Jump to content.

IFX Group


Email Honey Pot

Long-term spam fighting solutions are very hard to find. This is a gem most people quickly overlook in their pursuit to just block the latest spammer technique.

A little background.

The whole Internet is being bombarded with unwanted email. The problem has created whole industries around both sides of the problem. On one side you have a virtually free or very low cost marketing machine able to push out literally billions of email messages promoting anything from stocks to medicine. If even a tiny fraction of a percent respond it is considered a big success. On the other hand there are some very bright thinkers working to detect and filter out the unwanted mail while still allowing real mail through. These two sides are continually at odds and are always looking for a way to get an advantage over the other side.

One of the hallmarks of this kind of fight is the continual improvements each side makes. In the early days spam was easy to detect because it was obviously different from normal email. As more people started to implement filters, the spammers started to include blocks of text quoted from random documents to trick simple text content scanners into thinking it was legitimate email. When the spam scanners were improved to detect this trick, the spammers put their messages inside pictures embedded into the email. When the spam scanners started to use optical character recognition (OCR) to read the text from the graphics, the spammers started to add lots of lines and patterns to the graphic background. This evolution only ensures that every spam-fighting technique will quickly become obsolete if it relies just on the spam content for detection.

Thinking long-term.

The IPAD-OS has a very long track record of going for the long term solution in everything it does. Fighting spam is no different. While the IPAD-OS mail server has some very dynamic spam detection tools available, one stands out as a very low maintenance and highly effective long term spam fighting method. The IPAD-OS calls this SPAMTO, but in non-technical terms this is better known as a honey pot.

Where do spammers get email addresses?

To understand how to make an effective honey pot you must first understand how spammers get email addresses and how they verify the addresses work. There are many ways, but the most popular use a very few techniques.

  • Web pages and Guest books
  • Address books (a.k.a. infected email clients)
  • Public forums, News groups, IRC and other activity points

Email addresses on web pages.

There was a time when every company openly posted the email addresses of their staff on their web page. It was also common for every personal web page to include the email address of the page owner. This became an open resource for anyone collecting email addresses because they could literally crawl their way through every web page on the Internet with a very simple program to collect the email addresses.

Some web hosts allowed customers to create guest books that collect the email addresses of visitors making even more opportunity to harvest email addresses from web pages. This ultimately became so much of a problem that every company was forced to change the email addresses inside the company and use all kinds of different cloaking techniques to limit the public exposure of the new addresses.

Email address books.

All of the email addresses on the web are dwarfed by the number of email addresses stored in the address book of your email client. Most email clients default to store all of the email addresses for the mail you send and receive. These are virtually all known good email addresses which makes them very valuable to spammers. Fortunately the most common email clients are all made by Microsoft and included with the Windows operating system. These email clients have a very long track record of being notoriously easy to infect with malware because it is difficult or nearly impossible for the average user to prevent the email client from running scripts (programs) in the received email. In some cases, just looking at an infected email in one of these email client programs is enough to infect the whole computer. The prize the infection wants may not be your bank account or credit card, but your address book and maybe to send some fake emails out under your name.

Other protocols.

In the early days of the Internet, before the HTTP (web) protocol took off, most group communication was done through messaging either relayed from server to server or echoed through a network of servers. News groups (also known as USENET) was very popular because a message posted to one server would eventually echo through every other news server no matter how far away or how slow the connection. Since most of the early USENET accounts used email address, it was an easy resource to harvest for spammers. The same goes for Internet Relay Chat (IRC) and all of the related instant messaging technologies that can publish email addresses on purpose or by accident. Anyplace where an email address can be easily logged for address harvesting is vulnerable.

How does this help you fight spam?

Now that you know the more common ways spammers try to get email addresses, how does this help you fight them?

What if you had an easy way to find all of the spam sources no matter if they were infected computers, open mail relays or stolen connections? Once you can recognize a spam source, it is trivial to block it. This is exactly what the SPAMTO honey pot does and the only work you have is to spread the honey pot email address around in some conspicuous places.

Set the trap.

The first step is to create some fake email addresses that are alphabetically close to the real email addresses you want to protect. For example, if you have an email address for jane@example.com, you want to create a honey pot address for jand@example.com and janf@example.com so no matter how the spammer sorts their address list, it is likely the honey pot address will get mail before your real address does. Do this for all of your important addresses and for best results make sure there is at least one honey pot address close to the beginning of the alphabet and one close to the end.

In your DNSBL.CTL file add entries like these.

SPAMTO 99 jand@example.com
SPAMTO 99 janf@example.com

And in your mail authority file, add entries like these.

RESP jand@example.com unsub.txt
RESP janf@example.com unsub.txt

The unsub.txt file should contain a generic request to unsubscribe. This makes it so every spammer that sends a test email to these addresses will get a reply requesting to be removed from their mailing list. Most spammers just view this as proof the address is real enough to sell the email address to other spammers as validated. After you are sure all of your honey pot addresses have been validated at least once or twice, change the 99 score to 100 to block the spam sources immediately.

Bait the trap.

Now that you have set the trap, it is time to lure the prey with something sweet.

We know web pages are popular sources for email addresses, so make sure you put your honey pot email addresses in HTML comments on all of your web pages. If you have a lot of honey pot email addresses, consider sprinkling only a few of them on each page.

The next step is to find some web pages with public guest books that show email addresses. Some creative use of web search engines like Google and Yahoo can quickly find plenty of places to enter your honey pot email addresses. The goal is to make sure these email addresses visible, so avoid guest books that mask or otherwise hide the email address you type.

As much as you might not like to hear it, all of your friends that use Microsoft email client programs are spam sources just waiting to be exploited if they have not already been infected without their knowledge. Sending an email from one or more of your honey pot email addresses to everyone with a Microsoft email client will get into their address book. Don't worry if they practice safe computing. Your honey pot address can sit there waiting for the time they do get infected and then you will be rewarded.

By now you should have more than enough activity on your honey pot addresses to significantly improve your IPAD's ability to detect spam sources for years. If you really want to get the maximum benefit, call your Internet connection provider to see if they run a news server or offer access to a news server hosted elsewhere. In some cases there will be a small monthly fee. You really only need one month.

The important part here is to get your honey pot email addresses into as many different news groups as possible in a very little time. Try to target news groups for new users and anything with warez in the name. Keep the messages very simple. Ask for help on some generic topic, like how to download a web page, and leave one of your honey pot email addresses at the bottom. This kind of question will typically become background noise for most of the real people in the news group, but is always seen by spam address scanners.

While all of these steps take some effort to create, they work together to ensure your honey pot email addresses get a wide audience and become very effective long term spam fighting tools. But don't feel like this is an all-or-nothing game. Do whatever you can and it will be an improvement. Simply adding a single honey pot email address to a web page is a start. Everything additional you do to publish your honey pot email addresses only makes the detection and filtering more effective.

First published 2007-08-01. The last major review or update of this information was on 2009-03-28. Your feedback using the form below helps us correct errors and omissions on this page.