Spider Trap

An automagically-generated web page which contains large numbers of spurious, realistic fake email addresses and hyperlinks to further, randomly-filled pages of more of the same. Which ought to completely snarl up SpamBots.

Also called BotBait?.

Here's one: http://members.hostedscripts.com/antispam.html

Here's another: http://www.tinylist.org/email.shtml Want the source tarball? Email me! mailto:grumpy@tinylist.org?Subject=Send%20me%20RAT%20POISON!

Why have you used valid mail domains? Of the first page of 20 "fake" addresses I got, 5 were for valid mail domains, 2 for domains which were registered but not receiving mail and three for .tv domains which appear to be currently broken in some way.

If I found someone advertising random address in a domain I owned, I would be rather upset.

I did not. INSTEAD, I gave it a bunch of likely looking names, toplevel domainnames, personal names, initials, a random number generator, and turned it loose. They are RANDOM, and if anything by purest coincidence matches a working domain and accountname, I am sorry.

HOWEVER, to avoid this I would need a list of domains that are legal, but not current. I do not know where to find such a list, and it would have to be updated regularly. The chances of a randomly generated good looking account name matching up with a REAL account on a REAL domain are so small as to demand a mathemetician. Frankly, this appears to be a bit of a molehill- whereas spam is FAR AND AWAY a serious dilemma.

-- KirkBailey

Randomly generating a lot of email addresses based on personal names, etc., will almost certainly generate real matches. I'd be pretty pissed off if your efforts made my life more difficult. You appear not to be taking sufficient precautions.

moved from SpamProof

What about using this on Web pages, especially wikis? http://members.hostedscripts.com/antispam.html

Inventing domains in .net and .com has been considered dodgy because it puts pointless extra load on the root nameservers (hmm, although perhaps if the load is going to be applied anyway it might as well be pointless) and if you manage to hit a valid domain by accident then you're being rude.

What is the impact of an "invented" TLD (I understand that ab isn't taken, so jdoe@foo.ab would be example)?

That would have the extra queries go off to one of 13 root-server.net servers, instead of one of 13 gtld-server.net (.com, .net) or less (for .org). I can't comment on what the loads are like on these machines, but when they get swamped we lose name service.

There are many more. I started yet another one after watching a SpamBot crawl my site, and I've gathered a few links. There is always more to be done, though. http://www.t8o.org/tramspap/ -- MatthewAstley

Couldn't you insert random numbers into the domain name part of the email address, just to reduce the chances of hitting a real domain name? (Some domain owners redirect all email that doesn't match an actual address to an account, to catch misspellings, etc.)
[moved from SpamAssassin]

This will not cost the spammer much time or money, but give the postmaster of innocent domains plenty of unnecessary bounces.

Unless someone defines 'innocent domains' and explains how these bounces are worse than the spammers, I would presume the above plea is from a spammer?

I do however think the email addresses need a better generator. The names I saw were too regular and easy to filter.

I think it refers to the domains that the spammers use in their forged headers. They are usually real domains, but not the one's where the spam comes from. It is an unpleasant surprise to find your inbox flooded with bounces because a spammer put your address in the from-field.

Frankly, this appears to be a bit of amolehill- whereas spam is FAR AND AWAY a serious dilemma.

Less of a molehill than you might think. One of my coworkers has a shareware side business that has been going for many years. Recently, he's had to abandon the customer support and sales addresses at his domain, because those email addresses have been used as the 'from' addresses for some particularly nasty spam. This isn't unknown--when it's done intentionally, to target someone, it's known as a JoeJob?.

More recently, it appears that spammers have been using 'from' addresses taken from the pool of 'recipient' addresses they're using at the time. I'm personally getting a lot of bounces for mail ostensibly from my home addresses to other (nonexistent or protected) addresses that are obvious spams, given the subject lines. I don't know whether it has anything to do with SpiderTraps, but I do know that my home email address is likely to be generated by the algorithm given above.

I think SpiderTraps seem attractive mostly because they give a false sense of somehow 'getting back' at the spammers, without really doing much to help the situation. I would guess that even if 90% of the email addresses a spammer uses bounce, and 90% of the remaining ones are thrown out, ignored, or otherwise unfruitful, the cheapness of generating and sending spam will still make it profitable for the spammer to get that 1% (numbers are for illustration only, of course).

Plus, I've been getting a lot more mileage out of adaptive filtering like SpamBayes?. I get one or two false negatives (spam that leaks through) per week, haven't gotten a false positive since the first week I started using it, and it filters out about 60-100 spam messages per day, just for my one home account.

-- TimLesher

Yes, filtering is more immediately helpful to me in improving my personal inbox. But it has absolutely no effect on the response rate spammers (since I never buy stuff advertised in spam, they get 0 response rate from me either way, whether the automatic filter eats it, or whether it gets through and I manually delete it). Spider traps, on the other hand, do (in theory) have an effect on the response rate. Every millisecond a spam bot uses to send spam to one of these non-existent email addresses is a millisecond that it is not annoying some real person.

If I had to choose, I would pick setting up a filter over setting up a spider trap. But I don't have to choose -- I can run a filter *and* a spider trap at the same time. Do spider traps really help much ? Hard to say, but at least it appears they don't hurt.

see SpamDefenseRoadmap, SpiderFood

View edit of July 12, 2006 or FindPage with title or text search