Blog, 23 Aug 2021

About Honeypots and Spam Traps

Steve Freegard, Sr. Product Owner Abusix Intelligence

Honeypots and Spam Traps are hosts that are set up to look like common services which contain vulnerabilities or are set up insecurely. They record and report all activity back to the operator who can then build a blocklist from any malicious activity.

You don’t like to read? You can also check out our #AskAbusix session on YouTube.

What are Honeypots?

Honeypots are network services (like web, email, SSH or telnet servers) that are set up to catch and report abuse of these types of services. They will, typically, log all interactions made with them. Honeypots might catch data files that have been uploaded or executable files which can be hashed, etc. Essentially, they work to prevent successful attacks from causing damage to others.

For example, they can limit secure shell (SSH) or telnet attacks, abuse of web or network proxies, or other attacks that are used to gain remote access to a system. Other common honeypots are:

  • SIP (IP Telephony)
  • HTTP (web services, web forms etc.)
  • Remote Desktop Protocol (RDP), used for remote access on Windows devices
  • Any type of SQL service (Microsoft SQL Server, MySQL, Postgres, etc.)
  • NoSQL databases (like Redis, Memcached, MongoDB, etc.).

Whatever the honeypot catches, that information is reported to the operator. Any malicious activity can now be used for blocklisting. Typically, the blocklist would be by IP address, but not exclusively.

What are Spam Traps?

Spam traps are just email honeypots that are also set up to receive messages for domains or email addresses that have been specifically created to catch spam.

The domains or email addresses used for spam traps can take several years to build. When you register a domain name, you can never tell whether it has been used in the past. Genuine mail might be coming to any previous owners, so all traffic must be completely rejected for several years before they can be used for any blocklisting. However, once they are used for blocklisting, any email sent to them will likely be accepted.
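The trap lifecycle described above, sketched as an added example (not Abusix code): a trap domain rejects every recipient during a conditioning period, then accepts mail and counts hits per source IP for blocklisting. The three-year period, the `SpamTrap` class, the domain and the IP addresses are assumptions constructed for illustration.

```python
from collections import Counter
from datetime import date, timedelta

# Assumption: the article only says "several years"; 3 years is a placeholder.
CONDITIONING = timedelta(days=3 * 365)

class SpamTrap:
    """One trap domain: rejects all mail while conditioning, then accepts and records."""

    def __init__(self, domain, acquired):
        self.domain = domain
        self.live_from = acquired + CONDITIONING
        self.hits = Counter()  # source IP -> messages accepted by the live trap

    def on_rcpt(self, when, source_ip, rcpt):
        """Return the SMTP reply for one RCPT TO and record live-trap hits."""
        if not rcpt.lower().endswith("@" + self.domain):
            return "550 5.7.1 relaying denied"
        if when < self.live_from:
            # Conditioning: hard-reject so senders still mailing a previous
            # owner get a bounce and can remove the address from their lists.
            return "550 5.1.1 user unknown"
        self.hits[source_ip] += 1
        return "250 2.1.5 ok"

    def blocklist(self, threshold=1):
        """Source IPs with at least `threshold` hits on the live trap."""
        return sorted(ip for ip, n in self.hits.items() if n >= threshold)

# Constructed sample traffic (documentation IP ranges, example domains).
trap = SpamTrap("trap.example", acquired=date(2015, 1, 1))
EVENTS = [
    (date(2016, 6, 1), "192.0.2.10", "old.user@trap.example"),    # conditioning
    (date(2019, 3, 1), "198.51.100.7", "old.user@trap.example"),  # live
    (date(2019, 3, 2), "198.51.100.7", "sales@trap.example"),     # live
    (date(2019, 3, 2), "203.0.113.5", "bob@other.example"),       # not our domain
]
REPLIES = [trap.on_rcpt(*event) for event in EVENTS]

if __name__ == "__main__":
    for event, reply in zip(EVENTS, REPLIES):
        print(event[0], event[1], "->", reply)
    print("blocklist:", trap.blocklist())
```

A sender that honoured the bounces during conditioning never appears in `hits`; only sources still mailing the address after years of rejections do.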

It is also important to note that spam traps may interact with URLs contained in the messages they receive (click tracking or open tracking), but they will never opt in to receive messages.

Because it takes multiple years to build up a spam trap, trap operators will never disclose the identities of their traps, so you will never know which traps you are hitting or what the destination domains are.

Ultimately, you shouldn’t be hitting them in the first place as these have all rejected mail for multiple years. If you have messages that are hitting spam trap domains or spam trap email addresses, then you should review your list collection practices. Good practices, like confirming opt-ins to protect against bot sign-ups, can eliminate a lot of spam in the first place. We have several articles and videos in our #AskAbusix session about list building, avoiding spam, and blocklisting.
