What is a “spam honeypot” or Spamtrap?

ISPs and spam tracking services like Spamhaus and SORBS rely on spamtraps or 'honeypots' to catch spammers – but what exactly is a 'spam honeypot', and how do you avoid hitting one?

The bulk of the spamtraps and honeypots today come from dormant email accounts and/or closed domains. The logic is simple: a dead email inbox can't opt in to receive email, so anyone sending email to one of these spamtrap addresses is likely sending unsolicited email.

ISPs (Yahoo.com, msn.com, gmail.com for example) review their list of email boxes regularly and disable accounts that have been inactive for a long period of time. They allow the addresses to sit disabled for six to 12 months, during which time any legitimate email marketer should notice the hard bounces and remove the addresses from their lists. After that period, ISPs re-activate these addresses and convert them into spamtraps/honeypots in an attempt to catch spammers. Anyone still sending email to them after such a long time has either purchased an old list, used software to pull email addresses from web sites (also known as scraping), or not been performing basic email list hygiene.

Similarly, when a domain becomes inactive and is not renewed, after a holding period of 6-12 months, hosting companies (godaddy.com for example) will disable the domain's email services and forward any email sent to these domains to blacklists such as spamhaus.com or SORBS. These honeypots are a bit trickier, however, as many of them will quietly accept your email without reporting back to your email server that the email address is defunct, so you'll never know you've hit a spamtrap until after you've been blacklisted.

Some spam tracking services (SORBS, 5-10) use fake websites to capture spammers. They create bogus websites and place hundreds of email addresses on the sites, on pages hidden within websites, or even in files called ‘email-addresses.txt’. When spammers scan the sites (using site scrapers) for email addresses, they find the addresses and download them to build their lists. Blacklists know that emails sent to these honeypots/spamtraps are from “scraped” or purchased non-opt-in lists. This is how the term “spamtrap” was created. (By the way, site scraping is illegal in the US and in many other countries.)

So how can senders best avoid spam traps and optimize email marketing results?

Simple – follow good list hygiene practices and don’t buy lists:

  • Use a real-time email correction service to help keep problematic email addresses from ever entering your marketing database.
  • Remove any hard bounces immediately.  Any viable email service provider will automatically remove hard bounces.
  • Update your opt-out file on a regular basis and always honor your subscribers’ wishes.
  • Clean your file on a quarterly basis to remove dormant email accounts and closed domains, suspect and malicious addresses, and possible spam traps.

You should also measure email engagement with your email subscribers.  This means identifying subscribers who open or click on your emails, and focusing your campaigns on them. The rest of your file should be segmented for fewer mailings, and eventually removed from your marketing database.  Anybody who has not opened your emails in six months to a year should be sent a request to re-engage, and be removed from your list if they don’t respond.
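The hygiene rules above (drop hard bounces, honor opt-outs, ask dormant subscribers to re-engage, then remove those who stay silent) can be expressed as one classification pass over the list. This is an added example, not code from the article: the record layout, the 180-day dormancy threshold (the low end of the "six months to a year" window) and the 30-day response grace period are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumed thresholds: the article gives "six months to a year"; the grace period is ours.
REENGAGE_AFTER = timedelta(days=180)
REENGAGE_GRACE = timedelta(days=30)

@dataclass
class Subscriber:              # hypothetical record layout
    email: str
    subscribed: date
    last_engaged: Optional[date] = None    # last open or click, None if never
    hard_bounced: bool = False
    opted_out: bool = False
    reengage_sent: Optional[date] = None

def classify(s: Subscriber, today: date) -> str:
    """Return the hygiene action for one subscriber."""
    if s.hard_bounced:
        return "remove:hard_bounce"        # remove hard bounces immediately
    if s.opted_out:
        return "remove:opt_out"            # always honor opt-outs
    last = s.last_engaged or s.subscribed
    if today - last < REENGAGE_AFTER:
        return "active"
    # Dormant: ask once, then drop if the request goes unanswered.
    if s.reengage_sent is None or last > s.reengage_sent:
        return "reengage"
    if today - s.reengage_sent < REENGAGE_GRACE:
        return "pending"
    return "remove:no_response"

def plan(subs, today):
    """Map each address to its action."""
    return {s.email: classify(s, today) for s in subs}

# Constructed sample data (not real addresses).
TODAY = date(2024, 6, 1)
SAMPLE = [
    Subscriber("active@example.com", date(2022, 1, 1), last_engaged=date(2024, 5, 1)),
    Subscriber("bounced@example.com", date(2022, 1, 1), hard_bounced=True),
    Subscriber("optout@example.com", date(2022, 1, 1), opted_out=True),
    Subscriber("dormant@example.com", date(2022, 1, 1), last_engaged=date(2023, 10, 1)),
    Subscriber("asked@example.com", date(2023, 1, 1), reengage_sent=date(2024, 5, 20)),
    Subscriber("silent@example.com", date(2022, 1, 1), last_engaged=date(2023, 6, 1),
               reengage_sent=date(2024, 4, 1)),
]
```

Addresses classified as "active" are the engaged segment to focus campaigns on; everything under "remove:" should leave the marketing database.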

Can I buy / acquire a list of known spamtraps?

Not really – making a list of known spamtraps/honeypots available would defeat the purpose as spammers could easily then avoid sending to them.