
How-To Implement and Monitor Sacrificial Lamb Spam Traps

Background

Spammers are constantly scouring the Internet looking for fresh targets for their trash. Empirical studies show that Spammers harvest e-mail addresses from websites, discussion groups, web blogs, chain letters and any other source they can find.

Spammers are so effective at harvesting e-mail addresses from websites that some people report receiving spam (on their website-published e-mail address) in as little as 8 hours from the time the e-mail address is first posted to the site. Because of this aggressive harvesting, many people believe that it is no longer practical to publish your e-mail address on your company or personal website.

Note: PerfectMail is so effective, you can safely publish your e-mail address on your web site. Follow this link to find my full contact info.

Sacrificial Lambs

Surprisingly, an effective way to defend against spam is to give Spammers exactly what they want! PerfectMail includes a feature aptly called Sacrificial Lambs (or SacLambs). SacLamb accounts are spam traps that we set to trick Spammers into identifying themselves. Another name in common use for intentional spam targets is Honey-Pot e-mail accounts.

The SacLamb strategy is simple: create a bogus e-mail account, hide that account on your website, let Spammers harvest the bogus address from your website, and then block all e-mail traffic that includes a SacLamb e-mail address in a message's recipient list.

If Spammers simply e-mailed the SacLamb account, this strategy wouldn’t get us very far. However, spamming is a volume game, so most Spammers organize their mailing lists by target domain. Then, for efficiency, Spammers instruct their mail server to deliver a single message to all of the valid e-mail addresses they know in the target domain. If a SacLamb account is included in the recipient list, then the Spammer is caught and we can safely block their message.

PerfectMail’s SacLamb feature looks for pre-defined SacLamb e-mail addresses in the recipient list of every in-bound message. If a SacLamb e-mail address is found in the recipient list, PerfectMail:

  1. Quietly removes all legitimate e-mail addresses from the recipient list (so legitimate users don't receive spam)
  2. Adds or updates an entry in its reputation system to mark the sender as a SacLamb spammer
  3. Returns a standard e-mail success code so that the Spammer is led to believe that all recipients received their trash
  4. Silently discards the message

This strategy is effective because:

  1. Virtual SacLamb accounts can be created in PerfectMail in just a few seconds
  2. Adding SacLamb e-mail hyper-link references to your website is fast and easy
  3. If implemented properly, no legitimate sender should ever discover or e-mail the SacLamb account
  4. PerfectMail supports virtual e-mail accounts (accounts that exist on PerfectMail but not on the protected mail server) so there is no requirement to add the SacLamb account on the protected mail server(s).
  5. Spammers are tricked into believing that their message was delivered. This encourages them to continue sending spam, so they continue to identify themselves as bulk Spammers.
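
The four handling steps listed above can be modelled at the SMTP envelope level. This is an added sketch, not PerfectMail's own code; the class and function names, the lowercase address comparison, and the treatment of an already-flagged sender are assumptions, and the envelopes are constructed.

```python
from dataclasses import dataclass, field

def normalize(addr):
    """Strip angle brackets and whitespace, lowercase for comparison."""
    return addr.strip().strip("<>").strip().lower()

@dataclass
class Verdict:
    smtp_reply: str      # what the sending server is told
    deliver_to: list     # recipients that actually receive the message
    trapped: bool        # True when the message was silently discarded

@dataclass
class SacLambFilter:
    saclambs: set                                   # trap addresses, lowercase
    reputation: dict = field(default_factory=dict)  # sender -> trap hits

    def check(self, mail_from, rcpt_to):
        sender = normalize(mail_from)
        recipients = [normalize(r) for r in rcpt_to]
        hit = any(r in self.saclambs for r in recipients)
        if hit:
            # Step 2: add or update the sender's reputation entry.
            self.reputation[sender] = self.reputation.get(sender, 0) + 1
        if hit or sender in self.reputation:
            # Steps 1, 3, 4: drop every recipient, report success, discard.
            # Assumption: a previously flagged sender is answered the same way.
            return Verdict("250 OK", [], True)
        return Verdict("250 OK", recipients, False)

# Constructed envelopes for illustration.
FILTER = SacLambFilter({"saclamb@yourdomain.com"})

def demo():
    spam = FILTER.check("<bulk@sender.example>",
                        ["msmith@yourDomain.com", "SacLamb@yourDomain.com"])
    later = FILTER.check("bulk@sender.example", ["msmith@yourDomain.com"])
    clean = FILTER.check("friend@partner.example", ["msmith@yourDomain.com"])
    return spam, later, clean

if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The second call shows why a trap address that still receives valid mail is dangerous: once a sender is flagged, their ordinary messages are dropped as well.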

Implementing SacLambs

There are two simple tasks that must be completed when implementing SacLamb spam traps. Be sure to complete these tasks in the order specified:

  1. Add the SacLamb e-mail address to PerfectMail’s SacLamb list
  2. Add a camouflaged e-mail hyperlink or an HTML comment to your website that refers to the SacLamb account

Adding a SacLamb Account to PerfectMail

You can add a new SacLamb account to PerfectMail by completing these simple steps:

  1. Log onto PerfectMail with a privileged account. admin is one possible account name, but you may have set up others.
  2. Click Domain Config, then SacLamb
  3. Add the full SacLamb e-mail account to the text box that lists all defined SacLamb accounts
  4. Click Update.

Adding a SacLamb Account to your Web Site

For SacLamb accounts to be truly effective, they must be camouflaged so that they do not appear visible on your website. The easiest way to do this is to include a little bit of HTML code that renders the e-mail hyperlinked text in the same color as the background of your web page. For example, if the background color of your website is white, you would create an e-mail hyperlink with white text.

Here is an example of HTML code that would camouflage your SacLamb link by creating white text. The white background would have to be defined earlier in your HTML code:

<style type="text/css">
<!--
a.hide:link    { color: white }
a.hide:active  { color: white }
a.hide:visited { color: white }
-->
</style>

<a class="hide" href="mailto:saclamb@yourDomain.com">anything</a>

It is best to place this link in some out-of-the-way place on your website. Toward the bottom right of the page is a good choice if there are no other active hyperlinks in that location.

You should try to use a very small amount of linked text (the word anything in the example) so that users are less likely to accidentally hover over the link and discover it. A single character is sufficient. Note that a blank or a no-break space (HTML &nbsp;) does not work.

A potentially less effective but safer alternative is to put your SacLamb e-mail address in an HTML comment. It might look something like this:

<!-- for more information e-mail mailto:saclamb@yourDomain.com -->

This approach is advantageous because no mysterious hyperlinks are created on your web site and your hyperlink properties are not redefined.

When using HTML comments, be sure to include the mailto: reference. This is an HTML directive that indicates that the text that follows is a valid e-mail address.
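
The two placement rules above (link text must not be blank or a no-break space, and a comment must carry the mailto: prefix) can be checked before a page is published. This is an added example, not part of PerfectMail; the class and function names are hypothetical and the sample markup is constructed from the page's own snippets.

```python
from html.parser import HTMLParser

class SacLambAudit(HTMLParser):
    """Record how a trap address appears in a page: links and comments."""
    def __init__(self, address):
        super().__init__()        # convert_charrefs=True: &nbsp; -> "\xa0"
        self.address = address.lower()
        self.needle = "mailto:" + self.address
        self.findings = []        # (kind, ok, detail) tuples
        self._text = None         # link text while inside a matching <a>

    def handle_starttag(self, tag, attrs):
        href = (dict(attrs).get("href") or "").lower()
        if tag == "a" and href.split("?", 1)[0] == self.needle:
            self._text = ""

    def handle_data(self, data):
        if self._text is not None:
            self._text += data

    def handle_endtag(self, tag):
        if tag == "a" and self._text is not None:
            ok = bool(self._text.strip())   # strip() also removes "\xa0"
            self.findings.append(("link", ok, "ok" if ok else "blank link text"))
            self._text = None

    def handle_comment(self, data):
        lowered = data.lower()
        if self.needle in lowered:
            self.findings.append(("comment", True, "ok"))
        elif self.address in lowered:
            self.findings.append(("comment", False, "missing mailto:"))

def audit(html, address):
    parser = SacLambAudit(address)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample: one good link, one blank link, one comment without mailto:
SAMPLE = ('<A class="hide" href="mailto:saclamb@yourDomain.com">.</a>'
          '<a class="hide" href="mailto:saclamb@yourDomain.com">&nbsp;</a>'
          '<!-- for more information e-mail saclamb@yourDomain.com -->')

if __name__ == "__main__":
    for finding in audit(SAMPLE, "saclamb@yourDomain.com"):
        print(finding)
```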

Monitoring SacLamb Activity

PerfectMail logs all SacLamb activity. It is instructive to periodically view the SacLamb logs to see how long it takes Spammers to find your SacLamb account as well as how much spam is stopped by your SacLamb account.

You can review the SacLamb log file by following these steps:

  1. Log into PerfectMail
  2. Click Logs
  3. Click SacLamb
  4. Review the most recent SacLamb activity by scrolling the text window. Note that the most recent activity is at the end (bottom) of the SacLamb log.

Don't worry if you don’t see immediate results. Give Spammers a few days to a week to find your SacLamb and add it to their spam lists. You should see the effect of your work shortly.

Selecting SacLamb Account Names

There are two common strategies for selecting SacLamb account names:

  1. Make up something completely new that will not conflict with any existing e-mail account
  2. Use a very old e-mail account, perhaps one belonging to an employee or customer (if you are an ISP) who is no longer associated with your organization.

The safest approach is to use a completely new e-mail name. Create a name that is different from all valid accounts so that people don't accidentally e-mail your SacLamb account if they mistype a valid user's e-mail address.

For example if msmith@yourDomain.com is a valid account, smithm@yourDomain.com would be a poor choice for a SacLamb e-mail name. A better choice might be dontEmailMe@yourDomain.com.
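
A candidate SacLamb name can be screened against the list of valid accounts before it is used. This is an added example, not a PerfectMail feature; the function names and the edit-distance threshold of 2 are assumptions, and the account list is constructed around the addresses used above.

```python
def edit_distance(a, b):
    """Levenshtein distance: insertions, deletions and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete from a
                           cur[j - 1] + 1,             # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]

def risky_matches(candidate, valid_accounts, max_distance=2):
    """Return (account, distance) pairs a typo could turn into the candidate.

    An account is risky when its local part is within max_distance edits of
    the candidate, or uses the same letters in a different order
    (msmith / smithm). max_distance=2 is an assumed threshold.
    """
    cand = candidate.split("@", 1)[0].lower()
    hits = []
    for account in valid_accounts:
        local = account.split("@", 1)[0].lower()
        distance = edit_distance(cand, local)
        if distance <= max_distance or sorted(cand) == sorted(local):
            hits.append((account, distance))
    return hits

# Constructed account list for illustration.
VALID = ["msmith@yourDomain.com", "jdoe@yourDomain.com"]

if __name__ == "__main__":
    for name in ("smithm@yourDomain.com", "dontEmailMe@yourDomain.com"):
        print(name, risky_matches(name, VALID))
```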

Be very careful if you are considering using old, stale e-mail addresses (that were once valid) as SacLamb addresses. Before you use the account, monitor it for a few weeks (months would be safer) to ensure that it only receives spam. Do not use the account if it receives any valid e-mail (even if you currently ignore that e-mail).

Warning: Using an account that receives valid e-mail as a SacLamb account will result in all senders (to that account) being identified as SacLamb Spammers. There is currently no facility in PerfectMail's web interface to manually reset a sender back to a valid sender (from a SacLamb sender). The result: no one within your organization would be able to receive e-mails from that sender ever again.

If you do accidentally identify a valid sender as a SacLamb Spammer, call XPMsoftware support at (888) 451-3131. We can log into your appliance and make the appropriate fix (ssh access to your appliance must be available).

Summary

SacLamb virtual e-mail accounts are simple and quick to implement. They require only minor changes on your website and they are completely safe and highly effective in identifying bulk Spamming.

Implementing SacLamb accounts is gratifying for e-mail administrators because your work will play a significant part in reducing the amount of Spam your e-mail community receives.

Questions and Answers

Q. How many SacLamb accounts should I make?

A. One should be sufficient. If you host multiple domains, you should consider creating at least one SacLamb e-mail address for each domain you host. Be sure to add each SacLamb account to the domain's website or your SacLamb trap will be much less effective.

Q. Can't I use just one SacLamb account for all domains?

A. Yes, but one account per domain is more effective. Different Spam gangs may be spamming different domains on your mail server. If the gang targeting a domain doesn’t find your SacLamb account, then that domain won't be protected by the SacLamb account.

Q. Does SacLamb processing slow down PerfectMail?

A. Not at all. We’ve timed SacLamb processing and it takes an immeasurably small amount of time (less than 1/10,000 of a second on our lowest-cost appliance) to scan the recipient list for SacLambs.

Q. Is there any limit on the number of SacLamb accounts I can make?

A. No, but we don’t believe that there is much benefit to making more than one SacLamb account per domain.

Q. I made a SacLamb account and placed a link on my website and I’m not seeing any activity. Should I remove the SacLamb link?

A. No. Depending on the amount of attention your site receives from Spammers, it may take a month or more for your SacLamb account to produce results. Please be patient, they will find you.

Q. Which strategy is better, e-mail hyper-links or HTML comments?

A. E-mail hyper-links are best because they clearly identify e-mail accounts in a way that attracts spammers. The downside is that you may have unwanted links on your site. Use HTML comments only if the unwanted links (to the SacLamb account) on your web site are undesirable.

Q. Do you have a SacLamb link on this site?

A. Yes. Check directly under the XPMsoftware (Antispam and Anti-virus solutions that work) image on the bottom left of this page.

For More Information

XPMsoftware Inc.
www.xpmsoftware.com
Toll Free: (888) 451-3131
Direct: (905) 451-9488
Facsimile: (905) 451-7823
© 2003-2007 XPMsoftware Inc.
All rights reserved.

Last Updated: Wednesday January 07, 2009