Abstract
Two weeks ago I introduced the spamtrap and last week I gave you some tips for keeping it running undetected. This week, I’ll cover how to create and seed a spamtrap.
Spamtrap Decisions
The process of turning up a new spamtrap can raise several questions:
- Should you use an old domain?
- Should you register a new domain?
- What about a typo domain?
- How long can an account lay dormant until you can turn it into a spamtrap?
These are all good questions I hear frequently from new spamtrap operators. The answer to all of them, unfortunately, is the same — it depends. It depends on what you want to do with the data you collect and it depends on what kind of data you want to collect. Today we’ll talk about the simplest and most reliable way to create a new spamtrap and how to seed it.
Spamtrap Creation
The process is simple: find a domain that has never been used for email in the past, start accepting email for it and see what you get. That’s easy. The difficult part is finding a domain that hasn’t been previously used for email.
There are several ways to find such a domain:
- If you work for a company that has been around for a while, look through domains the company already owns but has not used for email. In my experience, most companies have domains that were registered for projects that have gone dormant or defunct, or never even happened, or for variations on a product name, or to protect a brand name. Unless they are obvious typos, these domains can make perfect spamtraps.
- If that doesn’t work, turn to friends and colleagues. Someone has a domain they’ve registered that they intend to use someday, but the right someday has never come. Offer to take the domain off their hands and perhaps pay the registration for a new, alternative domain.
- If a prospective donor has a vanity domain that gets a lot of spam, but would like to continue to use their personal addresses, it is trivial to forward email for the email addresses that are actually in use while accepting the rest of the spam for a spamtrap. (Remember: never feed role accounts to a spamtrap if you are using it for any kind of reputation work. Registrars do not enjoy being listed in a DNSBL or having an outbound email server’s IP reputation degraded over renewal notices. Trust me on this one.)
- Friends and coworkers may find out that you’re building a spamtrap and want to help. They may volunteer to give you individual addresses from their own domains that currently receive a lot of spam. So long as the address is not a typo for an account currently in use (like “kelley@” instead of “kelly@”) and hasn’t been used in the past, that is fine.
Once you’ve obtained an appropriate domain, let email collect for a few weeks. During that time, look at email to the domain closely. If you see anything that looks like it may be legitimate, solicited mail, discard all email to that username. If you see email from real entities that may contain personally identifiable information (PII), then discard email to that username. In theory, a “pristine” domain should never receive ham, but in practice they sometimes do receive very small amounts. People make mistakes when giving and obtaining email addresses and sometimes do not confirm the address before sending PII. This is most emphatically not best practice, but you have a responsibility as a spamtrap operator to protect PII and this is the best way I know of to do so. When you are satisfied that you have vetted your email stream adequately, go ahead and start using your spamtrap for its intended purpose.
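As an added example (not code from the original post), here is the routing rule the donated-domain and vetting advice above amounts to: addresses still in use are forwarded, role accounts and usernames vetted out for receiving ham or PII are discarded, near-typos of in-use addresses are discarded as well, and everything else goes to the trap. The domain, forwarding table and vetted-out names are constructed.

```python
import re
from typing import Tuple

# Constructed policy for a donated vanity domain (all names here are assumed):
TRAP_DOMAIN = "example.net"
FORWARD = {"kelly": "kelly@example.org"}        # addresses still in use by the donor
ROLE_ACCOUNTS = {"postmaster", "abuse", "hostmaster", "webmaster", "noc",
                 "security", "info", "sales", "support"}  # RFC 2142 style names
VETTED_OUT = {"accounts-payable", "hr"}          # seen receiving ham or PII while vetting

def within_one_edit(a: str, b: str) -> bool:
    """True when a and b differ by exactly one substitution, insertion or deletion."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    if len(a) == len(b):
        return sum(x != y for x, y in zip(a, b)) == 1
    short, long_ = (a, b) if len(a) < len(b) else (b, a)
    return any(long_[:i] + long_[i + 1:] == short for i in range(len(long_)))

def route_recipient(rcpt: str) -> Tuple[str, str]:
    """Classify one RCPT TO address as ('forward', target), ('discard', reason)
    or ('trap', localpart). Order matters: in-use addresses and role accounts
    must never reach the trap."""
    m = re.fullmatch(r"([a-z0-9._+-]+)@([a-z0-9.-]+)", rcpt.strip().lower())
    if not m or m.group(2) != TRAP_DOMAIN:
        return ("discard", "not our domain")
    local = m.group(1)
    if local in FORWARD:
        return ("forward", FORWARD[local])
    if local in ROLE_ACCOUNTS:
        return ("discard", "role account")
    for known in FORWARD:                      # "kelley@" next to an in-use "kelly@"
        if within_one_edit(local, known):
            return ("discard", f"possible typo of {known}")
    if local in VETTED_OUT:
        return ("discard", "vetted out")
    return ("trap", local)

def route_batch(rcpts) -> dict:
    """Summarise a batch of recipients by outcome."""
    counts = {"forward": 0, "discard": 0, "trap": 0}
    for r in rcpts:
        counts[route_recipient(r)[0]] += 1
    return counts

if __name__ == "__main__":
    # Constructed sample of recipients seen on the donated domain
    sample = ["kelly@example.net", "kelley@example.net", "abuse@example.net",
              "hr@example.net", "x7q2@example.net", "bob@other.org"]
    for r in sample:
        print(r, "->", route_recipient(r))
    print(route_batch(sample))
```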
Seeding the Trap
But what if you’ve obtained an appropriate domain, started accepting email, vetted the email you are receiving, and find you’re just not getting email? It happens. In that case, I suggest seeding addresses. There are many ways to seed addresses effectively. Some are quite elaborate. Some simple methods include:
- If you or your company sends HTML email, hide addresses you’ve created in the bodies of your mail. (Ticketing systems are excellent for this purpose.) Addresses in inboxes will be harvested by malware, eventually.
- Hide addresses on your webpages. You can get fancy, detecting harvester bots and serving them unique addresses that contain the date, time and source page so you can prove they were harvested and when, but you certainly don’t need to. You can hide addresses in static HTML and they will get harvested just as well.
- Use spamtrap addresses to post comments on blogs. Say something innocuous, like “very useful!” or “great article.” Strive to be unremarkable, but do not spam. In this vein, use spamtrap addresses to post (again, unremarkable) personal ads on Craigslist and the like.
- This is my favorite method, and it’s really quite effective but it takes a little cash. Buy some cheap, old, pay-as-you-go Android smartphones off eBay. Cracked screens and cosmetic defects are fine. Wipe them (so you’re not exposing the previous owner’s PII) and use a new SIM. Try to use a version of Android that’s aged a little (at the time of writing, Lollipop is current, so I would use Ice Cream Sandwich). Don’t update, ever. Add spamtrap addresses to the contacts, then load the phone up with the dodgiest, scammiest looking apps you can find in Android Market. Attach your phone to the charger and connect to wifi. Watch your contacts list receive spam. Add and subtract apps regularly. Upload a new list of contacts every few weeks. You will have a lot of spam in a short time, I promise.
Whichever methods you use, keep track of how you seeded each address. It is useful to be able to analyze how each method performs and what kind of spam it receives. It’s very helpful to know what method produces mostly bot spam, and which kind produces mostly 419 scams or phishing spam, so you can tweak things to get the spam that’s most useful to you.
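The date/time/source tagging mentioned for web seeding, combined with the per-address seeding record asked for above, as an added example that is not part of the original post: each minted address carries the seeding method, a timestamp, a hash of the source page and a short HMAC, so incoming mail can be attributed to the method that exposed the address, and a guessed or altered address is rejected rather than miscounted. The domain, signing key and method names are constructed.

```python
import hashlib
import hmac
import re
from datetime import datetime
from typing import Dict, Optional

# Constructed values: a trap domain and a signing key that stays on the mail
# side, never on the web server that hands addresses out to harvesters.
TRAP_DOMAIN = "example.net"
SECRET = b"constructed-demo-key-change-me"
METHODS = {"web", "html-mail", "blog", "phone"}   # seeding methods from the post

def seed_address(method: str, page: str, when: datetime) -> str:
    """Mint a unique address recording how, where and when it was exposed.
    Layout (constructed): <method>.<YYYYmmddHHMM>.<page-hash8>.<mac12>@domain."""
    if method not in METHODS:
        raise ValueError(f"unknown seeding method {method!r}")
    stamp = when.strftime("%Y%m%d%H%M")
    page_id = hashlib.sha256(page.encode()).hexdigest()[:8]
    body = f"{method}.{stamp}.{page_id}"
    mac = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()[:12]
    return f"{body}.{mac}@{TRAP_DOMAIN}"

_ADDR = re.compile(r"([a-z-]+)\.(\d{12})\.([0-9a-f]{8})\.([0-9a-f]{12})@"
                   + re.escape(TRAP_DOMAIN))

def parse_seed(rcpt: str) -> Optional[Dict[str, str]]:
    """Recover seeding metadata from a recipient; None when the address is not
    one we minted or its tag was altered (a guessed or mutated address)."""
    m = _ADDR.fullmatch(rcpt.strip().lower())
    if not m:
        return None
    method, stamp, page_id, mac = m.groups()
    expected = hmac.new(SECRET, f"{method}.{stamp}.{page_id}".encode(),
                        hashlib.sha256).hexdigest()[:12]
    if not hmac.compare_digest(mac, expected):
        return None
    return {"method": method, "seeded_at": stamp, "page_id": page_id}

def attribute_spam(rcpts) -> Dict[str, int]:
    """Tally received spam by seeding method; unminted addresses count as 'untagged'."""
    counts: Dict[str, int] = {}
    for r in rcpts:
        info = parse_seed(r)
        key = info["method"] if info else "untagged"
        counts[key] = counts.get(key, 0) + 1
    return counts

if __name__ == "__main__":
    when = datetime(2015, 3, 2, 14, 30)           # constructed seeding time
    web = seed_address("web", "/about.html", when)
    phone = seed_address("phone", "contacts-batch-1", when)
    print(web, parse_seed(web))
    print(attribute_spam([web, web, phone, "info@example.net"]))
```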
Conclusion
Follow the guidelines above and you should end up with a set of functioning spamtraps. There’s no limit to how you can use this data. Happy trapping!
Kelly Molloy is a Senior Program Manager for Farsight Security, Inc.