Farsight Long View

Spamtraps: Keeping it Confidential

Published on: Jun 10, 2015

Abstract

Last week we introduced the spamtrap. This week, we’ll discuss a very important part of keeping a spamtrap in good health: keeping it confidential.

In my experience and the experience of other spamtrap operators, when a spamtrap is “blown” (revealed to be a trap) the quantity and type of email sent to that trap changes. These changes can be dramatic. When the sender is aware that they are being observed, their behavior changes. As such, keeping a spamtrap “under wraps” requires vigilance in several areas. Each is discussed below.

Camouflage

First, you will want to ensure your trap doesn’t look like a trap to the outside world. Be aware that given enough time and financial resources, a determined attacker can still find the true owner of any spamtrap. As such, if it would be disastrous for you to be outed as the operator of a spamtrap, then I suggest that you do not run one in the first place. With that said, here are some good ways to protect a spamtrap:

  • Register the spamtrap domain under an assumed name, a variant on your real name, a friend’s name (with their permission!) or a business name. This does not mean you must be unreachable. Set up role accounts, and read that email. Use a burner phone for your phone number, and a PO Box or private mailbox service for postal mail. If you are feeling very sneaky, set up a private mailbox while you’re on a business trip or vacation, and have postal mail forwarded to your home or office.
  • Don’t give away too much information about your “users”. Either turn off VRFY entirely or have VRFY answer for all addresses, so that it reveals nothing about which ones are real.
  • Don’t make your domain look too professional. It’s okay to not have an MX record and just use an A record, for example. It’s okay to have your server look like it’s administered by a moderately competent hobbyist rather than by the consummate email professional you are. As an aside, it is not okay to fail to upgrade or patch your systems regularly. Don’t inadvertently make more spam by way of a system compromise.

Non-Interaction

Second, unless you have a compelling reason to do so and have put a great deal of thought into the matter, do not respond to or in any way interact with spam. I generally read email to spamtraps using mutt or pine in a shell, because then I’m sure I won’t trigger a web-based bug nor will I accidentally click on a link in one of the emails. If you are very paranoid, manually copy spamtrap email to another system for subsequent analysis.

Sharing

Third, you will need to keep the spamtrap data in the right hands. Sharing spamtrap data can be useful and productive for many security-minded folk, if you are careful. So, the question becomes, how can you protect your data when you share it?

  • Demand non-disclosure agreements. These are sometimes burdensome to obtain, especially in large organizations, but very important nonetheless. A high-volume, well-maintained spamtrap can be a corporate asset of great value, so it is worth protecting legally. Be willing to sign an NDA yourself as well.
  • Consider carefully what data you will release and what you will not. If you use a spamtrap to feed a reputation system, you may wish to share some spamtrap information to assist those affected by listings. In this case, consider munging the messages you release. Be careful! There are many parts of an email that can reveal the recipient. If you are not absolutely certain that you have not leaked information in your munged copy, have someone else review it. If you ARE absolutely certain that you have not leaked information, have someone else you trust review it anyway. Then review it again. Then one more time wouldn’t hurt. Then maybe find someone else to look at it. At one time in my career, I closely examined the headers and bodies of at least two hundred messages per day, to make sure they’d been properly parsed. When I needed to redact a header by hand, I still asked several colleagues to check my work. It’s simply that important. On the other hand, aggregate data (how many individual messages were received from an IP in the past 24 hours, overall connection and volume data) are generally safe to share without modification.
  • Watch your spamtrap closely. If the “profile” of the email the spamtrap receives changes (ratio of malware spam to marketing spam, email to many new recipients all at one time, and/or many confirmation requests), consider that suspicious and possibly indicative of a leak.
  • Vet your partners carefully. Have they been using spamtrap data long? How do they use it? Do others find them trustworthy and are they willing to vouch for them? Does the data they propose to share with you look to be of good quality? Are they willing to sign an NDA or do they hesitate? Will they reveal how they intend to use the data they receive from you? Is it easy to get in touch with them if there’s a technical issue? All these are good questions to ask yourself before you agree to share data.
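
To illustrate the munging point above, here is an added example (not code from the original post or from Farsight) that redacts a constructed spamtrap message and then runs an independent leak check over the result. The trap address, domain and message contents are all made up; the check shows that simply dropping the recipient headers still leaks the address through the Subject, an unsubscribe URL and the body.

```python
import re
from email import message_from_string

# Constructed sample message; the trap address and both domains are hypothetical.
TRAP = "jdoe@example-trap.test"
RAW = (
    "Return-Path: <bounce-123@mailer.example>\n"
    "Delivered-To: jdoe@example-trap.test\n"
    "Received: from mx.mailer.example ([192.0.2.10])\n"
    "\tby smtp.example-trap.test with ESMTP id 7Ab3\n"
    "\tfor <jdoe@example-trap.test>; Wed, 10 Jun 2015 09:00:00 +0000\n"
    "From: \"Deals\" <promo@mailer.example>\n"
    "To: jdoe@example-trap.test\n"
    "Subject: Hello jdoe, your account is ready\n"
    "List-Unsubscribe: <http://mailer.example/u?e=jdoe%40example-trap.test>\n"
    "\n"
    "Dear jdoe, confirm at http://mailer.example/c?u=jdoe@example-trap.test\n"
)

# Headers that name the recipient or the receiving host; dropped whole, not edited.
DROP = {"delivered-to", "to", "cc", "x-original-to", "envelope-to", "received"}

def identifiers(trap):
    """Regexes for the forms in which a trap address tends to surface."""
    local, domain = trap.split("@")
    return [
        (re.escape(trap), "<addr>"),
        (re.escape(trap.replace("@", "%40")), "<addr>"),   # URL-encoded in links
        (re.escape(domain), "<domain>"),                    # also hits Received hosts
        (r"\b" + re.escape(local) + r"\b", "<local>"),      # salutations; over-redacts
    ]                                                        # short local parts like "info"

def drop_recipient_headers(raw):
    """The naive approach: remove the obvious headers and nothing else."""
    msg = message_from_string(raw)
    for name in list(msg.keys()):
        if name.lower() in DROP:
            del msg[name]          # deletes every instance, e.g. all Received lines
    return msg.as_string()

def redact(raw, trap):
    """Drop recipient headers, then scrub the address from headers and body alike."""
    text = drop_recipient_headers(raw)
    for pattern, repl in identifiers(trap):
        text = re.sub(pattern, repl, text, flags=re.IGNORECASE)
    return text

def find_leaks(text, trap):
    """Second pass a reviewer would run: every identifier still present in the copy."""
    return sorted({m.group(0).lower() for pattern, _ in identifiers(trap)
                   for m in re.finditer(pattern, text, flags=re.IGNORECASE)})
```

Run `find_leaks` on anything you are about to hand over; an empty result is the precondition for the human review the text describes, not a replacement for it.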

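The "watch your spamtrap closely" and "aggregate data" points above can be turned into a small daily check. The following is an added example, not code from the original post or from Farsight: it builds a per-day profile from constructed message records, flags days whose mix looks like a blown trap (a burst of never-seen recipients, many confirmation requests, or a jump in the malware share), and separately produces the per-IP counts that are safe to share. The records, IPs, thresholds and category labels are all hypothetical.

```python
from collections import Counter

# Constructed per-message records: (day, sender_ip, recipient, kind).
# "kind" is whatever label the operator's own classifier assigned; values are made up.
LOG = [
    (1, "192.0.2.10", "alice", "marketing"), (1, "192.0.2.11", "bob", "malware"),
    (1, "192.0.2.10", "alice", "marketing"),
    (2, "192.0.2.12", "alice", "malware"), (2, "192.0.2.10", "bob", "marketing"),
    (2, "192.0.2.11", "carol", "marketing"),
    # Day 3: a burst of never-seen recipients all getting confirmation requests.
    (3, "198.51.100.5", "x1", "confirmation"), (3, "198.51.100.5", "x2", "confirmation"),
    (3, "198.51.100.6", "x3", "confirmation"), (3, "198.51.100.6", "x4", "confirmation"),
    (3, "192.0.2.10", "alice", "marketing"),
]

def daily_profiles(log):
    """Per day: message total, count per kind, and recipients not seen on any earlier day."""
    seen, profiles = set(), {}
    for day in sorted({rec[0] for rec in log}):
        todays = [rec for rec in log if rec[0] == day]
        fresh = {rec[2] for rec in todays} - seen
        seen |= fresh
        profiles[day] = {"total": len(todays),
                         "kinds": Counter(rec[3] for rec in todays),
                         "new_rcpts": len(fresh)}
    return profiles

def suspicious_days(log, new_rcpt_ratio=0.5, confirm_ratio=0.3, malware_shift=0.5):
    """Return {day: [reasons]} for days whose profile changed the way a blown trap's does."""
    flagged, prev_malware = {}, None
    for i, (day, p) in enumerate(sorted(daily_profiles(log).items())):
        malware = p["kinds"]["malware"] / p["total"]
        reasons = []
        if i > 0:   # day one has no baseline: every recipient is new by definition
            if p["new_rcpts"] / p["total"] >= new_rcpt_ratio:
                reasons.append("burst of new recipients")
            if p["kinds"]["confirmation"] / p["total"] >= confirm_ratio:
                reasons.append("many confirmation requests")
            if abs(malware - prev_malware) >= malware_shift:
                reasons.append("malware/marketing mix shifted")
        prev_malware = malware
        if reasons:
            flagged[day] = reasons
    return flagged

def ip_aggregates(log, day):
    """Messages per sending IP for one day: the kind of aggregate that is safe to share."""
    return Counter(rec[1] for rec in log if rec[0] == day)
```

Thresholds should be tuned against the trap's own history; the point is that the recipient list and raw messages stay private while `ip_aggregates` is what partners see.
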
Conclusion

Even if you are diligent in obeying the above guidelines, there will eventually come a day when one, some, or all fail and your spamtrap is outed. Consider this part of the spamtrap life-cycle. The best countermeasure here is to have many spamtraps and anticipate that you will need to replace them from time to time. Build new spamtraps regularly so you’ll have replacements on hand.

In the next installment, we’ll talk about a way to build new traps as well as grow mature traps by seeding addresses.

Kelly Molloy is a Senior Program Manager for Farsight Security, Inc.

Read the next part in this series: Spamtraps: Creating and Seeding