Re[4]: [sniffer] POP3 Account Question

2005-12-06 Thread Pete McNeil

On Monday, December 5, 2005, 6:02:02 PM, John wrote:

> What is the best way to get a spam trap going. I have an old "abandoned" email account that I just use for testing. It gets some spam now, but a low volume. However, 100% of the mail is spam. It would be very easy to filter and keep the non-Sniff'd mail and delete the remainder.
>
> Should I use it to sign up at some junkmail sites, kind of "seeding" the account to encourage spam to it?

When setting up a spamtrap, it's a bad idea to sign up for anything with the email account, or to use it for anything at all. Technically, once you've done that, the folks you signed up with have a reason to have you on their list. So a pure spam trap is one that preferably has never been used or, in some cases, hasn't been used for so long that you are absolutely sure not to get any legitimate messages.

The easiest way to get a spam trap going is just to have the email address out in the open somewhere on a web page; some spammer will eventually collect the address. Another way, if you have the capacity to deal with it, is to set up a catch-all (nobody) account on a dead, or new and unused, domain. This will capture all the dictionary attacks that come by, but watch out: it can be a LOT of volume.

There are other methods of "seeding" spamtraps, but they are all controversial or well-kept secrets. I don't advise any of these practices, but I've seen them work:

* Some folks do, on occasion, have success seeding spamtraps by visiting spamvertized sites using throw-away email accounts and explicitly unsubscribing. Generally, the less reputable sites will sell the email address quickly to others.

* Some folks hide throw-away addresses in tag lines and post to usenet groups or blogs, for example saying: "Don't send mail to this address: ([EMAIL PROTECTED]) because it's not valid! Use this other address instead: ..." Trolling spammers will generally pick up the bad addresses as well as the good ones, depending on how well you obfuscate them.

* Some folks will set up throw-away accounts on their web site's contact pages, usually hidden to avoid confusion. When these addresses are harvested, they will make a point of visiting the links in the messages (carefully, on a well-protected machine, to avoid getting or spreading viruses). The links and images are generally bugs that will push the harvested addresses into the "known good targets" lists. Spammers are constantly trading lists, so once you prove you exist you get pretty widely published. Note I said they follow the links; they do not sign up for anything, just looking.

All of these methods, and others you may hear about, are generally bad ideas, but they do tend to work nonetheless.

Hope this helps,

_M

This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html

Re[4]: [sniffer] POP3 Account Question

2005-12-06 Thread Pete McNeil

On Monday, December 5, 2005, 6:02:02 PM, John wrote:

> What is the best way to get a spam trap going.

I forgot to mention another way to set up spamtraps that I definitely "don't recommend". It is, of course, highly theoretical and possibly dangerous ;-)

If a new PC (actually a very old PC with a fresh OS install) were placed on a cable modem or DSL line without appropriate virus protection or a firewall, it would very quickly be taken over by spammers via viruses, worms and so forth. Of course, any email addresses found in files or address books on that box would very quickly fall into the hands of the blackhats.

You may have unwittingly tested this theory yourself when one of your family members hooked up their brand new PC to their brand new cable modem and shortly thereafter called you to figure out what was wrong with their new PC that worked just fine yesterday. They may even have been told by their provider's tech support to disable and remove any firewalls or security programs they had in place as part of the debugging process; those things can interfere with network traffic, after all, and cause trouble for tech support folks. (My Mom has had this experience several times when dealing with her ISP, for example. Apparently it's a pretty standard part of the script to remove anything that stands between the DSL modem and the PC when trying to figure out why things aren't working. Of course, the end result is, often within fewer than 10 minutes, that the unfortunate PC is completely compromised.)

It's truly unfortunate how bad the Internet is these days.

Nobody should ever run a PC on the Internet without a good firewall and proper virus protection in place. It's just a bad idea.

_M

RE: Re[4]: [sniffer] POP3 Account Question

2005-12-06 Thread William Van Hefner
Pete,

How about just creating some accounts that are commonly targeted by dictionary attacks, but that were never actually valid accounts on our server? I could redirect all of them to a common mailbox. There are also a few other common (non-role) addresses that we do not use, which always get targeted by spammers. I am thinking of sales@, info@, etc. I have accumulated quite a list of common dictionary attack names from my logs. I wouldn't have to seed the addresses anywhere. They get hit just by virtue of how common they are.


William Van Hefner
Network Administrator

Vantek Communications, Inc.
555 H Street, Ste. C
Eureka, CA 95501
707.476.0833 ph

