A brief guide to spamtraps
“I thought spamtraps were addresses harvested off webpages.”
“I thought spamtraps were addresses that were valid and now aren’t.”
“I thought spamtraps were addresses created to catch spammers.”
There is a lot of “I thought…” about spamtraps. Most of the theories are accurate but limited. Like the blind men and the elephant, they catch the parts but not the whole of spamtraps.
When I first started out with email and spam, there was an easy definition of spamtrap. A spamtrap was an address that was never used but still received mail. By definition these addresses were never handed out, advertised or even used by a human. The only mail sent to that address was spam.
As spam filters became more sophisticated, other types of email addresses started being referred to as spam traps. The meaning of spam trap started to evolve into referencing an address that received all, or mostly all, spam.
This means that not all spam traps are created equal. Different kinds of traps tell you different information. This isn’t a problem as long as the people maintaining the traps understand the data they’re gathering. It also means that people dealing with blocking based on traps need to understand what kind of trap caused the block.
I’ve come up with a number of categories of spamtraps. This is not intended to be an exhaustive list. Also, there are overlaps in some categories. But this gives you an idea of the different sorts of traps in widespread use.
Classic spamtraps are email addresses that were never assigned to a user but started receiving email. In some cases, these are addresses at domains that accept mail to any address. In other cases, the domain owner will look through rejection logs, identify rejected addresses and then enable those addresses.
These traps tell the trap owner that the sender is randomly creating addresses or buying lists from someone who is. These are useful for identifying sources that are sending mail without permission.
There is a subset of classic traps that is the result of actual users submitting addresses they don’t own. Occasionally people sign up at various websites and use email addresses that they don’t own. One example is cute.net. People are constantly signing up for things with addresses at cute.net. But they don’t actually have an address at cute.net. To the domain owner, the mail is total spam and is indistinguishable from spammer created addresses.
Likewise, legitimate users might typo their own address while signing up for mail. Sometimes these typos find another user bob213 instead of bob123, but sometimes they will end up hitting addresses that are currently or will be spamtraps. To the domain owner, this is spam. Depending on the policies of the trap owner, these addresses may or may not trigger blocking.
Seeded traps are email addresses that are created and seeded in various places online. Typically they are hidden on websites or sometimes dropped into unsubscribe forms.
These traps tell the trap owner that the sender is either scraping addresses or is buying lists from someone who is scraping addresses. These are good for identifying sources that are sending mail without permission, and those who are not honoring unsubscribe requests.
Many address scrapers look for any string with an @ sign in it. Running scrapers over a websearch or usenet search will find valid addresses as well as message IDs. Some viruses will also scrape addresses, including message IDs, off machines they infect.
These traps tell the trap owner that the sender is scraping addresses or buying lists from someone who is. These types of addresses are almost never actually input into forms, so they make good “pure spam” traps.
Typo domain traps
These are traps at domains that are very similar to common domains, yaaho.com or ynail.com.
Mail to these traps tells the trap owner that the sender is trying to send mail to real people. Typically, these are not traps that are pure spam and in fact can contain a lot of real mail. Users frequently typo domains when sending mail, particularly if they are not using an address book.
These kinds of traps are often problematic when trying to run a blocklist. One trap driven blocklist told me about one of his typo domains, “I registered [a typo domain recommended by another blocklist], and it gets tons of mail. Unfortunately, it’s not all spam. It’s a firehose of personal correspondence between webmails and ISPs. It turned out to be very hard to separate that from any real spam and as a result, I ended up not using the domain to feed into my blacklist.”
Dead address traps
Dead address traps are once valid email addresses that are turned off. All mail to these addresses is rejected for some period of time, often 12 months or more. After consistently rejecting mail, the addresses are turned back on as spamtraps.
These are the type of traps made famous by Hotmail and are what most people seem to think about when they think spamtraps. It’s not unreasonable as these are in use at major ISPs. These traps, though, mostly tell the trap owner that the sender has poor practices. Senders that are not purchasing addresses and who are removing bounces should not hit these traps.
There are some problems with dead address traps, though. These were valid addresses at some point, and some old correspondents may try and mail them. One person from a major ISP told me they tried to create these kinds of traps. The ISP spent 18 or so months “conditioning” the traps. First they rejected mail to the traps, then they monitored them, unsubscribing from commercial mail and notifying correspondents that the addresses were dead. Eventually, they abandoned the traps as too noisy to be useful.
Dead domain traps
Trap owners purchase expired domains and collect mail that comes into them. In many cases, these domains are turned off for a period of time, either rejecting mail or not resolving in DNS.
Dead domain traps are similar to dead address traps. Trap owners buy domains that have recently expired and turn them into spamtraps. Responsible trap owners will reject all mail to the domain for a significant period of time, to let real mail fall off.
Like the dead address traps, these traps may be too noisy to be used as a pure spamtrap.
These are email addresses belonging to a real user. They are used for real mail, but the owners use the unsolicited mail coming into those addresses to make blocking decisions.
I have a number of these types of addresses. I use the addresses for one to one mail, but never use them to sign up for commercial mail. If I get any commercial mail at all, it’s spam by definition. The usefulness of these traps to drive blocks depends on the integrity of the person running them. There are people who I trust implicitly to only block mail they didn’t sign up for.
Domain registration addresses
Registration addresses are a special case of live traps. These addresses, published in whois records, are frequently harvested and mailed.
Domain registration addresses are an interesting form of live traps. These addresses are frequently harvested and sold to unsuspecting business owners as “targeted business domains.” But any of us who own domains can tell you that not every domain is a business domain. Even if it is a business domain, mail to the registration address is still spam. All of us who have addresses on domain registrations can tell you that we get a lot of unsolicited, un-targeted crap to those addresses.
These are email addresses created and submitted to senders. The goal of the trap is not to catch the sender doing anything bad, but to monitor the sender’s traffic. These traps can be used to catch addresses being stolen or sold. Some blocklists will also use these addresses to confirm that a sender is using confirmation on their list.
These are not traps that are necessarily useful for driving blocklists, but they are the sorts of addresses that are useful for monitoring ongoing behaviour of a sender.
Investigative traps can also be used to identify problem vendors. A few years ago I was working with a company doing confirmed co-reg. I signed up to their list with an investigative trap. Before I even received the confirmation message, I started receiving unexpected email to that address. Working with my client, we discovered that one of their vendors was siphoning off email addresses. That address was never confirmed with my customer, but is currently one of my largest spamtrap feeds.
Each kind of spamtrap tells the trap owner that a sender is mailing people who never asked to receive a mail. However, not every piece of mail received at a trap is spam. Not every piece of spam received at a trap is created equal. Each different kind of trap tells you something different about a sender and how they acquire email addresses.
The critical part of using spamtraps to publish blocklists is the integrity and trustworthiness of the trap maintainers. Most every trap out there could, conceivably, be the recipient of legitimate email. Some trap types have a higher probability of receiving legitimate mail than others. It’s highly unlikely someone is going to typo a message ID into a form. But it is quite likely that email@example.com might accidentally type firstname.lastname@example.org into a form.
Spamtraps are only as useful as their owners are honest.