Slashdot Mirror
Where Is Spam When You Want It?
Sean writes "In a complete twist to what everybody else is trying to do these days, I need to attract spam to an e-mail address for a research survey I am conducting. I have submitted a few articles to a handful of Usenet groups, and I have signed up to some general mailing lists but so far I have nothing to show for it. How come by personal account gets 100+ spam each day yet when I try to find it I get nothing? Where should I post my address so that it attracts spam?"
I ran an experiment to do just this... Originally USENET (a decade ago I did that one), web pages, etc... Hundreds of trap address' across many of the domains in my control -- harvest and block 'em early has been my general method... :)
I recently took 1 Windows 2K box (SP2) and put it directly online in the DMZ type zone. Do NOT patch it and add no virus software. Load some trap address' (never used before) into the Outlook address book.
It took twelve (12) minutes from plugging it in to getting many, many infections, to the final spam. Typical time is 3-4 hours usually and I've seen the test go for as long as 8 hours.
How many people do you know that use Outlook and may have your email in their address book? The bitch of the matter? No Windows here anywhere, well, except for VirtualPC which makes such tests so damn easy -- too bad Microsoft had to buy them up too...
Sign up for an account there, forward the spam to your new mailbox and start following links to advertisements and such. If they ask for your email address, give it to them. Won't take long.
Register with every "reputable" company with a "privacy policy" you can find, and make purchases with them. Register a domain with the addy. Put the addy on tons of those little fill out cards that you have to mail in from magazines for free this, free that. Buy subscriptions to tons of Pr0n sites with the addy. Instead of usenet, post on several pay or exclusive product-support forums, where spam-runners can be assured of sure-fire hits. Damn! It's expensive to acquire SPAM!
Me as well as other slashdotters will send you some of ours. We don't want it (I hope).
Try signing up for a few mailing lists for marketers. Usually they will sell these to other companies who will in turn sell it to other companies and so on. Most email addresses are not spammed by having it available on google but rather giving it to the companies that do the spamming.
I get spam from my domain registry, which has an email associated with it. I get the Nigerian stuff this way.
You want spam? You should have put in your email address into the submitted article...
I had to get on some spam lists for an experiment as well. I signed up for everything you could imagine and recieve less spam on that account than my other accounts.
Just put your email adress in a lot of those 'get free pr0n pictures every day!' Works wonders. I heard.
If Murphy's Law can go wrong, it will.
We all know that the Spam won't show up if you want it. That's against the very nature of spam.
All annoying things always happen every time except for the one time you try and prove the phenomenon to a non-beliver. Well known fact.
Good luck at finding the spam (wow, I never thought I'd have say that.)
Make an ebay account with your email address in it and just start bidding. This is an excellent way to ruin an otherwise perfectly good email address. I was doing all right on the spam front until I did this. Big whoops. *hits head on desk* Yeah, stupid me.
You'll quickly become inundated with "How-tos" to Ebay, "official" emails from Ubid by people attempting to fraudulently gain access to your personal information, more tips-and-tricks, more offers from uBid, and of course a plethora of marvelous online drugstore advertisements.
Enjoy.
Seems like there's more than a few people suggesting signing up with free porn sites to get spam.
Personal experience?
also try porn sites, gambling sites, and more importantly, paste it on slashdot. My spam trap address here gets hit ALL the time, usually several times a day, which has helped me greatly in tuning my firewall.
Lawyers, MBA's, RIAA? A jedi fears not these things!
If you deliberately bait spam, your research will only be about spam as it effects bait e-mail accounts. Your conclusions won't be applicable to normal e-mail use habits.
Want to survey spam as it effects a normal, real-life, daily-use e-mail address? Get a new address and starting using it as your primary account. Anything less will be irrelevant statistics.
Give it to some of your friends and relatives, soon you'll recieve 20 or so joke chain letters every day...
In your own inbox, get a couple of hundreds of spam.
.....
Take the urls (DO NOT CLICK ON THEM) and strip them of the stuff after the '?'
Go to each of those 'unsibscribe' pages and put the test account in the email to be removed box.
Its the best way to get spam. The spammers will generally use it as confirmation that your address does indeed exist, and theyll happily put you in their alive list, where you are shure to get everything they are selling.
I was in the exact same situation, actually, and found spamarchive.org to be very helpful. Any one of the files on their ftp site should have enough spam to keep you busy for a while.
"(Man) tries to live his own life as if he were telling a story. But you have to choose: live or tell." --Sartre
Why not just download some from spam archive?
Based on a friend's suggestion, I created an alternate e-mail address and used it to create user IDs on classmates.com and match.com and, sure enough, until I kill the ID months later, I was getting 30+ spams a day after my ISP was done with its own filtering. I wasn't being very scientific and I don't know if it was one or the other or both, but it's a place to start...
"I'm a scientist! I don't think, I observe!" - Dr. Clayton Forrester
- Post a comment on Slashdot with the e-mail address visible
- If on a popular e-mail provider such as AOL, Hotmail, or Yahoo, put up a profile and go to a chat room.
- Allow your e-mail address to be listed on any of the directories.
- Put your e-mail on a Geocities website.
New research shows spam no longer a problem!
I think your best bet for simulating spam would be to give the account to a 14-16 year old kid for a week or two. One of the types that plays stupid games and talks to their friends on messaging programs all the time. They drop their email addresses all the time without really thinking about it.
Put it on a web page which gets any moderate amount of traffic. I did that with some spam-bait addresses, and it's amazing how much they generate. In a few months, they've identified over 22,000 unique servers sending spam.
steve
Oh, you're not stuck, you're just unable to let go of the onion rings.
"Research Survey" = getting back at evil ex-girlfriend.
Some links of the sweet, sweet google:
Here
Again
And Again
If you search for 'contests' and click on the sponsored link then you should have an abundant source. Also, if you sign up for a few of those "Free" trials at porno websites, you should start to get some serious spam.
That and better yet the sites that will submit your web site to hundreds of search engines. That will get you to the FFA style sites quick. I did this when I needed an account to test SpamAssassin on. Worked like a charm. Better yet, give /. ers an Email and we can set a forward to you of some junk.
Hey I got plenty!
Post to Google Groups on many well-frequented lists (don't cross-post!) with the address. Sign up for a Slashdot account and write generally informative (+5! +5! +5!) tripe with your real email address tied to it.
You also should've specified the test email in your story submission (i.e. Sean writes:) -- too late for that now, of course. In the slashdot@myname.endjunk.com emails I've provided, I've easily gotten 10+/day within a few hours of first posting. Neat.
We recently had heard in the office over one of the Yellow Machine that's made by Anthology Solutions.
I made up a semi-bogus email addy, it's real in that mail sent to it gets to me, but when I'm done, I'll flush it down the tubes.
I used it to attract spam so that I could train spamassassin for my use and for a few friends and family.
I went and dropped it all over usenet in the pr0n groups, went to every viagra site I could find, clicked on every banner add I saw.
It took a few weeks but I finally got the desired results. You'll have to put up with some extremely offensive email for awhile so make sure the wife and kids can't get to it during this phase.
After doing this for a few weeks I was getting 50+ spams a day. Now that I have spamassassin all tuned up I just don't check mail on that account. Once I feel that I no longer have the need to tweak SA, I'll just dump the account..
Too bad this doesn't work for TV commercials...
HEY! How about an app that, er, nevermind...
Buy a throw-away domain name and post an index page with a email address. you could also use the method where you record the IP address of the spider by generating the email address on the fly. with [IP of spider]@domain.com and then set up a catch all email box. then you are monitoring the spiders ips and the mail servers ips. this idea was posted on /. a few months back but I couldnt find the link.
pretzel_logic
Simply respond to your own post here on /. with your e-mail address. /. is a spam magnet. The majority of spam I receive is from an e-mail address I used to use here that I quit using over a year ago.
Hi, I'm pissed off at someone and would love to get them bombarded with spam. No, I don't think that'll work on slashdot. Better say "research" instead of "pissed off". Yeah, that should work.
riding round the world on an old motorcycle
"My deadbeat roommate has pissed me off once too often. On a completely unrelated note, I'm looking for ways to attract lots of spam to an email address for... er... research. Yes, research sounds plausible."
spamthistohelpusout@someresearchcompany.com
You can't judge a book by the way it wears its hair.
If you deliberately bait spam, your research will only be about spam as it effects bait e-mail accounts. Your conclusions won't be applicable to normal e-mail use habits.
The relevance of a baited addres depends on how one does the baiting. I'd say that a handful of usenet posts, pasting it to a couple of web pages, use of it to create accounts on websites (e.g. here), etc would be very representative of common patterns of address disclosure.
Where should I post my address so that it attracts spam?
/me shakes his head.
How about the front page of Slashdot?!? That ought to help you out a bit.
I'm not a prophet or a stone-age man,
I'm just a mortal with potential of a super man.
Looks like....
I have been collecting them as I spot them, when I have enough samples and enough time I will have a bash at decrypting them.
So if you want to add a flourish to your thesis, you can also figure out what they are using the encrypted text for. (Probably some sort of tracking to measure success of campaigns.) I will happily send you my collection of spam + encrypted messages.
It did occurred to me that if you were a distributed illegal group that wanted to communicate in a way that was untracable from you to the component cells, you could do worse than sending out spam + encrypted message to millions of random addresses, some of which are your cells.
For the past couple years I've forwarded all emails for a domain to one account. Whenever I give out my email, I give their website/company@my-domain.com and try to insure they will not spam by doing the usual unsubscribing. Classmates was a violator, however I went back through and reunsubscribed and rarely get anything. The worst offenders I found were morpheus-musiccity, iseekyou(icq), and my-domain. Hotmail was pretty bad when I originally signed up because I didn't unsubscribe at passport.net.
I happen to have several email addresses that are like my username here. I get spam for willy001 willy002...willy134...willy156.... If you set up an email address on a domain that is very well spammed (hotmail excite yahoo...) with a name like john12345 and that might induce spam.
Can you ping me now?... Good!
The best way to get spam? Put your email address into a popular HOWTO, or run a 3-letter domain (a friend of mine gets about 2/second to his three-letter domain). And be patient.
But if you want some of mine, I'm happy to get rid of it. ;)
Do you really need reason for beer? Wingman Brewers
You have to make sure you click the opt-out check boxes if you're signing up places. If you go to a porn site and sign up to recieve mail from them it's hardly spam. Yes, I know you'll still get a lot of stuff you didn't ask for. But since this is for research, it seems like the distinction ought to matter.
Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
It's not encrypted data - it's merely random text intended to throw off spam filters.
Specifically, not one that's from an actual brick and mortar greeting card maker. 9 times out of 10, you'll be sure to be not only adding YOURSELF (the sender) as a future spam victim, but whoever you entered as a recipient for the e-greeting card.
All I know about Bush is I had a good job when Clinton was president.
Create Several Email Addresses - Be scientific ...
.....
Address 1 - (Control Address) Post No Where and read no messages until the testing time is over
Address 2 - Post On Usenet (Deja.com)
Address 3 - Post In Public ICQ program
Address 4 - Porn Sites
Address 5 - IRC
etc
I have an address I used for about three months on usenet, only in the comp.lang hierarchy.
I may have used it for a few web sites, but the only one I recall is a local political organization which I doubt would have sold, or had the expertise to sell, its list. Still, the data is tainted, and I can't say it all comes from usenet.
According to DejaGoogle, I last used it 18 April 2002, and it was last referenced in a follow-up message 5 May 2002. I first used it 15 February 2002.
For a while I had my ISP forward mail to that address to "nothing" until I worried it might be piling up on the server somewhere (I don't know what forwarding to "nothing" means in the ISP's web control panel). So there are no messages for most of the month of May 2003.
Disregarding the emails from the political organization, there are 1733 emails; the earliest is dated 16 July 2002, the lastest today 21 Sep 2003. (There are probably earlier emails to this address which have been archived.)
So that's a span of 432 days, not subtracting the period when I wasn't having the email forwarded. Again not subtracting the un-forwarded days, that's ~4 per day.
Note that this is only spam to this particular "sacrificial" address; it does not count the large amount of spam that, thanks to having some idiots as "friends", hits my "real" address.
I have not been subject to any dictionary attacks on my domain name, but I have gotten about 105 spams to admin@mydomain in the same time period. This pushes the daily average to ~4.25/day.
Since I started getting a lot of spam, I've made a practice of assigning each commerical contact or mailing list a different address (theirdomain.tld@mydomain.tld generally); surprisingly, these get very little spam, despite getting large volumes of legitimate mail each day.
Opinions on the Twiddler2 hand-held keyboard?
That's what they want you to think!
*looks left, looks right*
--Fesh
Kill -9 'em all, let root@localhost sort 'em out.
I think you have to wait, as from what I understand most of the people who spam actually buy spam lists from other people. The spam lists seem to be compiled like phone books, so they send out batches of addresses like every month or so. I'm sure your mailbox will be stuffed to the breaking point about two months from now.
Your first 30 minutes alone on the Internet should tell anyone that.
The surprise isn't how often we make bad choices; the surprise is how seldom they defeat us.
Is the account you want spammed provided by the same ISP as your personal account? It sounds like the ISP you are using for the research account might be doing a really good job killing off the spam before it ever gets to you. In order for the research to be uncorrupted you need to verify that your ISP passes all e-mails through to you, rather than spam filtering.
Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
Also they break up words to avoid spam filters, like the following spam I recieved:
"Ge ni tal Enl arge ment - Me dic al Bre akth rou gh F or Me n ! 2 a m azi ng wa ys to e nl ar ge y our man h ood - re ad bel ow..
D oct ors work ed for ye ars crea ting a p il l to en lar ge t he ma le ge nit al ia b y len gt h a nd wi dt h. .
T he ye ars of wo rk p rodu ced a pi l l c al led "V P R X", - V P R X P i l l s inf o c li ck her e
a nd al so a pa tch simi lair to the qu it sm o king pat ch . - P e n i s P a t che s i nf o cl ic k her e . "
I just hope they don't discover this, which is much more readable and still produces the same filter avoiding results. Fortunatly Bayesian filters learn these tactics and significantly reduce their useable lifespan. Expect to see the face of spam change more often and more dramticly with the widespread adoption of such filters by AOL and others.
I recommend NewFunPages for getting lots of spam to an account that never used to get spam.
Then start clicking on the Unsubscribe links.
There are two kinds of sysadmins: paranoids and losers. I'm both kinds.
That isn't any sort of encrypted text. It is simply a (pathetic) attempt of evading filters...
You insensitive clod!
You've ruined the poor boy's dream!
Just think of the hours of fun he could have had "cracking" the "code".
Just think of the elaborate code -- and equally elaborate conspiracy behind it -- he might have created in a desperate obsession to make his data fit his theory!
It could have been a new formularization to rival the Illuminati, Ancient Astronauts, secret codes in the Bible, or some other tortuous, contrived theory! Why, he might even have constructed the ultimate conspirarcy theory, a religion!
But no! You had to cruelly disillusion him. And rob us of the fruit(iness) of his labors.
For shame!
Opinions on the Twiddler2 hand-held keyboard?
So you want a lot of spam, do ya?
p e= www
http://www.spamcop.net/w3m?action=inprogress&ty
That's Spamcop's list of spam-vertised web sites. All of those sites have submission forms; just put the email address in there and you'll be rockin' and rollin' within a few hours. I got into a 'spam war' with one of my roommates back in college, and with that Spamcop list I was able to render his email account COMPLETELY useless within a couple of hours (If you're reading this, sorry 'bout that Brian... )
Speaking of spam, on a random side note, I've recently started checking all of my email accounts with Shadango.com. Anybody else tried that yet? Shadango allows you to have advanced filtering applied to ALL of your existing accounts (both POP and IMAP). It's frickin' great. So now I don't get any more spam, plus I can check all 5 of my email accounts from one place. They've also got file storage, a calendar, etc. It's money. Check it out.
-Nate
Yeah, I got an account on there a couple of months ago. It's definitely very cool.. it can even check Yahoo/Hotmail accounts.
I always just used my Yahoo account to get spam when I signed up for stuff online. BUT, just today I found out that Shadango allows you to generate temporary, 'disposable' email accounts. See, you generate a random email account, sign up for whatever online (using that new account), and all the crap goes to the temporary account, which you can delete/change at will.
It has definitely helped to cut down on the amount of spam I get. Kevin Hanson recommends it highly.
-Kevin
Yo, I was involved in the alpha testing of shadango awhile ago. When I signed up I used the word "alphabase" in the promotional code box. It got me a paid tester account...i think it might still work. From my experience Shadango is definitely worth the try. Ian Welsh
Look up FFA on google and submit your E-Mail to thier forms. You should within minutes get a constant stream of spam that will never ever end.
Register a domain with Verisign, and put your target address as a contact for that domain.
-----
PGP Key ID 0xCB8FF658
1. news.admin.net-abuse.sightings
2. spamarchive.org
3. Build a Spam Honeypot
hth
pete
"The cup... the drop... it's a YES!"
And while we're at it, it's semantic ;)
-uso.
What you hear in the ear, preach from the rooftop Matthew 10.27b
BlueCat Networks www.bluecatnetworks.com have this really cool product called Meridius. It's an anti-SPAM Mail Relay appliance. Typically sits in the DMZ. Why don't you contact them and ask them about SPAM?
pi=sigma{n:0-infinity}[(1/16)^n][(4/(8n+1))-(2/(8n +4))-(1/ (8n+5))-(1/(8n+6))]
What you're describing is called the attractive nuisance doctrine , and really only applies to the situation with the neighborhood kid, not to an adult upon whom different expectations are placed.
One could argue that the real issue is negligence , but proving negligence turns on the phrase (from the referenced definition) "the care of a reasonably prudent or ordinarily careful person in the circumstances".
It's unclear whether or not you'd be able to point to an "average user" and call them "ordinarily careful", in which case you'd definitely be doing about what's average. It might, instead, turn out that the court would say "you're a professional, a sysadmin, and we hold you to a higher standard of "reasonable prudence" by virtue of your knowledge of the consequences. This would be analogous to the trained fighter or black belt getting into a fistfight and whaling on some poor schmoe. Regardless of who "started it", the fighter is going to be held to a higher standard of control and "carefulness".
Of course, that said, you could also use a defense based on trespass, in which you argue that, because the attacker was not authorized to use your system, as long as you weren't specifically stockpiling "munitions" there :-), you're not liable for the attacks based out of your system. I'm not sure what case law in the real world says about this. If you left your front door open and a sniper walked in, sat down in your living room, and started taking potshots at passers-by, would you be liable? Would the court say that, because you failed to lock your door, or deadbolt it, or whatever, you were negligent?
Tough to say, these days.
Thankfully, I'm not a lawyer, so I don't have to worry about such weighty theoretical issues :-)
I agree with you, but at the same time I also believe the issue is not the same. The machine with Outlook installed is what Microsoft provided. Using your arguments you could argue that installing Outlook on a machine is the same thing as putting a destructive virus on a floppy and leaving it in public place. Wouldn't the creator of the software/virus be held liable?
and see who it's to :)
It's nothing but crumpled porno and Ayn Rand.
I don't have a girlfriend, YIC.
Every time? how often do you do this, anyway?
It wouldn't stop any spam filter I have seen.
Ah well, probably some ISP out there has such a silly filter.
I was envisioning something smarter along the lines of hidden fields (have a look at ye average web form , a lot of them have hidden fields to hold state and tracking info).
For example as I type this, let me look at the "Page Source". Ooo lookee, on slashdot itself....
I'm thinking along the lines of...
ie. Workout the encoding for the hidden fields and tweak them to freak out any automated processing software the spammers use.
A similar idea is to feed carefully crafted cookies to web servers to crack them.
For example, I would guess that the spammers spam each newsgroup / discussion list with a slightly different URL, the URL goes exactly the same place but records which spam campaign produced the best results.
Now tweak that URL in crafty ways and you may DoS their server.
... 22Megs, because I've been saving it to train Spamoricle.
Post your e-mail address here and I'll send the spam.tar.bz2 file to it.
There, what could be more helpful?
The best (worse?) way to get spammed is to fill out online survey. You know those free online IQ tests with the inflated scores (I scored 182 and I have problems doing my taxes ;))? If you use your real email address you will feel very dumb about a week later when your mailbox fills up with "Get a collAge degree at home!!" mails. ;)
Also start sending those cute greeting card emails to yourself. Most of those are just collectors for emails.
I think they stopped cruising USENET for emails. To few people use their actual emails there anymore...
Spell cheek you've failed me four the last thyme!
I'm sure your now addresses have been harvested by a number of systems already. You'll have to wait, though for a client to buy a list, or another wave of mailings to go out before one is sent to you.
Too big to fail? Does that make me to small to succeed?
I tried to put up what looked like an open proxy on port 8080, which simulated the right error codes in in case people connected to port 25 out in town.
Within a week I was getting 100.000 spam mails a day. Within 2 weeks I was over 1 million spam mails a day.
So just pretend to have an open mail server, and you can get all the spam you want, and harvest all the addresses you care about.
Here's a neat trick that I figured out for building a "honeypot filter" that identifies and blocks all incoming mail that matches the spam harvested in a honeypot e-mail address before any e-mail is delivered to personal mail accounts. Since the honeypot address is used for nothing else but harvesting spam, using the spam received in the honeypot to identify and block incoming spam guarantees that there will be never be false positives (which is more than most filters can say). If the honeypot is being spammed by the worst offenders, you can be sure the spam that is being received there is being sent to millions of others. This honeypot technique is one of the simplest solutions for reliably blocking spam, but it is contingent on having the honeypot being very thoroughly spammed.
So, here's the hack for getting a honeypot address into the databases of real spammers.
First, you need an existing address that is thoroughly infested with spam. If you look at most spams, they usually have some thing at the bottom that says something to the effect of "click here to be removed from our mailing list."
In some of the spams that I've looked at, the link has CGI script variables in the URL. You'll probably see the e-mail address in one of the fields. Replace this e-mail address with the address of the honeypot address, and go to that site.
The page you go to will usually have two options: "remove me from your list" and "Please continue to alert me of special offers". Select the latter, and submit the form. The e-mail address you substituted into the CGI script will probably start receiving spam real soon.
Some spammers will spam you even more if you click on the "remove me" list, because it just proves that the address is live. Before you click on the link, copy it, and edit the field in the CGI script that looks like an e-mail address, substituting the honeypot address for the one in the link. Then, go to the URL and "remove" yourself. You are likely to just start getting spam in the honeypot, especially from unscrupulous spammers.
hmmmm... this must do something really interesting to the computer or disk to have a warning like that...
Next step would be to see if I could induce what the intent behind the restriction would be. If I couldn't reason it out, then I might be tempted to try to dupe the disc and put it in another computer (*Always* mount a scratch monkey.)
In fact, putting an admonition involving tech in front of a geek is like putting something bright and shinny in front of some people.
but on the other hand you just found a way to physically "tar pit" a geek for a better part of an hour....
______
Once: you're a philosopher. Twice: a pervert.
Much harder than it seems. A spam trap address can take months or even years to get up to the same levels of spam as other addresses.
Some techniques;
Unsubscribe the address.
Apart from proving that some spammers actually do harvest from unsubscribes, this method isn't very effective, because some spammers actually do remove you from their lists.
(of course, if you only unsubscribe addresses that don't get any spam, it can't get worse.)
Dictionary attacks. If you run a mail server, you will occasionally be attacked. Either pick easy to guess names, or accept any name that fits a rule. It's a good idea to always reject the first name (unless it's already in your lists) since some spammers start with a 'test' name.
Also, there will be plenty of names tried, so there's no need to accept a suspiciously high percentage. Choose a simple rule that rejects a fair percentage of the names.
For example, accept any name which has a '5b' as the last hex character when hashed.
If your server has any extra delays after a bad name, remove them.
Buy expired domains.
Some of my best trap addresses are from previously owned domains.
Posting to usenet.
I've not had much luck with this.
Posting to mailing lists.
This also seems fairly hit or miss.
Posting to websites.
Works eventually, but it can take a long time.
Setting them in Ineternet Explorer.
Some web sites have javascript that can grab your email address from your browser.
(bonus points if you write this up in a proposal)
When you get spam...
Read the web pages. Once you actually get spam, either read it in a browser, or download all the links with wget. Some spammers are paying attention, in particular it seems, the ones who sell addresses to other spammers.
Respond. When you get one of those weird messages like "Are you the same noc-staff I went to school with?" Respond with a simple "sorry, wrong guy."
-- this is not a
Online sweepstakes are a great spam generator. Sign up for Publisher's Clearing House and opt-in to everything.
Your fantasies contain the seeds of important concepts.
Easily the three best ways to collect spam are to create a hotmail account. Then register a brand new domain with that address publicly available. Then join match.com (I think they still offer a free trial of some kind) and watch the spam pour in.
My wife created a unique (with numbers) hotmail account when she joined match.com (we met on matchmaker.com) and used it only for that purpose. Today she gets hundreds and hundreds of spam on it even though it's been entirely inactive for 3.5 years!
Match customer service claims they don't sell addresses and that it's hotmail's fault. Either way, the two together seem to be a quite effective spam trap
Of course, if you're just looking for a corpus of spam to test against, there's plenty out there. Google for +"spam corpus" to find several good sites.
Hope that helps....
--D
Seriously, I ran in 2002 and made the mistake of giving my prefered email address to anyone who wanted to contact me, of course, every newspaper in my district posted it on their website, leagues of voters same, etc.
I now get about 50+ spams a day... nicely controlled with spamassasin.
Here are two controlled studies of which activities attract spam, and how much:
"Why Am I Getting All This Spam? Unsolicited Email Six-month Report"
"The Great CNET Spam-off"