Showing trap hits on SNDS, how bad is it?

Discussion in 'Noob Central' started by datamon, Jun 16, 2011.

  1. datamon

    datamon VIP

    Joined:
    Apr 17, 2011
    Messages:
    25
    Likes Received:
    2
    Trophy Points:
    0
    I have a class C that has been sending for over a month with no problems. Was about to apply for mitigation of the whole range but in the last few days the SNDS report has been showing 5 to 6 trap hits a day. Once we suppress the traps should I wait a few weeks before going through the mitigation app or is it safe to go for it after a few days of not hitting a trap?

    Some history of the range.
    1 The whole class C is in the JMRP under one account
    2 Been sending about 500 emails a day per IP to actual address, very low complaint rate.
    3 It's been the same data set the whole time
    4 The IP status in SNDS now has a note saying "Bot-like behavior"
    5 We re-scrubbed the data on IW but still are showing trap hits, are now breaking it down to small file sizes to identify the traps.

    This is my first attempt at Hotmail mitigation, any advice suggestions would be appreciated, thanks in advance.
     
  2. PushSend

    PushSend VIP

    Joined:
    Apr 12, 2011
    Messages:
    1,927
    Likes Received:
    141
    Trophy Points:
    63
    Location:
    Paradise
    If you can block sending mail to IPs, I'd suggest you block anything in this range as I've seen nothing but bots from it.

    131.107.0.xxx
     
  3. datamon

    datamon VIP

    Joined:
    Apr 17, 2011
    Messages:
    25
    Likes Received:
    2
    Trophy Points:
    0
    Thanks, are you saying to block email address that we see opening from that IP range?
     
  4. DAgent

    DAgent Moderator

    Joined:
    Mar 14, 2011
    Messages:
    452
    Likes Received:
    115
    Trophy Points:
    43
    Home Page:
    Dear datamon / PushSend,

    Let me jump into this real quick since it's a good tip, yet not elaborated enough and I've seen interesting things from those networks as well.

    131.107.0.0/24
    12.190.158.0/25

    These IP addresses go through your links once you send mail to the live.com mole. They don't land in your page, but they do follow the link with the querystring to check what your masked links ultimately redirect to.

    There is no proven relationship between a spamtrap and addresses that show this behavior. I was lucky enough to see 'clicks' (botclicks in your platform, datamon) from these IPs, and this addresses are only checked / read using their web interface.

    PushSend,

    Have you seen / scanned for MX servers in that range?

    Thanks and I hope it contributes to the thread.
     
  5. roundabout

    roundabout VIP

    Joined:
    Feb 17, 2011
    Messages:
    2,713
    Likes Received:
    154
    Trophy Points:
    63
    I dont think a hotmail trap would exhibit the behavior of scanning your redirects but I could be wrong.

    You would be very surprised how many traps lie in hotmail, mostly from older accounts turned into honeypots, so the mx records won't particularly show anything groovy for IW (or anybody) to catch.

    One of the things you need to consider when really bearing down on locating traps is looking/seeking for active users, so you know it's a real person. I'll move this thought over to the Penthouse at this point, see you there.
     
  6. mx10

    mx10 VIP

    Joined:
    Mar 30, 2011
    Messages:
    535
    Likes Received:
    18
    Trophy Points:
    18
    this is very interesting... i have 92 clicks from 131.107.0.x/24

    some are on offer links, some on unsubs

    nothing about the clicks looks fishy to me... really curious what that range is now

    how did you guys notice this range and what made you think it was a mole?
     
  7. DKPMO

    DKPMO VIP

    Joined:
    Mar 31, 2011
    Messages:
    1,452
    Likes Received:
    68
    Trophy Points:
    48
    Location:
    Elaborate Underground Base
    The real question to me is why would Microsoft report "trap hits". Who would own these traps? Microsoft itself? Others feeding them their traps? Who?

    That is the real question to me. Whose traps could be reported in SNDS?
     
  8. mx10

    mx10 VIP

    Joined:
    Mar 30, 2011
    Messages:
    535
    Likes Received:
    18
    Trophy Points:
    18
    they're expired accounts, some % of expired accounts turn into trap accounts at random

    the premise is if those accounts are receiving mail, it must be advertisements, because anyone paying attention who actually knew the person they're emailing would figure out it's not that persons email anymore
     
  9. DAgent

    DAgent Moderator

    Joined:
    Mar 14, 2011
    Messages:
    452
    Likes Received:
    115
    Trophy Points:
    43
    Home Page:
    Specifically when you see the clicks never triggering your landing page tracking pixels, meaning that once the final location was exposed, the HTML was never rendered and if you add multiple IPs from those two moles under the control of microsoft (as seen in ARIN), they definitely turn into phishy behavior.

    Again, this behavior is not isolated to traps only. I've seen clicks from these IPs on my personal hotmail address, on emails that I've never opened / clicked, hence this is not a way to detect traps.

    Another note to bring into this discussion is that if you connect to hotmail servers and try to deliver an email to a non hotmail recipient (i.e.: yahoo recipient) sometimes this email gets accepted and shown as a trap hit. I know this concept must be hard to digest at a glance, yet it is a behavior that we have solid proof of it happening. We've seen with bogus MTAs that in some cases their delivery logics from time to time mix up their threads and end up trying to deliver other domain's email to the wrong MX server.

    So far the most effective tecnique is to segment data and mail it through different IPs until you end up killing 100 (or less) recipients from your list, but eventually some of your data will turn into traps since they become traps due login inactivity. To prevent this last scenario, the best practice is to remove inactives from 180 days.

    I hope it helps.
     
  10. JohnFarrell

    JohnFarrell VIP

    Joined:
    Apr 13, 2011
    Messages:
    828
    Likes Received:
    35
    Trophy Points:
    0
    I recently started trying to hit hotmail again and I noticed clicks / opens from the first range. The opens were old and went to a yahoo address, but the clicks came from the drop on a hotmail address. I did hit 59 freaking traps according to snds.
     
  11. DKPMO

    DKPMO VIP

    Joined:
    Mar 31, 2011
    Messages:
    1,452
    Likes Received:
    68
    Trophy Points:
    48
    Location:
    Elaborate Underground Base
    What do you recommend doing with traffic from these IPs? Dropping completely or redirecting? Would you still get trap hits if you block it?
     
  12. DAgent

    DAgent Moderator

    Joined:
    Mar 14, 2011
    Messages:
    452
    Likes Received:
    115
    Trophy Points:
    43
    Home Page:
    DKPMO,

    Depending on the segment you're mailing to (i.e.: actives, bulk, etc) you want to make a decision. What these bots will do is to check whether you're mailing an offer from a network based on the IP the landing page is hosted at or some offer you own.

    They match what you are mailing against what other people is mailing and then profile you.

    Automatic redirects to a google / youtube search results page with words included in the message body makes a lot of "sense" to this sort of semi-conscient algorithms.

    If you have a JMRP enrollment completed and a mitigation already done, the pages you used as your opt-in pages on their forms will be a good destination as well.

    You will still get traps, since there's no direct relationship between traps and these bots clicking on your emails.
     
  13. DKPMO

    DKPMO VIP

    Joined:
    Mar 31, 2011
    Messages:
    1,452
    Likes Received:
    68
    Trophy Points:
    48
    Location:
    Elaborate Underground Base
    How about just returning a 500 error? Seems to me redirects to searches could be profiled too, no?
     
  14. DAgent

    DAgent Moderator

    Joined:
    Mar 14, 2011
    Messages:
    452
    Likes Received:
    115
    Trophy Points:
    43
    Home Page:
    Correct -- either searches or plain links to a video will get profiled. It's depending on which profile you want your emails to fit in.

    A considerable ammount of email ending up in a 500 error will be something that hotmail wont be very interested in placing into their user's inbox. A link to a funny video is most likely something that millions of users are sending to their peers.

    It's the boundaries of relativity what helps making a decision to these subjective algorithms. Filters brag about intelligence this way
     

Share This Page