Farsight Long View

Demystifying Spamtraps

Written by: Kelly Molloy
Published on: Jun 3, 2015

Abstract

In security and spamblocking circles, you often hear vendors and their researchers talk about mysterious and very confidential spamtrap data. In this article, I will provide a brief introduction to what a spamtrap really is, how a spamtrap is created or maintained, and how spamtrap data can be used.

Introduction

A spamtrap is very simple. It is an email address or domain that exists solely to receive spam. The address generally has never been assigned to an actual user, or the address has bounced mail or been unreachable for a significant period of time before being put into use as a trap. The address exists for no reason except to receive spam.

Creating a Spamtrap

One can find or create spamtrap addresses in a variety of ways:

  • The most common type of spamtrap is a dictionary attack trap: a spammer tries to deliver mail to addresses at a domain that belong to no existing user. Those potential traps are simple to find by searching for “no such user” errors in your logs. It is wise to disqualify addresses that are similar to known users at a domain (for example, I would accept mail for both “kelly@” and “kelley@” as well as several other variant spellings).
  • Another good source of spamtraps is a domain that was registered but never used for email. Adding an MX record and seeing what mail results can be useful and interesting. Simply accept and save all mail. It will quickly become apparent if there is ham in the trap; you can then discard all mail to the user names that receive ham.
  • Deliberately creating an email address and exposing it publicly to “seed” it also works well. Addresses that are hidden in HTML, either in web pages or in email, will get non-trivial amounts of spam over time. Hide a non-visible spamtrap address in your HTML email. Malware infections will harvest those addresses from the recipient’s inbox and the address will receive spam until the heat death of the universe.

In general, it is a poor practice to use role accounts (“postmaster@”, “abuse@”, “hostmaster@”, and variations thereof) as spamtraps. Those addresses and other role accounts are required to be deliverable by RFC and may contain real, one-to-one mail. Running a spamtrap does not preclude being a good Internet citizen.
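The dictionary-attack bullet above says to mine your logs for “no such user” rejections and then set aside anything that resembles a real mailbox or a role account. The script below is an added example of that filtering step; it is not Farsight’s code. The log lines are constructed in a Postfix-like format, and `KNOWN_USERS`, `ROLE_ACCOUNTS` and the edit-distance threshold of 2 are placeholder choices you would replace with your own site’s data.

```python
"""Mine a mail log for dictionary-attack spamtrap candidates.

Added example, not Farsight code. SAMPLE_LOG is constructed in a
Postfix-style format; KNOWN_USERS and ROLE_ACCOUNTS are placeholders.
"""
import re

# Recipient of a rejected RCPT command, as Postfix logs it: to=<addr>
RCPT_RE = re.compile(r"\bto=<(?P<addr>[^>]+)>")
# Phrases that mark a "no such user" rejection; extend for your MTA's wording.
UNKNOWN_MARKERS = ("user unknown", "no such user", "unknown user")

KNOWN_USERS = {"kelly", "bob", "alice"}                # assumed real mailboxes
ROLE_ACCOUNTS = {"postmaster", "abuse", "hostmaster"}  # must stay deliverable

# Constructed sample: two rejected dictionary probes, one near-miss of a real
# user, one role account, one other domain, and one greylisting line.
SAMPLE_LOG = [
    "Jun  3 10:14:22 mx postfix/smtpd[2141]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <kelley@example.net>: Recipient address rejected: User unknown in local recipient table; from=<promo@example.com> to=<kelley@example.net> proto=ESMTP helo=<mail.example.com>",
    "Jun  3 10:14:23 mx postfix/smtpd[2141]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <abuse@example.net>: Recipient address rejected: User unknown in local recipient table; from=<promo@example.com> to=<abuse@example.net> proto=ESMTP helo=<mail.example.com>",
    "Jun  3 10:14:24 mx postfix/smtpd[2141]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <qx7m2@example.net>: Recipient address rejected: User unknown in local recipient table; from=<promo@example.com> to=<qx7m2@example.net> proto=ESMTP helo=<mail.example.com>",
    "Jun  3 11:02:09 mx postfix/smtpd[2190]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 550 5.1.1 <qx7m2@example.net>: Recipient address rejected: User unknown in local recipient table; from=<deals@example.com> to=<qx7m2@example.net> proto=ESMTP helo=<relay.example.com>",
    "Jun  3 11:02:10 mx postfix/smtpd[2190]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 550 5.1.1 <marketing@example.net>: Recipient address rejected: User unknown in local recipient table; from=<deals@example.com> to=<marketing@example.net> proto=ESMTP helo=<relay.example.com>",
    "Jun  3 11:02:11 mx postfix/smtpd[2190]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 550 5.1.1 <kelly@example.org>: Recipient address rejected: User unknown in local recipient table; from=<deals@example.com> to=<kelly@example.org> proto=ESMTP helo=<relay.example.com>",
    "Jun  3 11:30:45 mx postfix/smtpd[2203]: NOQUEUE: reject: RCPT from mail.example.com[203.0.113.5]: 450 4.7.1 <bob@example.net>: Recipient address rejected: Greylisted; from=<alice@example.com> to=<bob@example.net> proto=ESMTP helo=<mail.example.com>",
]


def levenshtein(a, b):
    """Classic edit distance (insert, delete, substitute), single-row DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def unknown_recipients(log_lines, trap_domain):
    """Count 'no such user' rejections per recipient address at trap_domain."""
    counts = {}
    for line in log_lines:
        low = line.lower()
        if not any(marker in low for marker in UNKNOWN_MARKERS):
            continue
        m = RCPT_RE.search(line)
        if not m:
            continue
        addr = m.group("addr").lower()
        if addr.rpartition("@")[2] != trap_domain.lower():
            continue
        counts[addr] = counts.get(addr, 0) + 1
    return counts


def classify(counts, known_users, role_accounts, max_distance=2):
    """Split rejected addresses into usable trap candidates and exclusions.

    Returns (candidates, excluded); each entry is (address, hits, reason),
    with reason None for candidates.
    """
    candidates, excluded = [], []
    for addr, hits in counts.items():
        local = addr.split("@", 1)[0]
        reason = None
        # A rejected role account is a configuration bug to fix, not a trap.
        if any(local == r or local.startswith(r) for r in role_accounts):
            reason = "role account"
        else:
            near = sorted(u for u in known_users
                          if levenshtein(local, u) <= max_distance)
            if near:
                reason = f"resembles known user {near[0]}"
        (excluded if reason else candidates).append((addr, hits, reason))
    return sorted(candidates), sorted(excluded)


def find_trap_candidates(log_lines, trap_domain,
                         known_users=KNOWN_USERS, role_accounts=ROLE_ACCOUNTS):
    return classify(unknown_recipients(log_lines, trap_domain),
                    known_users, role_accounts)


if __name__ == "__main__":
    cands, excl = find_trap_candidates(SAMPLE_LOG, "example.net")
    for addr, hits, _ in cands:
        print(f"candidate {addr} ({hits} rejections)")
    for addr, hits, why in excl:
        print(f"excluded  {addr} ({hits} rejections): {why}")
```

On the constructed sample this yields `marketing@` and `qx7m2@` as candidates, while `kelley@` is set aside for being one edit away from `kelly` and `abuse@` because it is a role account. The near-miss check is the important part: a typo of a real user's address will eventually receive real mail, which is exactly the ham you do not want in a trap.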

It may take time for a seeded spamtrap to bear fruit. Do not be discouraged if it takes several months for a seed to start receiving spam, or to receive more than a trickle. Addresses are harvested via a variety of bad actors and methods, and it takes time for harvested addresses to propagate.

A spamtrap address will eventually dry up. To ensure a steady supply of spam, many trap operators create and seed addresses on a regular schedule. A good operator also looks for ham in their spamtrap. If a spamtrap receives real mail, it should be taken out of service immediately. The stealthiest way to do so is to simply receive the mail as usual and then send it to /dev/null. Rejecting mail outright can tip your hand; spamtraps work best when their operation is opaque to outsiders.

Spamtrap Uses

Once a spamtrap address is receiving spam consistently there is the question of what to do with that spam. One of the core values here at Farsight is that data should never go to waste, and spamtraps are an excellent illustration of that point. Some potential uses of spamtraps include:

  • Feeding a DNSBL or reputation system.
  • Feeding a firewall or intrusion detection system.
  • Detecting malicious URLs in message bodies.
  • Detecting compromised systems.
  • Collecting rDNS, HELO or other data from message headers.
  • Brand protection.
  • Collecting volume and connection data.
  • Detecting spam from your own domain or users; a reasonably large spamtrap is likely faster at detecting spam in progress than a feedback loop notification or mail to “abuse@yourdomain”.

The only restrictions are your own creativity and available resources.
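Several of the uses listed above (feeding a DNSBL or reputation system, collecting rDNS and HELO data from headers, spotting malicious URLs, and catching spam that claims to come from your own domain) start from the same step: pulling the connecting IP, its rDNS, the HELO name and any URLs out of each trapped message and aggregating per source. The script below is an added example of that aggregation; it is not Farsight’s code. The messages are constructed with Postfix-style `Received` headers, `OWN_DOMAINS` is a placeholder, and the DNSBL zone name and the two-hit listing threshold are assumptions.

```python
"""Aggregate trapped mail into per-source data for a reputation feed.

Added example, not Farsight code. SAMPLE_MESSAGES are constructed;
OWN_DOMAINS, the zone name and the listing threshold are assumptions.
"""
import re
import email
from email import policy
from email.utils import parseaddr
from urllib.parse import urlsplit

# Postfix-style first hop: "from HELO (RDNS [IP])" or "from HELO ([IP])"
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>[^\s\[\]]+)\s+)?\[(?P<ip>[0-9a-fA-F.:]+)\]\)")
URL_RE = re.compile(r"https?://[^\s<>\"')]+")

OWN_DOMAINS = {"example.net"}  # assumed: the domains whose users we protect

def _msg(received, sender, rcpt, subject, body):
    # Helper to build a constructed raw message with a single Received header.
    return "\n".join([f"Received: {received}", f"From: {sender}", f"To: {rcpt}",
                      f"Subject: {subject}", "Content-Type: text/plain", "", body])

SAMPLE_MESSAGES = [  # constructed sample input
    _msg("from mail.example.com (unknown [192.0.2.10]) by trap.example.net (Postfix) "
         "with ESMTP id 1A2B3C for <qx7m2@example.net>; Wed, 3 Jun 2015 10:14:22 +0000",
         "Promo <promo@example.com>", "qx7m2@example.net", "cheap pills",
         "Buy now http://pills.example/buy?x=1"),
    _msg("from mx-out.example.com (unknown [192.0.2.10]) by trap.example.net (Postfix) "
         "with ESMTP id 4D5E6F for <marketing@example.net>; Wed, 3 Jun 2015 10:20:01 +0000",
         "Deals <deals@example.com>", "marketing@example.net", "still cheap",
         "Last chance: https://pills.example/buy?x=2"),
    _msg("from [192.0.2.77] (host77.example.org [192.0.2.77]) by trap.example.net (Postfix) "
         "with ESMTP id 7G8H9I for <qx7m2@example.net>; Wed, 3 Jun 2015 11:05:40 +0000",
         "Kelly <kelly@example.net>", "qx7m2@example.net", "verify your account",
         "Please verify at https://login.example.org/verify today"),
]


def parse_received(header):
    """Return {helo, rdns, ip} for the first hop, or None if unparseable."""
    m = RECEIVED_RE.search(header)
    if not m:
        return None
    return {"helo": m.group("helo"), "rdns": m.group("rdns") or "unknown",
            "ip": m.group("ip")}


def body_text(msg):
    if msg.is_multipart():
        part = msg.get_body(preferencelist=("plain", "html"))
        return part.get_content() if part else ""
    return msg.get_content()


def url_hosts(text):
    """Hostnames of every URL in the text, lowercased."""
    return {h.lower() for h in (urlsplit(u).hostname for u in URL_RE.findall(text)) if h}


def summarise(raw_messages, own_domains):
    """Per-IP counts, HELOs, rDNS names and URL hosts, plus own-domain senders."""
    by_ip, own_domain_hits = {}, []
    for raw in raw_messages:
        msg = email.message_from_string(raw, policy=policy.default)
        received = msg.get_all("Received", [])
        # The topmost Received header is the one our own MTA wrote.
        hop = parse_received(str(received[0])) if received else None
        if hop is None:
            continue
        rec = by_ip.setdefault(hop["ip"], {"count": 0, "helos": set(),
                                           "rdns": set(), "url_hosts": set()})
        rec["count"] += 1
        rec["helos"].add(hop["helo"])
        rec["rdns"].add(hop["rdns"])
        rec["url_hosts"].update(url_hosts(body_text(msg)))
        sender = parseaddr(str(msg.get("From", "")))[1].lower()
        if sender.rpartition("@")[2] in own_domains:
            own_domain_hits.append((hop["ip"], sender))   # spam in our name
    return by_ip, own_domain_hits


def dnsbl_entries(by_ip, zone, min_hits=2):
    """RFC 5782 style zone lines for IPv4 sources seen at least min_hits times."""
    entries = []
    for ip, rec in sorted(by_ip.items()):
        if rec["count"] < min_hits or ":" in ip:   # IPv4 only in this example
            continue
        entries.append(f"{'.'.join(reversed(ip.split('.')))}.{zone}. IN A 127.0.0.2")
    return entries


if __name__ == "__main__":
    by_ip, own = summarise(SAMPLE_MESSAGES, OWN_DOMAINS)
    for ip, rec in sorted(by_ip.items()):
        print(ip, rec["count"], sorted(rec["helos"]), sorted(rec["rdns"]),
              sorted(rec["url_hosts"]))
    print("own-domain senders:", own)
    print("\n".join(dnsbl_entries(by_ip, "bl.example.net")))
```

With the constructed input, 192.0.2.10 is seen twice with two different HELO names and no rDNS, which is enough to emit a zone line for `10.2.0.192.bl.example.net.`; 192.0.2.77 is seen once, so it is recorded but not listed, and its message is flagged because the From: address is in one of our own domains. Keying on the IP from your own MTA's Received header, rather than on anything the sender wrote, is what keeps the feed trustworthy.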

Conclusion

As I’ve shown, setting up a spamtrap is a fairly straightforward process and the value to an organization can be immense.

As a spamtrap’s volume grows, so does its complexity. In the next post, I will discuss how to keep your spamtrap from looking like a spamtrap and the importance of keeping spamtrap data in the right hands.

Kelly Molloy is a Senior Program Manager for Farsight Security, Inc.

Read the next part in this series: Spamtraps: Keeping it Confidential