Spamfeed.me - Technical Information

Seed and Seeding

How Spamfeed.me does it:

We can assure 100% clean trap addresses: none of our trap domains or addresses has ever been registered before. We do not use refurbished addresses (a recycled address still receives legitimate mail meant for its former owner, which would pollute the feed) or addresses we do not have full control over. All trap traffic is monitored and analyzed in real time.

Seeding of our addresses is done in various ways. We seed addresses in well-visited places all over the internet. We do not do any test subscriptions with these addresses, as those would attract a different kind of spam (list mail the address was actually signed up for), which has to be handled differently.

Receiving

Once a message has been accepted, it first has to be determined whether it is spam at all. Delivery Status Notifications (DSNs) and other bounce messages are not considered spam even when they hit a spamtrap: they are typically backscatter, generated by a third-party MTA after a spammer forged a trap address as the sender.

How Spamfeed.me does it:

We receive trap traffic on a number of dedicated systems at different locations. This provides a high level of fault tolerance and diversity.
After accepting a message, we filter out RFC 3464 compliant DSN (Delivery Status Notification) messages. In addition, we publish a hard-fail SPF record (-all) for our spamtrap domains. This lets receiving MTAs identify mail that forges a trap domain as sender and reject it during the SMTP dialog, so fewer legitimate DSNs are generated and sent to our spamtrap network in the first place.
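A minimal version of that first filtering step, written here as an added example in Python rather than Spamfeed.me's own code: it classifies an incoming message by its MIME structure (an RFC 3464 DSN is a multipart/report with report-type=delivery-status) and, failing that, by the null envelope sender that bounces are required to use. The two sample messages, the envelope senders and the classification labels are constructed for illustration.

```python
import email

# Constructed samples (not real trap traffic) of the two kinds of mail that
# reach a trap address: an RFC 3464 DSN and an ordinary spam.
DSN_SAMPLE = """\
From: MAILER-DAEMON@mx.example.org
To: Spam_2011@trap.TLD
Subject: Undelivered Mail Returned to Sender
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: text/plain

This is the mail system at host mx.example.org.
--b1
Content-Type: message/delivery-status

Reporting-MTA: dns; mx.example.org

Final-Recipient: rfc822; someone@example.org
Action: failed
Status: 5.1.1
--b1--
"""

SPAM_SAMPLE = """\
From: "Offers" <promo@example.net>
To: Spam_2011@trap.TLD
Subject: Special offer
Content-Type: text/plain

Dear Spam_2011, click here.
"""


def classify(raw, envelope_sender):
    """Return "dsn", "bounce-like" or "spam" for an accepted message.

    raw: the message as received (headers and body).
    envelope_sender: the SMTP MAIL FROM address from the dialog, "" or "<>"
    for the null reverse-path that RFC 5321 requires for bounces.
    """
    msg = email.message_from_string(raw)
    # RFC 3464: a DSN is carried in multipart/report; report-type=delivery-status.
    report_type = msg.get_param("report-type") or ""
    if msg.get_content_type() == "multipart/report" and report_type.lower() == "delivery-status":
        return "dsn"
    # Non-compliant bounces usually still use the null sender; keep them out of
    # the feed but label them separately, since spam can also use "<>".
    if envelope_sender.strip() in ("", "<>"):
        return "bounce-like"
    return "spam"


if __name__ == "__main__":
    print(classify(DSN_SAMPLE, "<>"))                  # dsn
    print(classify(SPAM_SAMPLE, "promo@example.net"))  # spam
```

The SPF side needs no code: a TXT record of `v=spf1 -all` on the trap domain tells any receiver that checks SPF that no host is authorised to send mail for that domain, so forged mail is rejected at SMTP time and the bounce to the trap is never generated. Only receivers that check SPF honour this, which is why the DSN filter above is still needed.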

Redacting

To prevent the spamtrap network from being revealed, outgoing traffic (e.g. ARF reports) does not contain any information about the spamtrap itself. This process of camouflaging is called redacting. Both the header and the body part(s) of the spam mail are searched for spamtrap-related data, which is then rewritten (the process is described below).

How Spamfeed.me does it:

The redacting process is applied to the full mail header and body. The system preserves the overall shape of the address (its length and the character class of every position) so as not to interfere with hash-based filtering mechanisms.

As an example, take the trap address Spam_2011@trap.TLD:

Step 1 - matching
Addresses belonging to our spamtrap network are marked as "to be redacted". Each is converted into a search pattern consisting of its domain part:

/trap.tld/i → matches the above domain part, case-insensitively. (In a regular expression an unescaped dot matches any character, so a production pattern should escape it: /trap\.tld/i.)

This pattern is executed on both header and body of the original mail.

Step 2 - rewriting
If there is a match, the mechanism rewrites the matched text character by character:

Lower-case character → x
Upper-case character → X
Number → 1

Any other character inside the match (such as the ".") is kept, and the remainder of the mail remains untouched.

Example (original → redacted):
Spam_2011@trap.TLD → Spam_2011@xxxx.XXX
Dear Spam_2011 → Dear Spam_2011 (the local part alone does not match the pattern and stays as it is)
http://example.com/unsubscribe.php?Spam_2011%40trap.TLD → ...php?Spam_2011%40xxxx.XXX

Mails containing email addresses that do not belong to our spamtrap network are usually misdirected spam or spam sent through open relays. Such traffic was most likely never intended for our MTA, so these addresses also remain untouched; there is no need to redact the receiving side of the spam mail in this case.
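The two redaction steps above, implemented as an added example in Python (this is not Spamfeed.me's own code). The trap domain list, the sample message and the function names are assumptions; the character mapping is the one given in step 2, the pattern is built from the domain part as in step 1 (with the dot escaped), and it is applied to header and body alike. The example also goes slightly beyond the page's single domain by accepting a list of trap domains and by showing that a trap domain written in a different case is still matched and masked with its own case preserved.

```python
import re

# Hypothetical trap domains; the page's example domain is trap.TLD.
TRAP_DOMAINS = ["trap.TLD"]

# Constructed sample message (headers and body) that hit the trap. It also
# carries a non-trap address, which must survive redaction untouched, and
# the trap domain in a different case, which must still be caught.
SAMPLE_MAIL = """\
Received: from mail.example.net ([192.0.2.10]) by mx.trap.TLD
From: "Offers" <promo@example.net>
To: Spam_2011@trap.TLD, victim@example.com
Subject: Special offer

Dear Spam_2011,
http://example.com/unsubscribe.php?Spam_2011%40trap.TLD
Also sent to victim@example.com and Spam_2011@TRAP.tld
"""


def build_pattern(domains):
    """Step 1: one case-insensitive pattern over all trap domain parts.

    re.escape keeps the dot literal; the page's /trap.tld/i would also
    match "trapXtld" because an unescaped dot matches any character.
    """
    return re.compile("|".join(re.escape(d) for d in domains), re.IGNORECASE)


def mask(match):
    """Step 2: rewrite a match character by character. Length and character
    classes are preserved so hash-based filters see the same shape."""
    out = []
    for ch in match.group(0):
        if ch.islower():
            out.append("x")
        elif ch.isupper():
            out.append("X")
        elif ch.isdigit():
            out.append("1")
        else:
            out.append(ch)  # ".", "-" and the like inside the match are kept
    return "".join(out)


def redact(text, domains=TRAP_DOMAINS):
    """Apply steps 1 and 2 to the raw message, i.e. header and body alike.
    Text that does not contain a trap domain (other recipients, the local
    part on its own, the rest of the mail) comes back unchanged."""
    return build_pattern(domains).sub(mask, text)


if __name__ == "__main__":
    print(redact(SAMPLE_MAIL))
```

Two caveats a practitioner would add: the pattern only sees plaintext, so a trap domain hidden in a base64 or quoted-printable body, an RFC 2047 encoded header or a punycode label has to be decoded before matching (and re-encoded afterwards), and the replacement is a substring match, so a domain such as nottrap.TLD would lose its suffix as well, which over-redacts but reveals nothing.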

MARF'ing

MARF (Messaging Abuse Reporting Format, usually just called ARF) is an RFC standard (RFC 5965) for mail abuse reporting; it reuses the multipart/report MIME container that DSN mails also use. It enables the reporting party to forward a mail without losing valuable data.
Forwarded or relayed emails usually have the problem that the receiving party cannot easily identify all necessary data, especially metadata that is only visible within the original SMTP dialog; this is where ARF becomes necessary. Such additional metadata is carried in the second MIME part of the ARF mail, so the receiver can identify key information without a doubt.

MARF-Format:

  • a human readable part (text/plain),
  • a machine readable part (message/feedback-report) and
  • the original mail (message/rfc822, or text/rfc822-headers if only the headers are included)

are assembled to a MARF report.

See https://tools.ietf.org/html/rfc5965 for in depth information.

MARF allows Spamfeed.me to offer its customers key information from the original SMTP dialog that is not part of the spam message itself. For example, we can provide the connecting IP address (the Source-IP field) and the original envelope sender from the SMTP MAIL FROM command (the Original-Mail-From field), both of which are usually difficult or impossible to extract reliably from common (forged) mail headers.

That's why Spamfeed.me uses MARF as the reporting format for the offered data feeds.

The result of the above process is a standard-compliant MARF message.

For further questions please contact us at support@spamfeed.me

If you need assistance parsing and storing the received information in the feedback reports, have a look at the abusix.com website and let us know.

Feeding to you

After completing the subscription process we will provide you with the IP addresses that will send you the MARF email feed. The volume of your subscribed feed is evenly distributed over the day. We do not spool or queue any emails on our side, so a report that cannot be delivered on the first attempt is dropped rather than retried, even after a temporary rejection. This keeps the delay within our network as low as possible: a spam mail usually takes between 2 and 20 seconds from being received at our spamtraps until being delivered to your feed mailbox.

Now and then the peak volume of the spamfeed can be quite high. Our MTA has no problem with being rejected during delivery to you, but every rejected report is lost, so please size your receiving systems (connection and rate limits, mailbox quotas) to handle these peaks.

Ready to go!

If that is what you were looking for: Get in touch!