What is a honeypot, and how does it impact email senders?

The moment Vesper Lynd slinks onto the screen in Casino Royale, you know exactly how this will all play out. Despite being a world-class spy, James Bond will fall hard for the mysterious Vesper, who will use all her feminine wiles to pry information out of Bond. Vesper is the honeypot in her operation: the tempting target who entraps our protagonist.

But, honeypots are for more than just spies. In this article, we’ll talk about how honeypots affect you as an email sender, the different types of honeypots, and the risks of getting caught.

In cybersecurity terms, a honeypot is a clever anti-spam trap that tricks spammers into revealing themselves by offering up tempting targets. These traps vary depending on the type of malicious actor the trap setter is trying to catch.

Honeypots can target bots that try to inject fake email addresses into an email collection form, hackers who try to scrape email addresses from a web page, or harvesters that collect personal data like bank account details. They can catch either human actors or malicious programs designed to act on behalf of human actors.

Let’s break this down and look at the honeypot operation needed to catch a harvester or bot that scrapes websites to collect email addresses.

The human actors behind these malicious programs can hit harvested emails with a malware attack or sell the email addresses to unsuspecting email marketers. In this case, the honeypot is a designated inactive email address that has never been used and has never opted into any email campaigns.

These honeypot email addresses are embedded within a webpage’s code. A trap setter can use CSS to hide this email address from human eyes while rendering it visible for harvesters and bots who programmatically crawl the web page. Trappers then make the honeypot email easier to lift than a legitimate email address, thus making the honeypot more appealing through built-in security vulnerabilities. The trap setter then monitors this email address to trap individuals who send messages to it.

You’re probably thinking, “Okay, but this doesn’t apply to me. I’m a legitimate email sender.” If anything, you might wonder how to implement honeypot systems on your business’ website or web app to prevent harvesters, bots, and spammers from injecting fake emails through your email collection forms or lifting your subscribers’ email addresses.

Actually, there’s a chance you might be at risk if you employ risky email collection strategies. Let’s talk about the dangers a legitimate email sender might face from honeypot operations in the following scenarios:

• You’ve purchased a mailing list.
• You have exchanged lists with another company.
• You crawl websites to scrape email addresses to build your mailing list.
• A legitimate subscriber or a bot entered a fake email address into your email collection form. This can either be malicious or unintentional.

We’ll go over each of these risks in more detail below.

We mentioned that hackers who harvest email addresses from web pages might sell these emails to email marketers. It’s bad practice to gain subscribers by purchasing mailing lists. If you buy a mailing list, your just purchasing a list of users who did not consent to receive email from your organization.

Building your subscriber base with purchased mailing lists may seem like the “easy” option, but this will be reflected in your email marketing metrics with lower engagement rates, lower open rates, and a higher spam complaint rate. All of these factors affect your IP address and domain reputation, which affects your inbox placement. If you have a bad IP and domain reputation, Internet Service Providers (ISPs) might decide not to deliver your message to a legitimate recipient’s inbox.

Overall, purchasing mailing lists is a bad idea. Another risk of using a bought mailing list is that it may contain honeypot email addresses. Instead of catching a spammer, the trap setter (often a blocklist like Spamhaus) will catch you Many honeypot traps are set by blocklists themselves, and if you fall into one they’ll add you on their blocklist, and it’s really hard to get off.

his one’s easy: scraping email addresses off websites is the exact behavior a honeypot email address is supposed to catch.

If your company does this – even if it’s for legitimate email marketing programs – you’re really no better than a spammer. The owners of the email addresses have not consented to being contacted, just as with a purchased list, and they will likely mark your emails as spam. As we mentioned above, this can land you on an ISP’s blocklist and damage your email marketing efforts.

Okay, this one’s a bit tricky. The basic scenario is as follows:

1. You have an email address collection form on your website.
2. An individual (like a legitimate sender or a spam bot) enters an email address.
3. The email address they’ve entered is not real. This can be because of user error or malicious intent.

The above scenario has a lot of moving parts. For instance, it can be a bot injecting a fake email address, a legitimate subscriber maliciously entering a fake email, or a legitimate subscriber mistyping their email address. The end result is the same: an invalid email has been added to your mailing list.

In the best-case scenario, your legitimate email message to this fake email address just hard bounces and can’t be delivered. This impacts your deliverability, but it isn’t particularly damaging if it’s a rare occurrence.

In the worst-case scenario, this fake email address is a honeypot, and you’ve signed yourself up for the blocklist. As we illustrated above, ending up on the blocklist damages your email marketing programs.

To avoid this, we recommend the following:

• Implement email verifications to ensure the email addresses your form collects are legitimate before sending out an email blast.
• Implement reCAPTCHA and double opt-ins to validate a subscriber intended to subscribe.
• Ensure that you’re staying compliant with applicable data protection laws when you collect emails.
• Maintain mailing list hygiene and clean your databases regularly.

This way, you might just avoid ending up on a blocklist.

Yes and no. Honeypots are a form of spam trap, but trappers don’t have to create mailboxes for an email address to use it as a honeypot. The email address doesn’t have to exist: The spammer can try sending to a dud email address, and if the trap setter checks their logs, they’ll see that an email attempt was made. Trappers can hide these emails within their web pages, and any bot that crawls their site to harvest email addresses will find them over time. Honeypots can also be spam traps when they leverage old email addresses that have been inactive for a long time. These “recycled” addresses that have been abandoned or closed are reset by ISPs and monitored closely for activity.

Despite everything we’ve said above, honeypots are not all bad. Honeypots are good at catching malicious actors to prevent cyberattacks. And, if your business behaves like a cyberattacker, you might just get caught in a honeypot.

Here’s why honeypots are a good thing:

• They capture malicious actors by creating attractive targets riddled with vulnerabilities.
• They enable threat detection in advance of potential attacks. By convincing hackers and bots to latch onto a fake target, trap setters can see the types of attacks cyberattackers might employ.
• They’re great intrusion detection systems.
• They enable a better understanding of cyberattackers. Honeypots allow trappers to “study” what a cybercriminal would do if they were to attack their webpage for real.

As we mentioned above, a legitimate sender like you might be caught in a honeypot. The best practice is not to act like a malicious actor so you won’t be caught in these traps.

There are two main categoriges of honeypots: production honeypots and research honeypots. Production honeypots collect cybersecurity-related information within a company’s or organization’s production network. On the other hand, a research honeypot gathers information about a hacker’s methods and tactics. These are usually used by governments and research organizations.

Let’s look at some of these honeypot varieties:

• Pure honeypots: These are full-scale computer systems that mimic the production system. The data in pure honeypots “look” confidential but actually contain vulnerabilities to attract hackers and also sensors to monitor cyberattackers once they’re in.
• High-interaction honeypots: These are complex honeypots designed to waste a cyberattacker’s time to give the security team enough time to observe the attacker and explore other vulnerabilities within the system.
• Mid-interaction honeypots: These are less complex systems that imitate some elements of the application layer. However, these don’t have an operating system (OS). The goal of a mid-interaction honeypot is to confuse an attacker or stall them, so the infosec team has time to evaluate and coordinate a response.
• Low-interaction honeypots: These are the least complex honeypots that gather rudimentary information about the kind of cybersecurity threat and where it comes from. They use Transmission Control Protocol (TCP), Internet Protocol (IP), and network services.
• Spam honeypot: These are the main focus of this article. Spam honeypots attract spammers by creating vulnerabilities related to emails. They trap these spammers before they can do actual harm.
• Malware honeypot: These honeypots employ attack vectors proven to lure in malware.
• Client honeypot: These honeypots draw in malicious servers that attackers use while hacking clients. They pose as clients to observe how an attacker makes modifications to a server during the attack.
• Database honeypot: These honeypots use decoy databases to attract attacks like SQL injections.

The best way to prevent falling into a honeypot trap is to ensure your email address collection practices are compliant and legitimate. Create a custom signup form with Mailgun. Or, check out our webinar covering some best practices for growing and maintaining your email lists.

Author: Nick Lafferty Nick Lafferty was a Team Lead for our Growth team at Sinch Mailgun. An avid blogger himself, he focused on sharing strategies and initiatives to help businesses grow their reach and make the most of their email program.