Are the spamtraps changed regularly?

[studog]

The first paragraph of DavidT's post:

http://forum.spamcop.net/forums/index.php?...indpost&p=18421

makes me wonder if the spamtrap addresses are rotated.

Here's what I'm thinking: spammer gets a list of addresses, and spams. Finds out he's blocked for sending to a spamtrap. Which address was it? He could find it out by using new (unlisted) machines to send spam to a subset of the list, and see whether or not it gets listed. This can be repeated as a binary search to locate the spamtrap address, and then list-wash it.

So. Are the spamtrap addresses changed regularly?

...Stu

[dbiel]

Do you really think you are going to get an answer on this one?

SpamCop restricts almost all information about spamtraps and how thy are used.

You are reading a bit too much into David's reply.

David's reference to specific messages relates to reports filed.

The reference to SpamTraps hit has no direct relationship to the reports filed. There was no implication that the spamtrap messages were the same messages as those for which reports were filed. Logically one might draw that conclusion.

Only the deputies have any access to what the spamtraps actually received and when they were received.

[studog]

Do you really think you are going to get an answer on this one?

Actually, yes. I'm expecting either a "Yes" or a "We hadn't thought about that. We will now."

"No" is a valid answer, but since I've just proved that spamtraps can be discovered and thus list-washed, I'll argue that "No" is no longer good enough.

SpamCop restricts almost all information about spamtraps and how thy are used.

I know. I don't think the question will reveal any useful information. No matter what the answer or whether or not it's truthful, the spammer has to hope that the reailty is that they are not changed, and thus can be list-washed. So their behaviour will not change as a result.

You are reading a bit too much into David's reply.

No. I wasn't clear on that point. The first paragraph is what led me to the conclusion that spamtraps can be discovered, by suggesting to me that a new unlisted machine could be used to spam a specific address and then check the results to see if it's listed as having hit a spamtrap thus confirming or denying that the address in question is a spamtrap. The rest of the post is irrelevant.

...Stu

[dbiel]

It will be interesting to see what responses will follow.

but since I've just proved that spamtraps can be discovered and thus list-washed

I would strongly disagree with that "proof". It is based on some serious assumptions.

1) a single spamtrap hit results in immediate listing. (Not proven or supported, may be true, may be false.) Remember the formula used for listing is very complex and spamtraps are only one part of it.

It is know that listing will automaticly delist in 48hours or less.

How may test runs would it take to discover 1,2,3,4,5 spamtrap addresses in a typical spammers mailing list of how many addresses?

If the assumption is that there is only one spamtrap address in the list and that point #1 is valid, then it might be feasible to do.

List-washing spamtraps is just too much work and would take far too much time that no serious spammer would bother especial since for now there are too many easier ways to get around being listed by moving to another IP

Don't forget that listing information is no longer real time.

[studog]

I would strongly disagree with that "proof". It is based on some serious assumptions.

1) a single spamtrap hit results in immediate listing. (Not proven or supported, may be true, may be false.)  Remember the formula used for listing is very complex and spamtraps are only one part of it.

Just up the quantity of spam sent from the machine.

It is know that listing will automaticly delist in 48hours or less.

How may test runs would it take to discover 1,2,3,4,5 spamtrap addresses in a typical spammers mailing list of how many addresses?

If the assumption is that there is only one spamtrap address in the list and that point #1 is valid, then it might be feasible to do.

There doesn't need to be only one; as long as the machine is listed for spamtraps then they know there's a spamtrap address in there, and they can partition the list and repeat.

List-washing spamtraps is just too much work and would take far too much time that no serious spammer would bother especial since for now there are too many easier ways to get around being listed by moving to another IP

For now perhaps. But unfortunately we see that spammers are improving in cleverness, and this is well within technological reach.

Don't forget that listing information is no longer real time.

18478[/snapback]

Ah, that I did not know. That might make the algorithm unworkable.

No reponse at all is likely what I'll get, especially since there isn't a response yet. But my main purpose has been accomplished if this thread is merely read, and the Spamcop PTB become aware of the ability to list-wash spamtraps.

...Stu

[eaolson]

There doesn't need to be only one; as long as the machine is listed for spamtraps then they know there's a spamtrap address in there, and they can partition the list and repeat.

True, but if there are a few spamtraps sprinkled in a list that could possibly contain millions of email addresses, it would take quite a while to make your way through it.

To answer your original question, the spamtraps are not static.

[louisd]

No reponse at all is likely what I'll get, especially since there isn't a response yet. But my main purpose has been accomplished if this thread is merely read, and the Spamcop PTB become aware of the ability to list-wash spamtraps.

18500[/snapback]

I don't really think that this is realisitic. A spammer probably spams hundreds of thousands or millions of accounts at the same run. Parsing out that list to try and determine what address is the spamtrap would just be plain crazy, even if the information online were real time.

[Ellen]

Actually, yes. I'm expecting either a "Yes" or a "We hadn't thought about that. We will now."

"No" is a valid answer, but since I've just proved that spamtraps can be discovered and thus list-washed, I'll argue that "No" is no longer good enough.

I know. I don't think the question will reveal any useful information. No matter what the answer or whether or not it's truthful, the spammer has to hope that the reailty is that they are not changed, and thus can be list-washed. So their behaviour will not change as a result.

No. I wasn't clear on that point. The first paragraph is what led me to the conclusion that spamtraps can be discovered, by suggesting to me that a new unlisted machine could be used to spam a specific address and then check the results to see if it's listed as having hit a spamtrap thus confirming or denying that the address in question is a spamtrap. The rest of the post is irrelevant.

...Stu

18477[/snapback]

Let's think this through -- I am a spammer and I have a spare /24 and nothing better to do with it and I decide I want to find one of the spamtraps. So I select 100 email addresses from my list -- rather than use all the multimillion addresses in my list. I send 100 spams from nn.nn.nn.1 and wait to see if the IP gets listed. Lets say it gets listed. I also make the assumption that no real users are reporting spam and that the list of addresses didn't hit any random SC reporters. I also conveniently ignore the fact that it takes more than 1 spam hit to get listed. OK now I divide the list in half. I send 50 emails using IP .2 and 50 using IP .3 For the sake of argument only IP 2 gets listed. Now I take those 50 addresses and send 25 using IP .4 and the others on IP .5 Again let's assume that only one IP gets listed -- and so on an so forth.

But -- it takes more than one spam report -- user or trap -- to get listed. And if it's a real dirty list, and I assume you are talking about real dirty lists, the assumption is that there are likely multiple bad addresses ... So the spammer is going to burn a lot of IPs using a very small number of addresses to find one trap, assuming that they can even do that. But you say -- IPs delist after 48 hours so they are not really burning those IPs for long. Well yes they are because even tho an IP delists after 48 hours, if the next spam report/hit shows up before the old spam ages off -- and that takes a week -- the IP will relist. So you have to not reuse that IP address for at least a week in this discovery process.

The thing is -- there are many many many spamtraps and finding one trap is not the magic key that opens the door to finding all of them. Do I think it is possible that someone somewhere does occassionally figure out a spamtrap address? Yeah that is possible, but the end result of that is pretty much nothing. There are a huge number of traps. There are a lot of spammers.

Do you want to know who is the most likely to find a spamtrap email address? It is the guy who sends out an email to 20 "friends" because he is having a party on Sat nite. Thru incredible fat-fingeredness he manages to completely mistype one of those 20 email addresses. He sends his email. 3 hours later he realizes that he needs to amend that email and sends another email. Then he realizes he needs to send a 3rd email. Ooops he gets bounces. He calls his ISP or postmaster in a tizzy. Assuming it's a small ISP or company postmaster, they write to us and say "blah blah blah" or they say to the guy -- what *are* you doing blah blah. The guy picks up the phone and calls his 20 buddies and says "what are your email addresses" and bingo he figures out which one is wrong.

We actually did have something like this happen -- it involved a list of about 5 or so email addresses. The postmaster eventually figured out which was a trap address and wrote and said so. Now of course this took about 2 days of effort on the part of the postmaster; lots of emails back and forth to us and to his user and he discovered one trap address. (yeah yeah we turned it off).

So, am I concerned that someone somewhere maybe discovered one trap? Not really. If the list is dirty, it is hitting other traps and reporters. Those lists are adding/generating new email addresses constantly some of which are going to be other traps and reporters. And we are more concerned about general listwashing and spend a whole lot more time on that.

It is more likely that a pretty clean, legit ESP might spend the time and effort and actually be able to figure out a spamtrap address using historical and statistical data then by burning IPs. Are they doing that? Damned if I know. And I don't see what I can do about it.

Do we add new traps regularly? yes. Do some traps get turned down from time to time? yes. Is it because they are *discovered* -- hardly ever. Do we keep an eye on the traps? yes. Are we very picky about them? yes. Are we a bunch of paranoid people? yes. Have we turned down traps because of free-floating paranoia? yes.

<rant> You know what I am really concerned about? Some stupid so-called anti-spammer somehow discovering one trap and then running around and signing it up to a bunch of unconfirmed lists which *never* get reported and which do not represent "the spam problem" </rant>

[studog]

Do we add new traps regularly? yes. Do some traps get turned down from time to time? yes. Is it because they are *discovered* -- hardly ever. Do we keep an eye on the traps? yes. Are we very picky about them? yes. Are we a bunch of paranoid people? yes. Have we turned down traps because of free-floating paranoia? yes.

18555[/snapback]

Thanks for the answer. I'll post a better reply later this weekend when I have more more time.

...Stu

[A.J.Mechelynck]

[...]

Do you want to know who is the most likely to find a spamtrap email address? It is the guy who sends out an email to 20 "friends" because he is having a party on Sat nite. Thru incredible fat-fingeredness he manages to completely mistype one of those 20 email addresses. He sends his email. 3 hours later he realizes that he needs to amend that email and sends another email. Then he realizes he needs to send a 3rd email. Ooops he gets bounces. He calls his ISP or postmaster in a tizzy. Assuming it's a small ISP or company postmaster, they write to us and say "blah blah blah" or they say to the guy -- what *are* you doing blah blah. The guy picks up the phone and calls his 20 buddies and says "what are your email addresses" and bingo he figures out which one is wrong.

We actually did have something like this happen -- it involved a list of about 5 or so email addresses. The postmaster eventually figured out which was a trap address and wrote and said so. Now of course this took about 2 days of effort on the part of the postmaster; lots of emails back and forth to us and to his user and he discovered one trap address. (yeah yeah we turned it off).

So, am I concerned that someone somewhere maybe discovered one trap? Not really. If the list is dirty, it is hitting other traps and reporters. Those lists are  adding/generating new email addresses constantly some of which are going to be other traps and reporters. And we are more concerned about general listwashing and spend a whole lot more time on that.

It is more likely that a pretty clean, legit ESP might spend the time and effort and actually be able to figure out a spamtrap address using historical and statistical data then by burning IPs. Are they doing that? Damned if I know. And I don't see what I can do about it.

Do we add new traps regularly? yes. Do some traps get turned down from time to time? yes. Is it because they are *discovered* -- hardly ever. Do we keep an eye on the traps? yes. Are we very picky about them? yes. Are we a bunch of paranoid people? yes. Have we turned down traps because of free-floating paranoia? yes.

<rant> You know what I am really concerned about? Some stupid so-called anti-spammer somehow discovering one trap and then running around and signing it up to a bunch of unconfirmed lists which *never* get reported and which do not represent "the spam problem"  </rant>

18555[/snapback]

Thanks for this detailed explanation, including the part I snipped.

Of course, spamtrap addresses are findable, or they wouldn't be harvested. It's not very hard to (figuratively) poke one's hand into a sorting hat and get out a spamtrap address. It is of course much harder to start with an email address not otherwise known, and find out whether or not it is a spamtrap or a legit, er, customer. In a programmer's language (let's say pseudo-C),

        *emailaddress GetSpamTrapAddress (void)

is much easier than

        bool IsSpamTrapAddress (*emailaddress)

But of what use is it to me? I'm not a spammer, not even a business. My only relation to spammers is that I hunt them, either the way English nobility hunt fox (or used to, it may soon get outlawed) or the way my landlord hunts cockroaches, take your pick ; except that for the time being my horse and dogs are at the vet's and I'm out of Fly-Tox. Oh, well, life has its ups and downs...

[studog]

Let's think this through -- I am a spammer and I have a spare /24 and nothing better to do with it and I decide I want to find one of the spamtraps.

18555[/snapback]

Incorrect assumption. Zombied PCs are a dime a hundred. We must assume that spammers have all the IP addresses available to them that they need.

So I select 100 email addresses from my list -- rather than use all the multimillion addresses in my list. I send 100 spams from nn.nn.nn.1 and wait to see if the IP gets listed. Lets say it gets listed. I also make the assumption that no real users are reporting spam and that the list of addresses didn't hit any random SC reporters.

Irrelevant assumption. SpamCop reports that an IP is listed as a result of hitting a spamtrap, or not.

I also conveniently ignore the fact that it takes more than 1 spam hit to get listed.

Ok, that might be a problem, and then you'd *want* real users reporting as well. I am under the impression that even one email to a spamtrap gets you listed, since the point of spamtraps is that a spammer wouldn't have gotten them except through automatic harvesting techniques.

OK now I divide the list in half. I send 50 emails using IP .2 and 50 using IP .3  For the sake of argument only IP 2 gets listed. Now I take those 50 addresses and send 25 using IP .4 and the others on IP .5  Again let's assume that only one IP gets listed -- and so on an so forth.

So far so good. However, also assume that the spammer has a list of "known non-spamtrap" addresses. That's as easy as sending a run, noting that it was listed but not for spamtraps, and noting every single email address as "good". So the actual number of emails in a "probing" run doesn't need to dimish, or be small.

But -- it takes more than one spam report -- user or trap -- to get listed. And if it's a real dirty list, and I assume you are talking about real dirty lists, the assumption is that there are likely multiple bad addresses ... So  the spammer is going to burn a lot of IPs using a very small number of addresses to find one trap, assuming that they can even do that. But you say -- IPs delist after 48 hours so they are not really burning those IPs for long. Well yes they are because even tho an IP delists after 48 hours, if the next spam report/hit shows up before the old spam ages off -- and that takes a week -- the IP will relist. So you have to not reuse that IP address for at least a week in this discovery process.

See above rebuttals.

The thing is -- there are many many many spamtraps and finding one trap is not the magic key that opens the door to finding all of them. Do I think it is possible that someone somewhere does occassionally figure out a spamtrap address? Yeah that is possible, but the end result of that is pretty much nothing. There are a huge number of traps. There are a lot of spammers.

Ah, but if the spammers are making a concerted effort to locate the traps and list-wash them, their usefulness is diminished. We have to assume that the bad guys are doing all they can to avoid being found out.

Actually, it just occurred to me. This whole thread is irrelevant, since the problem of spamtraps getting list-washed is self-correcting. After a while the PTB would notice that the spamtraps aren't getting hit anymore, and would then have to rotate them to make them useful again.

I should have realised that earlier. Sorry to waste everyone's time.

We actually did have something like this happen -- it involved a list of about 5 or so email addresses. The postmaster eventually figured out which was a trap address and wrote and said so. Now of course this took about 2 days of effort on the part of the postmaster; lots of emails back and forth to us and to his user and he discovered one trap address. (yeah yeah we turned it off).

This example is orthogonal to mine. So the fact that in this case a lot of effort was expended to locate one trap address has no bearing on mine.

It is more likely that a pretty clean, legit ESP might spend the time and effort and actually be able to figure out a spamtrap address using historical and statistical data then by burning IPs. Are they doing that? Damned if I know. And I don't see what I can do about it.

As I feel we've debated the issue and it's come to a close, I'm not going to reply to the rest of your post. But I have to say... a "legit ESP" should be able to figure out spamtraps pretty darn easily.

...Stu