Protecting against hailstorm spam with “Dynamic Updates”

October 5, 2018 by The Spamhaus Technology Team

High-speed and high-volume: Hailstorm spam is one method cyber criminals are using to overwhelm target organizations’ defenses, but Spamhaus is leading the fight back with threat intelligence delivered at high-speed.

Dynamic Updates from Spamhaus protect by alerting you to hailstorm attacks within seconds of them starting, giving you the unique capability to block this type of spam.

Powerful intelligence delivered at high speed

Hailstorm attacks can be over in a matter of minutes and every second counts.

At the first indication of a hailstorm attack, automatic incremental updates are made available. Instead of downloading a full set of IP and Domain-based threat intelligence periodically, Dynamic Updates allow you to receive data as soon as it is available.

Hailstorm spam attack timeline

Graph of a hailstorm attack

  • Before 0 sec: No info
  • 0 sec: Hailstorm attackstarts, traffic spikes to more than 800 emails sent every 10 seconds.
  • 16 sec: Domain used identified,published to Zero ReputationDomain list. Dynamic Updates subscribers can start blocking malicious domain.
  • 28 sec: Domain published to Spamhaus Zen and DomainBlocklist. Spam rate still running at over 800 emails every 10 seconds.
  • 90 sec: Domain generally accessible for rsync subscribers based on a standard 60 second rsync period. Spam rate starts to drop off.
  • 120 sec: Spam rate drops to negligible.

In three minutes, more than 15,000 spam messages sent –85% blocked by DynamicUpdates service at start of attack. Indicative real case example– individual attack profiles will vary.

The Dynamic Updates advantage

Table showing how dynamic updates compares to DQSIncluded is Spamhaus’ Zero Reputation Domain (ZRD) service, designed to stop cyber criminals who use newly registered domains.  This is a favoured method to send hailstorm spam; driving traffic to websites in the hope that users will fall victim before a domain has been analyzed for its reputation.

Legitimate organizations will rarely activate a domain and start using it immediately after registration so the ZRD automatically adds newly-registered and previously dormant domains to a block list for 24 hours.


Picture showing how dynamic updates is configuredDeploy Dynamics Updates in minutes following these easy steps:

  1. Generate your own authentication certificate (including self-signed)
  2. Submit certificate to Spamhaus via our user portal
  3. Connect! You will be informed via our portal

If you are not already a Spamhaus user, then sign up here and get access to our user portal.

March 25, 2019

Spamhaus & SpamAssassin provide a simple alternative to expensive email filters

In recent independent tests Spamhaus’s block lists, used alongside a specially configured SpamAssassin, stopped 99.43%* of spam emails, with 0.02%...

Read more
December 5, 2018

Getting your Spamhaus data feeds via Rsync? You may need to move to DQS

We’ve made some changes.  “Urgh!” we hear you sigh.  Few people like changes; be that a change in the user...

Read more
October 5, 2018

Protecting against hailstorm spam with “Dynamic Updates”

High-speed and high-volume: Hailstorm spam is one method cyber criminals are using to overwhelm target organizations’ defenses, but Spamhaus is...

Read more

Engage with us on

It’s time to protect your organization

Start my free trial