Protecting Your Deliverability with Honeypots
Written by Nick Schafer
Categories: Best Practices
3 minute read time
Dunno about you, but I find it oddly satisfying every time I flag a spammer and stop them in their tracks. It’s like I’m tag teaming with ISPs to police the interwebz, fighting the good ol’ fight. And there’s a lot that ISPs can learn from in-house efforts to stop spammers, especially from traps like honeypots that are meant to ban spammers from your email servers. Honeypots are a sticky topic (pun intended) because there’s a lot of upside to using them. That’s good news for you, but bad news for the unsuspecting target.
What is a honeypot, anyway? If done right, it’s a clever way to lure spammers into revealing their tricks. You’re basically setting a trap and using misleading information as bait to catch them in the act.
A good place to hide a honeypot is in plain sight. Not for your users to see, more for those pesky bots that are just looking to fill your forms with bad email addresses that kill your sending reputation. The reason collecting bad email addresses affects your reputation, is because they pollute your mailing lists. Now you have complete garbage that will tank your email delivery, and maybe get you blacklisted! Metrics you’re using to measure email performance (like bounce rate, open rates, and click through) will be impacted, too. You could be a form ninja and include a hidden honeypot field that’s invisible on the user interface thanks to CSS. But for email, it entails using some kind of email address that you can monitor. The more honeypot emails you have out there, the earlier spam attacks can be identified. So, by all means – go crazy!
Before creating your honeypot addresses, you want to consider using a different pattern so that they don’t match the one you actually use for legit email addresses. There’s also something to be said about using generic mailbox names that you don’t need like strong>info@</strong or role-based addresses like strong>sales@</strong that appear harmless but can trick a bot.
Want to level up? Use subdomains in your favor to create honeypot addresses and group them in a list. This will create a line of defense against Directory Harvest Attacks. Even if a spammer tries all possible combinations of an email address, they won’t be able to exploit the SMTP relay. This is because the harvested emails from your list will be ‘legitimate’, and so there’s no error message to identify the wrong addresses and pick them out to refine the list.
Are honeypots the same as spam traps?
Yes and no. You don’t actually have to create mailboxes for an email address to use it as a honeypot. The email address doesn’t have to exist: the spammer can try sending to a dud email address, and if you check your logs, you’ll see that an attempt was made. Using something sticky like a role-based email address – granted it needs to not be easily confused with an email you do use for business – and hiding it in your website HTML can also do the trick. Any bots that crawl your site to harvest email addresses will find them over time.
But honeypots can also be spamtraps when they leverage old email addresses that have been inactive for a long time. These ‘recycled’ addresses that have been abandoned or closed are reset by ISPs and monitored closely for activity. Whereas you might own traps you’ve created in-house, the identity and location of spam traps are hidden by ISPs and they go to great lengths to keep them unknown.
What else can I do to fight spam?
Before you bombard your friendly network administrator with changes to your production network, take stock of your current data collecting and email practices. In fact, we’ve got a webinar that covers this!