How to publish honeypot addresses?

Introduction

Honeypots (spamtraps) in ORF are email addresses that you publish specifically as baits for spammers. Anyone sending to the honeypots is considered malicious and as such, banned temporarily from the server.

The tricky part is the publication: you need to place these honeypot addresses where spammers can find them.

This article gives you a few tips how to make and publish your own honeypots.

Creating honeypot addresses

A honeypot address can be anything in your domain, from [email protected] to [email protected]. We have a few recommendations to follow:

• Never use an address that used to be valid. If [email protected] was once valid, that address can receive legitimate email newsletters years after the account was deleted.
• Create addresses that do not match your regular address pattern (if there is any). If your usual email addresses are in [email protected] format, [email protected] is unlikely to become valid and so there will be no John from Accounting complaining about spam.
• Check the ORF Reporting Tool's Top Spammed Recipients section—you will probably find a couple of interesting addresses there. Last year, the #4 most-spammed address at Vamsoft was [email protected], even though that address never existed and was not published anywhere. Addresses like these are ideal candidates for bait.
• Generic mailbox names, like info@, jobs@, sales@, accounting@ or support@ are spam magnets (your mileage may vary), even without being published anywhere. If you do not use them, they can be turned into honeypots.
• Use subdomains reserved for honeypots, e.g. [email protected] and add all email addresses (*@honeypots.example.com) to the Honeypot Address list. This may catch a few Directory Harvest Attacks, too.
• Make at least 10 honeypot address. Generally, the more the merrier. Spam is usually sent to several local email addresses at once, so the more poisoned the spammer address list, the earlier the attack is detected.

Note: you do not need to create actual mailboxes for the honeypot email addresses.

Publishing honeypots

You can get as creative as you want when it comes to publishing, just make sure that

• Legitimate users will never mistake a honeypot address with a legitimate one,
• Spammers will find them.

Addresses are harvested from several sources, including the web (forums, your blog or website), Directory/Dictionary Harvest Attacks and worm-infected computers (mail archives, address books).

The easiest way is to publish the honeypot addresses on your website and wait for address harvester robots to come and pick them up. The rest of the article will try to give you a few ideas how to do this.

Note that it may take a while for spammers to find your honeypot addresses.

Tip: Use example package

You can download an example web package from the link below.

The package contains (X)HTML, CSS and a JPG file and instructions on inserting your honeypot addresses. A link to this page must be placed on your website—it's OK, the link can be hidden from the regular visitors. Open readme.txt to learn more.

Tip: Add honeypots as hidden text to your web page

This tip requires some HTML knowledge. You can hide any HTML element with the CSS property "display". The following block will not be rendered in the web browser:

<div style="display: none;">
    Contact our <a href="[email protected]">Honeypot department</a> if you are
    <a href="[email protected]">desperate</a> to get blacklisted.
</div>

A similar trick is to use the same background and foreground color, but in this case your visitors will see what is hidden if they highlight the text.

No matter what link-hiding technique you choose, other web spiders like Google may index and show the hidden content in search hits. By creating a separate page with indexing disabled you can reduce the chance for such issues.

Tip: If you have a blog, publish a dedicated Honeypots entry

Explain the readers what the post is about, then pour in your honeypot addresses.