Snow-Shoeing and How to Avoid It
Director, Certification Security & Standards
As you may know, just in time for Christmas, The Spamhaus Project recently announced their new anti-snow-shoeing service the CSS component of the SBL: http://www.spamhaus.org/css/index.lasso
Spamhaus also has an article that offers some good information.
The CSS is the second such list to appear online; Invaluement was the first out of the gate with their ivmSIP/24 zone.
Both the SBL and ivmSIP/24 are part of the batch of checks we run constantly, against Return Path Certified and Safe whitelisted IPs. We also run a number of other tests to flag activity that is frowned upon by the receiving community.
SURBL, the domain blacklist, just announced their new, experimental zone of snowshoe domains, XS.
So, what is snowshoeing and how do you avoid such a pitfall?
Snowshoeing is, in a nutshell, spreading mail over IP ranges, domains or name-servers, in an attempt to lessen the impact of poor reputation upon an individual element.
For example, instead of sending email with poor reputation over a single IP, snow-shoers will send it over numerous IPs, or even split it up over several netblocks in the hope that not all of them become blacklisted, or suspended from a whitelist.
See The Spamhaus Projects’ glossary entry for more information.
Here’s some of what we look for among our whitelisted IPs, and strongly discourage as practices for any mailer who doesn’t want to appear to fit the profile.
Blacklisting: Naturally enough, presence on the Spamhaus CSS component of the SBL and ivmSIP/24 should be avoided at all costs
Number of IPs: At Return Path Certified, we look for too many IPs against the average of a given Certified volume tier that lack a reasonable segmentation plan. The following table shows the averages across our client volume tiers:
|Sender Tier||Volume Limit||Average # of IPs|
|Non Profit||Less than 250K||2|
|Tier1||Less than 50K||2|
|Tier2||Less than 250K||3|
|Tier3||Less than 1MM||3|
|Tier4||Less than 5MM||7|
|Tier5||Less than 10MM||13|
|Tier6||Less than 20MM||11|
|Tier7||Less than 50MM||33|
|Tier8||Less than 100MM||33|
|Tier9||Greater than 100MM||50|
When we see extraordinary numbers of IPs in a given IP Group, we ask the client to submit a complete segmentation plan, explaining the use of each IP, then we review them and suggest adjustments, bearing in mind that one of the big advantages of presence on the Return Path Certified whitelist is that Certified IPs are not subject to hourly throttling at Hotmail some and other receiver partners.
For non-certified senders: We recommend that you use as few IPs as possible to send any of your mail streams, while keeping an eye on your logs to determine if you have been subjected to throttling by receivers. You may want to consider any number of MTAs out there that do this for you automatically, keeping dynamic receiver throttling levels (messages per hour, and the number of simultaneous open connections) in mind as they deliver mail.
Contiguous Netspace: Some folks will try to send their mail from discontinuous netspace using IPs from disparate providers so their mail isn’t readily tied together at receiver sites. Return Path suggests a primary, and possibly a secondary IP range for contingency use in the case of a data centre malfunction, but no more. Beyond two IP ranges for your mail, you look suspiciously like someone trying to snowshoe. Drop the extra ranges, as soon as possible.
Volume Profile Disparity: Something we measure and keep an eye on at Return Path Certified is what we can ‘Volume Profile Disparity’. We use five receiver partners to determine the mailing volume of a given client: Yahoo! Hotmail, Senderbase and two anonymous webmail sites. Generally speaking, we see a 45%/45% split between Yahoo! and Hotmail volume, the remaining 10% accounted for by Senderbase and our other partners.
Domain Reputation: Over the past 18 months or so, all of us have been ramping up for domain-based reputation with the deployment of DKIM, and so on. Return Path president George Bilbrey has some terrific advice to clarify domain reputation over at Media Post and RP’s J.D. Falk published a series of articles on DKIM as well as a great synopsis at Deliverability.com entitled The Final Word on DKIM and Deliverability.
Domain Snowshoeing: One thing we very actively disallow for any Return Path Certification customer is the use of WHOIS cloaking for domains in use in their email. We expect that our customers are proud of their mail streams, and should not have anything in places that masks who they are; we expect full accountability so that if something does go wrong, any member of the Internet community with a complaint or concern can contact them quickly, and easily. And, of course, we expect our clients to maintain a reasonable number of domains from which they should send. That is just plain good sense. After all, you want recipients to recognize your mail as coming from you, to promote your brand and online identity. We are aware of at least one “high volume email deployment service” that has registered over 50,000 domains and not yet used them, apparently to skew one metric that receivers look for, namely, the age of a given domain.
Name Server Snowshoeing: Recently, we have spotted some interesting name server deployments for domains, which have lead to the termination of clients doing such things. It works (well, doesn’t work) like this:
A bad sender will get a series of domains, then set up a series of name-servers with the same name (or something else) as the domain. For example:
The domain entries then are rigged as follows:
Each name server will only serve up a handful;, or as few as one domain. Nice try, to firewall one domain from another. And naughty, naughty! Santa Claus and Security & Standards at Return Path Certified will be bringing you a lump of coal this Christmas if you deploy your name-servers in such a fashion. Normally, we, and receivers want to see:
Lastly, this holiday season, if you want to not appear to be a snowshoer, we suggest giving the Vancouver Olympics a miss, and vacation somewhere warm!