Hello,

On Thu, Feb 23, 2012, at 04:11 PM, Stan Hoeppner wrote:
> > Prior to its compromise, it was verifiable as an existing & valid
> > "user@domain" in the virtual user/domain (sql) lookup tables.
> 
> If this was at one time an actual address to a mailbox in which someone
> received legit mail

It was

> and other persons corresponded with said person, possessed this email 
> address,

They did

> then there are some BCPs regarding turning such addresses into traps:

Assuming BCP == Best Current Practice (?),  these

> 1.  Mailbox must be disabled
> 2.  5xx "unknown user" must be returned for at least 2 years,
>     5 years if the mailbox has existed for more than 5 years
> 3.  Monitor mailbox for this 2 years for legit mail
> 4.  If the mailbox received legit mail in the last 6 months,
>     extend period another year, repeat as necessary
> 5.  When you reach no legit mail in the last 6 months, turn
>     mailbox back on for spamtrap use
> 6.  Collect and analyze the spam, use the data as you wish

are useful & generally followed

in the actionable cases I'm considering, the spamtrap addresses -- yes,
they're 'converted' from prior valid usage -- were unique,
singly-purposed addresses, given to single vendors for sole usage by
them.  in all cases of documented compromise, I contacted the vendor,
changed my working, unique email to something else, and then and ONLY
then, converted the compromised address for spamtrap usage.

> I get the impression that what you've done is taken mailboxes that were
> phished or password cracked

no.  accounts that vendors had for business transaction with me, that
were compromised on THEIR end.  e.g., data breach.  no shortage of those
...

> used by spammers to SEND spam, and have used these addresses in a filter 
> scheme.

as was the object of the compromise, they're now used by spammers to
send spam TO ...

> This is NOT the same as a spamtrap.  I don't even know if there's been a term 
> coined for such a thing.  Is this indeed what you're doing?

Per above, not really.

Thanks for the info.

Cheers,

Roger
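
The six-step conversion schedule quoted in this message, worked through as an added example (not code from either poster): it computes the earliest date a disabled address may be re-enabled as a trap and what the server should answer on a given day. The function names, the 183-day reading of "6 months" and all sample dates are assumptions constructed for illustration.

```python
from datetime import date, timedelta

SIX_MONTHS = timedelta(days=183)  # assumption: "6 months" taken as 183 days


def add_years(d, years):
    """Shift a date by whole years, mapping Feb 29 to Feb 28 when needed."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def earliest_trap_date(created, disabled, legit_mail_dates):
    """Date on which the disabled address may be switched back on as a trap.

    legit_mail_dates: dates of legitimate delivery attempts seen (and
    rejected with 5xx) while the mailbox was disabled.
    """
    # Step 2: reject for 2 years, or 5 if the mailbox existed more than 5 years.
    base_years = 5 if disabled > add_years(created, 5) else 2
    review = add_years(disabled, base_years)
    # Steps 3-5: extend a year at a time while the 6 months before the
    # review date still show legitimate mail.
    while any(review - SIX_MONTHS < d <= review for d in legit_mail_dates):
        review = add_years(review, 1)
    return review


def smtp_action(today, created, disabled, legit_mail_dates):
    """What the server should do with mail to the address on a given day."""
    if today < disabled:
        return "deliver"
    if today < earliest_trap_date(created, disabled, legit_mail_dates):
        return "reject 5xx unknown user"
    return "accept as spamtrap"


if __name__ == "__main__":
    # Constructed sample: address created in 2010, disabled in 2012.
    created, disabled = date(2010, 1, 15), date(2012, 2, 23)
    legit = [date(2013, 12, 1), date(2015, 1, 10)]
    print(earliest_trap_date(created, disabled, legit))
    print(smtp_action(date(2015, 6, 1), created, disabled, legit))
```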
