A brief guide to spamtraps

“I thought spamtraps were addresses harvested off webpages.”

“I thought spamtraps were addresses that were valid and now aren’t.”

“I thought spamtraps were addresses created to catch spammers.”

There is a lot of “I thought…” about spamtraps. Most of the theories are accurate but limited. Like the blind men and the elephant, they catch the parts but not the whole of spamtraps.

When I first started out with email and spam, there was an easy definition of spamtrap. A spamtrap was an address that was never used but still received mail. By definition these addresses were never handed out, advertised or even used by a human. The only mail sent to that address was spam.

As spam filters became more sophisticated, other types of email addresses started being referred to as spam traps. The meaning of spam trap started to evolve into referencing an address that received all, or mostly all, spam.

This means that not all spam traps are created equal. Different kinds of traps tell you different information. This isn’t a problem as long as the people maintaining the traps understand the data they’re gathering. It also means that people dealing with blocking based on traps need to understand what kind of trap caused the block.

I’ve come up with a number of categories of spamtraps. This is not intended to be an exhaustive list. Also, there are overlaps in some categories. But this gives you an idea of the different sorts of traps in widespread use.

Classic spamtraps

Classic spamtraps are email addresses that were never assigned to a user but started receiving email.  In some cases, these are addresses at domains that accept mail to any address. In other cases, the domain owner will look through rejection logs, identify rejected addresses and then enable those addresses.

These traps tell the trap owner that the sender is randomly creating addresses or buying lists from someone who is. These are useful for identifying sources that are sending mail without permission.
There is a subset of classic traps that is the result of actual users submitting addresses they don’t own. Occasionally people sign up at various websites and use email addresses that they don’t own. One example is cute.net. People are constantly signing up for things with addresses at cute.net. But they don’t actually have an address at cute.net. To the domain owner, the mail is total spam and is indistinguishable from spammer created addresses.

Likewise, legitimate users might typo their own address while signing up for mail. Sometimes these typos find another user bob213 instead of bob123, but sometimes they will end up hitting addresses that are currently or will be spamtraps. To the domain owner, this is spam. Depending on the policies of the trap owner, these addresses may or may not trigger blocking.

Seeded traps

Seeded traps are email addresses that are created and seeded in various places online. Typically they are hidden on websites or sometimes dropped into unsubscribe forms.

These traps tell the trap owner that the sender is either scraping addresses or is buying lists from someone who is scraping addresses. These are good for identifying sources that are sending mail without permission, and those who are not honoring unsubscribe requests.

Message-id traps

Many address scrapers look for any string with an @ sign in it. Running scrapers over a websearch or usenet search will find valid addresses as well as message IDs. Some viruses will also scrape addresses, including message IDs, off machines they infect.

These traps tell the trap owner that the sender is scraping addresses or buying lists from someone who is. These types of addresses are almost never actually input into forms, so they make good “pure spam” traps.

Typo domain traps

These are traps at domains that are very similar to common domains, yaaho.com or ynail.com.

Mail to these traps tells the trap owner that the sender is trying to send mail to real people. Typically, these are not traps that are pure spam and in fact can contain a lot of real mail. Users frequently typo domains when sending mail, particularly if they are not using an address book.

These kinds of traps are often problematic when trying to run a blocklist. One trap driven blocklist told me about one of his typo domains, “I registered [a typo domain recommended by another blocklist], and it gets tons of mail. Unfortunately, it’s not all spam. It’s a firehose of personal correspondence between webmails and ISPs. It turned out to be very hard to separate that from any real spam and as a result, I ended up not using the domain to feed into my blacklist.”

Dead address traps

Dead address traps are once valid email addresses that are turned off. All mail to these addresses is rejected for some period of time, often 12 months or more. After consistently rejecting mail, the addresses are turned back on as spamtraps.

These are the type of traps made famous by Hotmail and are what most people seem to think about when they think spamtraps.  It’s not unreasonable as these are in use at major ISPs. These traps, though, mostly tell the trap owner that the sender has poor practices. Senders that are not purchasing addresses and who are removing bounces should not hit these traps.

There are some problems with dead address traps, though. These were valid addresses at some point, and some old correspondents may try and mail them. One person from a major ISP told me they tried to create these kinds of traps. The ISP spent 18 or so months “conditioning” the traps. First they rejected mail to the traps, then they monitored them, unsubscribing from commercial mail and notifying correspondents that the addresses were dead. Eventually, they abandoned the traps as too noisy to be useful.

Dead domain traps

Trap owners purchase expired domains and collect mail that comes into them. In many cases, these domains are turned off for a period of time, either rejecting mail or not resolving in DNS.
Dead domain traps are similar to dead address traps. Trap owners buy domains that have recently expired and turn them into spamtraps. Responsible trap owners will reject all mail to the domain for a significant period of time, to let real mail fall off.

Like the dead address traps, these traps may be too noisy to be used as a pure spamtrap.

Live traps

These are email addresses belonging to a real user. They are used for real mail, but the owners use the unsolicited mail coming into those addresses to make blocking decisions.

I have a number of these types of addresses. I use the addresses for one to one mail, but never use them to sign up for commercial mail. If I get any commercial mail at all, it’s spam by definition. The usefulness of these traps to drive blocks depends on the integrity of the person running them. There are people who I trust implicitly to only block mail they didn’t sign up for.

Domain registration addresses

Registration addresses are a special case of live traps. These addresses, published in whois records,  are frequently harvested and mailed.
Domain registration addresses are an interesting form of live traps. These addresses are frequently harvested and sold to unsuspecting business owners as “targeted business domains.” But any of us who own domains can tell you that not every domain is a business domain. Even if it is a business domain, mail to the registration address is still spam. All of us who have addresses on domain registrations can tell you that we get a lot of unsolicited, un-targeted crap to those addresses.

Investigative traps

These are email addresses created and submitted to senders. The goal of the trap is not to catch the sender doing anything bad, but to monitor the sender’s traffic. These traps can be used to catch addresses being stolen or sold. Some blocklists will also use these addresses to confirm that a sender is using confirmation on their list.

These are not traps that are necessarily useful for driving blocklists, but they are the sorts of addresses that are useful for monitoring ongoing behaviour of a sender.

Investigative traps can also be used to identify problem vendors. A few years ago I was working with a company doing confirmed co-reg. I signed up to their list with an investigative trap. Before I even received the confirmation message, I started receiving unexpected email to that address. Working with my client, we discovered that one of their vendors was siphoning off email addresses. That address was never confirmed with my customer, but is currently one of my largest spamtrap feeds.

Each kind of spamtrap tells the trap owner that a sender is mailing people who never asked to receive a mail. However, not every piece of mail received at a trap is spam. Not every piece of spam received at a trap is created equal. Each different kind of trap tells you something different about a sender and how they acquire email addresses.

The critical part of using spamtraps to publish blocklists is the integrity and trustworthiness of the trap maintainers. Most every trap out there could, conceivably, be the recipient of legitimate email. Some trap types have a higher probability of receiving legitimate mail than others. It’s highly unlikely someone is going to typo a message ID into a form. But it is quite likely that bob@cox.com might accidentally type bob@cix.com into a form.

Spamtraps are only as useful as their owners are honest.

Related Posts

Setting expectations at the point of sale

In my consulting, I emphasize that senders must set recipient expectations correctly. Receiver sites spend a lot of time listening to their users and design filters to let wanted and expected mail through. Senders that treat recipients as partners in their success usually have much better email delivery than those senders that treat recipients as targets or marks.
Over the years I’ve heard just about every excuse as to why a particular client can’t set expectations well. One of the most common is that no one does it. My experience this weekend at a PetSmart indicates otherwise.
As I was checking out I showed my loyalty card to the cashier. He ran it through the machine and then started talking about the program.
Cashier: Did you give us your email address when you signed up for the program?
Me: I’m not sure, probably not. I get a lot of email already.
Cashier: Well, if you do give us an email address associated with the card every purchase will trigger coupons sent to your email address. These aren’t random, they’re based on your purchase. So if you purchase cat stuff we won’t send you coupons for horse supplies.
I have to admit, I was impressed. PetSmart has email address processes that I recommend to clients on a regular basis. No, they’re not a client so I can’t directly take credit. But whoever runs their email program knows recipients are an important part of email delivery. They’re investing time and training into making sure their floor staff communicate what the email address will be used for, what the emails will offer and how often they’ll arrive.
It’s certainly possible PetSmart has the occasional email delivery problem despite this, but I expect they’re as close to 100% inbox delivery as anyone else out there.

Read More

Watch those role accounts

Ben at Mailchimp has a post up explaining what role accounts are and why mailing to them can be a problem.

Read More

Protecting customer data

There have been a number of reports recently about customer lists leaking out through ESPs. In one case, the ESP attributed the leak to an outside hack. In other cases, the ESPs and companies involved have kept the information very quiet and not told anyone that data was leaked. People do notice, though, when they use single use addresses or tagged addresses and know to whom each address was submitted. Data security is not something that can be glossed over and ignored.
Most of the cases I am aware of have actually been inside jobs. Data has been stolen either by employees or by subcontractors that had access to it and then sold to spammers. There are steps that companies can take to prevent leaks and identify the source when or if they do happen.

Read More