Spam Trapping


Spam Trapping

Mike Spenard
 What are some thoughts on purposely getting a spam trap email
address acquired by spammers and the best way to do so.

i.e. Is it best to use only a defunct address for trapping, or will
intentionally getting a new trap address spammed only increase
one's spam input and be detrimental overall.  I would like to hear
feedback based on experience and not just theory of course =)

If it's not detrimental overall how feasible would it be to construct
a service that automated the (counterintuitive) act of getting an email
address acquired by as many spammers as possible?

Mike Spenard


Re: Spam Trapping

Kian Mohageri-2
Maybe you're really looking for something like spamd:

http://www.openbsd.org/spamd/

Much more effective than a trap e-mail address in my opinion?

Kian

On 6/1/06, Mike Spenard <[hidden email]> wrote:

>
> What are some thoughts on purposely getting a spam trap email
> address acquired by spammers and the best way to do so.
>
> i.e. Is it best to use only a defunct address for trapping, or will
> intentionally getting a new trap address spammed only increase
> one's spam input and be detrimental overall.  I would like to hear
> feedback based on experience and not just theory of course =)
>
> If it's not detrimental overall how feasible would it be to construct
> a service that automated the (counterintuitive) act of getting an email
> address acquired by as many spammers as possible?
>
> Mike Spenard


Re: Spam Trapping

Joachim Schipper
On Thu, Jun 01, 2006 at 05:42:02PM -0700, Kian Mohageri wrote:
> Maybe you're really looking for something like spamd:
>
> http://www.openbsd.org/spamd/
>
> Much more effective than a trap e-mail address in my opinion?

Spamd can be configured to use a 'trap' e-mail address... See under
'GRAYTRAPPING'.

                Joachim


Re: Spam Trapping

John Draper
In reply to this post by Mike Spenard
Mike Spenard wrote:

> What are some thoughts on purposely getting a spam trap email
> address acquired by spammers and the best way to do so.

It is hard to do initially, unless you want to spend a lot of time
signing up for things over the web...  In my case, I have a very
good spam trap.   But I host about 60 Email users and I changed
everyone's Email address (with their cooperation), and removed
them from any mailing lists they might have joined.   Eventually,
almost all of these accounts have Pure spam coming in.

Next I forwarded each of them to "[hidden email]" and
presto...  I have a 100% spam source I can feed directly into my
spam reporting engine.   Most of these addresses have taken years
to accumulate this spam.  This is by far the best way...

>
> i.e. Is it best to use only a defunct address for trapping, or will
> intentionally getting a new trap address spammed only increase
> one's spam input and be detrimental overall.  I would like to hear
> feedback based on experience and not just theory of course =)

This would work,  but it won't catch the older spam proxies out there.
Some of these proxies have existed for years,  prolly because they
have not shown up on the ISP's radar.

>
> If it's not detrimental overall how feasible would it be to construct
> a service that automated the (counterintuitive) act of getting an email
> address acquired by as many spammers as possible?

If you find out,  I would also like to know how to do this.

John


Re: Spam Trapping

Gilles Chehade
On Wed, Jun 14, 2006 at 09:31:49AM -0700, John Draper wrote:

> Mike Spenard wrote:
>
> >What are some thoughts on purposely getting a spam trap email
> >address acquired by spammers and the best way to do so.
>
> It is hard to do initially, unless you want to spend a lot of time
> signing up for things over the web...  In my case, I have a very
> good spam trap.   But I host about 60 Email users and I changed
> everyone's Email address (with their cooperation), and removed
> them from any mailing lists they might have joined.   Eventually,
> almost all of these accounts have Pure spam coming in.
>
> Next I forwarded each of them to "[hidden email]" and
> presto...  I have a 100% spam source I can feed directly into my
> spam reporting engine.   Most of these addresses have taken years
> to accumulate this spam.  This is by far the best way...
>

we used to have 'spammers ? spam this [hidden email]' at the
bottom of each page so that crawlers would spam it. also, we had a
few systems accounts, not supposed to receive mail, act as spam
traps which proved to be quite efficient.


Re: Spam Trapping

tony sarendal
On 14/06/06, [hidden email] <[hidden email]> wrote:

>
> On Wed, Jun 14, 2006 at 09:31:49AM -0700, John Draper wrote:
> > Mike Spenard wrote:
> >
> > >What are some thoughts on purposely getting a spam trap email
> > >address acquired by spammers and the best way to do so.
> >
> > It is hard to do initially, unless you want to spend a lot of time
> > signing up for things over the web...  In my case, I have a very
> > good spam trap.   But I host about 60 Email users and I changed
> > everyone's Email address (with their cooperation), and removed
> > them from any mailing lists they might have joined.   Eventually,
> > almost all of these accounts have Pure spam coming in.
> >
> > Next I forwarded each of them to "[hidden email]" and
> > presto...  I have a 100% spam source I can feed directly into my
> > spam reporting engine.   Most of these addresses have taken years
> > to accumulate this spam.  This is by far the best way...
> >
>
> we used to have 'spammers ? spam this [hidden email]' at the
> bottom of each page so that crawlers would spam it. also, we had a
> few systems accounts, not supposed to receive mail, act as spam
> traps which proved to be quite efficient.
>
>
So what do you guys do with the email hitting the spam traps ?
My email address [hidden email] has been used as From address
by spammers, does that mean that I can't send you guys emails ?
Or do you do something else like teach spamassassin and record source
IP addresses ?

/Tony

--
Tony Sarendal - [hidden email]
IP/Unix
       -= The scorpion replied,
               "I couldn't help it, it's my nature" =-


Re: Spam Trapping

Spruell, Darren-Perot
In reply to this post by Mike Spenard
From: [hidden email]

> > we used to have 'spammers ? spam this [hidden email]' at the
> > bottom of each page so that crawlers would spam it. also, we had a
> > few systems accounts, not supposed to receive mail, act as spam
> > traps which proved to be quite efficient.
> >
> >
> So what do you guys do with the email hitting the spam traps ?
> My email address [hidden email] has been used as From address
> by spammers, does that mean that I can't send you guys emails ?
> Or do you do something else like teach spamassassin and record source
> IP addresses ?

spamd. It works on the IP address level. Spam trap addresses function such
that offending source addresses are auto-blacklisted (for a configurable
length of time.)

In a sense, it is tied to the email address of the To: header, not From: as
you'd speculated.

DS


Re: Spam Trapping

tony sarendal
On 14/06/06, Spruell, Darren-Perot <[hidden email]> wrote:

>
> From: [hidden email]
> > > we used to have 'spammers ? spam this [hidden email]' at the
> > > bottom of each page so that crawlers would spam it. also, we had a
> > > few systems accounts, not supposed to receive mail, act as spam
> > > traps which proved to be quite efficient.
> > >
> > >
> > So what do you guys do with the email hitting the spam traps ?
> > My email address [hidden email] has been used as From address
> > by spammers, does that mean that I can't send you guys emails ?
> > Or do you do something else like teach spamassassin and record source
> > IP addresses ?
>
> spamd. It works on the IP address level. Spam trap addresses function such
> that offending source addresses are auto-blacklisted (for a configurable
> length of time.)
>
> In a sense, it is tied to the email address of the To: header, not From: as
> you'd speculated.


I know how spamd works, but here we had more creative setups, the To: address
of the spam emails were just used to route them to the spam trap. What point
would it be to identify the spam with the To: header if all email for those
addresses end up in a spam trap anyway ?

So if people route specific unused email addresses to spam traps,
what do they actually do with the received emails to reduce spam
to legitimate addresses ?

/T

--
Tony Sarendal - [hidden email]
IP/Unix
       -= The scorpion replied,
               "I couldn't help it, it's my nature" =-


Re: Spam Trapping

Joachim Schipper
In reply to this post by tony sarendal
On Wed, Jun 14, 2006 at 08:29:17PM +0100, tony sarendal wrote:

> On 14/06/06, [hidden email] <[hidden email]> wrote:
> > On Wed, Jun 14, 2006 at 09:31:49AM -0700, John Draper wrote:
> > > Mike Spenard wrote:
> > > >What are some thoughts on purposely getting a spam trap email
> > > >address acquired by spammers and the best way to do so.
> > >
> > > It is hard to do initially, unless you want to spend a lot of time
> > > signing up for things over the web...  In my case, I have a very
> > > good spam trap.   But I host about 60 Email users and I changed
> > > everyone's Email address (with their cooperation), and removed
> > > > them from any mailing lists they might have joined.   Eventually,
> > > > almost all of these accounts have Pure spam coming in.
> > > >
> > > > Next I forwarded each of them to "[hidden email]" and
> > > > presto...  I have a 100% spam source I can feed directly into my
> > > > spam reporting engine.   Most of these addresses have taken years
> > > to accumulate this spam.  This is by far the best way...
> >
> > we used to have 'spammers ? spam this [hidden email]' at the
> > bottom of each page so that crawlers would spam it. also, we had a
> > few systems accounts, not supposed to receive mail, act as spam
> > traps which proved to be quite efficient.
> >
> So what do you guys do with the email hitting the spam traps ?
> My email address [hidden email] has been used as From address
> by spammers, does that mean that I can't send you guys emails ?
> Or do you do something else like teach spamassassin and record source
> IP addresses ?

Well, spamd works by source IP. Assuming a sane network setup, it
shouldn't reject too much legitimate mail.

                Joachim


Re: Spam Trapping

Spruell, Darren-Perot
In reply to this post by Mike Spenard
From: [hidden email]
> So if people route specific unused email addresses to spam traps,
> what do they actually do with the received emails to reduce spam
> to legitimate addresses ?

If you're not making the connection, you don't understand how spamd(8)
works.

Your MX receives mail for your-domain.tld. The spammer attempts to email
'[hidden email]' and their MTA ends up being blacklisted. Now they
attempt to send spam to '[hidden email]' or '[hidden email]',
which is directed to your same MX host, and since they are blacklisted, they
cannot.

They try to send spam to '[hidden email]', also being serviced
via your MX, and are blacklisted still. No users at your-other-domain.tld
receive spam.

Look up the definition of the "tuple" in the spamd references.

DS
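
A simplified model of the behaviour described in the message above, as an added example that is not part of the thread and is not spamd's own code: one hit on a trap address lists the source IP, and that IP is then refused for every recipient and domain behind the same MX until the listing expires. The mailbox names, IP addresses and the 24-hour duration are constructed for illustration.

```python
import ipaddress

TRAP_SECONDS = 24 * 3600  # assumed duration; the thread only says "configurable"


class GreytrapModel:
    """Toy trap-address blacklist keyed on source IP (not spamd's code)."""

    def __init__(self, trap_addresses, trap_seconds=TRAP_SECONDS):
        self.traps = {a.lower() for a in trap_addresses}
        self.trap_seconds = trap_seconds
        self.trapped = {}  # source IP -> expiry timestamp (seconds)

    def rcpt(self, src_ip, mail_from, rcpt_to, now):
        """Decide one delivery attempt. mail_from is deliberately ignored:
        the sender address is trivially forged, so it never affects listing."""
        ip = str(ipaddress.ip_address(src_ip))  # validate and normalise
        expiry = self.trapped.get(ip)
        if expiry is not None and now >= expiry:
            del self.trapped[ip]  # listing aged out; the IP may have a new owner
            expiry = None
        if rcpt_to.lower() in self.traps:
            self.trapped[ip] = now + self.trap_seconds
            return "trapped"
        return "blocked" if expiry is not None else "pass"


def demo():
    """Replay constructed delivery attempts and return the decisions."""
    model = GreytrapModel(["trap@your-domain.tld"])
    forged = "tony@example.net"  # constructed: a real user's address, forged by the spammer
    events = [
        # (time, source IP, MAIL FROM, RCPT TO)
        (0, "192.0.2.10", forged, "trap@your-domain.tld"),
        (60, "192.0.2.10", forged, "alice@your-domain.tld"),
        (120, "192.0.2.10", forged, "bob@your-other-domain.tld"),
        # The real owner of the forged address, sending from his own server.
        (180, "198.51.100.7", forged, "alice@your-domain.tld"),
        # Same spammer IP again, after the listing has expired.
        (TRAP_SECONDS + 61, "192.0.2.10", forged, "alice@your-domain.tld"),
    ]
    return [model.rcpt(ip, frm, to, t) for t, ip, frm, to in events]


if __name__ == "__main__":
    print(demo())
```
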


Re: Spam Trapping

tony sarendal
On 14/06/06, Spruell, Darren-Perot <[hidden email]> wrote:

>
> From: [hidden email]
> > So if people route specific unused email addresses to spam traps,
> > what do they actually do with the received emails to reduce spam
> > to legitimate addresses ?
>
> If you're not making the connection, you don't understand how spamd(8)
> works.
>
> Your MX receives mail for your-domain.tld. The spammer attempts to email
> '[hidden email]' and their MTA ends up being blacklisted. Now they
> attempt to send spam to '[hidden email]' or '[hidden email]',
> which is directed to your same MX host, and since they are blacklisted, they
> cannot.
>
> They try to send spam to '[hidden email]', also being serviced
> via your MX, and are blacklisted still. No users at your-other-domain.tld
> receive spam.
>
> Look up the definition of the "tuple" in the spamd references.
>
> DS
>
>
From the emails earlier in the thread I was expecting something else than
greytrapping. Terms like "spam reporting engine" and "older spam proxies"
indicated that they were talking about something else. I was interested in
what that was.

/Tony

--
Tony Sarendal - [hidden email]
IP/Unix
       -= The scorpion replied,
               "I couldn't help it, it's my nature" =-


Re: Spam Trapping

Mikhail Goriachev-2
In reply to this post by tony sarendal
tony sarendal wrote:

> On 14/06/06, [hidden email] <[hidden email]> wrote:
>> On Wed, Jun 14, 2006 at 09:31:49AM -0700, John Draper wrote:
>>> Mike Spenard wrote:
>>>
>>>> What are some thoughts on purposely getting a spam trap email
>>>> address acquired by spammers and the best way to do so.
>>> It is hard to do initially, unless you want to spend a lot of time
>>> signing up for things over the web...  In my case, I have a very
>>> good spam trap.   But I host about 60 Email users and I changed
>>> everyone's Email address (with their cooperation), and removed
>>> them from any mailing lists they might have joined.   Eventually,
>>> almost all of these accounts have Pure spam coming in.
>>>
>>> Next I forwarded each of them to "[hidden email]" and
>>> presto...  I have a 100% spam source I can feed directly into my
>>> spam reporting engine.   Most of these addresses have taken years
>>> to accumulate this spam.  This is by far the best way...
>>>
>> we used to have 'spammers ? spam this [hidden email]' at the
>> bottom of each page so that crawlers would spam it. also, we had a
>> few systems accounts, not supposed to receive mail, act as spam
>> traps which proved to be quite efficient.
>>
>>
> So what do you guys do with the email hitting the spam traps ?
> My email address [hidden email] has been used as From address
> by spammers, does that mean that I can't send you guys emails ?
> Or do you do something else like teach spamassassin and record source
> IP addresses ?
>
> /Tony
>


I feed it to spamassassin. I don't do anything with IPs because most of
them get dynamically reallocated between clean and infected computers. I
reckon you shouldn't worry about From address because it gets forged all
the time. This is very common. Therefore, it would be a bit silly for
someone to rely on the From field.


Cheers,
Mikhail.

--
Mikhail Goriachev
Webanoide

Telephone: +61 (0)3 62252501
Mobile Phone: +61 (0)4 38255158
E-Mail: [hidden email]
Web: http://www.webanoide.org

PGP Key ID: 0x4E148A3B
PGP Key Fingerprint: D96B 7C14 79A5 8824 B99D 9562 F50E 2F5D 4E14 8A3B