Spam Glossary


Spamtrap

A spamtrap is an address that is used to capture spam sent to it in order to provide information on what spam is being sent and from where. Spamtraps do not belong to real users; they are decoys set up to catch spammers and to monitor and collect spam.

When using spamtraps in automated systems, in order to prevent legitimate email from being invited, a spamtrap email address is never published where a human can find it. As the address is never visible to humans, no sender would be encouraged to send messages to the email address for any legitimate purpose.

Normally spamtrap addresses are obtained by spammers through the use of automated email address harvesters, through ‘dictionary attacks’ on mail servers, by buying lists from other spammers, or by importing lists from generic address CD-ROMs sold by spammers around the Internet. Almost all CD-ROMs of ‘targeted’ or ‘opt-in’ email addresses sold on the internet contain spamtraps belonging to Spamhaus and other major anti-spam systems.

Because spamtraps do not belong to a real user, they can never “opt-in” to any bulk email advertising list, since it is impossible for the spamtrap address to initiate, to respond, or to give or confirm consent.

Spam

Spam is Unsolicited Bulk Email (“UBE”). Unsolicited means that the Recipient has not granted verifiable permission for the message to be sent. Bulk means that the message is sent as part of a larger collection of messages, all having substantively identical content.


SPAM

SPAM Chopped Pork and Ham is a famous canned meat product made mainly from ham. Great in sandwiches, salads or mac & cheese, or with eggs, cheese, or pineapples, or sliced, diced, baked or fried. The name derives from “sp(iced h)am”. SPAM is a registered trademark of Hormel Foods Corporation. The product name “SPAM” (used always in uppercase) has nothing to do with the internet jargon word “spam” meaning unsolicited bulk email. While “spam” (junk email) is bad for internet users, SPAM (Chopped Pork and Ham) is good for internet users. If you have never tasted SPAM, try it today!


Spammer

A sender of Unsolicited Bulk Email (UBE), or “spam”. A person who either knowingly or unknowingly sends UBE is termed a “spam sender”, the short form of which is “spammer”. Also a person who engages in the business of spam, supplying software, hosting, or other materials to enable spamming.

Traditionally it means any person who sends, pays or arranges for someone else to send, or assists someone else to send spam, or otherwise directly or indirectly benefits from spam.

Snowshoe Spamming

STOP PRESS We’ve recently added a new layer to our email filtering engine, Avalanche, that targets the rising threat of Snowshoe Spam.

Like a snowshoe spreads the load of a traveller across a wide area of snow, snowshoe spamming is a technique used by spammers to spread spam output across many IPs and domains, in order to dilute reputation metrics and evade filters. Snowshoers use many fictitious business names (DBA – Doing Business As), fake names and identities, and frequently changing postal dropboxes and voicemail drops. Conversely, legitimate mailers try hard to build brand reputation based on a real business address, a known domain and a small, permanent, well-identified range of sending IPs. Snowshoers often use anonymised or unidentifiable whois records, whereas legitimate senders are proud to provide their bona fide identity.

Some snowshoers use tunnelled connections from their back-end spam cannon to the spam egress IP. The back-end IP address is not in the spam headers. ISPs, you are in a position to detect those back-end spam cannons by checking where traffic flows are coming from. Remember, the tunnelled connection is not necessarily on port 25. Spamhaus always appreciates such information.


Listwashing

Listwashing is the systematic removal of complainants from an illicitly gathered address list with no other action taken to stop spamming the remainder of the list. Listwashing removes spam symptoms without curing the underlying problem. ISPs which simply pass abuse reports on to their spamming customers without investigation or further consequences are aiding in listwashing and spamming.

Listwashing is often done in conjunction with snowshoe spamming and waterfalling to attempt to clean bad lists and improve deliverability, rather than simply using OPT IN address acquisition in the first place. Listwashers nearly always include per-recipient codes in the headers and payload URLs. Together with careful list segmentation, dirty lists can be washed to a clean enough state that some ESPs are willing to risk sending spam by importing those lists.


Waterfalling

A list owner is “waterfalling” when they run the same illicitly obtained address list through a series of ESPs, each time cleaning bounces, complainants and maybe non-respondents, and then hoping to move up to a cleaner ESP with better deliverability. The result still includes spammed addresses but fewer spam complaints to the ESP.


ISP

Internet Service Provider (ISP) is the generic term for providers of all sorts of Internet services: connectivity, bandwidth, mail, DNS, web hosting, etc. Network Service Providers (NSP) and Email Service Providers (ESP) are specific kinds of ISPs. Your ISP is the company you contract with for your Internet services. You should contact them regarding any service problems, including SBL listing!

IP Address

An IP address (Internet Protocol address) is a unique address that devices use in order to identify and communicate with each other on a computer network utilizing the Internet Protocol standard. The format of an IP address is a 32-bit numeric address written as four numbers separated by periods. Each number can be zero to 255. For example, could be an IP address.

An IP address can appear to be shared by multiple client devices either because they are part of a shared hosting web server environment or because a proxy server (e.g., an ISP or anonymiser service) acts as an intermediary agent on behalf of its customers.

IP addresses are managed and created by the Internet Assigned Numbers Authority. IANA generally assigns super-blocks to Regional Internet Registries, who in turn allocate smaller blocks to Internet service providers and enterprises.


DNSBL

Domain Name System Block List – a list of IP address ranges or other information compiled as a DNS zone. Information in DNS format is easy to query and transport, and its small answers are very “light” on bandwidth overhead (UDP vs. TCP). A DNSBL of domain names is often called a URIBL, Uniform Resource Indicator, although there are numerous such lists written under other names.

Block, Blocking

noun: A range of IP addresses is a “block” or subnet, often expressed in CIDR notation. verb: An action taken by an ISP or network to prevent unwanted traffic from entering its private servers, including mail servers.


Tagging

Some spam-filtering systems add a “tag” to the headers of messages which have a high spam-score, such as “X-Filter: yes” or “[spam]” in the Subject. The user can then have their mail client filter those to a quarantine, or delete them sight-unseen. Many of those filtering systems include Spamhaus lists as part of their scoring.

Bouncing, Rejecting

“Bouncing” or “rejecting” refer to the two courses of action a server may take when it detects undeliverable or unwanted mail. In the case of spam, bouncing is very undesirable because most spam has forged headers, and the bounce is sent on to an innocent third party who is often the target of a malicious “bounce bomb” attack.

Bouncing refers to the receiving server accepting the message, then post-processing it, deciding it is bad or undeliverable, and creating a new message to the “envelope” MAIL FROM (or sometimes other choices of “return path” for poorly implemented mail servers). Bouncing for any reason is becoming less and less acceptable, and bouncing due to spam is simply spamming someone else.

Rejecting refers to a realtime message delivered by the receiving server during the SMTP connection. It consists of a number such as “550” and a message such as “message refused by policy”, most often in response to the sender’s RCPT TO or DATA command. The sender’s server can then safely relay the “Delivery Status Notice” (DSN) back to the sender, resulting in no silently discarded messages. That is a very good feature of using DNSBL-reject mail transfer agents (MTA).
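
The difference between the two, as an added sketch that is not part of the original glossary: a toy receiving server that either rejects during the SMTP session or accepts and bounces later. The addresses, the `LISTED_IPS` set standing in for a DNSBL result, and the function name are assumptions made for illustration.

```python
import re

# Constructed data: the listed client IP stands in for a DNSBL hit, and the
# envelope sender is a forged address belonging to an uninvolved third party.
LISTED_IPS = {"203.0.113.7"}
CMDS = [
    "MAIL FROM:<victim@innocent.example>",
    "RCPT TO:<user@mail.example>",
    "DATA",
]

def smtp_session(client_ip, commands, reject_in_session):
    """Return (replies sent to the client, messages the server generates later)."""
    replies, generated, sender = [], [], None
    unwanted = client_ip in LISTED_IPS
    for cmd in commands:
        verb = cmd.split(":")[0].upper()
        if verb == "MAIL FROM":
            sender = re.search(r"<(.*)>", cmd).group(1)
            replies.append("250 2.1.0 OK")
        elif verb == "RCPT TO":
            if unwanted and reject_in_session:
                # Rejecting: the refusal goes only to the connected client.
                replies.append("550 5.7.1 message refused by policy")
                break
            replies.append("250 2.1.5 OK")
        elif verb == "DATA":
            # Data phase collapsed to one step (354, body, final 250).
            replies.append("250 2.0.0 queued")
            if unwanted:
                # Bouncing: a brand-new message goes to the envelope sender,
                # which in spam is usually forged.
                generated.append({"mail_from": "<>", "rcpt_to": sender})
    return replies, generated

if __name__ == "__main__":
    for mode in (True, False):
        replies, generated = smtp_session("203.0.113.7", CMDS, mode)
        print("reject" if mode else "bounce", replies[-1], generated)
```

In reject mode the server sends nothing of its own; in bounce mode the only party who receives mail is the forged sender.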


Cartooney

Term for a legal threat sent solely in the hope of scaring the recipient. Derives from ‘Cartoon Attorney’. A Cartooney generally contains promises of legal action, often quoting irrelevant or non-existent laws, and is often written by one who has not consulted a real lawyer and has little intention of doing so. More often than not, the Cartooney sender is on the wrong side of the law to begin with.

Sometimes spelled “Cart00ney” to emphasize the comical nature of most Cartoonies, they are often sent anonymously, sent by fictitious lawyers or signed “Legal Department”. Many promise to sue under invented laws such as the “Freedom Of Speech Law” or “International Email Law” and are usually written by spammers reacting to what they consider undeserved censure, being publicly identified or added to spam filter blocklists.


RHSBL

Right-Hand-Side Block List. A type of DNSBL that uses domain names instead of IP addresses.
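
How an IP-based DNSBL and a right-hand-side list are queried, as an added example that is not part of the original glossary. The query-name layout follows RFC 5782; the zone names, the sample records and the `check` helper are constructed for illustration.

```python
import ipaddress

# Constructed zones and records for illustration; not a real blocklist.
IP_ZONE, RHS_ZONE = "dnsbl.example", "rhsbl.example"
SAMPLE_ZONE_DATA = {
    "7.113.0.203.dnsbl.example": "127.0.0.2",          # 203.0.113.7 listed
    "bulk-offers.example.rhsbl.example": "127.0.0.2",  # domain listed
    "9.113.0.203.dnsbl.example": "192.0.2.55",         # bogus answer, e.g. a wildcarded zone
}

def ip_query_name(ip, zone=IP_ZONE):
    """IP list: reverse the address labels and append the zone (RFC 5782)."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")
    else:  # IPv6 is queried nibble by nibble
        labels = list(addr.exploded.replace(":", ""))
    return ".".join(labels[::-1] + [zone])

def domain_query_name(domain, zone=RHS_ZONE):
    """Right-hand-side list: the domain is prepended to the zone unchanged."""
    return f"{domain.rstrip('.').lower()}.{zone}"

def check(name, resolve=SAMPLE_ZONE_DATA.get):
    """Return the list's A-record code, or None when the name is not listed.

    `resolve` maps a name to an IPv4 string or None (NXDOMAIN). In production
    it would wrap a real DNS lookup; here it reads the constructed data above.
    """
    answer = resolve(name)
    if answer is None:
        return None
    # Listings answer inside 127.0.0.0/8; anything else is not a listing.
    if ipaddress.ip_address(answer) not in ipaddress.ip_network("127.0.0.0/8"):
        return None
    return answer

if __name__ == "__main__":
    for ip in ("203.0.113.7", "203.0.113.8", "203.0.113.9"):
        print(ip, "->", check(ip_query_name(ip)))
    print(check(domain_query_name("Bulk-Offers.example.")))
```

Ignoring answers outside 127.0.0.0/8 keeps a misconfigured or expired list zone that answers every query from being read as "everything is listed".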
