Images Events Jobs Premium Services Media Kit Network Map E-mail Offers Vendor Solutions Webcasts
IT Management Webcasts:
The Role of Security in IT Service Management

Preparing for an IT Audit

More Webcasts

Search EarthWeb Network

Be a Commerce Partner
Imprinted Promotions
Corporate Awards
Server Racks
Promos and Premiums
Calling Cards
Find Software
Promote Your Website
Online Universities
Web Design
Send Text Messages
Car Donations
Compare Prices
Logo Design

Linked Data Planet Conference & Expo

IT Management : Columns : Executive Tech: Don't Get Killed by 'Spam Trap Poisoning'

Heroes Happen Here Launch Events
Attend the upcoming launch of three powerful new products, take a test drive, meet the teams, and leave with promotional copies of Windows Server 2008, Microsoft SQL Server 2008, and Microsoft Visual Studio 2008. Register here. »

Install What You Need with Windows Server 2008
Windows Server 2008 is Microsoft's most full-featured server operating system yet, so it's ironic that one of its most exciting new features is an install option that cuts out most of the other features. Paul Rubens explores why a Server Core installation makes a great deal of sense in many instances. »

Simplify Big Business IT for Small and Midsize Companies
Windows Small Business Server 2008 and Windows Essential Business Server 2008 deliver all-in-one solutions to help fuel growth for customers and partners. »

Q&A with Bob Muglia: Senior VP, Server and Tools Division
Bob Muglia, senior vice president, Server and Tools Division, discusses Microsoft's new interoperability principles and the steps the company is taking to increase the openness of its products. »

Q&A with Lutz Ziob, GM of Microsoft Learning
Lutz Ziob, the general manager of Microsoft Learning, talks about how IT professionals can become certified heroes within their enterprises by getting trained and certified in Windows Server 2008. »

Related Articles
Has Julian Haight Gone Straight?
Whitelists Battle for Market Share
Proposals Offer Small Steps to Stop Spam
- ITSMWatch Newsletter -
Tech Focus: Security

Cybersecurity: Laws Only Go So Far

Mozilla Firefox vs. Internet Explorer: Which is Safer?

Is Your Blog Leaking Trade Secrets?

The Las Vegas Counterfeiting Story: Is Your Privacy Worth More Than a Poker Chip?

Stopping Spammers at The Point of Sale

Product Watch
IOGEAR KVM - Includes Audio/Peripheral Sharing
Coverity Prevent / Coverity Thread Analyzer - Analyze Source Code For Defects, Security Vulnerabilities
USSD Series - SDRAM-Based Solid State Drives to 256 GB
UltraSMS - Send SMS From Your PC
Sentinel Sensors - Wi-Fi Based Temperature Monitoring Especially For Cold Storage

more products >>

Datamation Definitions
data mining
grid computing
network appliance
FREE Tech Newsletters

Tips for Operating System Deployments. Listen to an audio cast about operating system deployment.

Don't Get Killed by 'Spam Trap Poisoning'
June 22, 2004
By Brian Livingston

Brian Livingston If your company sends out an e-mail newsletter to customers, you may find yourself suffering from a new problem I call "spam trap poisoning."

Spam traps are e-mail addresses that antispam groups post on the Web but don't use for sending e-mail. Instead, these addresses lie in wait until they're found by "harvester" programs. These harvesters are key tools for spammers: they scan millions of Web pages, scooping up every e-mail address that's visible.

If a spam trap receives any e-mail, therefore, antispam groups assume the message must be spam. This can automatically put the IP address on a "blocklist" that keeps the sender's messages from getting through to some mail servers.

Unfortunately, spam traps are starting to bite legitimate businesses. I'll explain how and what you can do about it.

How Spammers Can Poison Spam Traps

I discussed spam trap poisoning with Julian Haight, the director of a controversial blocklist called In an interview, which formed the basis for my column last week on SpamCop, Haight said he's reduced his reliance on human spam complainers and has dramatically increased his use of spam traps. "80 to 90 percent" of the reports he receives are now generated by such bots, he explains.

Spammers, however, are learning how to discover which e-mail addresses are spam traps. How can this injure your company's reputation and e-mail deliverability?

Spam Traps Lead To Swift Blocklisting. Because spam-trap addresses can react immediately to any e-mail they receive, as little as a single message can add a sender to a blocklist within minutes. Spammers don't much care about one individual source of spam being blocked, of course. The top professionals in the spam business use a massive network of hundreds of thousands of PCs they've infected with Trojan horse programs that actually send the spam. Some infected PCs may be blocked, but spammers have many others that aren't.

A Process of Elimination. Because the biggest pros send millions of junk e-mails a day, they can segment their lists and send messages through different computers to try to identify spam traps. If one sender was added to a particular blocklist at 10:00 a.m., for example, it was probably due to a spam-trap address that received a piece of spam after 9:30 that same morning.

Poisoning the Spam Traps and Your Company's Good Name. By watching mailings that are sent out on subsequent days, spammers can soon isolate a few addresses that are almost certainly spam traps. The spammers then sign those addresses up for legitimate e-mail newsletters to ruin the effectiveness of the spam traps. Now the addresses are receiving legitimate e-mail, not just spam.

Reliance on Spam Traps Backfires on Blocklists. To best "poison" the spam traps, spammers use the newsletters of the most respectable companies possible. When mail servers that use blocklists start to reject mail from these large, respected brand names, the blocking services lose credibility. Many end users had wanted to receive those company's mailings and blame the blocklists for being wildly inaccurate.

If your company's newsletter is used in these exploits, the pain can be severe. Your routine e-mail messages can suddenly start to bounce — or simply disappear, deleted forever by mail servers that blindly relied on the blocklists.

Choose One: A Terrible Problem or a Horrible Problem

Haight is adamant that companies can avoid damage to their reputations by requiring all newsletter subscribers to "double opt-in" as opposed to "single opt-in." He also considers double opt-in to be a requirement because it prevents one person from signing up another person's e-mail address to an unwanted list.

Let's take a closer look at what single and double opt-in mean:

Single Opt-In. A single opt-in newsletter allow customers to sign up by entering their e-mail address in a Web form and clicking "Subscribe." The publisher usually sends an immediate message welcoming subscribers and telling them how to unsubscribe if a mistake has been made.

Double Opt-In. This method, also called "confirmed opt-in" or "verified opt-in," doesn't initially send any newsletter to customers who subscribe. Instead, the subscribers receive a message saying they must "verify" their e-mail address. The message usually instructs the recipient to click a hyperlink or generate some kind of e-mail response.

There's a big problem with double opt-in, however. The newsletters of most Fortune 500 companies don't require it, because a huge number of customers simply don't understand why they have to verify their address — "I just gave it to you, it's valid, you idiots." Other consumers don't respond because they've been told never to follow any instructions that an e-mail requests, as a precaution against "phishing."

"I've seen the rate as low as 40% confirmation," says Paul Myers, publisher and editor of TalkBiz News, a newsletter for business owners. His own publication, which uses double opt-in, has a very targeted audience and gets almost 100% confirmation, he says. But he doesn't believe double opt-in should be a requirement for every company. "There shouldn't be any reason why people miss the mail they want because they didn't understand the confirmation process — or that one was required."

The Battle Over Opting-In

Anne Mitchell is CEO of ISIPP (the Institute for Spam and Internet Public Policy), a whitelist organization that works with Internet service providers and spam filtering companies. "The push for double opt-in was really by the antispammers, not the ISPs," she says. "They [the ISPs] don't care how you build your list, as long as you don't send spam."

ISIPP maintains online scoring systems that are used by SpamBouncer and other antispam filters. One ISIPP scoring formula for trusted senders gives a maximum of 90 points to those who require double opt-in. But single opt-in newsletters can still achieve 80 points. The difference is small — because single opt-in newsletters aren't spam.

As far as the percentage of cases in which one person is subscribed by another person to a single opt-in newsletter, the number is "miniscule," Mitchell says.

How Many Mistakes Are Made, and Who Makes Them?

AWeber Communications is one of the world's largest e-mail service providers. Literally thousands of different customers use the firm's technology to send opt-in e-mail newsletters, according to company CEO Tom Kulzer.

AWeber requires the double opt-in method for new subscribers to get its own newsletter, Kulzer says. But his firm allows its individual publishers to choose to use either double opt-in or single opt-in. "More of our customers use single opt-in, fewer use double opt-in," he explained in a telephone interview.

Confirmation rates for the double opt-in newsletters he's monitored range from "nearly 100%" to "as low as 20%." Meanwhile, cases in which an innocent person has been signed up to a single opt-in newsletter without consent are very rare, in his experience. "We see that maybe once a month," Kulzer says.

"Usually the only time we see problems with somebody maliciously typing in someone else's address is vehement antispammers who are signing people up to a list," he continues. "When we track that down, the newsletter's been sent to a 'postmaster' account that only these [extreme] antispammers would know about."


You're caught between two awful choices. If you require a double opt-in policy for people to subscribe to your company's newsletter, you may lose half of more of the people who want to sign up for it. That's bad customer service. On the other hand, if you use single opt-in, as most companies do, anyone can add spam-trap addresses to your database of subscribers. Your company could suffer e-mail deliverability problems for days after every issue of your publication goes out — activating the blocklists each time.

The answer is to carefully monitor which blocklists point to or don't point to the IP addresses that your company uses to send mail. is one free service that allows you to enter any IP address or domain name to see whether it's on any of 30-some real-time blocklists.

If your company does get whacked by a blocklist for a few hours or days after your newsletter goes out, use some of the same tricks that spammers use to identify spam traps. Segment your e-mail list into 24 groups at random. Send mail to each group, one hour apart throughout the day. If one group triggers a blocklist, segment it even further until you've isolated the potential problem addresses.

Finally, consider dropping subscribers who, according to your server logs, haven't clicked a hyperlink in months — they could be robots disguised as ordinary newsletter readers.

Brian Livingston is the editor of Brian's Buzz on Windows and the co-author of "Windows Me Secrets" and nine other books. Send story ideas to him via his contact page.

Brian Livingston is the editor of and the co-author of Windows Vista Secrets and 10 other books. Send story ideas to him via his contact page. To subscribe free and receive Executive Tech via e-mail, visit our signup page.

Add to your favorites
Add to your browser search box
IE 7 | Firefox 2.0 | Firefox 1.5.x
Receive news via our XML/RSS feed

Executive Tech Archives



Jupitermedia Corporation has two divisions: Jupiterimages and JupiterOnlineMedia

Jupitermedia Corporate Info

Legal Notices, Licensing, Reprints, & Permissions, Privacy Policy.

Advertise | Newsletters | Tech Jobs | Shopping | E-mail Offers

Whitepapers and eBooks
Microsoft Article: Will Hyper-V Make VMware This Decade's Netscape?
Microsoft Article: 7.0, Microsoft's Lucky Version?
Microsoft Article: Hyper-V--The Killer Feature in Windows Server 2008
Avaya Article: How to Feed Data into the Avaya Event Processor
Microsoft Article: Install What You Need with Windows Server 2008
HP eBook: Putting the Green into IT
Whitepaper: HP Integrated Citrix XenServer for HP ProLiant Servers
Intel Go Parallel Portal: Interview with C++ Guru Herb Sutter, Part 1
Intel Go Parallel Portal: Interview with C++ Guru Herb Sutter, Part 2--The Future of Concurrency
Avaya Article: Setting Up a SIP A/S Development Environment
IBM Article: How Cool Is Your Data Center?
Microsoft Article: Managing Virtual Machines with Microsoft System Center
HP eBook: Storage Networking , Part 1
Microsoft Article: Solving Data Center Complexity with Microsoft System Center Configuration Manager 2007
Intel Video: Are Multi-core Processors Here to Stay?
On-Demand Webcast: Five Virtualization Trends to Watch
HP Video: Page Cost Calculator
Intel Video: APIs for Parallel Programming
HP Webcast: Storage Is Changing Fast - Be Ready or Be Left Behind
Microsoft Silverlight Video: Creating Fading Controls with Expression Design and Expression Blend 2
Downloads and eKits
Sun Download: Solaris 8 Migration Assistant
Sybase Download: SQL Anywhere Developer Edition
Red Gate Download: SQL Backup Pro and free DBA Best Practices eBook
Red Gate Download: SQL Compare Pro 6
Iron Speed Designer Application Generator
Tutorials and Demos
How-to-Article: Preparing for Hyper-Threading Technology and Dual Core Technology
eTouch PDF: Conquering the Tyranny of E-Mail and Word Processors
IBM Article: Collaborating in the High-Performance Workplace
HP Demo: StorageWorks EVA4400
Intel Featured Algorhythm: Intel Threading Building Blocks--The Pipeline Class
Microsoft How-to Article: Get Going with Silverlight and Windows Live