Honeypots and spam traps are hosts set up to look like common services that contain vulnerabilities or are configured insecurely. They record and report all activity back to the operator, who can then build a blocklist from the malicious activity they observe.
You don’t like to read? You can also check out our #AskAbusix session on YouTube.
What are Honeypots?
Honeypots are network services (web, email, SSH or telnet servers, for example) set up to catch and report abuse of those services. They typically log every interaction made with them, and may also capture uploaded data files or executables, which can be hashed and compared against known malware. Their purpose is to turn attacks that would otherwise succeed elsewhere into intelligence that protects others.
For example, they can record SSH or telnet brute-force attacks, abuse of open web or network proxies, and other attacks used to gain remote access to a system. Other common honeypots emulate:
- SIP (IP telephony)
- HTTP (web services, web forms, etc.)
- Remote Desktop Protocol (RDP), used for remote access to Windows devices
- SQL databases (Microsoft SQL Server, MySQL, PostgreSQL, etc.)
- NoSQL databases and caches (Redis, Memcached, MongoDB, etc.)
Whatever the honeypot catches is reported to the operator, and any malicious activity can then be used for blocklisting. Typically the blocklist is keyed by IP address, but not exclusively.
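To make the "log everything, then blocklist" loop concrete, here is an added example in Python of a minimal telnet honeypot. It is not Abusix's code and not a production honeypot: the banner text, the blocklisting threshold of three attempts, and the loopback port chosen by the demo are all assumptions. The server plays a fake login dialogue, records every username/password pair as a JSON event (hashing the raw bytes the way a captured upload would be fingerprinted), and a separate function turns the event log into an IP blocklist.

```python
"""Minimal telnet honeypot: plays a fake login dialogue, logs every credential
pair as a JSON event, and derives an IP blocklist from the events."""
import hashlib
import json
import socket
import socketserver
import threading
import time
from collections import Counter
from datetime import datetime, timezone

# Assumed fake banner; scanners only need something that looks like a login prompt.
BANNER = b"Ubuntu 22.04 LTS\r\nlogin: "
PASSWORD_PROMPT = b"Password: "
LOGIN_FAILED = b"\r\nLogin incorrect\r\n"
MAX_ATTEMPTS = 10      # drop a client after this many credential pairs
BLOCK_THRESHOLD = 3    # assumed: list an IP once it has made this many attempts


class HoneypotHandler(socketserver.StreamRequestHandler):
    """One connection: every username/password pair the client sends becomes an event."""
    timeout = 30  # seconds of silence before an idle client is dropped

    def handle(self):
        src_ip = self.client_address[0]
        try:
            self.wfile.write(BANNER)
            for _ in range(MAX_ATTEMPTS):
                user = self.rfile.readline()
                if not user:
                    break
                self.wfile.write(PASSWORD_PROMPT)
                password = self.rfile.readline()
                if not password:
                    break
                self.server.record({
                    "ts": datetime.now(timezone.utc).isoformat(),
                    "service": "telnet",
                    "src_ip": src_ip,
                    "username": user.strip().decode("utf-8", "replace"),
                    "password": password.strip().decode("utf-8", "replace"),
                    # Fingerprint of the raw bytes, as a captured upload would be hashed.
                    "sha256": hashlib.sha256(user + password).hexdigest(),
                })
                self.wfile.write(LOGIN_FAILED + BANNER)  # never let anyone "in"
        except OSError:
            pass  # timeout or the client dropped the connection; keep what was logged


class TelnetHoneypot(socketserver.ThreadingTCPServer):
    """Listener that keeps events in memory and optionally appends them as JSON lines."""
    allow_reuse_address = True

    def __init__(self, address, log_path=None):
        super().__init__(address, HoneypotHandler)
        self.events = []
        self._lock = threading.Lock()
        self.log_path = log_path

    def record(self, event):
        with self._lock:
            self.events.append(event)
            if self.log_path:
                with open(self.log_path, "a", encoding="utf-8") as fh:
                    fh.write(json.dumps(event) + "\n")


def build_blocklist(events, min_attempts=BLOCK_THRESHOLD):
    """Source IPs with at least min_attempts logged attempts, sorted."""
    counts = Counter(e["src_ip"] for e in events)
    return sorted(ip for ip, n in counts.items() if n >= min_attempts)


def attacker_session(host, port, credentials):
    """Constructed client that behaves like a credential-stuffing bot."""
    with socket.create_connection((host, port), timeout=5) as s:
        s.recv(1024)  # banner
        for user, pw in credentials:
            s.sendall(user.encode() + b"\r\n")
            s.recv(1024)  # password prompt
            s.sendall(pw.encode() + b"\r\n")
            s.recv(1024)  # failure message and next prompt


def demo(credentials=(("root", "root"), ("admin", "admin"), ("pi", "raspberry"))):
    """Run the honeypot on a loopback port, attack it once, return (events, blocklist)."""
    server = TelnetHoneypot(("127.0.0.1", 0))  # port 0: let the OS pick a free port
    host, port = server.server_address[:2]
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        attacker_session(host, port, credentials)
        deadline = time.time() + 5
        while len(server.events) < len(credentials) and time.time() < deadline:
            time.sleep(0.05)
    finally:
        server.shutdown()
        server.server_close()
    return server.events, build_blocklist(server.events)


if __name__ == "__main__":
    evts, blocked = demo()
    print(json.dumps(evts, indent=2))
    print("blocklist:", blocked)
```

Note that the handler never grants access, so there is nothing to break out of, and the client's attempts are recorded before the reply is written, so a connection dropped mid-dialogue still leaves its evidence. On a real deployment the JSON-lines file is what gets shipped to the operator.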
What are Spam Traps?
Spam traps are email honeypots: mailboxes that receive messages for domains or email addresses created specifically to catch spam.
The domains or addresses used for spam traps can take several years to build. When you register a domain name, you cannot tell whether it was used in the past, and genuine mail may still be arriving for a previous owner. All mail to the domain must therefore be rejected for several years before it can be used for blocklisting. Once the domain is in use as a trap, any email sent to it will likely be accepted.
The trap may interact with URLs contained in the messages it receives (which triggers click or open tracking), but a trap address will never opt in to receive messages.
Because it takes years to build a spam trap, operators never disclose which domains and addresses are traps, so you will never know which traps you are hitting or what the destination domains are.
Ultimately, you should not be hitting them in the first place, since these addresses have rejected all mail for years. If your messages are hitting spam trap domains or addresses, review your list collection practices. Good practices, such as confirmed opt-in to protect against bot sign-ups, eliminate a lot of spam at the source. We have several articles and videos in our #AskAbusix session about list building, avoiding spam, and blocklisting.
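The trap lifecycle above (quarantine, then accept and blocklist) is easy to get wrong, so here is an added example in Python of the decision a trap's mail server makes per delivery attempt. This is illustrative code, not Abusix's; the three-year quarantine, the listing thresholds and the sample sender data are assumptions, and the page only says "several years". During quarantine every recipient gets a permanent 550, exactly as an unused domain would answer. Once armed, the trap accepts, records the sending IP, the sender domain and the hostnames of any URLs in the body, and never replies, bounces or fetches a link.

```python
"""Spam-trap receiver policy: reject during quarantine, then accept and log."""
import re
from collections import Counter
from dataclasses import dataclass, field
from datetime import date, timedelta
from urllib.parse import urlsplit

# Assumed quarantine length; the page only says "several years".
QUARANTINE = timedelta(days=3 * 365)

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


@dataclass
class Hit:
    """One accepted message; URLs are stored as hostnames and never fetched."""
    src_ip: str
    mail_from: str
    rcpt_to: str
    link_hosts: tuple


@dataclass
class TrapDomain:
    name: str
    registered_on: date
    hits: list = field(default_factory=list)

    def is_armed(self, today):
        """True once the quarantine has elapsed and hits may feed a blocklist."""
        return today - self.registered_on >= QUARANTINE


def extract_link_hosts(body):
    """Lower-cased hostnames of every URL in the body, de-duplicated and sorted."""
    hosts = set()
    for url in URL_RE.findall(body):
        host = urlsplit(url).hostname
        if host:
            hosts.add(host.lower())
    return tuple(sorted(hosts))


def smtp_decision(trap, today, src_ip, mail_from, rcpt_to, body=""):
    """SMTP reply code for one delivery attempt to the trap domain.

    550 for anything not addressed to the trap (never relay), 550 for everything
    while the domain is in quarantine (log nothing: it may be a previous owner's
    mail), and 250 once armed, with the hit recorded for blocklisting.
    """
    if not rcpt_to.lower().endswith("@" + trap.name.lower()):
        return 550
    if not trap.is_armed(today):
        return 550
    trap.hits.append(Hit(src_ip, mail_from.lower(), rcpt_to.lower(),
                         extract_link_hosts(body)))
    return 250


def ip_blocklist(traps, min_hits=1):
    """Sending IPs seen at least min_hits times across all traps (assumed threshold)."""
    counts = Counter(h.src_ip for t in traps for h in t.hits)
    return sorted(ip for ip, n in counts.items() if n >= min_hits)


def domain_blocklist(traps, min_hits=2):
    """Sender domains and linked hostnames seen at least min_hits times (assumed threshold).

    This is the 'not exclusively by IP' part: the same operator often rotates
    sending IPs but keeps advertising the same landing-page domains.
    """
    counts = Counter()
    for t in traps:
        for h in t.hits:
            counts[h.mail_from.rsplit("@", 1)[-1]] += 1
            counts.update(h.link_hosts)
    return sorted(d for d, n in counts.items() if n >= min_hits)


if __name__ == "__main__":
    # Constructed sample: a trap registered in 2019, hit in 2020 and again in 2023.
    trap = TrapDomain("trap.example", date(2019, 1, 1))
    print(smtp_decision(trap, date(2020, 6, 1), "203.0.113.5", "promo@bulk.example",
                        "old-user@trap.example", "http://deals.example/x"))  # 550
    print(smtp_decision(trap, date(2023, 6, 1), "203.0.113.5", "promo@bulk.example",
                        "old-user@trap.example", "http://Deals.example/x?y=1"))  # 250
    print(ip_blocklist([trap]), domain_blocklist([trap]))
```

The important asymmetry is that a quarantine rejection logs nothing, because mail during that window may be legitimate traffic for a previous owner, while an armed trap logs everything and answers nothing, so the sender gets no signal that the address is a trap.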