A brief guide to spamtraps

“I thought spamtraps were addresses harvested off webpages.”

“I thought spamtraps were addresses that were valid and now aren’t.”

“I thought spamtraps were addresses created to catch spammers.”

There is a lot of “I thought…” about spamtraps. Most of the theories are accurate but limited. Like the blind men and the elephant, they catch the parts but not the whole of spamtraps.

When I first started out with email and spam, there was an easy definition of spamtrap. A spamtrap was an address that was never used but still received mail. By definition these addresses were never handed out, advertised or even used by a human. The only mail sent to that address was spam.

As spam filters became more sophisticated, other types of email addresses started being referred to as spam traps. The meaning of spam trap started to evolve into referencing an address that received all, or mostly all, spam.

This means that not all spam traps are created equal. Different kinds of traps tell you different information. This isn’t a problem as long as the people maintaining the traps understand the data they’re gathering. It also means that people dealing with blocking based on traps need to understand what kind of trap caused the block.

I’ve come up with a number of categories of spamtraps. This is not intended to be an exhaustive list. Also, there are overlaps in some categories. But this gives you an idea of the different sorts of traps in widespread use.

Classic spamtraps

Classic spamtraps are email addresses that were never assigned to a user but started receiving email.  In some cases, these are addresses at domains that accept mail to any address. In other cases, the domain owner will look through rejection logs, identify rejected addresses and then enable those addresses.

These traps tell the trap owner that the sender is randomly creating addresses or buying lists from someone who is. These are useful for identifying sources that are sending mail without permission.
There is a subset of classic traps that is the result of actual users submitting addresses they don’t own. Occasionally people sign up at various websites and use email addresses that they don’t own. One example is cute.net. People are constantly signing up for things with addresses at cute.net. But they don’t actually have an address at cute.net. To the domain owner, the mail is total spam and is indistinguishable from spammer created addresses.

Likewise, legitimate users might typo their own address while signing up for mail. Sometimes these typos find another user bob213 instead of bob123, but sometimes they will end up hitting addresses that are currently or will be spamtraps. To the domain owner, this is spam. Depending on the policies of the trap owner, these addresses may or may not trigger blocking.

Seeded traps

Seeded traps are email addresses that are created and seeded in various places online. Typically they are hidden on websites or sometimes dropped into unsubscribe forms.

These traps tell the trap owner that the sender is either scraping addresses or is buying lists from someone who is scraping addresses. These are good for identifying sources that are sending mail without permission, and those who are not honoring unsubscribe requests.

Message-id traps

Many address scrapers look for any string with an @ sign in it. Running scrapers over a websearch or usenet search will find valid addresses as well as message IDs. Some viruses will also scrape addresses, including message IDs, off machines they infect.

These traps tell the trap owner that the sender is scraping addresses or buying lists from someone who is. These types of addresses are almost never actually input into forms, so they make good “pure spam” traps.

Typo domain traps

These are traps at domains that are very similar to common domains, yaaho.com or ynail.com.

Mail to these traps tells the trap owner that the sender is trying to send mail to real people. Typically, these are not traps that are pure spam and in fact can contain a lot of real mail. Users frequently typo domains when sending mail, particularly if they are not using an address book.

These kinds of traps are often problematic when trying to run a blocklist. One trap driven blocklist told me about one of his typo domains, “I registered [a typo domain recommended by another blocklist], and it gets tons of mail. Unfortunately, it’s not all spam. It’s a firehose of personal correspondence between webmails and ISPs. It turned out to be very hard to separate that from any real spam and as a result, I ended up not using the domain to feed into my blacklist.”

Dead address traps

Dead address traps are once valid email addresses that are turned off. All mail to these addresses is rejected for some period of time, often 12 months or more. After consistently rejecting mail, the addresses are turned back on as spamtraps.

These are the type of traps made famous by Hotmail and are what most people seem to think about when they think spamtraps.  It’s not unreasonable as these are in use at major ISPs. These traps, though, mostly tell the trap owner that the sender has poor practices. Senders that are not purchasing addresses and who are removing bounces should not hit these traps.

There are some problems with dead address traps, though. These were valid addresses at some point, and some old correspondents may try and mail them. One person from a major ISP told me they tried to create these kinds of traps. The ISP spent 18 or so months “conditioning” the traps. First they rejected mail to the traps, then they monitored them, unsubscribing from commercial mail and notifying correspondents that the addresses were dead. Eventually, they abandoned the traps as too noisy to be useful.

Dead domain traps

Trap owners purchase expired domains and collect mail that comes into them. In many cases, these domains are turned off for a period of time, either rejecting mail or not resolving in DNS.
Dead domain traps are similar to dead address traps. Trap owners buy domains that have recently expired and turn them into spamtraps. Responsible trap owners will reject all mail to the domain for a significant period of time, to let real mail fall off.

Like the dead address traps, these traps may be too noisy to be used as a pure spamtrap.

Live traps

These are email addresses belonging to a real user. They are used for real mail, but the owners use the unsolicited mail coming into those addresses to make blocking decisions.

I have a number of these types of addresses. I use the addresses for one to one mail, but never use them to sign up for commercial mail. If I get any commercial mail at all, it’s spam by definition. The usefulness of these traps to drive blocks depends on the integrity of the person running them. There are people who I trust implicitly to only block mail they didn’t sign up for.

Domain registration addresses

Registration addresses are a special case of live traps. These addresses, published in whois records,  are frequently harvested and mailed.
Domain registration addresses are an interesting form of live traps. These addresses are frequently harvested and sold to unsuspecting business owners as “targeted business domains.” But any of us who own domains can tell you that not every domain is a business domain. Even if it is a business domain, mail to the registration address is still spam. All of us who have addresses on domain registrations can tell you that we get a lot of unsolicited, un-targeted crap to those addresses.

Investigative traps

These are email addresses created and submitted to senders. The goal of the trap is not to catch the sender doing anything bad, but to monitor the sender’s traffic. These traps can be used to catch addresses being stolen or sold. Some blocklists will also use these addresses to confirm that a sender is using confirmation on their list.

These are not traps that are necessarily useful for driving blocklists, but they are the sorts of addresses that are useful for monitoring ongoing behaviour of a sender.

Investigative traps can also be used to identify problem vendors. A few years ago I was working with a company doing confirmed co-reg. I signed up to their list with an investigative trap. Before I even received the confirmation message, I started receiving unexpected email to that address. Working with my client, we discovered that one of their vendors was siphoning off email addresses. That address was never confirmed with my customer, but is currently one of my largest spamtrap feeds.

Each kind of spamtrap tells the trap owner that a sender is mailing people who never asked to receive a mail. However, not every piece of mail received at a trap is spam. Not every piece of spam received at a trap is created equal. Each different kind of trap tells you something different about a sender and how they acquire email addresses.

The critical part of using spamtraps to publish blocklists is the integrity and trustworthiness of the trap maintainers. Most every trap out there could, conceivably, be the recipient of legitimate email. Some trap types have a higher probability of receiving legitimate mail than others. It’s highly unlikely someone is going to typo a message ID into a form. But it is quite likely that bob@cox.com might accidentally type bob@cix.com into a form.

Spamtraps are only as useful as their owners are honest.

Related Posts

What is an email address? (part three)

As promised last week, here are some actual recommendations for handling email addresses.
First some things to check when capturing an email address from a user, or when importing a list. These will exclude some legitimate email addresses, but not any that anyone is likely to actually be using. And they’ll allow in some email addresses that are technically not legal, by erring on the side of simple checks. But they’re an awful lot better than many of the existing email address filters.

Read More

Signing up for lists

How many email marketers hand over email addresses whenever asked? Are those of us in the email field more or less likely than the average consumer to sign up for something?
I sign up for a lot of mail, but there are different categories of that mail.
Mail I actually want from a company. Usually these are local companies where I visit their brick and mortar or an online only company that I actively buy from. I read the emails for the content and because I’m interested in the company and their products. I occasionally will actually analyze their headers and think about their sending practices. Usually I’m just interested in the sale they’re offering or the information they’re sharing. These companies get a tagged email address that goes into my main mailbox.
Mail where I’m interested in how the company is using email. Generally these are big, national brands. Sometimes they’ll ask me for an address during an offline transaction, other times I’ll make a purchase from. I’m not really interested in what they’re offering, but it’s good to keep an eye on how email is being used by large companies with expensive ad agencies and marketing departments. I do look at the headers of the mail, check their authentication and look at the format of the emails. These companies also get tagged address that goes right to my main mailbox.
One thing I don’t do is automatically provide email addresses to companies. This annoys some to no end. “We don’t have an email address on file for you. Do you have an email address?” They never ask if I want to give them the address, they just ask if I have one. I expect a lot of people just say, “Yes, it’s laura@example.com” and don’t think for a second this means they are opting in to mail from that company. I also think that some companies train their phone and sales reps to ask this way in order to get email addresses from people without informed consent.
I also do a lot of signups to client lists. This is mail I want as without copies of the email I can’t do the audits they’ve contracted me to do. I have a set of addresses that go to a special account and are automatically tagged with client and signup information so I can sort and filter by client and website and all sorts of fancy things. I spend a lot of time looking at the structure of the email. I look at headers for compliance with standards and to confirm any authentication is set up correctly. I look at the body for similar reasons.
I also sign up for some mail that I don’t really want to receive. For these classes of mail I have disposable addresses. This can be investigating affiliates (or potential affiliates) for clients. This can be for an ESP client who wants one of their customers investigated. Sometimes I can’t believe a website is for real so I sign up just to see what their hook is.
Using different addresses and different filtering schemes helps me keep all these email uses separate and clear. I can tell what category a mail is in just by the address that it was sent to. I can also filter on “To” addresses, meaning that mail I’ve signed up for doesn’t get caught in my spam filters. Complex? Yes. But it keeps me up to date not only on offers from companies I purchase from, but also on what others are doing in the email marketing world.

Read More

Spamtraps

There is a lot of mythology surrounding spamtraps, what they are, what they mean, how they’re used and how they get on lists.
Spamtraps are very simply unused addresses that receive spam. They come from a number of places, but the most common spamtraps can be classified in a few ways.

Read More