A brief guide to spamtraps

A

“I thought spamtraps were addresses harvested off webpages.”

“I thought spamtraps were addresses that were valid and now aren’t.”

“I thought spamtraps were addresses created to catch spammers.”

There is a lot of “I thought…” about spamtraps. Most of the theories are accurate but limited. Like the blind men and the elephant, they catch the parts but not the whole of spamtraps.

When I first started out with email and spam, there was an easy definition of spamtrap. A spamtrap was an address that was never used but still received mail. By definition these addresses were never handed out, advertised or even used by a human. The only mail sent to that address was spam.

As spam filters became more sophisticated, other types of email addresses started being referred to as spam traps. The meaning of spam trap started to evolve into referencing an address that received all, or mostly all, spam.

This means that not all spam traps are created equal. Different kinds of traps tell you different information. This isn’t a problem as long as the people maintaining the traps understand the data they’re gathering. It also means that people dealing with blocking based on traps need to understand what kind of trap caused the block.

I’ve come up with a number of categories of spamtraps. This is not intended to be an exhaustive list. Also, there are overlaps in some categories. But this gives you an idea of the different sorts of traps in widespread use.

Classic spamtraps

Classic spamtraps are email addresses that were never assigned to a user but started receiving email.  In some cases, these are addresses at domains that accept mail to any address. In other cases, the domain owner will look through rejection logs, identify rejected addresses and then enable those addresses.

These traps tell the trap owner that the sender is randomly creating addresses or buying lists from someone who is. These are useful for identifying sources that are sending mail without permission.
There is a subset of classic traps that is the result of actual users submitting addresses they don’t own. Occasionally people sign up at various websites and use email addresses that they don’t own. One example is cute.net. People are constantly signing up for things with addresses at cute.net. But they don’t actually have an address at cute.net. To the domain owner, the mail is total spam and is indistinguishable from spammer created addresses.

Likewise, legitimate users might typo their own address while signing up for mail. Sometimes these typos find another user bob213 instead of bob123, but sometimes they will end up hitting addresses that are currently or will be spamtraps. To the domain owner, this is spam. Depending on the policies of the trap owner, these addresses may or may not trigger blocking.

Seeded traps

Seeded traps are email addresses that are created and seeded in various places online. Typically they are hidden on websites or sometimes dropped into unsubscribe forms.

These traps tell the trap owner that the sender is either scraping addresses or is buying lists from someone who is scraping addresses. These are good for identifying sources that are sending mail without permission, and those who are not honoring unsubscribe requests.

Message-id traps

Many address scrapers look for any string with an @ sign in it. Running scrapers over a websearch or usenet search will find valid addresses as well as message IDs. Some viruses will also scrape addresses, including message IDs, off machines they infect.

These traps tell the trap owner that the sender is scraping addresses or buying lists from someone who is. These types of addresses are almost never actually input into forms, so they make good “pure spam” traps.

Typo domain traps

These are traps at domains that are very similar to common domains, yaaho.com or ynail.com.

Mail to these traps tells the trap owner that the sender is trying to send mail to real people. Typically, these are not traps that are pure spam and in fact can contain a lot of real mail. Users frequently typo domains when sending mail, particularly if they are not using an address book.

These kinds of traps are often problematic when trying to run a blocklist. One trap driven blocklist told me about one of his typo domains, “I registered [a typo domain recommended by another blocklist], and it gets tons of mail. Unfortunately, it’s not all spam. It’s a firehose of personal correspondence between webmails and ISPs. It turned out to be very hard to separate that from any real spam and as a result, I ended up not using the domain to feed into my blacklist.”

Dead address traps

Dead address traps are once valid email addresses that are turned off. All mail to these addresses is rejected for some period of time, often 12 months or more. After consistently rejecting mail, the addresses are turned back on as spamtraps.

These are the type of traps made famous by Hotmail and are what most people seem to think about when they think spamtraps.  It’s not unreasonable as these are in use at major ISPs. These traps, though, mostly tell the trap owner that the sender has poor practices. Senders that are not purchasing addresses and who are removing bounces should not hit these traps.

There are some problems with dead address traps, though. These were valid addresses at some point, and some old correspondents may try and mail them. One person from a major ISP told me they tried to create these kinds of traps. The ISP spent 18 or so months “conditioning” the traps. First they rejected mail to the traps, then they monitored them, unsubscribing from commercial mail and notifying correspondents that the addresses were dead. Eventually, they abandoned the traps as too noisy to be useful.

Dead domain traps

Trap owners purchase expired domains and collect mail that comes into them. In many cases, these domains are turned off for a period of time, either rejecting mail or not resolving in DNS.
Dead domain traps are similar to dead address traps. Trap owners buy domains that have recently expired and turn them into spamtraps. Responsible trap owners will reject all mail to the domain for a significant period of time, to let real mail fall off.

Like the dead address traps, these traps may be too noisy to be used as a pure spamtrap.

Live traps

These are email addresses belonging to a real user. They are used for real mail, but the owners use the unsolicited mail coming into those addresses to make blocking decisions.

I have a number of these types of addresses. I use the addresses for one to one mail, but never use them to sign up for commercial mail. If I get any commercial mail at all, it’s spam by definition. The usefulness of these traps to drive blocks depends on the integrity of the person running them. There are people who I trust implicitly to only block mail they didn’t sign up for.

Domain registration addresses

Registration addresses are a special case of live traps. These addresses, published in whois records,  are frequently harvested and mailed.
Domain registration addresses are an interesting form of live traps. These addresses are frequently harvested and sold to unsuspecting business owners as “targeted business domains.” But any of us who own domains can tell you that not every domain is a business domain. Even if it is a business domain, mail to the registration address is still spam. All of us who have addresses on domain registrations can tell you that we get a lot of unsolicited, un-targeted crap to those addresses.

Investigative traps

These are email addresses created and submitted to senders. The goal of the trap is not to catch the sender doing anything bad, but to monitor the sender’s traffic. These traps can be used to catch addresses being stolen or sold. Some blocklists will also use these addresses to confirm that a sender is using confirmation on their list.

These are not traps that are necessarily useful for driving blocklists, but they are the sorts of addresses that are useful for monitoring ongoing behaviour of a sender.

Investigative traps can also be used to identify problem vendors. A few years ago I was working with a company doing confirmed co-reg. I signed up to their list with an investigative trap. Before I even received the confirmation message, I started receiving unexpected email to that address. Working with my client, we discovered that one of their vendors was siphoning off email addresses. That address was never confirmed with my customer, but is currently one of my largest spamtrap feeds.

Each kind of spamtrap tells the trap owner that a sender is mailing people who never asked to receive a mail. However, not every piece of mail received at a trap is spam. Not every piece of spam received at a trap is created equal. Each different kind of trap tells you something different about a sender and how they acquire email addresses.

The critical part of using spamtraps to publish blocklists is the integrity and trustworthiness of the trap maintainers. Most every trap out there could, conceivably, be the recipient of legitimate email. Some trap types have a higher probability of receiving legitimate mail than others. It’s highly unlikely someone is going to typo a message ID into a form. But it is quite likely that bob@cox.com might accidentally type bob@cix.com into a form.

Spamtraps are only as useful as their owners are honest.

About the author

18 comments

Leave a Reply to laura

This site uses Akismet to reduce spam. Learn how your comment data is processed.

  • The most complete breakdown on spam traps I’ve seen, nice. What is your view on the relative importance of each type? As you report ‘Typo domain traps’ are not reliable and thefore not used.
    For each different type of trap, how widespread are they and how impactful?

  • Actually, typo traps are in quite wide use. Most of the people using them generally understand the limitations of typo traps. Because of the policies and processes around the listings, many of the lists driven off typo traps are quite good. This isn’t always the case, but I know a number of blocklists driven in part by typo traps that produce good, clean data.

  • I see typo traps unsuitable for “one hit and you’re listed” blacklists, but probably very useful in broader reputation systems. Stack rank hits against other activity or other reputational measures, and it’s much more accurate. From my own spamtrap testing, I find that typo domains catch a ton of misdirected personal mail from webmails you’ve never heard of.

  • I work for an ESP that has recently come under fire from MAPS and I really wish they would learn something from your post. From what I can tell they use almost all types of traps you’ve got listed above and no matter what type you hit, you are a spammer and must reconfirm your entire list (even typo domains).

  • The investigative traps is pretty interesting. I only send emails to addresses that are confirmed by double opt-in just so I know that I’m reducing my complaints and keeping the integrity of my list high.
    Occasionally I get bots auto-filling my website forms and the confirmation email goes to either a blocked, undeliverable, or bouncing address.
    I’ve always guessed that there were investigative traps out there, but I wasn’t sure.
    Thanks for the new knowledge. Great info as always Laura.

  • I love that this article covers the full spectrum. I go just a hair off subject, but old-school harvester traps are still working quite well.
    I provide MX entries to Project Honeypot for their advanced email traps, in addition I put a number of harvesting traps on my sites that get very good results.PH actually takes into account how many times a particular ip is noticed in having hit a link that humans can’t see. After so many hits the ip is listed and documented. PH also keeps a pretty decent database and many many web admins report their suspicious ip’s there for everyone to look up.
    If everyone with a website actually took the time to drop a trap in their header, we’d knock out a very significant number of problem machines/harvesters, and thereby reduce the spam.

  • What do you recommend doing to avoid hitting spam traps when sending confirmation of consent emails?
    This appears to be a catch 22 situation. Confirming consent is the most recommended method to ensure email is only sent to those that request it. However, I have seen senders get blacklisted for sending confirmation email. And what is worse is that these are transactional emails sent after sign up or website subscription. What to do?

  • Is it possible to harness spam traps for “sabotage” purposes? For instance, can a user deliberately set up several email accounts that only serve as spam traps for the purpose of hurting a particular sender’s IP reputation? Our deliverability issues seem to indicate this as a possibility.

  • @Phil. to be harmed, is to be blacklisted, and to blacklist requires the cooperation of a blacklist operator. (you could set up your own list, but if the list is not used, no harm is done)
    If you know some spamtrap addresses you could use them on the signup form, provoking the signup form to email the spamtrap.
    Or you could change your accoiunt email after sign-up. – this is a reason why email address changes should be double-opt-in.
    One of these may be what happened to you.

By laura

Recent Posts

Archives

Follow Us