Spamtraps

There is a lot of mythology surrounding spamtraps, what they are, what they mean, how they’re used and how they get on lists.
Spamtraps are very simply unused addresses that receive spam. They come from a number of places, but the most common spamtraps can be classified in a few ways.

  • Addresses that used to belong to someone and subsequently abandoned. This is where a lot of spamtraps at major ISPs come from.
  • Addresses that were never assigned to anyone, but they just started receiving spam one day. These are frequently used to drive filtering.
  • Addresses that were created and put on websites to track harvesters and web scrapers.  These addresses are frequently used to drive filters and track spammers.

Addresses that belonged to someone and were abandoned are usually “turned off” for a period of time between abandonment and re-purposing as a spam trap. They may return a 550 “user unknown” to any sender, or in some cases the entire domain will have no working mailserver. There are no hard and fast rules for how long the addresses are left unused, but most professionals leave them off for at least a year.
Addresses that were never assigned to anyone are not as common as they used to be. It used to be that some small or mid-size domain owners would turn on their SMTP server to accept all email to any address at that domain, existing or not. Mail to addresses that were not associated with a user would be stored. As the volumes of random mail increased, the spamtraps were used to drive filtering and blocking decisions. This is not as common now because the sheer volume of spam can create bandwidth and storage problems for domain owners.
Addresses that were seeded on websites, or on Usenet, are used for a number of purposes. These addresses often wind up on lists because someone has purchased addresses.
Spamtraps on a mailing list or in a database is a sign that there is some problem with the address acquisition process. As a result, the solution to spamtraps on a list is never just remove the available spamtraps. Instead, you need to figure out what broke and correct the underlying issues.

Related Posts

Forgery and spamware

Recently there has been a massive uptick in forgeries. I have been seeing hundreds of bounce back messages, peaking at more than 1000 in an hour. I have been talking about this with people who monitor large spamtrap feeds, large MTAs and spamfilters and it seems this is not an isolated experience. The consensus seems to be that there is new spamware out there which is using email addresses on the spam list as a From: address
The volume itself is annoying. Thousands of messages a day from “mailer-daemon” telling me that the mail I sent with the subject line “Get a longer tool” cannot be delivered to some random address some where. These are coming to at least 3 separate email addresses. One of them was given to Intuit back in 2001/2002 when I registered a copy of Quicken, and ended up leaked to loan spammers and is all over spam lists. The other two are addresses scraped from websites. Same spammer has them, same spammer is using them as part of his spam run.
Even more annoying than the volume, though, is the challenge/response emails. “Your email to jobobjimbo@example.com cannot be delivered until you click this link.” I have been adding every domain I can find that is using c/r to my filters, and just discarding the c/r emails so I do not have to deal with them. That is not my ideal solution, it does mean that if someone using c/r ever tries to contact me I will not see the challenge and our communications cannot happen.
Some people have recommended that the right way to deal with challenges from forged spam are actually to answer the challenges. As the reasoning goes, if someone using c/r is going to outsource their spam filtering to a victim of spam forgery, then they should expect that the “spam filter” may have a different opinion than they do. While I always sympathized with this viewpoint, I was not sure I would ever confirm spam forgeries. The sheer volume of c/r stuff I have received in the last few weeks has almost convinced me that people who use c/r deserve every bit of spam they get. If a c/r filter lets in spam, then perhaps they will reconsider their choice to spew challenges out to forged email addresses.
The amount of c/r spam I am getting as part of the forgery runs is decreasing, I think I have finally managed to block the primary sources. It does mean I will not be able to communicate with people who use c/r in the future, but I find this a small price to pay for not having to be an outsourced spam filter. I get enough of my own spam, I really do not want to have to deal with yours.

Read More

The secret to dealing with ISPs

What is the secret to dealing with ISPs?
The short answer is: Don’t do it if at all possible. Talking to ISP reps generally isn’t going to magically improve your reptuation.  There is no place in the reputation systems where delivery can be modified because the delivery specialist knows or is liked by the postmaster at an ISP.
With my clients, I work through delivery issues and can solve 80 – 90% of the issues without ever having to contact anyone at the ISPs. 90% of the remaining issues can be handled using the publicly available contacts and websites provided by the ISPs.
In the remaining cases, the “secret” to getting useful and prompt replies is to:

Read More

Controlling delivery

How much control over delivery do senders have? I have repeatedly said that senders control their delivery. This is mostly true. Senders control their side of the delivery chain, but there is a point where the recipient takes over and controls things.
As a recipient I can

Read More