Bumping this post because after 24 hours there is still no answer from Symantec. To be clear: I want this to be solved, because we lose customers like this. And from a serious company like Symantec I would expect more.
As you can read in my first message, the mail from my client is not delivered to customers because Symantec thinks that the mail server sends spam in a format that is similar to snowshoe spamming techniques.
When you start to search for "snow shoe spamming" you will find a lot of pages which explain that snowshoe spamming is gaining popularity and even a document from Symantec with the subtitle “Snowshoe spam outbreak”. Some of them come with a little explanation. Like from Symantec:
snowshoe spamming distributes a broad load of spam across a varied array of IP addresses in much the same way.
Doesn’t say much, right?
A little further in the document:
Snowshoe campaigns commonly have the following characteristics:
- Originate from IP address ranges with a neutral reputation.
Ok, so if you move to a new VPS with a new IP you already have 1 flag. But in the real world hosting companies sell servers. They all get a new IP (or one not used for a while). Is it fair to flag this? Answer: No. Should this be the problem? Don’t know because:
Symantec doesn’t answer!
- Use a large IP address range to dilute the amount of spam sent from each IP address.
Ehh, what does it mean? Large IP address range, for the mail server? Ok, let’s try. Many websites use Cloudflare. For this you have to point your DNS to Cloudflare. There you get 2 IPv4 addresses and 2 IPv6 addresses. But you can’t use Cloudflare for your mail server, so that will be the 5th IPv4 address and, if you have IPv6 installed on your server, a 6th IP. Again, this is a normal situation. But hey… what if Symantec does a domain lookup? Then it will find 6 IPs for the same domain. Wow!!! This is the snowshoe spamming technique, right? Eh… NO! This is a misconfiguration of your scanner!
Against a domain lookup you can’t do anything. It will just find your IPs. But for mail you can use an SPF record. It could look like this:
v=spf1 a mx a:domain.com ip4:xx.xx.xx.xx ?all
But this will also approve 5 or even 6 IPs to send mail. If Symantec checked the SPF record, bingo! Again multiple IPs, so snowshoe spam! I already changed it to this:
v=spf1 mx ip4:xx.xx.xx.xx ?all
Like this it will only validate the IP from the MX record in your DNS. But I am not sure if it will help. Because:
Symantec doesn’t answer!
Another thing related to changing IPs. The website of my customer was hosted on another VPS with another IP till I moved it to a new VPS with a new IP. Further, the mail was sent through a hosting company. But… also with different IPs. Could it be the fact that I just moved the website AND mail to another server? That somewhere in the Symantec records the old IPs are still kept? Could be, but:
Symantec doesn’t answer!
- Contain features (such as the subject line, from line, and URLs) which change quickly.
Ok, so imagine you have a webshop and customers can register for an account. So while ordering they fill in some information. Then the account is made and the website sends a mail to the customer with some information. Almost immediately the mail with the order confirmation will be sent. Of course this mail has a different subject line, and different URLs. I don’t have to explain this further, right? According to the document this also gives a flag. But is this snowshoe spamming? Answer: NO. But could this be the problem? Don’t know because:
Symantec doesn’t answer!
- Include the call-to-action in the URL.
Ehh…should I take this literally? Or is a call to action already a link to their account or order? Could this be the problem? Don’t know because:
Symantec doesn’t answer!
I could go on, but I guess you get the point. This is like walking in the dark and trying to find the exit, while screaming for somebody to put on the light. Don't count in this case on Symantec because:
Symantec doesn't put on the light for you!
I already thought about a solution. But till now everything I tried doesn’t work. Oh wait... just one solution pops up. I could put a huge banner on the website with the following text:
Dear customer, when you use a mail account from KPN, Planet, Hetnet, XS4all you can’t order. Because all those providers use KPN mail, which will be scanned by Symantec. And it will not pass. We can’t fix it because:
Symantec doesn’t answer!
I will send KPN a mail with the link to this topic too. Maybe they can put some pressure on it, to avoid a bad reputation. In the meantime I will walk into the dark, trying to find the exit...
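
For reference, the effect of the two SPF records quoted in the post above, as an added example that is not part of the original post. It expands each record against constructed DNS data (the domain example.com, the documentation-range addresses, the two proxied web addresses per family and the single mail host are all assumptions) and returns which addresses would get an SPF pass and what `?all` yields for everyone else.

```python
# Constructed DNS data (documentation address ranges); stands in for real lookups.
DNS = {
    ("example.com", "A"): ["192.0.2.10", "192.0.2.11"],          # proxied website
    ("example.com", "AAAA"): ["2001:db8::10", "2001:db8::11"],   # proxied website
    ("example.com", "MX"): ["mail.example.com"],
    ("mail.example.com", "A"): ["198.51.100.25"],                # real mail server
    ("mail.example.com", "AAAA"): ["2001:db8:1::25"],
}
ALL_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# The two records from the post, with placeholders filled by constructed values.
OLD = "v=spf1 a mx a:example.com ip4:198.51.100.25 ?all"
NEW = "v=spf1 mx ip4:198.51.100.25 ?all"

def host_ips(name):
    """A and AAAA addresses of one host name from the constructed table."""
    return DNS.get((name, "A"), []) + DNS.get((name, "AAAA"), [])

def expand_spf(record, domain):
    """Return (addresses that get 'pass', result for every other sender).

    Handles a, mx, ip4, ip6 and all; only '+' mechanisms are collected,
    which is all the two records above contain.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    passed, default = set(), "neutral"   # RFC 7208: no mechanism matched -> neutral
    for term in terms[1:]:
        qualifier = term[0] if term[0] in ALL_RESULT else "+"
        name, _, arg = term.lstrip("+-~?").partition(":")
        name = name.lower()
        if name == "all":
            default = ALL_RESULT[qualifier]
            break                        # nothing after 'all' is evaluated
        if name == "a":
            ips = host_ips(arg or domain)
        elif name == "mx":
            ips = [ip for mx in DNS.get((arg or domain, "MX"), []) for ip in host_ips(mx)]
        elif name in ("ip4", "ip6"):
            ips = [arg]
        else:
            raise ValueError("mechanism not handled here: " + term)
        if qualifier == "+":
            passed.update(ips)
    return sorted(passed), default

if __name__ == "__main__":
    for label, rec in (("old", OLD), ("new", NEW)):
        ips, rest = expand_spf(rec, "example.com")
        print(label, len(ips), "authorized:", ips, "| everyone else:", rest)
```

With this data the first record authorizes the website's proxy addresses as well as the mail server, the second only the mail server; in both, `?all` leaves every other sender at "neutral" rather than "fail".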