Snowshoe spam recommendations

If you have experienced a sudden rise in spam reaching end-users recently and you are located in the USA, you might be affected by snowshoe spam. This article tells you how to configure your ORF to deal with this type of spam.

How do I tell if I am affected?

Open a recent log file in the ORF Log Viewer and sort the events by the Related IP column. Scroll through the sorted list of events and look for large, continuous network blocks (e.g. a /24) with spammy email subjects. If the sender email addresses for these look like FirstnameLastname@domain.tld, you are affected. Otherwise, the increase in spam may be due to a technical issue and you should contact our Customer Service to investigate.
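The manual check above (sort by Related IP, look for a whole /24 of distinct hosts whose senders read FirstnameLastname@domain.tld) can be automated over an exported log. The following is an added example, not ORF's code or log format: it assumes the log has been exported as CSV-like lines of `timestamp,related_ip,sender,subject`, and the sample lines, the thresholds `min_hosts` and `min_name_ratio`, and the sender-name regex are all constructed for this illustration.

```python
"""Heuristic check for a snowshoe campaign in a mail log (added example).

Assumptions (not from the ORF article): the log was exported as CSV-like
lines "timestamp,related_ip,sender,subject". The real ORF log format is
not reproduced here.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample log lines, not real ORF output.
SAMPLE_LOG = """\
2014-06-01 08:01:12,198.51.100.7,JohnSmith@example-deals.test,Your exclusive offer
2014-06-01 08:01:40,198.51.100.19,MaryJones@example-deals.test,Lowest rates this week
2014-06-01 08:02:03,198.51.100.44,PeterBrown@example-deals.test,Final notice: claim now
2014-06-01 08:02:55,198.51.100.130,AnnaWhite@example-deals.test,Your exclusive offer
2014-06-01 08:03:10,198.51.100.201,RobertKing@example-deals.test,Lowest rates this week
2014-06-01 08:05:00,203.0.113.5,newsletter@partner.test,Weekly update
2014-06-01 08:06:30,203.0.113.9,alice@partner.test,Re: meeting
"""

# FirstnameLastname: two capitalised words run together, no digits or dots.
NAME_PATTERN = re.compile(r"^[A-Z][a-z]+[A-Z][a-z]+@")


def parse_log(text):
    """Yield (ip, sender, subject) tuples from the constructed CSV lines."""
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, ip, sender, subject = line.split(",", 3)
        yield ip, sender, subject


def group_by_subnet(records, prefix=24):
    """Bucket records by their /prefix network (the /24 blocks the article describes)."""
    blocks = defaultdict(list)
    for ip, sender, subject in records:
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        blocks[str(net)].append((ip, sender, subject))
    return blocks


def find_snowshoe_blocks(text, min_hosts=4, min_name_ratio=0.8):
    """Return subnets that look like a snowshoe campaign.

    A block is flagged when many distinct hosts in it send mail and most
    sender addresses match the FirstnameLastname pattern. The thresholds
    are assumptions for this example, not ORF settings.
    """
    flagged = {}
    for net, recs in group_by_subnet(parse_log(text)).items():
        hosts = {ip for ip, _, _ in recs}
        if len(hosts) < min_hosts:
            continue
        name_like = sum(1 for _, sender, _ in recs if NAME_PATTERN.match(sender))
        ratio = name_like / len(recs)
        if ratio >= min_name_ratio:
            flagged[net] = {"hosts": len(hosts), "name_ratio": ratio}
    return flagged


if __name__ == "__main__":
    for net, info in find_snowshoe_blocks(SAMPLE_LOG).items():
        print(f"{net}: {info['hosts']} hosts, {info['name_ratio']:.0%} name-like senders")
```

On the constructed sample the 198.51.100.0/24 block is flagged (five distinct hosts, every sender name-like), while the two legitimate-looking messages from 203.0.113.0/24 are not, because too few hosts are involved. Tune the thresholds to your own traffic volume before relying on the output.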

Typical example of a snowshoe campaign in the ORF Log Viewer.

How do I stop this campaign?

As of writing this, the Greylisting Test of ORF can stop the campaign easily (when configured a certain way).

  • Open the Blacklists / Greylisting page in the Administration Tool.
  • Make sure the test is enabled (see “On” next to the page title).
  • Disable the “Accept delivery retries from the same /24 subnet” option.
  • Disable the “Skip Greylisting if the sender explicitly passes the SPF Test” option.
The recommended ORF configuration for the Greylisting Test against snowshoe spam

Greylisting is an aggressive measure that delays emails from unknown senders for 5-15 minutes. We are working on a less aggressive technology against this type of spam. Meanwhile, make sure you also have the Auto Sender Whitelist enabled and assigned to the Before Arrival or both filtering points.

Why do I have to configure ORF this way?

The campaign is run remarkably well compared to the average spam. Instead of using a network of compromised computers (a botnet), the spammer abuses reputable hosting companies with a clean IP reputation for very short periods of time (2-4 hours) before moving on to the next provider. The usual heuristics, such as reverse DNS and SPF checks, also check out.

We suspect that custom spamware is used for email delivery, which Greylisting fends off well. However, as emails arrive from a continuous range of IPs and SPF is properly set up for the spamming domains, the Greylisting defaults need to be adjusted for this campaign.
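To see why the two options from the steps above have to be disabled, the following added example models a minimal greylist and replays a constructed snowshoe pattern against it. This is not ORF's implementation: the triplet key (IP, sender, recipient), the 300-second retry window, the addresses and the timings are all assumptions made for the illustration.

```python
"""Minimal greylisting model (added example, not ORF's implementation).

Shows why "Accept delivery retries from the same /24 subnet" and
"Skip Greylisting if the sender explicitly passes the SPF Test" let a
snowshoe sender through. The triplet key, retry window, addresses and
timings are assumptions for this example.
"""
import ipaddress

# Retry window (assumed): an attempt earlier than this is still rejected.
MIN_RETRY_SECONDS = 300


class Greylist:
    def __init__(self, accept_same_subnet=False, skip_if_spf_pass=False):
        self.accept_same_subnet = accept_same_subnet
        self.skip_if_spf_pass = skip_if_spf_pass
        self.seen = {}  # triplet key -> timestamp of first attempt

    def _key(self, ip, sender, recipient):
        # Classic greylisting keys on (IP, sender, recipient). The /24 option
        # widens the IP part to the network, so any host in it counts as a retry.
        if self.accept_same_subnet:
            ip_part = str(ipaddress.ip_network(f"{ip}/24", strict=False))
        else:
            ip_part = ip
        return (ip_part, sender.lower(), recipient.lower())

    def check(self, now, ip, sender, recipient, spf_pass=False):
        """Return 'accept' or 'tempfail' for one delivery attempt at time `now`."""
        if self.skip_if_spf_pass and spf_pass:
            return "accept"
        key = self._key(ip, sender, recipient)
        first = self.seen.get(key)
        if first is None:
            self.seen[key] = now
            return "tempfail"
        if now - first >= MIN_RETRY_SECONDS:
            return "accept"
        return "tempfail"


def simulate_snowshoe(accept_same_subnet, skip_if_spf_pass):
    """Replay a constructed snowshoe pattern: every message comes from a new
    host in the same /24, SPF is set up correctly, and the spamware never
    performs a genuine retry. Returns the list of verdicts."""
    gl = Greylist(accept_same_subnet, skip_if_spf_pass)
    attempts = [  # (seconds, ip, sender), constructed
        (0, "198.51.100.7", "JohnSmith@example-deals.test"),
        (400, "198.51.100.19", "JohnSmith@example-deals.test"),
        (800, "198.51.100.44", "JohnSmith@example-deals.test"),
    ]
    return [gl.check(t, ip, s, "user@yourdomain.test", spf_pass=True)
            for t, ip, s in attempts]


def simulate_legit_retry():
    """A well-behaved MTA retries from the same IP after the window: the
    default (strict) configuration still lets it through on the retry."""
    gl = Greylist()
    return [gl.check(t, "203.0.113.5", "alice@partner.test", "user@yourdomain.test")
            for t in (0, 600)]


if __name__ == "__main__":
    print("defaults:           ", simulate_snowshoe(False, False))
    print("/24 retries allowed:", simulate_snowshoe(True, False))
    print("SPF pass skips test:", simulate_snowshoe(False, True))
    print("legitimate retry:   ", simulate_legit_retry())
```

With both options off, every message from a new IP is a fresh triplet and is temp-failed, and a spamware that never retries gets nothing delivered. With the /24 option on, the second message from a neighbouring host is mistaken for a retry of the first and accepted; with the SPF option on, the campaign's correctly configured SPF records bypass the test entirely. A real MTA retrying from the same IP is still accepted under the strict settings.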
