Koli-Loks Spamtrap Intelligence Service



Koli-Loks is a trusted cyber-security research organization, with over 25 years of experience tracking abuse in email and on other messaging platforms.

The Spamtrap Intelligence Service (SIS). Delivers detailed information on individual spamtrap hits, and valuable insight into spam flows from specific IP addresses on your network, or advertising specific websites hosted on your platform.  Reports can be received as email alerts for individual spamtrap hits, or downloaded daily as a CSV-format file to be imported into a database or spreadsheet and further analyzed.

The SIS:

provides continuous, detailed feedback on spam seen coming from your network(s)
– covers specific IP ranges, domains, and other bits of information that identify both the senders of spam emails, and the companies or websites advertised in spam emails
helps you identify the exact source and origin of spam and abuse

This information was originally designed to allow ESPs to monitor the email streams sent by their customers, providing detailed information on who is causing your pain. The same information can help ISPs identify customers who spam, and customers whose servers or networks are compromised and provide a channel for criminal spam and abuse.

The SIS FBL consists of one record per spamtrap hit that matches your criteria. That record is saved in a CSV-format file that is posted daily, allowing you to download and import the CSV file into a database or spreadsheet. If the spamtrap hit is one that you want to know about immediately, the SIS FBL record can also be sent to you in near-real-time as an email alert.

Each SIS FBL record contains the following information:

• Timestamp. Date and hour that the email was received.
• Connecting IP. IP address that sent the email to our MX server.
• HELO. HELO string issued by the server that sent the email to our MX server.

• From email address. Email address from the From header.
• Subject. Contents of the Subject header.
• URI host. Hostname from the email URI, if any.
• Drop box email address. Any email address in the Reply-to header or message body.

These fields are unmodified except where a tag or identification string appears to exist to identify the email recipient. In that case, the information in the field might be modified to remove the identification string.

This data provides excellent visibility into which emails are hitting spam-traps.  This information is highly effective in helping email senders identify the exact sources of spam and abuse coming from their networks. It is equally effective in helping web hosts identify the customers who are advertising their sites using spam sent from another location.

Please click here for a Koli-Loks SIS product data-sheet

Koli-Loks Raw Spam Feed, Provides a near-real-time  unmodified, uncurated spam feed from a special spamtrap collection designed to provide information on “criminal spam” such as malware, phish, Nigerian 419, and other scams.

The Spamtrap email addresses and domains in the raw spam feed:
– Receive high volumes of spam from botnets, containing malware attachments or links, or that is fraudulent or otherwise classified as “criminal spam” by most countries and jurisdictions.
– Have been out of service as email addresses for at least ten years, long past the time when they would be expected to receive misdirected legitimate email.
– Are to some extent publicly known or suspected of being spamtraps (known traps), and therefore receive very little email from spammers that are careful whom they target. This largely removes email service providers and otherwise legitimate companies with poor email practices from the stream.

The intended uses for this feed include:
– Anti-malware, blocklist, and spam filtering systems. The raw spam feed can be directed into an automated filter to provide data for anti-virus and anti-malware software, anti-spam blocklists, and spam filters.
– Malware and spam research. The raw spam feed can be directed into a database or other storage facility to be made available to researchers in any subject which is advertised in spam or uses spam as a mechanism to operate.
– Vetting systems. The raw spam feed can be used to test the effectiveness of anti-spam blocklists, anti-virus/anti-malware programs, and spam filters.

Koli-Loks SIS FBL feeds are available for well vetted organizations, that have strong anti-spam policies and Acceptable Use Policy.
The Koli-Loks Raw Spam feed is available to threat researchers, companies that produce  anti-abuse and anti-spam products, and those in the email anti-spam community.

Please click here to contact SecurityZones to inquiry about the Koli-Loks services.