Spamtraps: Creating and Seeding
By Kelly Molloy
Two weeks ago I introduced the spamtrap and last week I gave you some tips for keeping it running undetected. This week, I'll cover how to create and seed a spamtrap.
The process of turning up a new spamtrap can raise several questions:
- Should you use an old domain?
- Should you register a new domain?
- What about a typo domain?
- How long can an account lay dormant until you can turn it into a spamtrap?
These are all good questions I hear frequently from new spamtrap operators. The answer to all of them, unfortunately, is the same – it depends. It depends on what you want to do with the data you collect and it depends on what kind of data you want to collect. Today we'll talk about the simplest and most reliable way to create a new spamtrap and how to seed it.
The process is simple: Find a domain that never been used for email in the past and start accepting email for it and see what you get. That's easy. The difficult part is finding a domain that hasn't been previously used for email.
There are several ways to find such a domain:
If you work for a company that has been around for a while, look through domains the company already owns, but has not used for email. In my experience, most companies have domains that were registered for projects that are gone dormant or defunct, or never even happened, or for variations on a product name, or to protect a brand name. Unless they are obvious typos, these domains can make perfect spamtraps.
If that doesn't work, turn to friends and colleagues. Someone has a domain they've registered that they intend to use someday but the right someday has never come. Offer to take the domain off their hands and perhaps pay the registration for a new, alternative domain.
If a prospective donor has a vanity domain that gets a lot of spam, but would like to continue to use their personal addresses, it is trivial to forward email for the email addresses that are actually in use while accepting the rest of the spam for a spamtrap. (Remember: Never feed role accounts to a spamtrap if you are using it for any kind of reputation work. Registrars do not enjoy being listed in a DNSBL or having an outbound email server's IP reputation degraded over renewal notices. Trust me on this one).
Friends and coworkers may find out that you’re building a spamtrap, and want to help. They may volunteer to give you individual addresses from their own domains that currently receive a lot of spam. So long as the address is not a typo for an account currently in use (like "kelley@" instead of "kelly@") and hasn't been used in the past, that is fine.
Once you've obtained an appropriate domain, let email collect for a few weeks. During that time, look at email to the domain closely. If you see anything that looks like it may be legitimate, solicited mail, discard all email to that username. If you see email from real entities that may contain personally identifiable information (PII), then discard email to that username. In theory, a "pristine" domain should never receive ham, but in practice they sometimes do receive very small amounts. People make mistakes when giving and obtaining email addresses and sometimes do not confirm the address before sending PII. This is most emphatically not best practice, but you have a responsibility as a spamtrap operator to protect PII and this is the best way I know of to do so. When you are satisfied that you have vetted your email stream adequately, go ahead and start using your spamtrap for its intended purpose.
Seeding the Trap
But what if you've obtained an appropriate domain, started accepting email, vetted the email you are receiving, and find you're just not getting email? It happens. In that case, I suggest seeding addresses. There are many ways to seed addresses effectively. Some are quite elaborate. Some simple methods include:
- If you or your company sends HTML email, hide addresses you've created in the bodies of your mail. (Ticketing systems are excellent for this purpose). Addresses in inboxes will be harvested by malware, eventually.
- Hide addresses on your webpages. You can get fancy, detecting harvester bots and serving them unique addresses that contain the date, time and source page so you can prove they were harvested and when, but you certainly don't need to. You can hide addresses in static HTML and they will get harvested just as well.
- Use spamtrap addresses to post comments on blogs. Say something innocuous, like "very useful!" or "great article." Strive to be unremarkable, but do not spam. In this vein, use spamtrap addresses to post (again, unremarkable) personal ads on Craigslist and the like.
- This is my favorite method, and it's really quite effective but it takes a little cash. Buy some cheap, old, pay-as-you-go Android smartphones off eBay. Cracked screens and cosmetic defects are fine. Wipe them (so you’re not exposing the previous owner's PII) and use a new SIM. Try to use a version of Android that's aged a little (at the time of writing, Lollipop is current so I would use Ice Cream Sandwich. Don't update, ever. Add spamtrap addresses to the contacts, then load the phone up with the dodgiest, scammiest looking apps you can find in Android Market. Attach your phone to the charger and connect to wifi. Watch your contacts list receive spam. Add and subtract apps regularly. Upload a new list of contacts every few weeks. You will have a lot of spam in a short time, I promise.
Whichever methods you use, keep track of how you seeded each address. It is useful to be able to analyze how each method performs and what kind of spam it receives. It's very helpful to know what method produces mostly bot spam, and which kind produces mostly 419 scams or phishing spam, so you can tweak things to get the spam that's most useful to you.
Follow the guidelines above and you should end up with a set of functioning spamtraps. There's no limit to how you can use this data. Happy trapping!
Kelly Molloy is a Senior Program Manager for Farsight Security, Inc.