Honeypots (decoy email addresses) are used for collecting large amounts of spam. These decoy email addresses do not belong to actual end users, but are made public to attract spammers who will think the address is legitimate. Once the spam is collected, identification techniques, such as hashing systems or fingerprinting, are used to process the spam and create a database of known spam. Let’s take a closer look at hashing systems and fingerprinting.
HASHING SYSTEMS: With hashing systems, each spam email receives an identification number,or “hash,” that corresponds to the contents of the spam. A list of known spam emails and their corresponding hash is then created. All incoming email is compared to this list of known spam. If the hashing system determines that an incoming email matches an email in the spam list, then the email is rejected. This technique works as long as spammers send the same or nearly the same email repeatedly. One of the original implementations of this technique was called Razor.
FINGERPRINTING: Fingerprinting techniques examine the characteristics, or fingerprint, of emails previously identified as spam and use this information to identify the same or similar email each time one is intercepted. These real time fingerprint checks are continuously updated and provide a method of identifying spam with nearly zero false positives. Fingerprinting techniques can also look specifically at the URLs contained in a message and compare them against URLs of previously identified as spam propagators.
Honeypots with hashing or fingerprinting can be effective provided similar spam emails are widely sent. If each spam is made unique, these techniques can run into difficulties and fail.