How are you dealing with Snowshoeing? - ORF Forums

How are you dealing with Snowshoeing? RSS Back to forum


Our userbase have been reporting an uptick in SPAM and I concur with them that it feels like there is a large increase in SPAM not being detected by ORF. In looking at trends in what is passing checks I am noticing that many new vanity country TLDs are being compromised and used by spammers.

It appears that these new attacks have gained a clever name, Snowshoe spamming.

This is a spamming technique in which the spammer uses a wide array of IP addresses in order to spread out the spam load. The large spread of IP addresses makes it difficult to identify and trap the spam, allowing at least some of it to reach email inboxes. For companies which specialize in trapping spam, snowshoe spamming is particularly noxious because it is difficult to trap it with traditional spam filters, and I think that ORF isn't doing a good job with the available tests.

What I've resulted to is occasionally filtering my logs based on emails passing checks but not coming from a traditional .com .net .edu style domain name. What I am finding is that I am having to block TLDs like .asia .club .in .mobi .me .co because the emails originating from these are 99.9% SPAM.

What other approaches are working for other ORF users? Our ORF setup includes the following OnArrival tests:

SURBL Tests ( SpamHaus, Combined, and URIBL)
DNS BlackLists (Barracuda Reputation, SORBS, SpamCOP, SpamHaus)
SPF Software Blacklist
Domain Validation via Sender domain must have a DNS MX or A record
Custom Keyword Blacklist
Custom Sender Blacklist
HoneyPot Tests resulting in a 24 hour ban
Helo Blacklist
Attachment Filtering
DHA Protection
External Agents (ClamAV for Windows, Vamsoft Backscatter, and Vamsoft Self-Spam)

What else could we be doing? Any help would be appreciated.

by felipe.garcia 5 years ago

@felipe.garcia: Spamhaus CSS lists snowshoe spamming IPs, this list is included by default in the Spamhaus Zen DNS Blacklist ( response):

As for the configuration, I'd also enable the PTR check (Blacklists / Reverse DNS Test, Enable Sender IP Reverse Name Validation), and update the SURBL definition set to the latest (, as Spamhaus recently added some new zones to DBL (

I'd also check the ORF logs for any DNS-related errors which may explain the sudden increase in incoming spam. SERVFAIL, RCODE2 errors seem to be affecting many people lately, see our related KB article:

by Krisztián Fekete (Vamsoft) 5 years ago
(in reply to this post)


@Krisztián Fekete (Vamsoft): KrisztiĆ”n,

Thank you very much for your response. I went ahead and looked at the the updated definition XMLs and we are already subscribed to all those lists with our v5.2 product. I did look at the DNS related issues and did see a large amount of SERFAIL,RCODE2 issues specifically with SPAMHAUS ZEN and DBL. Over the course of 7 days we had 190,115 lookup failures.

I looked at their website and I think we are right on the cusp of possibly requesting too many lookups per day, pushing us over the amounts defined as being in the Free User category. Perhaps we need to subcribe to their datafeed services because of the volume of requests. I don't see any issues with our Microsoft DNS servers that would be causing this high volume of SERVAILs. I am signing up for their free 30 day trial and will probably go ahead and subscribe for the year if this does indeed clear up the amount of failed lookups.

Once again I appreciate you taking the time to look over our setup based on this post. This seems like a promsing course of action, and I do hope that it has a positive effect.

by felipe.garcia 5 years ago
(in reply to this post)


@felipe.garcia: KrisztiƔn,

We succesfully signed up for a 30 day SpamHaus trial and we are seeing much better results after changing our DNS and SURBL tests to use their registered datafeed DNS entries. The DNS errors have gone away and our Spam detection rate went up from 75% to 84% meaning that more and more is being detected. Thanks for that tip, it is appreciated.

Best, Felipe

by felipe.garcia 5 years ago
(in reply to this post)


@felipe.garcia: Glad to hear the problem has been solved :)

by Krisztián Fekete (Vamsoft) 5 years ago
(in reply to this post)

New comment

Fill in the form below to add a new comment. All fields are required. If you are a registered user on our site, please sign in first.

It will not be published.
hnp1 | hnp2