I have heard it suggested that we set up a special email address, with its only purpose being to be harvested, then blacklisting every sender that targets this address.
I'm wondering:
- if anyone else has tried this
- how do you go about doing it (i.e. put the address in a hidden field on your website, or are there better ways?)
- does it work?
- is there anything to watch out for when trying this (i.e. legitimate senders using harvested addresses?)
Has anyone else tried this:
How do you go about doing it?
Does it work?
Normally you wouldn't use just a single address; that wouldn't be enough. Try a few hundred spread throughout all your domains (for a start).
You can advertise them if you like, but if your domains are sufficiently well-known to spammers, candidate spamtrap addresses probably already exist within them (they are probably mailboxes which don't exist on your end-user systems).
Whole spamtrap domains can be set up - I'm sure many companies use these - either buy 2nd hand domains or register realistic sounding ones with a plausible (albeit fake) web site. Subdomains can work too. Spamtrap domains are handy because you can set them up with keywords or in specific top-level domains that spammers might be targeting.
I have not tried this method, but I think [ unless you handle tens of thousands of mailboxes ] you'll be much better off using an anti-spam system that takes decisions based on multiple RBLs and content checks like DCC / Razor / Pyzor.
Many RBLs use spam traps on a much wider scale than I think you could deploy.
Project Honey Pot may give you some ideas as to methods and effectiveness. If you want, you can subscribe to their blacklist and let them handle all this.
I am confused as to what you mean by "legitimate senders using harvested addresses" - I would, in almost all cases, deem such a sender illegitimate by definition.
My concern with blacklisting every sender is that it is fairly easy to spoof who sent an email.
Hmm... Just adding my opinion to the discussion.
I don't think this method has a good success rate. I just had a look at a bunch of spam. Generally spammers use fake email addresses while spamming and they never use the same address again and again. So blacklisting the email addresses or domains would not be a good solution.
But your hidden address thing seems to be a nice idea. Since the actual users do not see it and only a crawler can filter out the email address you can assume that only the spammers will get that address.
Then you can integrate that idea with IP addresses. If the mails sent to the hidden address are coming from some IP range you can just assume that IP range is a spamming range.
But in my view the result you gain from this is not worthwhile considering the effort. I think content-based filtering mechanisms are more fruitful than this "honey pot" mechanism.
I have done this. I noticed in my logs certain invalid addresses getting hit again and again. These are addresses that were never active or posted anywhere. So I set up a mailbox that sends those emails to sa-learn to help train SpamAssassin's Bayesian database. I've never tested the effectiveness of this in any way, but I'm not too worried about it as it cost little time to set up.
My first thought was that this would be of little value since the addresses are always changing.
But in my experience, spammers often send to a load of [email protected] - almost in a brute forced way.
It might be worth setting an address up (say [email protected]) and filtering not on the from address or IP, but on content - filter out any email also sent to "adam". You'd want to pick an email address lexicographically before any real address to increase your chances. Also, you'd have to account for small content differences.
I still suspect it falls into the category of too much effort, too little gain, but it's a thought if you're experimenting.
Our anti-spam product allows us to do this, an automated blacklist of everything sent to a honeypot. Here are a couple of the bullet points:
- You post an email address on your website such that bots can find it and pick it up, but no real person would see it or send messages to that address.
- You tell your anti-spam product to monitor incoming email sent to the address, and all email coming into that honeypot will be blacklisted.
- It works at the sending IP address level, not the sending FROM address; that is how it avoids the spoofed sender issue mentioned.

Even though we have a honeypot for spam reporting, we don't use this feature; here is why. Spammers will routinely send some messages from Hotmail, Yahoo, Gmail, etc. These are typically the 419 scam messages that are hard to stop. Although the percentage isn't high, it would be enough that if we were to use an automatic system it would block legitimate email.
In summary, we haven't used the automatic blacklist system as you mentioned; however, having a honeypot is still a useful feature. We monitor it and use email received to report spam, and to determine the effectiveness of our anti-spam measures.
I put an address in a comment on my main page. It gets about 5 emails a day.
I use ASSP (asspsmtp.org), an open source SPAM filter. If you set up authentication, it can automatically create spamtrap addresses for unknown addresses after a certain number of tries... so if I repeatedly get email for "[email protected]", after try number X, the system will start harvesting all messages sent to that address as spam. X is set high enough that normal typos and mistakes will not trip it, but spammers will.
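
The threshold-based trap described above, combined with the IP-level listing and the shared-webmail caveat raised earlier in the thread, can be sketched as follows. This is an added example, not ASSP's or any product's code; the mailbox names, the IP ranges, the threshold value and the log format are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# All values below are constructed for illustration.
VALID_MAILBOXES = {"alice@example.com", "bob@example.com"}
PROMOTE_AFTER = 3  # the "X" from the post: attempts before an unknown address becomes a trap
# Outbound ranges of large shared webmail providers (placeholder documentation range).
SHARED_SENDER_NETS = [ipaddress.ip_network("198.51.100.0/24")]

# (client_ip, envelope_recipient) pairs, as an MTA would log them.
SAMPLE_LOG = [
    ("203.0.113.7", "adam@example.com"),
    ("203.0.113.7", "adam@example.com"),
    ("192.0.2.10", "alise@example.com"),    # one-off typo by a real correspondent
    ("203.0.113.9", "adam@example.com"),    # third attempt: adam@ becomes a trap
    ("203.0.113.9", "adam@example.com"),    # trap hit: list the sending IP
    ("198.51.100.25", "adam@example.com"),  # trap hit from a shared webmail relay
    ("203.0.113.7", "bob@example.com"),     # mail to a real mailbox is never counted
]

def is_shared_sender(ip):
    """True if the IP belongs to a provider whose relays also carry legitimate mail."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in SHARED_SENDER_NETS)

def process(log, promote_after=PROMOTE_AFTER):
    """Return (trap addresses, IPs to block, IPs held for manual review)."""
    attempts = defaultdict(int)
    traps, blocked_ips, review = set(), set(), set()
    for ip, rcpt in log:
        rcpt = rcpt.lower()
        if rcpt in VALID_MAILBOXES:
            continue
        if rcpt in traps:
            # List by sending IP, not FROM address, so spoofed senders do not matter;
            # shared relays go to review instead of being blocked automatically.
            (review if is_shared_sender(ip) else blocked_ips).add(ip)
            continue
        attempts[rcpt] += 1
        if attempts[rcpt] >= promote_after:
            traps.add(rcpt)  # only later mail to this address counts as a trap hit
    return traps, blocked_ips, review

if __name__ == "__main__":
    print(process(SAMPLE_LOG))
```

The single typo to `alise@example.com` never reaches the threshold, and the sender that only hit `adam@example.com` before it was promoted is not listed.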