By Kelly Molloy
In security and spamblocking circles, you often hear vendors and their researchers talk about mysterious and very confidential spamtrap data. In this article, I will provide a brief introduction to what a spamtrap really is, how a spamtrap is created or maintained, and how spamtrap data can be used.
A spamtrap is very simple: it is an email address or domain that exists solely to receive spam. The address has generally never been assigned to a real user, or it has bounced mail or been unreachable for a significant period before being put into use as a trap. Either way, it exists for no reason except to receive spam.
Creating a Spamtrap
One can find or create spamtrap addresses in a variety of ways:
The most common type of spamtrap is the dictionary-attack trap: a spammer tries to deliver mail to non-existent users at a domain. Those potential traps are simple to find by searching your MTA logs for "no such user" rejections. It is wise to disqualify addresses that are similar to known users at the domain, since real correspondents mistype addresses (for example, I would accept mail for both "kelly@" and "kelley@", as well as several other variant spellings, rather than trap them).
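The log search described above, as an added example that is not part of the original article: it pulls "User unknown" rejections out of constructed Postfix-style log lines, counts hits per local part, and discards candidates that are role accounts, that are within a couple of edits of a real user, or that were only probed once. The log format, the threshold values and the user list are assumptions for the example.

```python
import re
from collections import Counter

# Role mailboxes that must stay deliverable (RFC 2142); never trap candidates.
ROLE_ACCOUNTS = {"postmaster", "abuse", "hostmaster", "webmaster", "security", "noc"}

# Constructed Postfix-style reject lines (not real log data): each one is a
# "User unknown" rejection of a dictionary-attack RCPT at example.org.
_REJECT = (
    "Jan 12 03:14:{sec:02d} mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[{ip}]: "
    "550 5.1.1 <{rcpt}@example.org>: Recipient address rejected: User unknown in local "
    "recipient table; from=<sender@example.net> to=<{rcpt}@example.org> proto=ESMTP helo=<mail.example.net>"
)
_ATTEMPTS = [
    ("192.0.2.10", "kelley"),      # near-miss of real user "kelly": excluded
    ("192.0.2.10", "johnsmith"),
    ("198.51.100.7", "johnsmith"),
    ("203.0.113.9", "johnsmith"),
    ("192.0.2.10", "mwilliams"),
    ("203.0.113.9", "mwilliams"),
    ("198.51.100.7", "alicia"),    # within 2 edits of "alice": excluded
    ("198.51.100.7", "alicia"),
    ("203.0.113.9", "dave"),       # only one hit: below the threshold
    ("192.0.2.10", "hostmaster"),  # role account: excluded even if unknown
    ("192.0.2.10", "hostmaster"),
]
SAMPLE_LOG = "\n".join(_REJECT.format(sec=i, ip=ip, rcpt=r) for i, (ip, r) in enumerate(_ATTEMPTS))
# A non-reject line, which the parser must ignore.
SAMPLE_LOG += "\nJan 12 03:15:00 mx postfix/smtpd[1234]: 1A2B3: client=unknown[192.0.2.10]"

KNOWN_USERS = {"kelly", "alice", "bob"}  # assumed list of real mailboxes

UNKNOWN_RE = re.compile(r"User unknown.*?\bto=<(?P<local>[^@>]+)@(?P<domain>[^>]+)>")


def edit_distance(a, b):
    """Levenshtein distance, used to spot typo variants of real users."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def find_trap_candidates(log_text, known_users, role_accounts=ROLE_ACCOUNTS,
                         min_hits=2, max_distance=2):
    """Return [(local_part, reject_count)] for addresses worth turning into traps,
    most-probed first. Role accounts, near-misses of real users and one-off
    probes are dropped."""
    hits = Counter()
    for line in log_text.splitlines():
        m = UNKNOWN_RE.search(line)
        if m:
            hits[m.group("local").lower()] += 1
    candidates = []
    for local, n in hits.items():
        if n < min_hits or local in role_accounts:
            continue
        if any(edit_distance(local, u.lower()) <= max_distance for u in known_users):
            continue
        candidates.append((local, n))
    candidates.sort(key=lambda t: (-t[1], t[0]))
    return candidates


if __name__ == "__main__":
    for local, n in find_trap_candidates(SAMPLE_LOG, KNOWN_USERS):
        print(f"{local}@example.org rejected {n} times")
```

Run it against a real maillog by replacing SAMPLE_LOG with the file contents; raise min_hits on a busy domain so that a single mistyped address does not become a trap.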
Another good source of spamtraps is a domain that was registered but never used for email. Adding an MX record and seeing what mail results can be useful and interesting. Simply accept and save all mail. It will quickly become apparent if there is ham in the trap; you can then discard all mail to the user names that receive ham.
Deliberately creating an email address and exposing it publicly to "seed" it also works well. Addresses hidden in HTML, whether in web pages or in email, will attract non-trivial amounts of spam over time. Hiding an invisible spamtrap address in your own outbound HTML email is particularly effective: malware on a recipient's machine will harvest it from the inbox, and the address will receive spam until the heat death of the universe.
In general, it is a poor practice to use role accounts ("postmaster@", "abuse@", "hostmaster@", and variations thereof) as spamtraps. Those addresses and other role accounts are required by RFC 2142 to be deliverable and may carry real, one-to-one mail. Running a spamtrap does not preclude being a good Internet citizen.
It may take time for a seeded spamtrap to bear fruit. Do not be discouraged if it takes several months for a seed to start receiving spam, or to receive more than a trickle. Addresses are harvested via a variety of bad actors and methods, and it takes time for harvested addresses to propagate.
A spamtrap address will eventually dry up. To ensure a steady supply of spam, many trap operators create and seed addresses on a regular schedule. A good operator also keeps looking for ham in their spamtrap. If a spamtrap receives real mail, it should be taken out of service immediately. The stealthiest way to do so is to simply receive the mail as usual and then send it to /dev/null. Rejecting mail outright can tip your hand; spamtraps work best when their operation is opaque to
Once a spamtrap address is receiving spam consistently there is the question of what to do with that spam. One of the core values here at Farsight is that data should never go to waste, and spamtraps are an excellent illustration of that point. Some potential uses of spamtraps include:
- Feeding a DNSBL or reputation system.
- Feeding a firewall or intrusion detection system.
- Detecting malicious URLs in message bodies.
- Detecting compromised systems.
- Collecting rDNS, HELO or other data from message headers.
- Brand protection.
- Collecting volume and connection data.
- Detecting spam from your own domain or users; a reasonably large spamtrap is likely faster at detecting spam in progress than a feedback loop notification or mail to "abuse@yourdomain".
The only restrictions are your own creativity and available resources.
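As an added example of the header and URL collection in the list above (not code from the original article), the following parses messages landing in a trap and pulls out the connecting IP, HELO name and rDNS from the Received header written by the trap's own MTA, the envelope recipient from its "for" clause, and any URLs in the body, then aggregates them into the volume and connection counts that feed a reputation system or firewall. The MTA hostname, the Postfix-style Received layout and the two sample messages are constructed assumptions.

```python
import email
import email.utils
import re
from collections import Counter
from email import policy

# Hostname of the trap's own MTA (assumed). Only the Received header it wrote
# is trustworthy; anything below it in the header stack can be forged.
OUR_MTA = "mx.trap.example"

# Postfix-style "from HELO (rDNS [IP]) by HOST ..." clause; other MTAs lay this
# out slightly differently, so adjust the pattern to your own mail logs.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[]+)\s+\[(?P<ip>[^\]]+)\]\)\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)
FOR_RE = re.compile(r"\bfor\s+<([^>]+)>", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)

# Two constructed spam messages as the trap MTA would have stored them.
RAW1 = """\
Received: from mail.example.net (unknown [198.51.100.7])
    by mx.trap.example (Postfix) with ESMTP id 4F2A1
    for <trap-0042@trap.example>; Tue, 12 Jan 2016 03:14:07 +0000
Received: from [10.0.0.5] (forged.example [203.0.113.9])
    by mail.example.net (Postfix) with ESMTPA id 9B3C
From: "Promo" <promo@example.net>
To: <trap-0042@trap.example>
Subject: Act now
Content-Type: text/plain; charset=us-ascii

Click http://example.com/win and https://example.org/track?id=1 today!
"""
RAW2 = """\
Received: from bulk-7.example.net (host7.example.net [198.51.100.7])
    by mx.trap.example (Postfix) with ESMTP id 5C0D2
    for <trap-0099@trap.example>; Tue, 12 Jan 2016 03:20:11 +0000
From: "Deals" <deals@example.net>
Subject: Last chance
Content-Type: text/plain; charset=us-ascii

Still waiting? http://example.com/win
"""
SAMPLE_MESSAGES = [RAW1, RAW2]


def parse_trap_message(raw):
    """Return the connection data, trap address hit and body URLs for one message."""
    msg = email.message_from_string(raw, policy=policy.default)
    record = {"ip": None, "helo": None, "rdns": None, "trap": None, "urls": []}
    for hdr in msg.get_all("Received") or []:
        flat = " ".join(str(hdr).split())  # unfold and collapse whitespace
        m = RECEIVED_RE.search(flat)
        if m and m.group("by").lower() == OUR_MTA:
            record.update(ip=m.group("ip"), helo=m.group("helo"), rdns=m.group("rdns"))
            f = FOR_RE.search(flat)  # envelope recipient: spammers often omit To:
            if f:
                record["trap"] = f.group(1).lower()
            break
    if record["trap"] is None:
        record["trap"] = email.utils.parseaddr(str(msg.get("To", "")))[1].lower()
    sender = email.utils.parseaddr(str(msg.get("From", "")))[1]
    record["sender_domain"] = sender.rpartition("@")[2].lower()
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    record["urls"] = sorted(set(URL_RE.findall(text)))
    return record


def summarize(raw_messages):
    """Aggregate per-message records into per-IP, per-HELO, per-URL and per-trap counts."""
    totals = {"ips": Counter(), "helos": Counter(), "urls": Counter(), "traps": Counter()}
    for raw in raw_messages:
        r = parse_trap_message(raw)
        totals["ips"][r["ip"]] += 1
        totals["helos"][r["helo"]] += 1
        totals["traps"][r["trap"]] += 1
        totals["urls"].update(r["urls"])
    return totals


if __name__ == "__main__":
    for key, counter in summarize(SAMPLE_MESSAGES).items():
        print(key, counter.most_common(3))
```

Two details matter in practice: the trap address is taken from the envelope ("for <...>") rather than the To: header, because bulk senders routinely Bcc their lists, and an rDNS of "unknown" is itself a useful signal, since Postfix writes that when the connecting IP has no reverse DNS.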
As I've shown, setting up a spamtrap is a fairly straightforward process and the value to an organization can be immense.
As a spamtrap's volume grows, so does its complexity. In the next post, I will discuss how to keep your spamtrap from looking like a spamtrap and the importance of keeping spamtrap data in the right hands.
Kelly Molloy is a Senior Program Manager for Farsight Security, Inc.