Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


04:50 PM
Connect Directly

Spammers Work Up A Hailstorm

In their constant effort to evade anti-spam filters, spammers have devised a new way to deliver junk mail to your inbox.

With the best anti-spam systems being able to catch upwards of 99.9% of all spam email passing through them these days, spammers have been forced to constantly adapt and evolve their tactics. Researchers at Cisco Talos this week have an alert on the newest one.

The method is dubbed "hailstorm" and builds on an existing tactic favored by spammers called "snowshoe."

In snowshoe campaigns, spammers try to evade spam filters by sending bulk email from a very large number of IP addresses while ensuring that the volume of spam from each address itself is low. The goal with the approach is to try and stay under the radar of volume-based anti-spam systems by distributing the bulk email sending over a large network of computers.

Hailstorm spam also gets sent via a large network of sender IP addresses. The difference is that instead of sending a low volume of spam from each IP device, spammers send a very high volume in a short burst. "In fact, some hailstorm spam attacks end just around the time the fastest traditional anti-spam defenses can update in response," Cisco Talos researchers Jakob Dohrmann, David Rodriguez, and Jaeson Schultz wrote in the alert posted today.

The DNS query volumes associated with each method highlight the difference between a typical snowshoe campaign and a typical hailstorm attack, the researchers said.

For instance, the maximum query volume for a domain involved in a snowshoe campaign that the researchers analyzed was just 35 queries per hour. In contrast, when the researches looked at the DNS query volume for a domain caught up in a hailstorm campaign, they noticed practically no query volume for a period of time. Then they saw a sudden brief volume spike to over 75,000 queries per hour, and then back again to almost nothing. The initial spike in volume was caused by mail server activity associated with a sudden influx of emails, the researchers said.

“Hailstorm spammers are exploiting the tiny window of time from when the spam campaign begins and the anti-spam coverage is in place,” says Jaeson Schultz, technical leader, Cisco Talos. “During this window of time, they are able to land their mail into the inbox.”

Unlike snowshoe spammers who try to stay low, Hailstorm spammers do not appear interested in maintaining their cover for long. “The goal of hailstorm spam, rather, is to send as much email as possible as quickly as possible,” he says.

Analysis shows that spammers are using IP addresses around the world to propagate hailstorm spam. A bulk of the spam email however appears to be coming from IP addresses based in five countries—the US, Germany, Great Britain, Netherlands, and Russia.

As with most bulk email, hailstorm spam campaigns are more of a nuisance for end users rather than a threat. But the success that spammers appear to be having with hailstorm is prompting interest in the use of the technique for other, more dangerous, purposes as well. For instance, botnets such as Necurs have begun using hailstorm tactics to distribute malware, the Cisco Talos reearchers said.

Attacks from Necurs, for example, are largely distributing Dridex banking malware and Locky ransomware. “Evidently, this criminal activity is profitable enough to sustain these types of spam campaigns,” Schultz says.

From an adversary standpoint, the snowshoe method is better suited for spammers selling products because it gives them a way to remain hidden for longer from anti-spam systems.

Cybercrime activities such as distributing malware, meanwhile, tend to attract vastly more attention than spam, so for cybercriminals, hailstorm spam is a better choice, Schutz says. “Hailstorm campaigns will be caught rather quickly, but they will still manage to compromise enough victims to turn a profit.”

Related stories:


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
7 Old IT Things Every New InfoSec Pro Should Know
Joan Goodchild, Staff Editor,  4/20/2021
Cloud-Native Businesses Struggle With Security
Robert Lemos, Contributing Writer,  5/6/2021
Defending Against Web Scraping Attacks
Rob Simon, Principal Security Consultant at TrustedSec,  5/7/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-05-15
A XSS Vulnerability in /uploads/dede/action_search.php in DedeCMS V5.7 SP2 allows an authenticated user to execute remote arbitrary code via the keyword parameter.
PUBLISHED: 2021-05-15
DedeCMS V5.7 SP2 contains a CSRF vulnerability that allows a remote attacker to send a malicious request to to the web manager allowing remote code execution.
PUBLISHED: 2021-05-14
The Linux kernel before 5.11.14 has a use-after-free in cipso_v4_genopt in net/ipv4/cipso_ipv4.c because the CIPSO and CALIPSO refcounting for the DOI definitions is mishandled, aka CID-ad5d07f4a9cd. This leads to writing an arbitrary value.
PUBLISHED: 2021-05-14
In the Linux kernel before 5.12.4, net/bluetooth/hci_event.c has a use-after-free when destroying an hci_chan, aka CID-5c4c8c954409. This leads to writing an arbitrary value.
PUBLISHED: 2021-05-14
The block subsystem in the Linux kernel before 5.2 has a use-after-free that can lead to arbitrary code execution in the kernel context and privilege escalation, aka CID-c3e2219216c9. This is related to blk_mq_free_rqs and blk_cleanup_queue.