Snowshoe Spammers Target the British Royal Wedding

With just over two months to go before the wedding of Prince William and Kate Middleton, it’s no surprise to find this significant event is being used to promote products. Emails advertising a replica of Princess Diana’s engagement ring were observed in the past few days, sent by well established spammers.

Although infected botnet machines are responsible for the vast majority of spam sent globally (77% at the end of 2010), these attacks do not fall in that category, and in fact the IP which is sending the spam is the same as the one hosting the domain which is linked to in the email. This domain has also been used in other spam campaigns, such as the long running Who’s Who social networking spam messages (see our May 2008 State of Spam report for similar attacks). It was registered on February 9, 2011, using Moniker Privacy Services for anonymity, and since then has been used in at least half a million spam emails. This spammer has registered many different domains across a range of IPs in a technique that is sometimes known as “snowshoe spamming”.

If the user clicks on the link in the email, it firstly redirects to the ‘’ domain, which checks that the user’s IP is based in the US, before redirecting to the final destination product site. The product site was registered much earlier, on December 21, 2010, using a different registration service, indicating that the people behind the site might be purchasing spam services rather than sending it themselves.

Symantec Brightmail has had predictive filters in place to block these particular snowshoe attacks since October 2010. The graph below shows how many messages per day have been blocked from this spammer.

As the British Royal wedding gets closer though, we do expect to see it featured in other spam campaigns to attract users’ attention; at the very least in scraped news headlines.

Thank you to Pavlo Prodanchuk for contributed content.