A New Snowshoe Spam External Agent

UPDATE: The External Agent discussed in this article no longer works against the snowshoe spam campaign discussed below. Visit our latest article regarding this type of spam.

In the past few days, we have received reports of a snowshoe spam campaign hitting many of our US-based clients heavily. The campaign is characterized by a sudden influx of spam in high volumes from a continuous range of IP addresses. Outbreaks last for 2-4 hours before the spammer moves to another provider. Due to the nature of this campaign, the usual heuristics provided by ORF do very little to stop these emails.

We are now releasing a quick relief External Agent to address this campaign specifically. The agent relies on DNS-based heuristics to safely identify and blacklist these emails.

A typical example of the snowshoe campaign in the ORF logs.

Is it for me?

You only need this agent if you are affected. If you are located in the US and have suddenly started to see spam coming through ORF in large numbers, you can verify whether you are affected by opening a recent log file in the ORF Log Viewer and sorting the events by the Related IP column. When you scroll through the sorted list of events, look for large, continuous network blocks (e.g. a /24) with spammy email subjects. If the sender email addresses look like FirstnameLastname@subdomain.domain.tld, you are affected and you should install this agent.
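The manual check above can also be scripted. The following is an added example, not part of the Vamsoft agent or of ORF: it assumes the log events are already available as objects with hypothetical `RelatedIP` and `Sender` properties, and the thresholds and sample events are constructed for illustration.

```powershell
# Added example. The RelatedIP/Sender property names and both thresholds are
# assumptions for illustration, not ORF's log schema or the agent's logic.
function Find-SnowshoeBlock {
    param(
        [Parameter(Mandatory = $true)] [object[]] $LogEvents,
        [int]    $MinDistinctIPs  = 8,    # distinct source IPs required inside one /24
        [double] $MinPatternShare = 0.8   # share of senders matching the pattern
    )
    # FirstnameLastname@subdomain.domain.tld: two capitalized words, three host labels
    $senderPattern = '^[A-Z][a-z]+[A-Z][a-z]+@[^@.\s]+\.[^@.\s]+\.[^@.\s]+$'

    # Keep IPv4 events, group them by their first three octets (the /24),
    # then flag blocks with many distinct IPs and mostly pattern-matching senders.
    $LogEvents |
        Where-Object { $_.RelatedIP -match '^(\d{1,3}\.){3}\d{1,3}$' } |
        Group-Object { ($_.RelatedIP -split '\.')[0..2] -join '.' } |
        ForEach-Object {
            $block    = $_
            $distinct = @($block.Group | Select-Object -ExpandProperty RelatedIP -Unique)
            $matching = @($block.Group | Where-Object { $_.Sender -cmatch $senderPattern })
            $share    = $matching.Count / $block.Count
            if ($distinct.Count -ge $MinDistinctIPs -and $share -ge $MinPatternShare) {
                New-Object PSObject -Property @{
                    Block        = "$($block.Name).0/24"
                    DistinctIPs  = $distinct.Count
                    Events       = $block.Count
                    PatternShare = [math]::Round($share, 2)
                }
            }
        }
}

# Constructed sample: 12 hosts in 192.0.2.0/24 (documentation range) plus normal mail
$first  = 'Alice','Brian','Carla','David','Erika','Frank','Grace','Henry','Irene','James','Karen','Louis'
$sample = @()
foreach ($i in 0..11) {
    $sample += New-Object PSObject -Property @{
        RelatedIP = "192.0.2.$(10 + $i)"
        Sender    = "$($first[$i])Miller@news${i}.example.com"
    }
}
$sample += New-Object PSObject -Property @{ RelatedIP = '198.51.100.7'; Sender = 'billing@example.org' }
$sample += New-Object PSObject -Property @{ RelatedIP = '198.51.100.7'; Sender = 'support@mail.example.net' }
$sample += New-Object PSObject -Property @{ RelatedIP = '203.0.113.25'; Sender = 'JohnSmith@mail.example.net' }

Find-SnowshoeBlock -LogEvents $sample |
    Format-Table Block, DistinctIPs, Events, PatternShare -AutoSize
```

A flagged block is a lead to review in the Log Viewer alongside the email subjects, which this sketch does not inspect.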

How do I install this?

Download the agent from

http://vamsoft.com/downloads/agents/agent-snowshow-c15q1-01/agent.zip (95kB ZIP)

and extract the archive contents to any local directory on your server.

If you have used Windows Explorer to extract the archive contents, the ARSoft.Tools.Net.dll file in the arsoft-resolver folder may be blocked by Windows as potentially harmful because of its Internet origin. To check and unblock the DLL, right-click the file, select Properties and, if required, click Unblock on the General tab.

Import the External Agent definition agent-definition.xml. Once this is done, customize the definition to your system:

  • On the Run tab, set the Agent Executable to your powershell.exe binary. This is usually found under \Windows\System32\WindowsPowerShell\1.0\powershell.exe.
  • On the same Run tab, in the Command-Line Parameters box, replace the path in the -File parameter with the path of your script, e.g. “C:\ORF\snowshoe\agent-showshoe-c15q1-01.ps1”.
  • In the same edit box, replace “8.8.8.8” with your DNS server IP address. Note that you must specify the DNS server by IP address; names will not work.

Once you’re done with editing, be sure to save your configuration.

What else should I know?

  • The agent is written in PowerShell and was tested with PowerShell 3.0 and .NET Framework 4.0. The minimum system requirement should be PowerShell 2.0 and .NET Framework 2.0.
  • As this is a quick relief agent, it was not subjected to the stringent standards of testing we usually apply to our code. Use with caution.
