Hailstorm Spam Begins to Pelt

frogboy

Jun 9, 2013
The “hailstorm” spam technique has re-emerged, according to security researchers.

The Cisco Talos and Umbrella research teams, via a detection system which brings together machine learning, stream processing of DNS requests and the curated Talos email corpus, are tracking a cloudburst of hailstorm campaigns, which are sent out in very high volume over a short timespan. In fact, some hailstorm spam attacks end just around the time the fastest traditional anti-spam defenses can update in response.

Hailstorm is an evolution of traditional “snowshoe” spam campaigns, which are sent from a large number of IP addresses with a low volume of spam email per IP address. Using such techniques, snowshoe spammers intend to fly under the radar with respect to any reputation or volume-based metrics that could be applied by anti-spam systems.

The DNS query volume for a domain involved in a typical hailstorm attack might show practically no query volume, until the DNS query volume suddenly spikes to over 75,000 queries per hour, then drops back down to nothing.

“Hailstorm spam is being sent from IP addresses located all around the globe,” researchers said in a blog. “Looking at the geo-IP distribution from recent hailstorm spam campaigns, the US, Germany, Netherlands, Great Britain and Russia lead the pack in terms of volume of hailstorm spam sent by country. Hailstorm spam also involves domains registered at a wide array of top-level domains (TLDs). In a recent sample of about 500 hailstorm-related domains, the most common TLDs were .top, .bid, .us, .win and .stream.”

Most of the campaigns initially detected advertise products comprising home-surveillance systems, flashlights, dietary supplements and all sorts of items "as seen on TV". Services as diverse as bathroom remodeling, online degrees and psychic readings are common as well. The idea is to make money from generating traffic to affiliate pages.

Full Article. Hailstorm Spam Begins to Pelt
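
Added example, not part of the original post or of the Talos/Umbrella detection system: a minimal Python sketch of how a defender could flag the DNS pattern described above (near-zero volume, a short spike past 75,000 queries per hour, then silence) in hourly per-domain query counts. The domain names and counts are constructed sample data, and the `quiet` and `max_burst_hours` thresholds are assumptions; only the 75,000 figure comes from the article.

```python
from collections import defaultdict

# Constructed sample: (hour index, domain, DNS queries seen in that hour).
SAMPLE = (
    # Burst-shaped domain: silent, a short spike, silent again.
    [(h, "burst-domain.example", c)
     for h, c in [(3, 2), (10, 40_000), (11, 82_000), (12, 5_000), (20, 1)]]
    # Busy legitimate domain: high volume, but all day long.
    + [(h, "mail.example.com", 90_000) for h in range(24)]
    # Low, steady sender: never approaches the spike threshold.
    + [(h, "newsletter.example.org", 500) for h in range(8, 18)]
)


def hourly_series(records, hours):
    """Aggregate raw records into one fixed-length count list per domain."""
    series = defaultdict(lambda: [0] * hours)
    for hour, domain, count in records:
        series[domain][hour] += count
    return series


def find_hailstorm_domains(records, hours, spike=75_000, quiet=100,
                           max_burst_hours=3):
    """Return {domain: (first_active_hour, last_active_hour, peak)}.

    A domain is flagged when its peak hour reaches `spike` and every hour
    with more than `quiet` queries falls inside one window of at most
    `max_burst_hours` hours (so it is quiet before and after the burst).
    """
    hits = {}
    for domain, counts in hourly_series(records, hours).items():
        active = [h for h, c in enumerate(counts) if c > quiet]
        if not active:
            continue
        first, last, peak = active[0], active[-1], max(counts)
        if peak >= spike and (last - first + 1) <= max_burst_hours:
            hits[domain] = (first, last, peak)
    return hits


if __name__ == "__main__":
    for name, (first, last, peak) in find_hailstorm_domains(SAMPLE, 24).items():
        print(f"{name}: burst in hours {first}-{last}, peak {peak} queries/hour")
```

Because the article notes that some campaigns end before defenses can update, a check like this is most useful when run over a sliding window on streaming DNS data rather than once per day.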
 
