One of the issues I get to deal with in policy enforcement is handling complaints about customers sending messages to “spamtraps.” This invariably leads to a discussion about what, exactly, is a “spamtrap.”
There are a lot of different answers out there. For instance, a 2019 blog post at Validity asserts that it is a “fraud management tool” to “lure spam” from spammers through “list poisoning.”[1] On the other hand, The Spamhaus Project gives this definition on its glossary page:
Spamtraps are broadly defined as email addresses which have not opted into any email. There are, however, many types of traps. They are also very effective in identifying email marketers with poor permission and list management practices. They are used by various reputation systems to highlight senders who add email addresses to their lists without obtaining prior permission.[2]
My definition
My definition of a spamtrap reads like this: “A spamtrap is an address which does not belong to an actual person, but is used as part of a system generally intended to gather evidence indicating poor execution of best practices by list owners.”
Let’s break that down just a little…
Spamtraps are email addresses. While I suppose it will not be long before mobile providers engage in similar strategies, it’s still pretty safe to say that when discussing “spamtraps,” we are discussing email addresses.
Different players in the field own those email addresses. Some spamtraps are owned by reputation monitoring systems ranging from DNSBLs (like Spamhaus) to spam/virus/security filtering companies (such as Proofpoint) to deliverability toolset providers (such as Validity/ReturnPath or 250ok) to mailbox providers. All these spamtraps have in common that they receive all messages sent to them, but there is no real person there to receive those messages. All messages received generally go into automated systems for classification and/or review.
Further, there are different types of spamtraps. While certainly not exhaustive, here are a few of the major types:
- Pristine traps. Some spamtraps have never been used before in the history of the Internet. I know of one person, for instance, who has a series of spamtraps derived from message IDs. Those addresses have never actually been email addresses; they were only derived from a field which looks like an email address. But I have also known cases where the spamtraps were in domains that had never been used (no website, no mail server, etc.).
- Repurposed traps. These spamtraps are usually found in mail sent to formerly used domains. My usual example would be a company that existed during the dot-com bubble of the 1990s but went bankrupt when the bubble burst right around 2000. A trap operator may have found that old, no longer used domain and purchased it to see what kind of mail is being sent almost 20 years later.
- Typo traps. These are usually domain-based. The trap operator will obtain a domain name similar to, but not quite the same as, a well-known domain or brand. My usual example for this type would be to get the domain “comcats.net,” which is only one letter transposition away from the much better-known “comcast.net” domain. These traps, in particular, are usually used to find poor list collection practices in the form of a lack of proper validation and confirmation.
- Seed addresses. These would be addresses offered up for collection to ascertain if the collector will misuse the data. For instance, a company may give its salespeople contact lists with one or more seed addresses to ensure the data isn’t being sold or shared with unauthorized third parties. Or, Lashback offers a DNSBL, which it claims is populated by messages received at Lashback-owned addresses that were entered into a company’s unsubscription forms.[3]
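The typo-trap mechanism above (a domain one letter transposition away from a well-known one, like “comcats.net” for “comcast.net”) is exactly what a list owner can check for before mailing. The following is an added example, not code from the original post; the reference domains and the sample list are constructed for illustration, and the distance function is a standard optimal-string-alignment edit distance, which counts a transposition as a single edit.

```python
from typing import Optional

# Constructed reference set of well-known mailbox domains (assumption:
# a real list owner would maintain a much longer set of provider domains).
KNOWN_DOMAINS = {"comcast.net", "gmail.com", "yahoo.com", "outlook.com"}


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute,
    or transpose two adjacent characters, each costing one edit."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,         # deletion
                          d[i][j - 1] + 1,         # insertion
                          d[i - 1][j - 1] + cost)  # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def likely_typo_domain(domain: str, known=KNOWN_DOMAINS) -> Optional[str]:
    """Return the well-known domain this one is a one-edit near miss of,
    or None. An exact match is a real provider domain, not a typo."""
    domain = domain.lower()
    if domain in known:
        return None
    for k in sorted(known):
        if osa_distance(domain, k) == 1:
            return k
    return None


def flag_typo_addresses(addresses):
    """Map each suspicious address to the domain it was probably meant to be,
    so the entries can be held back and re-confirmed instead of mailed."""
    flagged = {}
    for addr in addresses:
        if addr.count("@") != 1:
            continue  # malformed entry; out of scope for this check
        _local, domain = addr.rsplit("@", 1)
        hit = likely_typo_domain(domain)
        if hit:
            flagged[addr] = hit
    return flagged


# Constructed sample list: one typo-trap-style domain per flagged entry.
SAMPLE_LIST = ["alice@comcast.net", "bob@comcats.net",
               "carol@gmial.com", "dave@example.org"]

if __name__ == "__main__":
    for addr, meant in flag_typo_addresses(SAMPLE_LIST).items():
        print(f"{addr}: likely typo of {meant}; re-confirm before mailing")
```

A flagged entry is not proof that the address is a trap, only that it was collected without validation; the remedy the post points to is confirmation at signup, not silent correction of the domain.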
According to the M3AAWG Spamtrap Operations BCP, there are several reasons why spamtraps may exist:
- Refining local spam filters
- Creating reputation lists, including DNS-Based Black Lists (DNSBLs), based on a variety of heuristics
- Monitoring client bulk mail lists
- Capturing and analyzing viruses and other malicious payloads
- Identifying and eradicating phishing
- Identifying and detecting malicious URLs and domains
- Detecting data leakage[4]
But the mere presence of a spamtrap on a given list does not necessarily indicate a breach of best practices. For instance, the trap owner may have seeded the list deliberately to detect data leakage: the trap owner may be the list owner, who suspects a leak such as an employee selling the company’s customer and/or user lists to competitors or data brokers, as in the seed-address example above. In that case, the presence of the spamtrap on that customer’s own list does not indicate a breach of best practices. But if that same spamtrap turned up on someone else’s list, that would indicate the use of rented, purchased, or traded data — a definite breach of best practices.
Additionally, it’s possible that the trap owner is not following best practices. For instance, it’s entirely possible that the owner of the spamtrap did not properly condition the trap by bouncing messages for at least 12 contiguous months.[5] Thus, the list owner was given an insufficient opportunity to notice that an email address legitimately added to their list is no longer in use and should be removed.
But these are exceptions. In more than 95% of the cases I have worked on over the last 20 years involving spamtraps, the spamtraps came into the list through list purchases, rentals, or appends. Further, the specific traps used to find and flag these cases were intended to find mailers sending non-permissioned data.
What it all means…
Generally speaking, a spamtrap is an address that helps locate list owners who are not following best practices. Thus, a spamtrap on a list indicates the presence of data that should not be there. And usually, from my viewpoint in policy enforcement, that data is there because someone is either not maintaining their list, is engaged in dangerous collection or retention practices, or is directly violating policy by purchasing, renting, appending, or trading data.
Footnotes
1. Patty Atwater, The Truth about Spamtraps, Validity (2019), https://www.validity.com/blog/the-truth-about-spamtraps/ (last visited Feb 10, 2020).
2. The Spamhaus Project – Frequently Asked Questions (FAQ), The Spamhaus Project (2020), https://web.archive.org/web/20200428114701/https://www.spamhaus.org/faq/section/Glossary (last visited Feb 10, 2020).
3. Lashback LLC, The LashBack UBL (2016), https://web.archive.org/web/20160810043403/http://blacklist.lashback.com/ (last visited Feb 10, 2020).
4. Messaging, Malware and Mobile Anti-Abuse Working Group, M3AAWG Best Current Practices For Building and Operating a Spamtrap – Version 1.2.0 (2016), https://www.m3aawg.org/sites/default/files/m3aawg-spamtrap-operations-bcp-2016-08.pdf (last visited Feb 10, 2020).
5. Id., at 3.