A brief guide to spamtraps

“I thought spamtraps were addresses harvested off webpages.”

“I thought spamtraps were addresses that were valid and now aren’t.”

“I thought spamtraps were addresses created to catch spammers.”

There is a lot of “I thought…” about spamtraps. Most of the theories are accurate but limited. Like the blind men and the elephant, they catch the parts but not the whole of spamtraps.

When I first started out with email and spam, there was an easy definition of spamtrap. A spamtrap was an address that was never used but still received mail. By definition these addresses were never handed out, advertised or even used by a human. The only mail sent to that address was spam.

As spam filters became more sophisticated, other types of email addresses started being referred to as spam traps. The meaning of spam trap started to evolve into referencing an address that received all, or mostly all, spam.

This means that not all spam traps are created equal. Different kinds of traps tell you different information. This isn’t a problem as long as the people maintaining the traps understand the data they’re gathering. It also means that people dealing with blocking based on traps need to understand what kind of trap caused the block.

I’ve come up with a number of categories of spamtraps. This is not intended to be an exhaustive list. Also, there are overlaps in some categories. But this gives you an idea of the different sorts of traps in widespread use.

Classic spamtraps

Classic spamtraps are email addresses that were never assigned to a user but started receiving email. In some cases, these are addresses at domains that accept mail to any address. In other cases, the domain owner will look through rejection logs, identify rejected addresses and then enable those addresses.

These traps tell the trap owner that the sender is randomly creating addresses or buying lists from someone who is. These are useful for identifying sources that are sending mail without permission.

There is a subset of classic traps that is the result of actual users submitting addresses they don’t own. Occasionally people sign up at various websites and use email addresses that they don’t own. One example is cute.net. People are constantly signing up for things with addresses at cute.net. But they don’t actually have an address at cute.net. To the domain owner, the mail is total spam and is indistinguishable from spammer created addresses.

Likewise, legitimate users might typo their own address while signing up for mail. Sometimes these typos land on another real user (bob213 instead of bob123), but sometimes they will end up hitting addresses that are currently or will be spamtraps. To the domain owner, this is spam. Depending on the policies of the trap owner, these addresses may or may not trigger blocking.
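As an added example (this is not code from the original post), here is a Python script that does the rejection-log mining described above: it reads constructed Postfix-style "User unknown" rejection lines, counts how many times each nonexistent recipient was hit and from how many distinct client IPs, and proposes addresses as classic-trap candidates. It sets aside rejected recipients that sit one keystroke or one transposition away from a real mailbox (the bob213/bob123 case), since those are user typos rather than invented addresses. The log lines, the example.net domain, the valid-user list and the thresholds are all assumptions.

```python
import re
from collections import defaultdict

# Constructed rejection log lines in a Postfix-like format (not real logs).
SAMPLE_LOG = """\
Mar  3 10:15:22 mx postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 550 5.1.1 <qz7f@example.net>: Recipient address rejected: User unknown; from=<deals@bulk.invalid> to=<qz7f@example.net>
Mar  4 11:02:09 mx postfix/smtpd[2188]: NOQUEUE: reject: RCPT from unknown[198.51.100.77]: 550 5.1.1 <qz7f@example.net>: Recipient address rejected: User unknown; from=<offer@bulk2.invalid> to=<qz7f@example.net>
Mar  6 08:41:51 mx postfix/smtpd[2301]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <qz7f@example.net>: Recipient address rejected: User unknown; from=<promo@bulk3.invalid> to=<qz7f@example.net>
Mar  6 09:00:00 mx postfix/smtpd[2302]: NOQUEUE: reject: RCPT from mail.friend.invalid[192.0.2.44]: 550 5.1.1 <bob213@example.net>: Recipient address rejected: User unknown; from=<alice@friend.invalid> to=<bob213@example.net>
Mar  7 09:13:37 mx postfix/smtpd[2350]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 550 5.1.1 <x9k2m@example.net>: Recipient address rejected: User unknown; from=<deals@bulk.invalid> to=<x9k2m@example.net>
Mar  7 09:13:38 mx postfix/smtpd[2350]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 550 5.1.1 <x9k2m@example.net>: Recipient address rejected: User unknown; from=<deals@bulk.invalid> to=<x9k2m@example.net>
"""

# Real mailboxes at the trap domain (constructed); used to recognise typo'd recipients.
VALID_USERS = {"bob123", "alice", "postmaster"}

# Pull the connecting client IP and the rejected recipient out of one log line.
REJECT_RE = re.compile(
    r"RCPT from \S+\[(?P<ip>[0-9a-fA-F.:]+)\].*?to=<(?P<to>[^>]+)>"
)


def osa_distance(a, b):
    """Optimal-string-alignment edit distance: insert, delete, substitute,
    or swap two adjacent characters each cost 1, so bob213 vs bob123 is 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def parse_rejections(log_text):
    """Yield (client_ip, recipient) for every rejection line that matches."""
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if m:
            yield m.group("ip"), m.group("to").lower()


def find_trap_candidates(log_text, valid_users, min_hits=3, min_sources=2):
    """Summarise each rejected recipient and mark it as a trap candidate when
    it was hit often enough, from enough distinct sources, and is not a
    near-miss of a real mailbox."""
    hits = defaultdict(list)
    for ip, rcpt in parse_rejections(log_text):
        hits[rcpt].append(ip)
    summary = {}
    for rcpt, ips in hits.items():
        local = rcpt.split("@", 1)[0]
        typo_of = next((u for u in valid_users if osa_distance(local, u) <= 1), None)
        sources = len(set(ips))
        summary[rcpt] = {
            "hits": len(ips),
            "sources": sources,
            "typo_of": typo_of,
            "candidate": len(ips) >= min_hits and sources >= min_sources and typo_of is None,
        }
    return summary


def trap_candidates(log_text, valid_users):
    """Just the addresses worth enabling as classic traps, sorted."""
    return sorted(a for a, s in find_trap_candidates(log_text, valid_users).items() if s["candidate"])


if __name__ == "__main__":
    for addr, info in find_trap_candidates(SAMPLE_LOG, VALID_USERS).items():
        print(addr, info)
    print("candidates:", trap_candidates(SAMPLE_LOG, VALID_USERS))
```

The thresholds are deliberately conservative: an address hit twice from one IP (x9k2m above) is not yet a candidate, and a near-miss of a real user is reported with the mailbox it resembles so the trap owner can decide whether to treat it as a typo rather than enable it.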

Seeded traps

Seeded traps are email addresses that are created and seeded in various places online. Typically they are hidden on websites or sometimes dropped into unsubscribe forms.

These traps tell the trap owner that the sender is either scraping addresses or is buying lists from someone who is scraping addresses. These are good for identifying sources that are sending mail without permission, and those who are not honoring unsubscribe requests.

Message-id traps

Many address scrapers look for any string with an @ sign in it. Running scrapers over a web search or Usenet search will find valid addresses as well as message IDs. Some viruses will also scrape addresses, including message IDs, off machines they infect.

These traps tell the trap owner that the sender is scraping addresses or buying lists from someone who is. These types of addresses are almost never actually input into forms, so they make good “pure spam” traps.

Typo domain traps

These are traps at domains that are very similar to common domains, such as yaaho.com or ynail.com.

Mail to these traps tells the trap owner that the sender is trying to send mail to real people. Typically, these are not traps that are pure spam and in fact can contain a lot of real mail. Users frequently typo domains when sending mail, particularly if they are not using an address book.

These kinds of traps are often problematic when trying to run a blocklist. One trap-driven blocklist operator told me about one of his typo domains: “I registered [a typo domain recommended by another blocklist], and it gets tons of mail. Unfortunately, it’s not all spam. It’s a firehose of personal correspondence between webmails and ISPs. It turned out to be very hard to separate that from any real spam and as a result, I ended up not using the domain to feed into my blacklist.”

Dead address traps

Dead address traps are once valid email addresses that are turned off. All mail to these addresses is rejected for some period of time, often 12 months or more. After consistently rejecting mail, the addresses are turned back on as spamtraps.

These are the type of traps made famous by Hotmail and are what most people seem to think about when they think spamtraps. It’s not unreasonable as these are in use at major ISPs. These traps, though, mostly tell the trap owner that the sender has poor practices. Senders that are not purchasing addresses and who are removing bounces should not hit these traps.

There are some problems with dead address traps, though. These were valid addresses at some point, and some old correspondents may try and mail them. One person from a major ISP told me they tried to create these kinds of traps. The ISP spent 18 or so months “conditioning” the traps. First they rejected mail to the traps, then they monitored them, unsubscribing from commercial mail and notifying correspondents that the addresses were dead. Eventually, they abandoned the traps as too noisy to be useful.

Dead domain traps

Dead domain traps are similar to dead address traps. Trap owners buy domains that have recently expired and collect the mail that comes into them. In many cases, these domains are turned off for a period of time, either rejecting mail or not resolving in DNS. Responsible trap owners will reject all mail to the domain for a significant period of time, to let real mail fall off, before turning it into a spamtrap.

Like the dead address traps, these traps may be too noisy to be used as a pure spamtrap.

Live traps

These are email addresses belonging to a real user. They are used for real mail, but the owners use the unsolicited mail coming into those addresses to make blocking decisions.

I have a number of these types of addresses. I use the addresses for one to one mail, but never use them to sign up for commercial mail. If I get any commercial mail at all, it’s spam by definition. The usefulness of these traps to drive blocks depends on the integrity of the person running them. There are people who I trust implicitly to only block mail they didn’t sign up for.

Domain registration addresses

Domain registration addresses are a special case of live traps. These addresses, published in whois records, are frequently harvested and sold to unsuspecting business owners as “targeted business domains.” But any of us who own domains can tell you that not every domain is a business domain. Even if it is a business domain, mail to the registration address is still spam. All of us who have addresses on domain registrations can tell you that we get a lot of unsolicited, un-targeted crap to those addresses.

Investigative traps

These are email addresses created and submitted to senders. The goal of the trap is not to catch the sender doing anything bad, but to monitor the sender’s traffic. These traps can be used to catch addresses being stolen or sold. Some blocklists will also use these addresses to confirm that a sender is using confirmation on their list.

These are not traps that are necessarily useful for driving blocklists, but they are the sorts of addresses that are useful for monitoring ongoing behaviour of a sender.

Investigative traps can also be used to identify problem vendors. A few years ago I was working with a company doing confirmed co-registration (co-reg). I signed up to their list with an investigative trap. Before I even received the confirmation message, I started receiving unexpected email to that address. Working with my client, we discovered that one of their vendors was siphoning off email addresses. That address was never confirmed with my customer, but is currently one of my largest spamtrap feeds.
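The monitoring this section describes, and the tagged-address bookkeeping mentioned in the related posts below, can be automated. As an added example that is not part of the original post, the Python below keeps a registry of which plus-tagged address was handed to which vendor and which sending domains that vendor is expected to use, then classifies incoming mail by the tag in the To: header. Mail from an unexpected sender to a vendor’s tag is reported as a suspected leak, and vendor mail arriving at an address that was never confirmed is flagged for review (the co-reg case above). The registry, the sample messages, and all vendor names and domains are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed registry of investigative (plus-tagged) addresses: which vendor
# each tag was given to, the sending domains that vendor is expected to use,
# and whether the subscription was ever confirmed. All names are hypothetical.
TRAP_REGISTRY = {
    "shop-a": {"vendor": "Shop A",
               "sender_domains": {"shop-a.invalid", "esp-for-a.invalid"},
               "confirmed": True},
    "coreg-x": {"vendor": "CoReg X",
                "sender_domains": {"coreg-x.invalid"},
                "confirmed": False},
}

# Constructed raw messages; only the headers matter for classification.
SAMPLE_MESSAGES = [
    "From: Shop A <news@shop-a.invalid>\nTo: Laura <laura+shop-a@example.com>\nSubject: Weekly sale\n\nbody\n",
    "From: deals@randomoffers.invalid\nTo: laura+shop-a@example.com\nSubject: You won\n\nbody\n",
    "From: confirm@coreg-x.invalid\nTo: laura+coreg-x@example.com\nSubject: Please confirm\n\nbody\n",
    "From: promo@unrelated.invalid\nTo: laura+coreg-x@example.com\nSubject: Great offer\n\nbody\n",
    "From: someone@anywhere.invalid\nTo: laura@example.com\nSubject: hi\n\nbody\n",
]

# local+tag@domain -> captures "tag"
TAG_RE = re.compile(r"^[^+@]+\+([^@]+)@")


def tag_of(address):
    """Return the +tag of a plus-addressed recipient (lower-cased), or None."""
    m = TAG_RE.match(address.lower())
    return m.group(1) if m else None


def sender_domain(address):
    return address.rsplit("@", 1)[-1].lower()


def classify(raw_message, registry=TRAP_REGISTRY):
    """Decide whether one message is expected vendor mail, vendor mail to an
    unconfirmed address, a suspected leak, or mail to an untagged address."""
    msg = message_from_string(raw_message)
    _, to_addr = parseaddr(msg.get("To", ""))
    _, from_addr = parseaddr(msg.get("From", ""))
    tag = tag_of(to_addr)
    finding = {"to": to_addr, "from": from_addr, "tag": tag}
    if tag is None or tag not in registry:
        finding["verdict"] = "no-trap-tag"
        return finding
    entry = registry[tag]
    finding["vendor"] = entry["vendor"]
    if sender_domain(from_addr) not in entry["sender_domains"]:
        # The address was given to exactly one vendor; anyone else mailing it
        # got it from that vendor, or from someone who got it from them.
        finding["verdict"] = "leak-suspected"
    elif not entry["confirmed"]:
        # Could be the confirmation request itself, or bulk mail sent without
        # confirmation; a human decides which.
        finding["verdict"] = "vendor-mail-unconfirmed"
    else:
        finding["verdict"] = "expected"
    return finding


def leaks(messages, registry=TRAP_REGISTRY):
    """Map each vendor to the set of foreign sender domains hitting its address."""
    out = {}
    for finding in (classify(m, registry) for m in messages):
        if finding["verdict"] == "leak-suspected":
            out.setdefault(finding["vendor"], set()).add(sender_domain(finding["from"]))
    return out


if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        f = classify(m)
        print(f["verdict"], f["to"], "<-", f["from"])
    print("suspected leaks:", leaks(SAMPLE_MESSAGES))
```

The useful output is the per-vendor list of foreign senders: one unexpected sender might be a forwarding mistake, but several different domains mailing an address that was only ever given to one vendor is the pattern behind the story above.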

Each kind of spamtrap tells the trap owner that a sender is mailing people who never asked to receive a mail. However, not every piece of mail received at a trap is spam. Not every piece of spam received at a trap is created equal. Each different kind of trap tells you something different about a sender and how they acquire email addresses.

The critical part of using spamtraps to publish blocklists is the integrity and trustworthiness of the trap maintainers. Almost every trap out there could, conceivably, be the recipient of legitimate email. Some trap types have a higher probability of receiving legitimate mail than others. It’s highly unlikely someone is going to typo a message ID into a form. But it is quite likely that bob@cox.com might accidentally type bob@cix.com into a form.

Spamtraps are only as useful as their owners are honest.

Related Posts

Signing up for lists

How many email marketers hand over email addresses whenever asked? Are those of us in the email field more or less likely than the average consumer to sign up for something?

I sign up for a lot of mail, but there are different categories of that mail.

Mail I actually want from a company. Usually these are local companies where I visit their brick and mortar or an online only company that I actively buy from. I read the emails for the content and because I’m interested in the company and their products. I occasionally will actually analyze their headers and think about their sending practices. Usually I’m just interested in the sale they’re offering or the information they’re sharing. These companies get a tagged email address that goes into my main mailbox.

Mail where I’m interested in how the company is using email. Generally these are big, national brands. Sometimes they’ll ask me for an address during an offline transaction, other times I’ll make a purchase from them. I’m not really interested in what they’re offering, but it’s good to keep an eye on how email is being used by large companies with expensive ad agencies and marketing departments. I do look at the headers of the mail, check their authentication and look at the format of the emails. These companies also get a tagged address that goes right to my main mailbox.

One thing I don’t do is automatically provide email addresses to companies. This annoys some to no end. “We don’t have an email address on file for you. Do you have an email address?” They never ask if I want to give them the address, they just ask if I have one. I expect a lot of people just say, “Yes, it’s laura@example.com” and don’t think for a second this means they are opting in to mail from that company. I also think that some companies train their phone and sales reps to ask this way in order to get email addresses from people without informed consent.

I also do a lot of signups to client lists. This is mail I want, as without copies of the email I can’t do the audits they’ve contracted me to do. I have a set of addresses that go to a special account and are automatically tagged with client and signup information so I can sort and filter by client and website and all sorts of fancy things. I spend a lot of time looking at the structure of the email. I look at headers for compliance with standards and to confirm any authentication is set up correctly. I look at the body for similar reasons.

I also sign up for some mail that I don’t really want to receive. For these classes of mail I have disposable addresses. This can be investigating affiliates (or potential affiliates) for clients. This can be for an ESP client who wants one of their customers investigated. Sometimes I can’t believe a website is for real so I sign up just to see what their hook is.

Using different addresses and different filtering schemes helps me keep all these email uses separate and clear. I can tell what category a mail is in just by the address that it was sent to. I can also filter on “To” addresses, meaning that mail I’ve signed up for doesn’t get caught in my spam filters. Complex? Yes. But it keeps me up to date not only on offers from companies I purchase from, but also on what others are doing in the email marketing world.


Privacy policies in court

Venkat has an analysis of a case where an individual provided a unique address to a vendor and that vendor released the address in violation of the posted privacy policy. The federal court rejected the suit due to the failure of the plaintiff to provide evidence of harm.

I posted last week about privacy policies and how often they are intentionally or unintentionally violated and when email addresses leak. Courts have consistently ruled against plaintiffs. It seems that the courts believe merely revealing information, even in contradiction to a posted privacy policy, is not actionable by the plaintiff.

As a consumer, I really don’t like the ruling. If a company is going to post a privacy policy, then they should follow it, and if they don’t, I should be able to hold them responsible for their lies. Back in the land of reality, I am not surprised at the rulings. Individuals have never owned their personal information; it is the property of the people who compile and sell data.

It does mean, however, that privacy policies are not worth the paper they’re written on.


Protecting customer data

There have been a number of reports recently about customer lists leaking out through ESPs. In one case, the ESP attributed the leak to an outside hack. In other cases, the ESPs and companies involved have kept the information very quiet and not told anyone that data was leaked. People do notice, though, when they use single use addresses or tagged addresses and know to whom each address was submitted. Data security is not something that can be glossed over and ignored.

Most of the cases I am aware of have actually been inside jobs. Data has been stolen either by employees or by subcontractors that had access to it and then sold to spammers. There are steps that companies can take to prevent leaks and identify the source when or if they do happen.
