Security.com

spam trap

By Ben Lutkevich

What is a spam trap?

A spam trap is an email address that is used to identify and monitor spam email. It is also a type of honeypot because it uses a fake email address to bait spammers. Internet service providers (ISPs), antispam organizations, blocklist providers and corporations use spam traps to monitor and reduce the amount of spam traffic to their networks.

A spam trap uses filters to block certain email addresses that have a history of sending spam. The spam trap analyzes all or part of the email address to identify it and decides whether or not to mark it as a spam-sending address.

Despite their objective of blocking spam email addresses, spam traps can unintentionally block legitimate, nonspam email addresses as well, which can damage the sender's reputation and email deliverability. Spam traps can cause the sender's domain list or Internet Protocol (IP) address to be denied.

Types of spam traps

There are several types of spam traps, and they all work a little differently.

Pure spam traps. Also known as pristine spam traps, these are email addresses created by ISPs and other organizations that have never been associated with a real person. These email addresses only exist to function as a spam trap. The email addresses are embedded into websites so that, when spammers scrape the sites to add to their mailing list of spam targets, they unknowingly pick up the trap as well. The administrator of the spam trap then watches to see which addresses email the trap. Those that email the trap are deemed to be spam and are blocked, or are more closely monitored, as they harvested that contact -- the trap's address -- in a suspicious manner, as opposed to asking for the address as a legitimate sender would do. A pure spam trap will damage the sender's reputation if an antispam organization finds it in the sender's contact email list.

Recycled spam traps. These are often email addresses and domains that were at one time legitimate but have since been repurposed as spam trap addresses. Some common examples of repurposed addresses are role addresses, which might look like the following:

• [email protected]
• [email protected]
• [email protected]

Email addresses of employees who no longer work for a company can also be used as recycled spam traps. The address still exists, but it is no longer used for its intended purpose. So, it gets recycled as a spam trap. The recycled spam trap is generally not as harmful to senders as the pure trap but still can cause damage over time. Unlike addresses designed specifically for trapping spam, recycled addresses have an element of legitimacy. They are more likely to attract legitimate traffic -- for example, those who previously corresponded with the owner of the address before it was recycled.

Typo spam traps. These are spam traps that, like recycled traps, aim to look legitimate. However, instead of recycling a legitimate address, they contain subtle typos, even though they are a different address. Examples include the following:

• @gmil instead of @gmail
• @yaho or @yah0o instead of @yahoo
• @hotmal instead of @hotmail

Like recycled spam traps, these will not damage a sender's reputation as severely as pure traps but will signal antispam authorities over time.

How to identify spam traps

A spam trap has features that a normal user would typically notice and, as a result, would cause the user to cease correspondence. These include the following:

• The address has typos in the domain.
• The address was acquired through suspicious, illegitimate or uninvolved means, such as scraping or bulk list purchasing.
• The address appears outdated or no longer valid.

To check if a spam trap is included in an email list, the sender of that list should check their email delivery rates. If delivery rates are dropping drastically, the sender's list may contain a spam trap. This is because spam traps do not respond to or conventionally read emails sent to them. Emails are sent to them but not registered as delivered. Also, the fact that the address does not respond damages a sender's reputation. There are tools senders can use to analyze their contact list for spam traps.

If senders believe they have a spam trap in their list, they can check to see if the email addresses are on an email blocklist. Some common IP or domain blocklists to check include the following:

• Barracuda Reputation Block List (BRBL)
• Invaluement.com antispam
• SpamCop Blocking List (SCBL)

Blocklist tool vendors maintain and add to their blocklists. For example, SpamCop adds IP addresses reported by its user lists. Senders who suspect they are on SpamCop's list can check that list, but it is difficult to get an address removed from one of these lists.

How to avoid spam traps

The best way to avoid acquiring spam traps in a contact list is to practice good email management. A poorly maintained email list could indicate a potential spammer and, therefore, attract a spam trap. A spam trap in the contact list will then worsen the sender's reputation by decreasing their email delivery rate.

Examples of sender behaviors that indicate poor email management include the following:

• does not seem aware of the addresses that it consistently emails;
• consistently emails addresses that a legitimate sender would not email;
• consistently acquires email addresses through suspicious means, such as scraping;
• goes long periods without sending mail to an address; and
• sends mail to an address that has not opened sender email for several months.

In order to avoid acquiring a spam trap, which would cause one to exhibit these bad sender behaviors, senders should follow email best practices. Some examples of email best practices include the following:

• Avoid purchasing contact lists. Purchased lists are likely to include spam trap addresses. They also are generally considered a poor way to accrue contacts, as even the legitimate users on those lists may have no interest in receiving what the sender plans to provide.
• Use email validation on contact lists. Email validation can be incorporated in email signup forms that automatically check the legitimacy of the entered email addresses.
• Include a double opt-in for subscribers. Recipients should have to confirm their email address before they begin receiving actual sender content. A double opt-in ensures that recipients actually want the sender's emails and verifies that the sender's list contains only legitimate addresses.
• Keep contact lists up to date. Lists should be reviewed regularly to ensure all subscribers are engaging with the sender. Outdated email lists will appear to authorities as though the sender is sending spam. Reengagement campaigns can help senders engage with addresses they haven't emailed recently. If those don't work, it is best to remove addresses that are not engaging.
• Practice permission-based email marketing. Spam is generally defined as emails or traffic that the recipient likely didn't consent to and almost definitely doesn't want. Gaining recipient permission before sending bulk marketing emails ensures that the recipient participated in and consented to the communication in some way.

A cloud honeypot can help organizations gather threat intelligence. Learn more about the benefits and limitations of a cloud honeypot, as well as how to use a public cloud system to host a honeypot, here.