Cisco Researchers Detail ‘Hailstorm’ Spam Detection Method

Owen Lystrup
Published in Shifted
2 min read, Dec 19, 2016

Researchers from Cisco’s security research team Talos and the research team at OpenDNS have combined data and machine learning techniques to detect an evolved spamming technique the team has dubbed “hailstorm.”

According to a post from Talos researchers, the historical method spam campaigns have used to evade volume-metric-based detection tools is known as “snowshoeing.” These campaigns are spread over a large number of IP addresses but send only a small number of spam e-mails per IP. They fly under the radar by delivering a very low volume from any single source.

In the evolved hailstorm method, the researchers wrote in a blog post, “campaigns are sent out in very high volume over a short timespan.” The timespan is so short that most campaigns are over by the time a traditional anti-spam measure could update itself to block them.

[Figure: A comparison of the traffic from a snowshoe campaign versus the high-volume, single blast of traffic in a hailstorm campaign. Source: Talos blog]

These campaigns, the researchers wrote, originate from all over the globe and include a wide array of top-level domains. Among origin countries, “the US, Germany, Netherlands, Great Britain and Russia lead the pack in terms of volume.” The campaigns push a diverse range of spam, including dietary pills, flashlight sales, bathroom remodeling, online degrees and psychic readings, to name a few.

The teams at OpenDNS and Talos worked together, combining their e-mail corpus intelligence with machine-learning data science, to produce a method that detects hailstorm campaigns the moment they hit while also discovering related domains that may be used in the future.
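As an added illustration of the two traffic shapes described above (not code from Talos or OpenDNS), the following classifier runs over a constructed mail log and separates a hailstorm-style burst from a snowshoe-style trickle using only the traits the post names: peak volume inside a short window versus low per-IP volume spread across many IPs. The log records, the domain names and every threshold are assumed values chosen for the example.

```python
"""Burst (hailstorm) versus trickle (snowshoe) detection over mail logs.

Each record is (unix_time, source_ip, sender_domain). The sample data and
all thresholds are constructed for illustration, not Talos/OpenDNS values.
"""
from collections import defaultdict

# Constructed sample log: a 400-message blast in under 7 minutes from four
# IPs, a 24-message trickle spread over 12 hours with one IP per message,
# and a small legitimate sender for contrast.
SAMPLE_LOG = (
    [(1000 + i, f"203.0.113.{i % 4}", "burst.example") for i in range(400)]
    + [(1000 + i * 1800, f"198.51.100.{i}", "trickle.example") for i in range(24)]
    + [(1000 + i * 600, "192.0.2.7", "corp.example") for i in range(5)]
)

def peak_window_count(timestamps, window):
    """Largest number of events inside any `window`-second interval."""
    ts = sorted(timestamps)
    best = left = 0
    for right, t in enumerate(ts):
        while t - ts[left] > window:     # slide the left edge forward
            left += 1
        best = max(best, right - left + 1)
    return best

def summarise(log):
    """Group timestamps and source IPs by sender domain."""
    stats = defaultdict(lambda: {"times": [], "ips": set()})
    for ts, ip, domain in log:
        stats[domain]["times"].append(ts)
        stats[domain]["ips"].add(ip)
    return stats

def classify(log, burst_min=300, burst_window=900,
             snowshoe_min_ips=10, snowshoe_max_per_ip=2):
    """Label each domain 'hailstorm', 'snowshoe' or 'normal' (hypothetical thresholds)."""
    labels = {}
    for domain, s in summarise(log).items():
        per_ip = len(s["times"]) / len(s["ips"])
        if peak_window_count(s["times"], burst_window) >= burst_min:
            labels[domain] = "hailstorm"   # high volume, short timespan
        elif len(s["ips"]) >= snowshoe_min_ips and per_ip <= snowshoe_max_per_ip:
            labels[domain] = "snowshoe"    # many IPs, little mail from each
        else:
            labels[domain] = "normal"
    return labels
```

Because the burst check looks at the peak count within a short window rather than the total, a domain that later resumes at a normal rate is still flagged for the blast it delivered.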

“Rather than waiting for a campaign to unfold and trying to catch up, protection against the next spam campaign is deployed ahead of time.”
