
I have heard it suggested that we set up a special email address whose only purpose is to be harvested, and then blacklist every sender that targets this address.

I'm wondering:

  • if anyone else has tried this
  • how do you go about doing it (i.e. put the address in a hidden field on your website, or better ways?)
  • does it work?
  • is there anything to watch out for when trying this (i.e. legitimate senders using harvested addresses?)
Brent



Has anyone else tried this:

  • Certainly, yes. Almost every anti-spam service out there uses them; the industry term is "spamtraps".

How do you go about doing it?

  • Normally, find an address in one of the domains which receives a lot of spam and confirm with the owner that it is not in use and they have no plans to resurrect it. This process can be (partially) automated.

Does it work?

  • Yes. The most useful thing is that, since you can guarantee that messages sent to traps are spam, you can use them to calibrate the effectiveness of an engine at any given time, to measure how well you're doing at blocking spam (false negatives), provided you have a sufficiently large sample of spamtraps; most anti-spam companies would have hundreds or thousands.
  • They can also be used by automatic learning systems to "learn" stuff about spam. But those could learn about spam sent to non-spamtrap addresses too (of course, you're never 100% sure it's spam if it's sent to a non-spamtrap address).
  • "Blacklisting" sender addresses is not normally used. This is because apparent spammers usually invent garbage sender addresses anyway, and because apparent spammers occasionally reform their ways and start sending clean mail
  • IP address blacklisting isn't used (in a simplistic form) either, for the same reason; "bad" IP addresses can start being "good", so if you had a blanket ban, legitimate mail would end up being blocked.

Normally you wouldn't use just a single address; that wouldn't be enough. Try a few hundred spread throughout all your domains (for a start).

You can advertise them if you like, but if your domains are sufficiently well-known to spammers, candidate spamtrap addresses probably already exist within them (they are probably mailboxes which don't exist on your end-user systems).

Whole spamtrap domains can be set up - I'm sure many companies use these - either buy 2nd hand domains or register realistic sounding ones with a plausible (albeit fake) web site. Subdomains can work too. Spamtrap domains are handy because you can set them up with keywords or in specific top-level domains that spammers might be targeting.

MarkR
  • Forgot to mention, I work for a major antispam company :) – MarkR May 25 '09 at 20:52
  • Note that if you're setting up traps on a domain that also receives legitimate mail, you should choose addresses which, while plausible-looking, are sufficiently distinct from any extant, legitimate addresses to preclude the possibility of a typo leading to a blacklisting. Likewise, understand the trade-off between using an "inactive" address and a new address as a spamtrap: The former gives you more coverage, but risks false positives from, e.g., emails forwarded by legitimate, non-commercial senders to a large number of addresses. – user70549 Mar 11 '11 at 00:20

I have not tried this method, but I think [unless you handle tens of thousands of mailboxes] you'll be much better off using an anti-spam system that takes decisions based on multiple RBLs and content checks like DCC / Razor / Pyzor.

Many RBLs use spam traps on a much wider scale than I think you could deploy.

pQd
  • We already have a pretty good spam filter in place. I'm considering this as an additional measure, as blacklisting would reduce the load on the mail filters. – Brent May 23 '09 at 13:34

Project Honey Pot may give you some ideas as to methods and effectiveness. If you want, you can subscribe to their blacklist and let them handle all this.

I am confused as to what you mean by "legitimate senders using harvested addresses" - I would, in almost all cases, deem such a sender illegitimate by definition.

ceejayoz

My concern with blacklisting every sender is that it is fairly easy to spoof who sent an email.

Andy
  • If anyone is going to blacklist anything I would definitely do it based on IP, not sender mail address. – pQd May 23 '09 at 14:26
  • Good point. But do spammers have more difficulty in spoofing an IP? *genuinely curious* – Andy May 23 '09 at 16:49
  • Yes, it's more difficult. Plus they have less reason to do it. – Draemon May 23 '09 at 18:47
  • What happens when you get spam from someone behind a large NATed address? Entire hotels, schools etc will get blocked when using this technique if the offender / infected computer enters these networks. – Ben Ashton Mar 21 '12 at 22:25

Hmm... Just adding my opinion to the discussion.

I don't think this method has a good success rate. I just had a look at a bunch of spam. Generally spammers use fake email addresses while spamming and they never use the same address again and again. So blacklisting the email addresses or domains would not be a good solution.

But your hidden address thing seems to be a nice idea. Since the actual users do not see it and only a crawler can filter out the email address you can assume that only the spammers will get that address.

Then you can integrate that idea with IP addresses. If the mails sent to the hidden address are coming from some IP range you can just assume that IP range is a spamming range.

But in my view the result you gain from this is not worthwhile considering the effort. I think content-based filtering mechanisms are more fruitful than this "honey pot" mechanism.

  • "I think content-based filtering mechanisms are more fruitful than this "honey pot" mechanism." Honey pots can be wonderful for getting the content to filter against. You set one up and use it to seed your content filters. – ceejayoz Jun 02 '09 at 17:04

I have done this. I noticed in my logs certain invalid addresses getting hit again and again. These are addresses that were never active or posted anywhere. So I set up a mailbox that sends those emails to sa-learn to help train SpamAssassin's Bayesian database. I've never tested the effectiveness of this in any way, but I'm not too worried about it as it cost little time to set up.

sherbang

My first thought was that this would be of little value since the addresses are always changing.

But in my experience, spammers often send to a load of addresses@yourdomain.com - almost in a brute forced way.

It might be worth setting an address up (say adam@yourdomain.com) and filtering not on the from address or IP, but on content - filter out any email also sent to "adam". You'd want to pick an email address lexicographically before any real address to increase your chances. Also, you'd have to account for small content differences.

I still suspect it falls into the category of too much effort, too little gain, but it's a thought if you're experimenting.

Draemon
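Draemon's idea in code, as an added example that is not from the original page: a filter that drops any message whose recipient list includes the trap address, remembers that body, and afterwards drops near-duplicate bodies addressed to real users, whatever From address or sending IP they arrive with. The "small content differences" point is handled by comparing word shingles after URLs, digits and punctuation are stripped, so per-message order numbers and tracking links do not defeat the match. The trap name adam@example.com follows the answer; the sample messages and the 0.8 similarity threshold are constructed assumptions.

```python
"""Content filter keyed on a spamtrap recipient: added example, not from the page.

Messages addressed to the trap are assumed to be spam; their bodies are
remembered and later messages that nearly match them are dropped even when
they carry a different From address, sending IP or random tracking token.
"""
import re

TRAP = "adam@example.com"   # assumed trap mailbox, named after Draemon's answer

URL_RE = re.compile(r"https?://\S+")


def shingles(body, n=3):
    """Word n-grams after normalisation.

    URLs, digits and punctuation are removed and case is folded, so the order
    numbers and tracking URLs spammers randomise per message do not change
    the fingerprint.
    """
    words = re.findall(r"[a-z]+", URL_RE.sub(" ", body).lower())
    return {tuple(words[i:i + n]) for i in range(len(words) - n + 1)}


def similarity(a, b):
    """Jaccard similarity of two shingle sets (0.0 when either is empty)."""
    if not a or not b:
        return 0.0
    return len(a & b) / len(a | b)


class TrapContentFilter:
    def __init__(self, trap=TRAP, threshold=0.8):
        self.trap = trap.lower()
        self.threshold = threshold          # assumed; tune against real traffic
        self.known = []                     # shingle sets of bodies seen at the trap

    def observe(self, recipients, body):
        """Return True if the message should be dropped.

        A message whose recipients include the trap is dropped for every
        recipient (the copy to alice is the same mail as the copy to adam)
        and its fingerprint is stored; any later message that resembles a
        stored fingerprint is dropped too.
        """
        sh = shingles(body)
        if self.trap in (r.lower() for r in recipients):
            self.known.append(sh)
            return True
        return any(similarity(sh, k) >= self.threshold for k in self.known)


# Constructed sample traffic.
SPAM_A = ("Dear friend, buy cheap meds now! Your order 48213 is waiting. "
          "Click http://example.net/x9f2 and visit us today. Offer ends Friday.")
SPAM_B = ("Dear friend, buy cheap meds now! Your order 77110 is waiting. "
          "Click http://example.net/q1a7 and visit us today. Offer ends Monday.")
LEGIT = "Hi Bob, are we still on for lunch on Thursday? Let me know what works."

if __name__ == "__main__":
    f = TrapContentFilter()
    print(f.observe(["alice@example.com", "adam@example.com"], SPAM_A))  # dropped: trap hit
    print(f.observe(["bob@example.com"], SPAM_B))                        # dropped: near-duplicate
    print(f.observe(["bob@example.com"], LEGIT))                         # delivered
```

The shingle comparison is deliberately crude; a production filter would expire stored fingerprints and compare against a hashed index rather than a list, but the shape of the decision is the same: trap membership makes the first copy certain spam, and similarity catches the variants.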

Our anti-spam product allows us to do this, an automated blacklist of everything sent to a honeypot. Here are a couple of the bullet points:

  • You post an email address on your website such that bots can find it and pick it up, but no real person would see it or send messages to that address.

  • You tell your anti-spam product to monitor incoming email sent to the address and all email coming into that honeypot will be blacklisted.

  • It works on the sending IP address level not the sending FROM address, that is how it avoids the spoofed sender issue mentioned.

  • Even though we have a honeypot for spam reporting, we don't use this feature, here is why. Spammers will routinely send some messages from Hotmail, Yahoo, Gmail, etc. These are typically the 419 scam messages that are hard to stop. Although the percentage isn't high, it would be enough that if we were to use an automatic system it would block legitimate email.

In summary, we haven't used the automatic blacklist system as you mentioned, however having a honeypot is still a useful feature. We monitor it and use email received to report spam, and to determine the effectiveness of our anti-spam measures.

Aaron
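What Aaron's bullet points describe, as an added example that is not code from the original page or from any anti-spam product: a trap-hit counter keyed on the connecting IP rather than the From address (which is why a spoofed sender cannot get someone else blocked, as the Andy/pQd exchange above notes), with the two exclusions this thread raises built in: sending ranges of large shared webmail providers from Aaron's last bullet, and the NAT gateway or shared host case from Ben Ashton's comment, approximated here as an IP whose deliveries are mostly to real mailboxes. The log line format, the trap address, the provider range and the thresholds are all assumptions.

```python
"""Trap-driven blocklist of sending IPs: added example, not from the page or any product.

Assumptions: MTA log lines look like "client=<ip> to=<recipient>" (constructed
format), TRAP_ADDRESSES lists our spamtrap mailboxes, and NEVER_BLOCK holds
sending ranges of large shared providers (values constructed for this example).
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample log: one delivery attempt per line, with the envelope recipient.
SAMPLE_LOG = """\
client=203.0.113.7 to=<trap-xyz@example.com>
client=203.0.113.7 to=<trap-xyz@example.com>
client=203.0.113.7 to=<alice@example.com>
client=198.51.100.20 to=<trap-xyz@example.com>
client=198.51.100.20 to=<trap-xyz@example.com>
client=192.0.2.33 to=<trap-xyz@example.com>
client=192.0.2.33 to=<trap-xyz@example.com>
client=192.0.2.33 to=<bob@example.com>
client=192.0.2.33 to=<carol@example.com>
client=192.0.2.33 to=<dave@example.com>
client=192.0.2.77 to=<trap-xyz@example.com>
"""

TRAP_ADDRESSES = {"trap-xyz@example.com"}                 # assumed trap mailbox
NEVER_BLOCK = [ipaddress.ip_network("198.51.100.0/24")]   # assumed shared-provider range

LINE_RE = re.compile(r"client=(?P<ip>[0-9a-fA-F.:]+)\s+to=<(?P<rcpt>[^>]+)>")


def parse_log(text):
    """Yield (ip, recipient) for each line matching the assumed format."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("ip"), m.group("rcpt").lower()


def build_blocklist(text, traps=TRAP_ADDRESSES, exempt=NEVER_BLOCK,
                    min_hits=2, min_trap_share=0.5):
    """Return (blocked_ips, skipped) where skipped maps ip -> reason.

    Decisions are made on the connecting IP, never on the From header, so a
    spoofed sender address does not get anyone else blocked.
    """
    trap_hits, other_hits = defaultdict(int), defaultdict(int)
    for ip, rcpt in parse_log(text):
        if rcpt in traps:
            trap_hits[ip] += 1
        else:
            other_hits[ip] += 1

    blocked, skipped = set(), {}
    for ip, hits in trap_hits.items():
        addr = ipaddress.ip_address(ip)
        share = hits / (hits + other_hits[ip])
        if any(addr in net for net in exempt):
            # Webmail/shared providers: blocking the IP blocks legitimate users too.
            skipped[ip] = "shared provider"
        elif hits < min_hits:
            # A single hit can be a typo or a forwarded message; demand repetition.
            skipped[ip] = "below threshold"
        elif share < min_trap_share:
            # Mostly real deliveries: likely a NAT gateway or shared host.
            skipped[ip] = "mostly legitimate traffic"
        else:
            blocked.add(ip)
    return blocked, skipped


if __name__ == "__main__":
    blocked, skipped = build_blocklist(SAMPLE_LOG)
    print("block:", sorted(blocked))
    print("skip:", skipped)
```

Entries added this way should also expire, for the reason MarkR gives: a "bad" IP can become "good" again, so a permanent ban built from trap hits will eventually block legitimate mail.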

I put an address in a comment on my main page. It gets about 5 emails a day.

Paul Tomblin

I use ASSP (asspsmtp.org), an open source spam filter. If you set up authentication, it can automatically create spamtrap addresses for unknown addresses after a certain number of tries... so if I repeatedly get email for "invaliduser@domain.com", after try number X, the system will start harvesting all messages sent to that address as spam. X is set high enough that normal typos and mistakes will not trip it, but spammers will.

Jim G.
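The behaviour Jim G. describes, sketched in plain Python as an added example; this is not ASSP's code and makes no claim about how ASSP is configured. It also covers what sherbang noticed in his logs (invalid addresses hit again and again) and user70549's caveat under MarkR's answer: an unknown recipient becomes a trap only after the Xth delivery attempt, and never if it is within a small edit distance of a real mailbox in the same domain, since that is most likely a typo. The directory of valid addresses, the threshold and the typo distance are constructed assumptions.

```python
"""Promote repeatedly hit unknown recipients to spamtraps: added example.

This sketches the behaviour Jim G. describes for ASSP in plain Python; it is
not ASSP's code and makes no claim about ASSP's configuration. Assumptions:
VALID is the directory of real mailboxes (constructed), threshold is the
"try number X" after which an unknown address becomes a trap, and recipients
within typo_distance edits of a real address are treated as probable typos
and never promoted.
"""
from collections import Counter

VALID = {"alice@example.com", "bob@example.com"}   # constructed directory


def edit_distance(a, b):
    """Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


class AutoTrap:
    def __init__(self, valid=VALID, threshold=10, typo_distance=1):
        self.valid = {v.lower() for v in valid}
        self.threshold = threshold          # "try number X"; assumed default
        self.typo_distance = typo_distance
        self.attempts = Counter()           # deliveries attempted per unknown recipient
        self.traps = set()

    def probable_typo(self, rcpt):
        """True if rcpt is within typo_distance of a real mailbox in the same domain."""
        local, _, domain = rcpt.partition("@")
        for v in self.valid:
            vlocal, _, vdomain = v.partition("@")
            if vdomain == domain and edit_distance(local, vlocal) <= self.typo_distance:
                return True
        return False

    def classify(self, rcpt):
        """Return 'deliver', 'reject' (unknown user, normal bounce) or 'trap'."""
        rcpt = rcpt.lower()
        if rcpt in self.valid:
            return "deliver"
        if rcpt in self.traps:
            return "trap"
        self.attempts[rcpt] += 1
        if self.attempts[rcpt] >= self.threshold and not self.probable_typo(rcpt):
            self.traps.add(rcpt)
            return "trap"
        return "reject"


if __name__ == "__main__":
    at = AutoTrap(threshold=3)
    print([at.classify("zzq8@example.com") for _ in range(4)])  # reject, reject, trap, trap
    print([at.classify("alic@example.com") for _ in range(4)])  # reject x4: typo of alice
    print(at.classify("Bob@example.com"))                        # deliver
```

Once an address is in `traps`, mail to it can be fed to whatever the trap output is meant to drive (sa-learn in sherbang's setup, or a sending-IP blocklist as in Aaron's product); the classifier itself only decides which addresses have earned that status.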