Melting the Snow: Using Active DNS Measurements to Detect Snowshoe Spam Domains

Olivier Isaac van der Toorn, Roland M. van Rijswijk, Bart Geesink, Anna Sperotto

    Research output: Chapter in Book/Report/Conference proceedingConference contributionAcademicpeer-review

    12 Citations (Scopus)
    22 Downloads (Pure)


    Snowshoe spam is a type of spam that is notoriously hard to detect. Anti-abuse vendors estimate that 15% of spam can be classified as snowshoe spam. Differently from regular spam, snowshoe spammers distribute sending of spam over many hosts, in order to evade detection by spam reputation systems (blacklists). To be successful spammers need to appear as legitimate as possible, for example, by adopting email best practices, such as the Sender Policy Framework (SPF). This requires spammers to register and configure legitimate DNS domains. Many previous studies have relied on DNS data to detect spam. However, this often happens based on passive DNS data. This limits detection to domains that have actually been used and have been observed on passive DNS sensors. To overcome this limitation, we take a different approach. We make use of active DNS measurements, covering more than 60% of the global DNS namespace, in combination with machine learning to identify malicious domains crafted for snowshoe spam. Our results show that we are able to detect snowshoe spam domains with a precision of over 93%. More importantly, we are able to detect a significant fraction of the malicious domains up to 100 days earlier than existing blacklists, which suggests our method can give us a time advantage in the fight against spam. In addition to testing the efficacy of our approach in comparison to existing blacklists, we validated our approach over a 3-month period in an actual mail filter system at a major Dutch network operator. Not only did this demonstrate that our approach works in practice, the operator has actually decided to deploy our method in production, based on the results obtained.

    Original languageEnglish
    Title of host publicationIEEE/IFIP Network Operations and Management Symposium
    Subtitle of host publicationCognitive Management in a Cyber World, NOMS 2018
    Number of pages9
    ISBN (Electronic)978-1-5386-3416-5, 978-1-5386-3415-8
    ISBN (Print)978-1-5386-3417-2
    Publication statusPublished - Jul 2018
    Event16th IEEE/IFIP Network Operations and Management Symposium 2018: Cognitive Management in a Cyber World - Taipei, Taiwan
    Duration: 23 Apr 201827 Apr 2018
    Conference number: 16


    Conference16th IEEE/IFIP Network Operations and Management Symposium 2018
    Abbreviated titleNOMS 2018
    Internet address


    Dive into the research topics of 'Melting the Snow: Using Active DNS Measurements to Detect Snowshoe Spam Domains'. Together they form a unique fingerprint.

    Cite this