Where Is Spam When You Want It?

Sean writes "In a complete twist to what everybody else is trying to do these days, I need to attract spam to an e-mail address for a research survey I am conducting. I have submitted a few articles to a handful of Usenet groups, and I have signed up to some general mailing lists but so far I have nothing to show for it. How come by personal account gets 100+ spam each day yet when I try to find it I get nothing? Where should I post my address so that it attracts spam?"

Hotmail.

[pi_rules]

Sign up for an account there, forward the spam to your new mailbox and start following links to advertisements and such. If they ask for your email address, give it to them. Won't take long.

usenet isnt that great

[Shaklee39]

Try signing up for a few mailing lists for marketers. Usually they will sell these to other companies who will in turn sell it to other companies and so on. Most email addresses are not spammed by having it available on google but rather giving it to the companies that do the spamming.

Domain registry

[jhines]

I get spam from my domain registry, which has an email associated with it. I get the Nigerian stuff this way.

FREE pr0n

[Anonymous Coward]

sign up for those "free porn in your email" things.
works every time.

Ebay

[NetDrain]

Make an ebay account with your email address in it and just start bidding. This is an excellent way to ruin an otherwise perfectly good email address. I was doing all right on the spam front until I did this. Big whoops. *hits head on desk* Yeah, stupid me.

You'll quickly become inundated with "How-tos" to Ebay, "official" emails from Ubid by people attempting to fraudulently gain access to your personal information, more tips-and-tricks, more offers from uBid, and of course a plethora of marvelous online drugstore advertisements.

Enjoy.

use online greeting card companies

[Indy1]

also try porn sites, gambling sites, and more importantly, paste it on slashdot. My spam trap address here gets hit ALL the time, usually several times a day, which has helped me greatly in tuning my firewall.

'Unsubscribe'

[Anonymous Coward]

In your own inbox, get a couple of hundreds of spam.

Take the urls (DO NOT CLICK ON THEM) and strip them of the stuff after the '?' .....

Go to each of those 'unsibscribe' pages and put the test account in the email to be removed box.

Its the best way to get spam. The spammers will generally use it as confirmation that your address does indeed exist, and theyll happily put you in their alive list, where you are shure to get everything they are selling.

http://www.spamarchive.org/

[foonf]

I was in the exact same situation, actually, and found spamarchive.org [spamarchive.org] to be very helpful. Any one of the files on their ftp site should have enough spam to keep you busy for a while.

Spamarchive

[endquotedotcom]

Why not just download some from spam archive [spamarchive.org]?

What's worked for me...

[Dinosaur Neil]

Based on a friend's suggestion, I created an alternate e-mail address and used it to create user IDs on classmates.com [classmates.com] and match.com [match.com] and, sure enough, until I kill the ID months later, I was getting 30+ spams a day after my ISP was done with its own filtering. I wasn't being very scientific and I don't know if it was one or the other or both, but it's a place to start...

A few thoughts

[rdean400]

- Post a comment on Slashdot with the e-mail address visible
- If on a popular e-mail provider such as AOL, Hotmail, or Yahoo, put up a profile and go to a chat room.
- Allow your e-mail address to be listed on any of the directories.
- Put your e-mail on a Geocities website.

It's easy.

[NerveGas]

Put it on a web page which gets any moderate amount of traffic. I did that with some spam-bait addresses, and it's amazing how much they generate. In a few months, they've identified over 22,000 unique servers sending spam.

steve

Lots of Contests

[jarito030507]

Enter your email address into as many contests as you can. Those things have absolutely no reason to exist except to farm email addresses.

Some links of the sweet, sweet google:
Here [sweepstakes-contests.com]
Again [about.com]
And Again [acuwin.com]

If you search for 'contests' and click on the sponsored link then you should have an abundant source. Also, if you sign up for a few of those "Free" trials at porno websites, you should start to get some serious spam.

Try Free For All Links style sites..

[i_want_you_to_throw_]

That and better yet the sites that will submit your web site to hundreds of search engines [google.com]. That will get you to the FFA style sites quick. I did this when I needed an account to test SpamAssassin on. Worked like a charm. Better yet, give /. ers an Email and we can set a forward to you of some junk.

Hey I got plenty!

Posting in public forums

[AEton]

Post to Google Groups [google.com] on many well-frequented lists (don't cross-post!) with the address. Sign up for a Slashdot account and write generally informative (+5! +5! +5!) tripe with your real email address tied to it.

You also should've specified the test email in your story submission (i.e. Sean [mailto] writes:) -- too late for that now, of course. In the slashdot@myname.endjunk.com emails I've provided, I've easily gotten 10+/day within a few hours of first posting. Neat.

Look at my email addy...

[pair-a-noyd]

I made up a semi-bogus email addy, it's real in that mail sent to it gets to me, but when I'm done, I'll flush it down the tubes.

I used it to attract spam so that I could train spamassassin for my use and for a few friends and family.

I went and dropped it all over usenet in the pr0n groups, went to every viagra site I could find, clicked on every banner add I saw.

It took a few weeks but I finally got the desired results. You'll have to put up with some extremely offensive email for awhile so make sure the wife and kids can't get to it during this phase.

After doing this for a few weeks I was getting 50+ spams a day. Now that I have spamassassin all tuned up I just don't check mail on that account. Once I feel that I no longer have the need to tweak SA, I'll just dump the account..

Too bad this doesn't work for TV commercials...
HEY! How about an app that, er, nevermind...

Re:Ebay

[djrogers]

Well, I can't speak to your specific circumstances, but I've been using a specific ebay-only email address for 3 years now, and have not had one single spam sent to it. Bought and sold plenty of stuff too... Perhaps you need to re-check what little information sharing checkboxes you forgot to uncheck with ebay?

Re:Ebay

[Lost Race]

Same here. I had one seller decide that my transaction with him was an "opt-in" for his monthly advert spam, but he LARTed easily enough. I've never gotten any random MakePenisFast or WindowsInfectionDuJour spam on my Ebay-only address.

Re:Outlook...

[Anonymous Coward]

What in the blue hell is "address'" supposed to mean? If you are trying to pluralize the word "address" then you want to use the word "addresses." Christ Almighty, where the fuck did you go to school?

Re:Outlook...

[KrispyKringle]

Isn't this (more or less) the point of a honeypot? Granted, the owners would presumably step in if they saw anything extremely dangerous going on, but this is fairly common,tried-and-true practice. Ever read _The Cuckoo's Egg_?

How about a dictionary lookup

[willy134]

I happen to have several email addresses that are like my username here. I get spam for willy001 willy002...willy134...willy156.... If you set up an email address on a domain that is very well spammed (hotmail excite yahoo...) with a name like john12345 and that might induce spam.

wait longer?

[forevermore]

How long have you waited? Though some people here talk about getting their honeypot addresses spidered in a matter of hours, you do have to rememeber that even if the spam spiders are running 24/7/365, it may take them awhile to get back to the pages and articles that you posted (my guess is that usenet groups are also prioritized pretty low, as I know people who post there often, and have for a long time, and never received spam to those addresses).

The best way to get spam? Put your email address into a popular HOWTO, or run a 3-letter domain (a friend of mine gets about 2/second to his three-letter domain). And be patient.

But if you want some of mine, I'm happy to get rid of it. ;)

Re:Yahoo Games

[rkz]

Thats not Yahoo's fault that hotmail autobot spammers who do dictionary spam attacks on hotmail servers. Because hotmail is so popular they get many valid hits.

just use mailinator.com for throw away email.

Re:Change your thesis - Decode the encryption.

[ceejayoz]

It's not encrypted data - it's merely random text intended to throw off spam filters.

Send one of those e-greeting cards

[DarkEdgeX]

Specifically, not one that's from an actual brick and mortar greeting card maker. 9 times out of 10, you'll be sure to be not only adding YOURSELF (the sender) as a future spam victim, but whoever you entered as a recipient for the e-greeting card.

My Spam corpus

[orthogonal]

I have an address I used for about three months on usenet, only in the comp.lang hierarchy.

I may have used it for a few web sites, but the only one I recall is a local political organization which I doubt would have sold, or had the expertise to sell, its list. Still, the data is tainted, and I can't say it all comes from usenet.

According to DejaGoogle, I last used it 18 April 2002, and it was last referenced in a follow-up message 5 May 2002. I first used it 15 February 2002.

For a while I had my ISP forward mail to that address to "nothing" until I worried it might be piling up on the server somewhere (I don't know what forwarding to "nothing" means in the ISP's web control panel). So there are no messages for most of the month of May 2003.

Disregarding the emails from the political organization, there are 1733 emails; the earliest is dated 16 July 2002, the lastest today 21 Sep 2003. (There are probably earlier emails to this address which have been archived.)

So that's a span of 432 days, not subtracting the period when I wasn't having the email forwarded. Again not subtracting the un-forwarded days, that's ~4 per day.

Note that this is only spam to this particular "sacrificial" address; it does not count the large amount of spam that, thanks to having some idiots as "friends", hits my "real" address.

I have not been subject to any dictionary attacks on my domain name, but I have gotten about 105 spams to admin@mydomain in the same time period. This pushes the daily average to ~4.25/day.

Since I started getting a lot of spam, I've made a practice of assigning each commerical contact or mailing list a different address (theirdomain.tld@mydomain.tld generally); surprisingly, these get very little spam, despite getting large volumes of legitimate mail each day.

Wait.

[MisterFancypants]

I think you have to wait, as from what I understand most of the people who spam actually buy spam lists from other people. The spam lists seem to be compiled like phone books, so they send out batches of addresses like every month or so. I'm sure your mailbox will be stuffed to the breaking point about two months from now.

Send yourself a Free!! E-Greeting!!!

[perp]

I recommend NewFunPages [newfunpages.com] for getting lots of spam to an account that never used to get spam.

Then start clicking on the Unsubscribe links.

Re:worked for me

[seizer]

Not a throwaway domain, but:

http://xult.org/email.html [xult.org]

Surprisingly few spams have arrived. I suppose the page isn't that high traffic.... yet ;-)

SpamCop's list of websites == Game Over

[Nat3d066y]

So you want a lot of spam, do ya?

http://www.spamcop.net/w3m?action=inprogress&typ e= www

That's Spamcop's list of spam-vertised web sites. All of those sites have submission forms; just put the email address in there and you'll be rockin' and rollin' within a few hours. I got into a 'spam war' with one of my roommates back in college, and with that Spamcop list I was able to render his email account COMPLETELY useless within a couple of hours (If you're reading this, sorry 'bout that Brian... )

Speaking of spam, on a random side note, I've recently started checking all of my email accounts with Shadango.com. Anybody else tried that yet? Shadango allows you to have advanced filtering applied to ALL of your existing accounts (both POP and IMAP). It's frickin' great. So now I don't get any more spam, plus I can check all 5 of my email accounts from one place. They've also got file storage, a calendar, etc. It's money. Check it out.

-Nate

Re:Murphy's Law part2...

[theonetruekeebler]

It's called the Law of Non-Reciprocal expectations:

• Positive expectations yield negative results.
• Negative expectations yield negative results.

A special case of this is the demo effect: The best way to make your pride-and-joy crash on the first keypress is to invite your boss's boss in to watch it run.

Likewise, the only way to attract spam is by trying to avoid it.

Re:http://www.spamarchive.org/

[whizkid042]

spamarchive.org is nice, however if you take a look at their stuff you will notice that all of the headers are messed up (because folks forward the spams to spamarchive). I was looking for a large collection of SPAM to train spamassassin with and found spamarchive.org to be unacceptable because the email headers were tampered with.

free shadango account?

[Brainiac252]

Yo, I was involved in the alpha testing of shadango awhile ago. When I signed up I used the word "alphabase" in the promotional code box. It got me a paid tester account...i think it might still work. From my experience Shadango is definitely worth the try. Ian Welsh

Re:Hotmail.

[jonadab]

> Maybe I'm paranoid, but I can't stop thinking that's MS fault!

It's been a couple of years, and their EULA has probably changed two
dozen times ad interim, but when I actually read Microsoft's privacy
policy, it essentially said, in heavy verbiage, "we will sell your
address to whomever will pay for it". By heavy verbiage, I mean
something of the form, "may share said contact information with
select business partners in order to provide value-added services"
or some such rot. If your eyes glaze over at the first hint of
weaselese, you wouldn't catch it, but it seemed pretty clear to me
that they were saying they would sell my address. Maybe I'm just
paranoid, though. After all, Microsoft is a very reputable company,
as everyone here knows, and so maybe I'm just not giving them enough
benefit of the doubt in my poor understanding of EULA verbiage.

Some solutions

[nuwayser]

1. news.admin.net-abuse.sightings [google.com]

2. spamarchive.org [spamarchive.org]

3. Build a Spam Honeypot [google.com]

hth
pete

BlueCat Networks....masters at combatting SPAM

[RazorJ_2000]

BlueCat Networks www.bluecatnetworks.com have this really cool product called Meridius. It's an anti-SPAM Mail Relay appliance. Typically sits in the DMZ. Why don't you contact them and ask them about SPAM?

click on it...

[IthnkImParanoid]

and see who it's to :)

Re:Outlook...

[Ymerej]

Okay, let's talk about the box of goodies. Let's say you leave a box of weapons outside with full knowledge that a neighborhood kid will probably find it and will likely use the contents for something illegal. If that happens, do you think you are partially responsible for whatever happens?

...

You're exactly right - you aren't responsible for others' actions. In this case, you'd be liable for your irresponsible action.

Yes, that's exactly right. This is what's known as an attractive nuisance [nolo.com]

Re:Outlook...

[zbuffered]

"How many people do you know that use Outlook and may have your email in their address book? The bitch of the matter?"
There is an easy defence against this: ... bla bla sneakemail bla bla

That works just fine, but it gets even easier:
Own your own domain.
Have your e-mail setup to forward *@yourdomain.com to your actual e-mail address.
Never give anyone your e-mail address. Give everybody different e-mail addresses to e-mail you at. Your friend jenny can e-mail you at jenny@yourdomain or whatever she'd like.
When you sign up for something, use an e-mail address like theirproduct@yourdomain or theirdomain.com@yourdomain.
Then you always know who's sending you what e-mail, and if one of the aliases gets bogged down with spam, flag it, bounce it, do as you will.

I bought my domain for $30 for 2 years, including the mail service (I don't have the resources to set up my own mail server). It works great and I don't get any spam.

Re:Outlook...

[amRadioHed]

The creator of the nuclear weapon didn't pull the trigger, but by your argument is somewhat liable for killing millions of Japanese. Aren't we, the scientists, just doing experiments?

Einstein didn't think so. He was a major influence in the creation of the nuclear bomb, and he did take responsibility for it, calling it the greatest mistake of his life.

http://hypertextbook.com/eworld/einstein.shtml#fir st [hypertextbook.com]

Got Spam?

[AnotherBlackHat]

"In a complete twist to what everybody else is trying to do these days, I need to attract spam to an e-mail address...

Much harder than it seems. A spam trap address can take months or even years to get up to the same levels of spam as other addresses.

Some techniques;
Unsubscribe the address.
Apart from proving that some spammers actually do harvest from unsubscribes, this method isn't very effective, because some spammers actually do remove you from their lists.
(of course, if you only unsubscribe addresses that don't get any spam, it can't get worse.)

Dictionary attacks. If you run a mail server, you will occasionally be attacked. Either pick easy to guess names, or accept any name that fits a rule. It's a good idea to always reject the first name (unless it's already in your lists) since some spammers start with a 'test' name.
Also, there will be plenty of names tried, so there's no need to accept a suspiciously high percentage. Choose a simple rule that rejects a fair percentage of the names.
For example, accept any name which has a '5b' as the last hex character when hashed.
If your server has any extra delays after a bad name, remove them.

Buy expired domains.
Some of my best trap addresses are from previously owned domains.

Posting to usenet.
I've not had much luck with this.

Posting to mailing lists.
This also seems fairly hit or miss.

Posting to websites.
Works eventually, but it can take a long time.

Setting them in Ineternet Explorer.
Some web sites have javascript that can grab your email address from your browser.
(bonus points if you write this up in a proposal)

When you get spam...

Read the web pages. Once you actually get spam, either read it in a browser, or download all the links with wget. Some spammers are paying attention, in particular it seems, the ones who sell addresses to other spammers.

Respond. When you get one of those weird messages like "Are you the same noc-staff I went to school with?" Respond with a simple "sorry, wrong guy."

-- this is not a .sig