Where Is Spam When You Want It?

Sean writes "In a complete twist to what everybody else is trying to do these days, I need to attract spam to an e-mail address for a research survey I am conducting. I have submitted a few articles to a handful of Usenet groups, and I have signed up to some general mailing lists but so far I have nothing to show for it. How come by personal account gets 100+ spam each day yet when I try to find it I get nothing? Where should I post my address so that it attracts spam?"

Outlook...

[krray]

I ran an experiment to do just this... Originally USENET (a decade ago I did that one), web pages, etc... Hundreds of trap address' across many of the domains in my control -- harvest and block 'em early has been my general method... :)

I recently took 1 Windows 2K box (SP2) and put it directly online in the DMZ type zone. Do NOT patch it and add no virus software. Load some trap address' (never used before) into the Outlook address book.

It took twelve (12) minutes from plugging it in to getting many, many infections, to the final spam. Typical time is 3-4 hours usually and I've seen the test go for as long as 8 hours.

How many people do you know that use Outlook and may have your email in their address book? The bitch of the matter? No Windows here anywhere, well, except for VirtualPC which makes such tests so damn easy -- too bad Microsoft had to buy them up too...

Re:Outlook...

[dboyles]

Don't think I'm calling for honeypot operators to be arrested for setting out some bait. I think it's fine. In fact, I think it's a good addition to a security infrastructure. But dropping something insecure out in the open with full knowledge that it will probably be compromised and then likely used for undesireable activities isn't responsible.

Perhaps I should have made that point more clear initially.

Re:Outlook...

[dboyles]

If you leave a box of goodies outside your house, you may be asking for trouble, but you're not accepting responsibility for someone stealing it.

Okay, let's talk about the box of goodies. Let's say you leave a box of weapons outside with full knowledge that a neighborhood kid will probably find it and will likely use the contents for something illegal. If that happens, do you think you are partially responsible for whatever happens?

Before you jump all over me for such a hyperbole of an analogy, no, I don't equate running an insecure machine with handing out a small arsenal to the neighborhood kids. But I think you might be able to see my point given so many peoples' reactions of "What kind of parent leaves a gun where a kid can get it?" seemingly whenever a video game violence article is posted.

Take note of the bold text in the first paragraph. It's key to my point. If that box of weapons was in a place that you could reasonably assume wouldn't be accessible by the hypothetical gunman, I wouldn't place any blame on you, the owner.

So no, you're not responsible for other's actions, they are, don't be stupid.

You're exactly right - you aren't responsible for others' actions. In this case, you'd be liable for your irresponsible action.

If you want to be scientific, don't

[gunner800]

If you deliberately bait spam, your research will only be about spam as it effects bait e-mail accounts. Your conclusions won't be applicable to normal e-mail use habits.

Want to survey spam as it effects a normal, real-life, daily-use e-mail address? Get a new address and starting using it as your primary account. Anything less will be irrelevant statistics.

worked for me

[pretzel_logic]

Buy a throw-away domain name and post an index page with a email address. you could also use the method where you record the IP address of the spider by generating the email address on the fly. with [IP of spider]@domain.com and then set up a catch all email box. then you are monitoring the spiders ips and the mail servers ips. this idea was posted on /. a few months back but I couldnt find the link.

That depends

[dmiller]

If you deliberately bait spam, your research will only be about spam as it effects bait e-mail accounts. Your conclusions won't be applicable to normal e-mail use habits.

The relevance of a baited addres depends on how one does the baiting. I'd say that a handful of usenet posts, pasting it to a couple of web pages, use of it to create accounts on websites (e.g. here), etc would be very representative of common patterns of address disclosure.

Re:'Unsubscribe'

[Anonymous+Freak]

I actually tested that not too long ago. I made a hotmail account, did not use it, or publish the address anywhere. After two months, I found I was getting 10-15 spams a day. So, I started using the 'unsubscribe' links in all of them. In two weeks, I was down to 1-2 spams a day.

Finally, after another two months, it was back up to 8-12 a day. So unsubscribing did seem to work, rather than hurt.

Who you use as an ISP is important

[Zero__Kelvin]

Is the account you want spammed provided by the same ISP as your personal account? It sounds like the ISP you are using for the research account might be doing a really good job killing off the spam before it ever gets to you. In order for the research to be uncorrupted you need to verify that your ISP passes all e-mails through to you, rather than spam filtering.