Organised criminal spamming groups have recently adapted to improvements in spam filter technology by sending short bursts of spam to evade filters. On average, spam filters take five minutes to respond to a new campaign.
Furthermore, spammers in growing numbers are using “snowshoe” tactics to evade detection. Just as a snowshoe spreads the weight of a person across an expanse of snow, snowshoe spam spreads delivery across many IPs and domains – often hijacked from legitimate network providers. They use each IP address lightly, which makes it difficult for anti-spam systems to detect enough malicious activity to warrant blocking any one of the IP addresses.
This snowshoe spamming trend, combined with hit-and-run tactics, means more spam is getting past filters. Anti-spam systems need to improve their game to stay ahead of the bad guys.
How we fight spammers
Digital O2’s Hosted Exchange already uses cutting-edge commercial spam filters to detect and block spam. Our filters detect new spam campaigns incredibly fast: our median response time to a new campaign (as identified by the subject line) is less than one minute, as shown in the chart below. This means that it takes us less than one minute on average to detect and block a new spam campaign.
To better defend against hit-and-run tactics and snowshoeing, we are taking these countermeasures:
We have a new IP address rate limiting approach, also known as “greylisting”, that will severely limit the amount of email we accept from IPs that have not sent a consistent amount of legitimate mail to our users over a long period of time. Why? Because snowshoe spammers are vulnerable in one significant way: the IP addresses they send from only deliver very small volumes of email and never have a long history of sending legitimate email.
We are also adding new data sources from providers who track snowshoeing activities on a global basis. This data draws on intelligence from a wide variety of security sources in real-time.
To thwart hit-and-run attacks, we will track emergent spam campaigns by analyzing recurrent patterns of similar messages and behavior. This approach enables us to quarantine new spam campaigns even before end users or spam analysts have a chance to categorize them.
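The history-based IP rate limiting described above, as an added example that is not Digital O2's own code: each sending IP gets an hourly quota that grows with the number of recent days on which it delivered legitimate mail. The class name, quota values, 90-day history window and the sample addresses (documentation ranges) are all assumptions made for illustration.

```python
from collections import defaultdict

DAY = 86400  # seconds

class ReputationRateLimiter:
    """Hourly per-IP quota that grows with days of legitimate-mail history.

    All thresholds are illustrative assumptions, not values from the article.
    """

    def __init__(self, base_quota=5, per_day_bonus=20, max_quota=1000,
                 history_days=90, window=3600):
        self.base_quota, self.per_day_bonus = base_quota, per_day_bonus
        self.max_quota, self.history_days, self.window = max_quota, history_days, window
        self.legit_days = defaultdict(set)   # ip -> day numbers with legitimate mail
        self.windows = {}                    # ip -> (window_start, accepted_count)

    def record_legitimate(self, ip, now):
        """Call when a message from ip was delivered and not reported as spam."""
        self.legit_days[ip].add(int(now // DAY))

    def quota(self, ip, now):
        today = int(now // DAY)
        recent = [d for d in self.legit_days[ip] if today - self.history_days < d <= today]
        return min(self.max_quota, self.base_quota + self.per_day_bonus * len(recent))

    def accept(self, ip, now):
        """True to accept; False means the MTA should temp-fail (SMTP 4xx) the message."""
        start, count = self.windows.get(ip, (now, 0))
        if now - start >= self.window:       # hour elapsed: start a new window
            start, count = now, 0
        if count >= self.quota(ip, now):
            self.windows[ip] = (start, count)
            return False
        self.windows[ip] = (start, count + 1)
        return True

def simulate():
    """Constructed traffic: 50 fresh IPs x 20 messages vs one IP with 60 days of history."""
    rl, now = ReputationRateLimiter(), 100 * DAY
    established = "192.0.2.10"               # documentation-range address
    for day in range(40, 100):
        rl.record_legitimate(established, day * DAY)
    snowshoe = sum(rl.accept(f"198.51.100.{n}", now + i)
                   for n in range(1, 51) for i in range(20))
    legit = sum(rl.accept(established, now + i) for i in range(500))
    return snowshoe, legit

if __name__ == "__main__":
    print(simulate())
```

In the constructed run, the 50 fresh addresses get 250 of their 1,000 messages accepted in the hour, while the sender with 60 days of history has all 500 accepted.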
Spammers constantly evolve to outwit our defenses. In response, we continually invest in aggressive anti-spam measures to ensure that our customers have the best protection available.
These new measures and systems will be implemented by the end of the month (November).