe spam isn't defined by its content, although the snowshoe
strategy is a good fit for spam that is plausibly legitimate: a cut
above what comes out of botnets. Snowshoers tend not to do phishing and
malware distribution, but rather mostly send what can be called
"superficially CAN-SPAM-compliant spam" in reference to the very loose
US federal law regulating spam. Snowshoe spam has been responsible for
beclowning some true believers in anti-spam magic bullets (e.g. SPF)
because snowshoers spend real money and make a real effort to evade easy
filtering and seem to recipients like it might be somewhat legitimate. A
compromised machine on a dynamically-assigned address might be a conduit
for superficially similar spam with similar content but that does not
make it "snowshoe spam." Snowshoe is a technical strategy, not a flavor
of spam.

The main Spamhaus CSS description page *is* a bit vague and I suspect
that's partly to avoid telling snowshoers how to avoid CSS detection and
partly because CSS is not perfectly 100% snowshoe spammers. CSS does
automated detection using a composite of criteria that are designed to
identify snowshoers and it catches a small number of chronically abused
insecure web servers as a side effect because they share some
characteristics, such as being on static IPs in cheap sloppy hosting
networks. It is also helpful to understand the nuance of "compromised
host" in the CSS description. The word "host" implies a machine that
isn't a personal computer, is rarely shut down or rebooted, isn't
getting a different address from DHCP every time it boots, and has
symmetric A and PTR records in DNS that are not derived from its IP.
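As an added example (not part of this thread, and not Spamhaus code), here is a small Python check of the "host" criteria described above: whether an address's PTR and A records are symmetric (forward-confirmed rDNS) and whether the PTR name looks like it was generated from the IP. The DNS data is a constructed table using documentation addresses, not live lookups.

```python
import re

# Constructed sample records (RFC 5737 documentation addresses), not live DNS:
# ip -> (PTR name, A records returned when that PTR name is resolved forward)
SAMPLE_DNS = {
    "203.0.113.25": ("mail.example.net", ["203.0.113.25"]),
    "203.0.113.77": ("203-0-113-77.static.example.net", ["203.0.113.77"]),
    "192.0.2.44": ("cust-2-44.dyn.example.com", ["192.0.2.44"]),
    "198.51.100.9": ("mx.example.org", ["198.51.100.10"]),
}


def ptr_looks_derived_from_ip(ip: str, ptr: str) -> bool:
    """True if the PTR name appears to be generated from the IPv4 address.

    Looks for the whole address in dotted, dashed, reversed, zero-padded
    and hex forms, then for the last two octets joined by '-' or '.'
    (e.g. cust-2-44), which is common in ISP-generated names.
    """
    octets = ip.split(".")
    name = ptr.lower().rstrip(".")
    full_forms = [
        "-".join(octets), ".".join(octets),
        "-".join(reversed(octets)), ".".join(reversed(octets)),
        "".join(f"{int(o):03d}" for o in octets),   # e.g. 203000113077
        "".join(f"{int(o):02x}" for o in octets),   # e.g. cb00714d
    ]
    if any(form in name for form in full_forms):
        return True
    tail = rf"(?<![0-9]){octets[2]}[-.]{octets[3]}(?![0-9])"
    return re.search(tail, name) is not None


def classify_host(ip: str, ptr: str, forward_a: list[str]) -> str:
    """'host'      : PTR resolves back to ip and is not derived from it
       'generic'   : symmetric, but the name is derived from the address
       'asymmetric': PTR does not resolve back to ip (FCrDNS fails)"""
    if ip not in forward_a:
        return "asymmetric"
    return "generic" if ptr_looks_derived_from_ip(ip, ptr) else "host"


if __name__ == "__main__":
    for ip, (ptr, a_records) in SAMPLE_DNS.items():
        print(f"{ip:<14} {ptr:<34} {classify_host(ip, ptr, a_records)}")
```

Only "host" results satisfy the naming side of the "compromised host" description; a "generic" name is the dynamic-pool style that the CSS, by its own announcement, is not meant to list.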