logo The network should be invisible
The network should be noise free
Sandviksveien 32
NO-5036 Bergen
Tel: +47 9807 1263
Email - a traplist collected by Peter Hansteen

Did you think that you have been spammed by one of my users in the domain? Or for that matter, somebody from,,, or a few others?

More likely than not, what you have been seeing is that somebody spammed you, and they used a made up return address - where the domain (the part after the @ sign) happened to be equal to one of these domains. Make no mistake, we do not support such activities.

Take a look at this list of addresses I've collected, all in domains I admin. Not a single one of them were actually deliverable, and most of them appear to have made it into the log files where I found them as To: addresses for messages from mail servers about failed delivery to an address in their domain. At one point we realized that spammers use the same list of addresses as return addresses for the spam they send and as the addresses they send to while ripping off their unbelievably gullible customers. So we started collecting. The list, now at 198273 entries, is not a complete corpus of all faked From: addresses referencing those domains (we're bound to have missed an unknowable number), but it does seem to do the trick.

As time went by, we even scraped authentication logs for failed SSH and POP3 logins (see articles such as The Hail Mary Cloud And The Lessons Learned and Password Gropers Take The Spamtrap Bait for reference) and constructed fake addresses from the supposed usernames. A partial history (the log starts 2017-05-20) of when spamtraps were added and from which sources can be found in this log (or at this alternate location). Read on for a bit of information on the alternate sources.

If you have sent mail to any of these addresses in the last 24 hours, it will take a while more before you will be able to reach any real users in those domains. In the meantime, you can click the PF tutorial link on the left for one way to find out what happened. You could take some time out to have a look at one of several good tutorials on reading mail headers too.

If you like, you can view the list of currently trapped IP addresses at (at ten past the last full hour), by downloading this file.

Note: Since early 2018, http (port 80) requests to all resources are redirected to https (443). Most systems handle this correctly, but I see some failures in my logs.

At last count, Tue Jun 18 08:10:01 CEST 2019 , we had 6169 active spam senders trapped. You can download the most recent list of trapped hosts from here or from the mirror (copied at 15 minutes past every full hour).

For a rundown of the principles and ethics of how this list is run, see the How I Run This List, Or The Ethics of Running a Greytrapping Based Blacklist page.

Yours sincerely,
Peter N. M. Hansteen

PS: I've written a blog entry about this too, with some further info. Later blog entries (most recently Maintaining A Publicly Available Blacklist - Mechanisms And Principles, dated April 14, 2013) have some followups and additional information. This file is a list for one of the domains preserved for the arcihives. All fed to spamd, of course, and now included below. It is worth noting that this list of email addresses is updated only when I have a few minutes, so if it's static for too long, I'm probably just busy or even (shock, horror) away from my computer.

Flattr this:

Most recently added (the raw version is here):