What are the best methods for catching snowshoe spam?
Is this becoming a real problem for your users?
I'd recommend a full-on mail filtering service at this point. Bayesian isn't really that hot anymore. Reputation, RBL, header/intent-analysis and other factors seem to help more. Consider a cloud filtering service to combine multiple approaches (and collective volume) to provide better protection (I use Barracuda's ESS cloud solution for my customers).
And of course: Fighting Spam - What can I do as an: Email Administrator, Domain Owner, or User?
We haven't been affected negatively by the uptick in the Snowshoe attacks. I did see a period where mail volume tripled day-to-day with these attacks. But none of the bad stuff made it through. In 3 days, Barracuda brought volumes down to normal levels.
I think filtering solutions that have a broad view of worldwide mail activity can react to attacks better than individual mail filters.
Edit:
This was also discussed recently on the LOPSA mailing list:
My contribution: https://www.mail-archive.com/[email protected]/msg04180.html
Another opinion: https://www.mail-archive.com/[email protected]/msg04181.html
I'm a DNS Ops guy who works closely with a group who is frequently subject to these attacks. Dealing with Snowshoe attacks is primarily a process problem, and as ewwhite points out it may be beyond the scope of your company to solve in-house. I'd go as far as to say that unless you have a sizable operation and several commercial RBL feeds, you probably shouldn't be trying to solve this yourself over using a commercial filtering service.
That said, we do have some experience with this and it's more interesting to share than not. Some touch points are:
- If possible, training your mail platform to identify the characteristics of a Snowshoe attack in progress and temporarily rejecting messages from the networks in question. Well-behaved clients will try to resend messages on a temporary failure, others tend not to.
- Making sure your DNS admins are monitoring `UDP-MIB::udpInErrors` via SNMP, because mail platforms are very capable of overflowing the receive queues of UDP listeners when a Snowshoe attack is in progress. If they aren't, a quick way to tell under Linux is to run `netstat -s | grep 'packet receive errors'` on the DNS servers in question; a large count indicates that they need to get off their duffs and start paying attention. They will need to add capacity or increase the size of the receive buffers if frequent spillage is occurring (which means lost DNS queries, and lost opportunities for spam prevention).
- If you are frequently seeing these attacks utilizing freshly created domains, RBLs that highlight these do exist. An example of one is FarSight NOD (people reading this should perform their own research), but it is not free.
Full disclosure: Farsight Security was founded by Paul Vixie, who I have a bad habit of venting at when people violate DNS standards.
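The `udpInErrors` check the answer above recommends, as an added example that is not part of the original thread or any poster's code. On Linux the counter that `netstat -s` prints as "packet receive errors" (and that SNMP exposes as `UDP-MIB::udpInErrors`) is the `InErrors` column of the `Udp:` section of `/proc/net/snmp`, with `RcvbufErrors` counting the drops caused specifically by a full socket receive buffer. The script parses two snapshots of that file, turns the counter growth into a per-second drop rate, and flags it against a threshold. The snapshot contents, the 60-second interval and the `DROP_RATE_THRESHOLD` value are constructed for the example.

```python
"""Spot UDP receive-queue overflow on a DNS server from /proc/net/snmp.

Added example, not from the original thread. The InErrors column of the
"Udp:" section is what `netstat -s` reports as "packet receive errors" and
what SNMP exposes as UDP-MIB::udpInErrors (.1.3.6.1.2.1.7.3); RcvbufErrors
is the subset of those drops caused by a full socket receive buffer.
"""
from __future__ import annotations

# Constructed sample: the relevant lines of /proc/net/snmp from a resolver,
# captured 60 seconds apart during a burst of inbound mail (assumed values).
SNAPSHOT_BEFORE = """\
Udp: InDatagrams NoPorts InErrors OutDatagrams RcvbufErrors SndbufErrors InCsumErrors IgnoredMulti
Udp: 8120044 15 1203 8098833 1203 0 0 0
UdpLite: InDatagrams NoPorts InErrors OutDatagrams RcvbufErrors SndbufErrors InCsumErrors IgnoredMulti
UdpLite: 0 0 0 0 0 0 0 0
"""
SNAPSHOT_AFTER = """\
Udp: InDatagrams NoPorts InErrors OutDatagrams RcvbufErrors SndbufErrors InCsumErrors IgnoredMulti
Udp: 9510044 15 5203 9480101 5203 0 0 0
UdpLite: InDatagrams NoPorts InErrors OutDatagrams RcvbufErrors SndbufErrors InCsumErrors IgnoredMulti
UdpLite: 0 0 0 0 0 0 0 0
"""
INTERVAL_S = 60
DROP_RATE_THRESHOLD = 1.0   # drops per second that should page a DNS admin (assumed)


def parse_proc_net_snmp(text: str) -> dict[str, dict[str, int]]:
    """Parse /proc/net/snmp into {protocol: {counter: value}}.

    Each protocol contributes two lines with the same prefix: a header line
    naming the counters and a value line with the numbers in the same order.
    """
    headers: dict[str, list[str]] = {}
    table: dict[str, dict[str, int]] = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        proto, rest = line.split(":", 1)
        fields = rest.split()
        if proto not in headers:
            headers[proto] = fields            # first line: counter names
        else:
            values = [int(v) for v in fields]  # second line: counter values
            table[proto] = dict(zip(headers[proto], values))
    return table


def udp_drop_delta(before: str, after: str) -> dict[str, int]:
    """Return the growth of the Udp InDatagrams / InErrors / RcvbufErrors counters."""
    b = parse_proc_net_snmp(before)["Udp"]
    a = parse_proc_net_snmp(after)["Udp"]
    return {k: a[k] - b[k] for k in ("InDatagrams", "InErrors", "RcvbufErrors")}


def assess(before: str, after: str, interval_s: float,
           threshold: float = DROP_RATE_THRESHOLD) -> dict[str, object]:
    """Turn the counter delta into rates and a verdict.

    InErrors rising with RcvbufErrors rising in step means the kernel is
    discarding queries because the resolver cannot drain its socket fast
    enough: add capacity or raise net.core.rmem_max and the daemon's buffer.
    """
    d = udp_drop_delta(before, after)
    drop_rate = d["InErrors"] / interval_s
    query_rate = d["InDatagrams"] / interval_s
    buffer_share = d["RcvbufErrors"] / d["InErrors"] if d["InErrors"] else 0.0
    return {
        "query_rate": query_rate,       # inbound UDP datagrams per second
        "drop_rate": drop_rate,         # udpInErrors growth per second
        "buffer_share": buffer_share,   # fraction of drops due to a full rcvbuf
        "alert": drop_rate >= threshold,
    }


def read_live_snapshot(path: str = "/proc/net/snmp") -> str:
    """Read the live counters on a Linux host (not used by the sample run)."""
    with open(path, encoding="ascii") as fh:
        return fh.read()


if __name__ == "__main__":
    verdict = assess(SNAPSHOT_BEFORE, SNAPSHOT_AFTER, INTERVAL_S)
    print(f"queries/s: {verdict['query_rate']:.0f}  drops/s: {verdict['drop_rate']:.1f}"
          f"  share from full rcvbuf: {verdict['buffer_share']:.0%}"
          f"  ALERT: {verdict['alert']}")
```

In production the two snapshots would come from `read_live_snapshot()` called a fixed interval apart (or from the SNMP counter polled the same way); the point of comparing deltas rather than the raw count is that the counter is cumulative since boot, so only its growth rate says whether queries are being lost right now.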