Has anyone set up a generic web-page, not linked from anywhere useful, which autogenerates a "contact e-mail" address (like deadbeef@example.com) and logs which IP reads what address (even using the remote IP as the username to provide) and then waits for the address to be used for spam?
I've been running something that does pretty much exactly this since 1997.
Is there any use in doing this (to try to identify who is harvesting)?
It turns out that the number of people harvesting from web pages is pretty low. I could never identify more than a few hundred IPs as the source for more than a few messages. The bulk of my spamtrap e-mail appears to come from people who harvest, sell the lists to a few layers of list maintainers, who sell the lists to spammers.

This seeding technique stopped working, interestingly, a few years ago, though. One of the current harvesting techniques appears to indirectly use Windows or Outlook worms. It is pretty simple:

- Send out a bunch of spam containing e-mail addresses that you can read to other addresses you know might be valid.
- Wait for worms to spoof mail back to you. Collect those spoofed addresses.

As the worms spoof addresses from Outlook address books and by harvesting local mail spools, you just collected a bunch of other valid e-mail addresses directly off of end users' machines.

Supposedly if you put a newly installed, unpatched Windows box on the 'net, with an Outlook address book full of fresh spamtrap addresses, you'll start getting spam to those addresses in something like 3 hours. I've been meaning to test this myself.

--
Aaron
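One way to build the page described in the question, as an added example that is not code from either poster: the generated address itself carries the visitor's IP and the time it was served, sealed with an HMAC tag, so mail that arrives later can be attributed without a lookup table and addresses nobody was served are rejected. `SECRET`, `DOMAIN`, the function names and the sample delivery record are assumptions made for the illustration.

```python
import base64, hashlib, hmac, ipaddress, struct, time

SECRET = b"constructed-demo-key"  # assumption: per-site key kept outside the web root
DOMAIN = "example.com"            # placeholder domain, as in the question
TAG_LEN = 5                       # truncated HMAC keeps the local part short

def _tag(payload):
    return hmac.new(SECRET, payload, hashlib.sha256).digest()[:TAG_LEN]

def make_trap_address(remote_ip, now=None):
    """Address to print on the page for the visitor connecting from remote_ip."""
    ip = ipaddress.ip_address(remote_ip)          # accepts IPv4 and IPv6
    served = int(time.time() if now is None else now)
    payload = ip.packed + struct.pack(">I", served)
    local = base64.b32encode(payload + _tag(payload)).decode().rstrip("=").lower()
    return f"{local}@{DOMAIN}"

def decode_trap_address(address):
    """Return (harvester_ip, served_at) for an address we issued, else None."""
    local, _, domain = address.partition("@")
    if domain.lower() != DOMAIN:
        return None
    try:
        raw = base64.b32decode(local.upper() + "=" * (-len(local) % 8))
    except ValueError:                            # not base32 at all
        return None
    payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    if len(payload) not in (8, 20) or not hmac.compare_digest(tag, _tag(payload)):
        return None                               # guessed or mangled address
    (served,) = struct.unpack(">I", payload[-4:])
    return str(ipaddress.ip_address(payload[:-4])), served

def attribute(deliveries):
    """deliveries: (received_ts, rcpt, sending_ip) tuples taken from the MTA log."""
    hits = []
    for received, rcpt, sender in deliveries:
        decoded = decode_trap_address(rcpt)
        if decoded:
            harvester, served = decoded
            hits.append({"harvester": harvester, "sender": sender,
                         "days_to_first_use": (received - served) // 86400})
    return hits

if __name__ == "__main__":
    # Constructed sample: page read from 192.0.2.10, spam sent later from 198.51.100.7.
    addr = make_trap_address("192.0.2.10", now=1_000_000_000)
    log = [(1_000_000_000 + 30 * 86400, addr, "198.51.100.7"),
           (1_000_000_000, "deadbeef@example.com", "203.0.113.5")]
    print(addr, attribute(log))
```

The gap between `harvester` and `sender`, and the delay before first use, is what shows the resale chain described in the reply: the IP that read the page is rarely the IP that sends the spam.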