Two types of malicious spam attacks are especially problematic for
defenders: hailstorm attacks and snowshoe attacks. Both employ the
elements of speed and targeting, and both are highly effective.
Hailstorm attacks target antispam systems. The operators behind these
attacks take advantage of the very small window of time between the
moment they launch their spam campaign and when antispam systems see it
and push coverage out to antispam scanners. Adversaries typically have
only seconds or minutes to operate before their campaigns are detected
and blocked.
...
Contrast the hailstorm attack to a snowshoe spam campaign, also shown in
Figure 18, where attackers attempt to fly under the radar of volume-based
detection solutions. The number of DNS lookups is steady, but there are
only about 25 queries per hour. These low-volume attacks allow
adversaries to quietly distribute spam from a large swath of IP
addresses.
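To make the two traffic shapes concrete, here is an added detection example (not code from the report): it buckets one sending domain's messages per hour and per source IP, then labels the domain "hailstorm" when almost all volume lands in a single hour, "snowshoe" when the hourly rate stays low across many hours and many IPs, and "other" otherwise. The thresholds and the sample events are constructed assumptions, not values from the report.

```python
"""Added example (not from the report): classify a sending domain's
campaign shape from constructed per-message log events.
Hailstorm: nearly all volume lands in one short window before reputation
catches up. Snowshoe: a low, steady hourly rate spread across many IPs so
no single source trips volume thresholds. Thresholds are assumptions."""
from collections import Counter

HAILSTORM_PEAK_SHARE = 0.90   # assumed: >=90% of volume in a single hour
SNOWSHOE_MAX_PER_HOUR = 50    # assumed; report observes ~25 queries/hour
SNOWSHOE_MIN_HOURS = 12       # assumed: sustained rather than bursty
SNOWSHOE_MIN_IPS = 20         # assumed: "large swath of IP addresses"


def profile(events):
    """events: (hour_index, sender_ip) pairs for one sending domain.
    Returns (messages per hour, set of distinct sender IPs)."""
    per_hour = Counter(hour for hour, _ in events)
    ips = {ip for _, ip in events}
    return per_hour, ips


def classify(events):
    """Return 'hailstorm', 'snowshoe' or 'other' for one domain's events."""
    per_hour, ips = profile(events)
    total = sum(per_hour.values())
    if total == 0:
        return "other"
    if max(per_hour.values()) / total >= HAILSTORM_PEAK_SHARE:
        return "hailstorm"
    low_and_steady = all(c <= SNOWSHOE_MAX_PER_HOUR for c in per_hour.values())
    if (low_and_steady and len(per_hour) >= SNOWSHOE_MIN_HOURS
            and len(ips) >= SNOWSHOE_MIN_IPS):
        return "snowshoe"
    return "other"


# Constructed sample data, not real traffic.
# Hailstorm: 5000 messages packed into hour 3 from three IPs.
HAILSTORM_EVENTS = [(3, f"198.51.100.{1 + i % 3}") for i in range(5000)]
# Snowshoe: 24 hours x 25 messages, four new IPs each hour (96 in total).
SNOWSHOE_EVENTS = [(h, f"203.0.113.{h * 4 + i % 4}")
                   for h in range(24) for i in range(25)]
# Legitimate bulk sender: two busy hours, one IP, well above snowshoe rate.
BULK_EVENTS = [(h, "192.0.2.10") for h in (9, 10) for _ in range(300)]

if __name__ == "__main__":
    for name, ev in (("hailstorm", HAILSTORM_EVENTS),
                     ("snowshoe", SNOWSHOE_EVENTS), ("bulk", BULK_EVENTS)):
        print(name, "->", classify(ev))
```

The hourly bucketing is coarse on purpose: a hailstorm that lives for minutes still collapses into one hour, while the snowshoe rule needs the per-IP view because no single hour or source looks abnormal on its own.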
Even though these spam attacks operate differently, they do have things in common. Through either approach, adversaries can:
- Evade a bad reputation by sending from clean IPs and domains
- Emulate marketing mail with professional content and subscription management
- Use well-configured email systems rather than sloppy scripts or spam bots
- Properly set up forward-confirmed reverse DNS and Sender Policy Framework (SPF) records