Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


04:50 PM
Connect Directly

Spammers Work Up A Hailstorm

In their constant effort to evade anti-spam filters, spammers have devised a new way to deliver junk mail to your inbox.

With the best anti-spam systems being able to catch upwards of 99.9% of all spam email passing through them these days, spammers have been forced to constantly adapt and evolve their tactics. Researchers at Cisco Talos this week have an alert on the newest one.

The method is dubbed "hailstorm" and builds on an existing tactic favored by spammers called "snowshoe."

In snowshoe campaigns, spammers try to evade spam filters by sending bulk email from a very large number of IP addresses while ensuring that the volume of spam from each address itself is low. The goal with the approach is to try and stay under the radar of volume-based anti-spam systems by distributing the bulk email sending over a large network of computers.

Hailstorm spam also gets sent via a large network of sender IP addresses. The difference is that instead of sending a low volume of spam from each IP device, spammers send a very high volume in a short burst. "In fact, some hailstorm spam attacks end just around the time the fastest traditional anti-spam defenses can update in response," Cisco Talos researchers Jakob Dohrmann, David Rodriguez, and Jaeson Schultz wrote in the alert posted today.

The DNS query volumes associated with each method highlight the difference between a typical snowshoe campaign and a typical hailstorm attack, the researchers said.

For instance, the maximum query volume for a domain involved in a snowshoe campaign that the researchers analyzed was just 35 queries per hour. In contrast, when the researches looked at the DNS query volume for a domain caught up in a hailstorm campaign, they noticed practically no query volume for a period of time. Then they saw a sudden brief volume spike to over 75,000 queries per hour, and then back again to almost nothing. The initial spike in volume was caused by mail server activity associated with a sudden influx of emails, the researchers said.

“Hailstorm spammers are exploiting the tiny window of time from when the spam campaign begins and the anti-spam coverage is in place,” says Jaeson Schultz, technical leader, Cisco Talos. “During this window of time, they are able to land their mail into the inbox.”

Unlike snowshoe spammers who try to stay low, Hailstorm spammers do not appear interested in maintaining their cover for long. “The goal of hailstorm spam, rather, is to send as much email as possible as quickly as possible,” he says.

Analysis shows that spammers are using IP addresses around the world to propagate hailstorm spam. A bulk of the spam email however appears to be coming from IP addresses based in five countries—the US, Germany, Great Britain, Netherlands, and Russia.

As with most bulk email, hailstorm spam campaigns are more of a nuisance for end users rather than a threat. But the success that spammers appear to be having with hailstorm is prompting interest in the use of the technique for other, more dangerous, purposes as well. For instance, botnets such as Necurs have begun using hailstorm tactics to distribute malware, the Cisco Talos reearchers said.

Attacks from Necurs, for example, are largely distributing Dridex banking malware and Locky ransomware. “Evidently, this criminal activity is profitable enough to sustain these types of spam campaigns,” Schultz says.

From an adversary standpoint, the snowshoe method is better suited for spammers selling products because it gives them a way to remain hidden for longer from anti-spam systems.

Cybercrime activities such as distributing malware, meanwhile, tend to attract vastly more attention than spam, so for cybercriminals, hailstorm spam is a better choice, Schutz says. “Hailstorm campaigns will be caught rather quickly, but they will still manage to compromise enough victims to turn a profit.”

Related stories:


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
10 Ways to Keep a Rogue RasPi From Wrecking Your Network
Curtis Franklin Jr., Senior Editor at Dark Reading,  7/10/2019
The Security of Cloud Applications
Hillel Solow, CTO and Co-founder, Protego,  7/11/2019
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-07-16
An issue was discovered in python-engineio through 3.8.2. There is a Cross-Site WebSocket Hijacking (CSWSH) vulnerability that allows attackers to make WebSocket connections to a server by using a victim's credentials, because the Origin header is not restricted.
PUBLISHED: 2019-07-15
A Reflected Cross-site Scripting (XSS) vulnerability exists in Apache Roller. Roller's Math Comment Authenticator did not property sanitize user input and could be exploited to perform Reflected Cross Site Scripting (XSS). The mitigation for this vulnerability is to upgrade to the latest version of ...
PUBLISHED: 2019-07-15
A CWE-119 Buffer Errors vulnerability exists in Modicon M580 CPU - BMEP582040, all versions before V2.90, and Modicon Ethernet Module BMENOC0301, all versions before V2.16, which could cause denial of service on the FTP service of the controller or the Ethernet BMENOC module when it receives a FTP C...
PUBLISHED: 2019-07-15
A Use After Free: CWE-416 vulnerability exists in Zelio Soft 2, V5.2 and earlier, which could cause remote code execution when opening a specially crafted Zelio Soft 2 project file.
PUBLISHED: 2019-07-15
A CWE-94: Code Injection vulnerability exists in ProClima (all versions prior to version 8.0.0) which could allow an unauthenticated, remote attacker to execute arbitrary code on the targeted system in all versions of ProClima prior to version 8.0.0.