Spamtraps need to be Retired

Spamtraps need to be Retired

Spamtraps are considered by many as the gold standard in proving that someone is a spammer. Secret emails/honeypots/blackholes are the canary in the email coal mine- heretofore absolute proof that you’re a bad actor in the war against spam. We’ve all been taught to believe that spam traps can only end up on your list if you’re mailing old/dead addresses and/or purchasing lists.

The problem is…what happens if neither of those is true? What’s the explanation for hitting a spamtrap when you’re NOT buying a list and NOT bringing back old names? According to some, this is impossible - there’s no way a spam trap address can end up on your list unless you’re engaging in bad practices.

Here’s a quote from an article I recently read talking about spam trap list operators- “For example, often a blacklisted marketer will claim their list is 100 percent opted in when the DNSBL operator has irrefutable evidence in the form of spam traps that it’s not.”

But guess what…”spam traps” can actually open. And even click. How do I know this?

  1. I looked at the results of our own data.

We run a site that is fortunate enough to get between 20,000 and 50,000 new users per day. They sign up, we validate the address as best we can using a third party. We keep non-responding sign ups on our list for up to 5 days, then stop if they haven’t opened or clicked. We only mail opens/click inside of a 45 day time window. Once a month we send to our full 12 month file because, hey, people actually did sign up for our emails.

Why do we go to all this trouble? Because we keep hitting “spamtraps.” That’s right, we only send to openers and clickers to people who actually signed up for our email yet still hit “spamtrap” addresses that are not supposed to open and/or click…but they do.

I thought…I must be crazy. There’s no way a spam trap – by definition – should be able to open and/or click. The truth is, spamtraps can - and do - open and click.

For example, yesterday we sent just over 107,000 emails to Hotmail. Unfortunately, we had three “trap hits” at Hotmail. On our last monthly send to Hotmail, we attempted to send 723,000 emails and recorded 65 “trap hits” even though – according to the SNDS web site FAQs, “Trap accounts are accounts maintained by Windows Live Hotmail that don't solicit any mail. Thus any messages sent to trap accounts are very likely to be spam. Well-behaved senders will hit very few such accounts because they're generally sending to people who give them their address and because they collect and process their NDRs. Spammers have a much harder time avoiding them because, in general, they can't and don't do either of those good practices.”

The usual response from the deliverability community is “well, you must be buying a list and/or mailing to really, really old addresses.” This sort of victim-blaming is not at all unusual and relies on a questionable logic path of “spammers wear jeans. You wear jeans. Therefore you must be a spammer.”

Here’s the thing…the internet is lot fuller than it used it be. Sometimes people enter in bad information because they don’t really want to hear from you…but they want your data. It might simply be old information in the form or their old email address. It might be a typo. It might be something random a person enters because they don’t want to give their real address (if is a spam trap…guilty.) It might even be maliciously planted by people looking to either hurt your company or make a quick buck. In all of these cases, someone has to fill out our form. Even though we send every email to a validation service, we still get far too many “spam” hits that open and/or click our emails. It’s massively frustrating.

Spamtraps were once a great idea to combat spam. Then again, phones the size of a brick were once the gold standard for mobile communications. The question is, are spamtraps becoming the cassette tape of the email industry – a once popular technology rendered almost irrelevant by better, more accurate technologies? With the advent of DKIM, DMARC and other authentication tools – along with engagement filtering by ISPs – has the relevance of the spamtrap massively deflated? Do we even need to rely on a tool that has seemed to outlive its usefulness?

I’m all for tools that help to separate the good players from the bad. But spamtraps that click and open don’t really seem to do anything to advance that cause.