Sugarplum -- spam poison

What is Sugarplum?

Does this answer your question? :)

Sugarplum is an automated spam-poisoner. Its purpose is to feed realistic and enticing, but totally useless or hazardous data to wandering address harvesters such as EmailSiphon, Cherry Picker, etc. The idea is to so contaminate spammers' databases as to require that they be discarded, or at least that all data retrieved from your site (including actual email addresses) be removed.

Sugarplum employs a combination of Apache's mod_rewrite URL rewriting rules and perl code. It combines several anti-spambot tactics, including fictitious (but RFC822-compliant) email address poisoning, injection with the addresses of known spammers (let them all spam each other), deterministic output, and "teergrube" spamtrap addressing.

Sugarplum tries to be very difficult to detect automatically, leaving no signature characteristics in its output, and may be grafted in at any point in a webserver's document tree, even passing itself off as a static HTML file. It can optionally operate deterministically, producing the same output on many requests of the same URL, making it difficult to detect by comparison of multiple HTTP requests.
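
The deterministic mode described above, sketched as an added example (this is not Sugarplum's own Perl code). It assumes the per-URL randomness is derived from an HMAC of the request path under a site secret; the word list, SECRET value and function names are all hypothetical.

```python
import hashlib
import hmac
import random
from email.utils import formatdate

# Constructed sample vocabulary; a real deployment would draw on a large dictionary.
WORDS = ["amber", "birch", "copper", "delta", "ember", "fjord", "garnet",
         "harbor", "indigo", "juniper", "kestrel", "lantern", "meadow"]
TLDS = ["com", "net", "org"]
SECRET = b"per-site secret (placeholder)"  # assumption: keeps output unpredictable to outsiders


def _rng_for(path, secret=SECRET):
    """Derive a PRNG whose state depends only on the secret and the URL path."""
    digest = hmac.new(secret, path.encode("utf-8"), hashlib.sha256).digest()
    return random.Random(int.from_bytes(digest, "big"))


def poison_addresses(path, count=5, secret=SECRET):
    """Return the same fictitious, syntactically valid addresses for the same URL."""
    rng = _rng_for(path, secret)
    out = []
    for _ in range(count):
        local = rng.choice(WORDS)              # dictionary-style username
        if rng.random() < 0.5:
            local += rng.choice([".", "_", ""]) + rng.choice(WORDS)
        if rng.random() < 0.3:
            local += str(rng.randint(1, 99))
        domain = rng.choice(WORDS) + rng.choice(WORDS) + "." + rng.choice(TLDS)
        out.append(f"{local}@{domain}")
    return out


def last_modified(path, secret=SECRET):
    """Repeatable Last-Modified value: one fixed past date per URL."""
    rng = _rng_for("lm:" + path, secret)
    epoch = 946684800 + rng.randrange(0, 3 * 365 * 86400)  # constructed window from 2000-01-01
    return formatdate(epoch, usegmt=True)


def render(path):
    """Build the page body; repeated requests for one URL compare as identical."""
    links = "\n".join(f'<a href="mailto:{a}">{a}</a><br>' for a in poison_addresses(path))
    return f"<html><body>\n{links}\n</body></html>"
```

Because nothing in the output depends on time or request count, two fetches of the same URL cannot be told apart by diffing, while each distinct URL still yields a different set of addresses.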

Sugarplum is free software, distributed under terms of the GPL.


Thursday, 09/25/2003: As has been widely noted already, ten days ago Verisign (the most prominent domain registrar in US TLDs, and a chronic abuser of its position) started issuing wildcard responses in the .com and .net TLDs, presumably trying to profit off mass-typosquatting by selling ad space and accumulating statistical data on the traffic to common typo-domains. While it's an incredibly stupid and greedy idea, this has an interesting side effect -- because nearly any randomly generated .com/.net domain now resolves to an IP, poison addresses become somewhat more effective -- where previously a dual MX/A-record lookup was required to test for poison, now it requires a comparison against any IPs served up by Verisign for the wildcards as well, something no address harvester is/was equipped to do.

Wednesday, 05/07/2003: Something way out of left field: I ran across an essay written by a Neil Hennessy in 2001; it seems he was quite taken with Sugarplum's randomized-language output, which corresponds to some degree with a particular poetry genre. Describing it, he explains "Sugarplum confounds the readers fetish for reference by planting imaginary email addresses, preventing the reader from reaching beyond language to anchor itself in a proper name from the extralinguistic world." It also seems to have been included in a stage performance of some sort. I'm, er, flattered. :)

Tuesday, 04/01/2003: Here's 0.9.10, with some features/fixes to the deterministic mode as reflected across multiple hosts in various ways.

Wednesday, 03/19/2003: The Center for Democracy and Technology released a report on a study they performed of how email addresses fall into the hands of spammers and what happens next. Most of the results are unsurprising, but they note that in their tests 98% by volume of the spam observed was sent to addresses harvested from the web (note that they weren't using test addresses susceptible to dictionary attack). Notably, there appeared to be a strong correlation between the popularity (term undefined) of a site on which an address appeared, and the quantity of times it was then spammed. It'd be really nice to see some of these high-popularity sites start setting out poison -- to date this has usually been done only by those with relatively low traffic and specialized topics.

Saturday, 02/01/2003: Sugarplum 0.9.9 is available. Minor bugfix release; see the changelog.

Friday, 09/27/2002: Sugarplum 0.9.8 is available. This is a major revision, based on a "two years hence" review of evolved spammer tactics, countermeasure viability, and various public feedback. This release is much quicker, easier to install and maintain, and about half the size. See the changelog for details.

Thursday, 05/30/2002: I've gotten a couple of inquiries whether Sugarplum is still being maintained. The answer: nothing new has been added lately, since Sugarplum is pretty much feature-complete. There's not much to add. Sugarplum hasn't fallen to bit-rot; it still runs under the versions of perl, Apache, Linux and GDBM current as of this writing.

Thursday, 12/28/2000: Sugarplum 0.8.4 is available for download. This release incorporates some bugfixes and feature suggestions, most notably teergrube (tarpit) "bait" addresses and a new "deterministic" mode.

Sunday, 11/25/2000: Following the 0.8.3 announcement, Sugarplum was posted to Slashdot. This yielded lots of suggestions, a few patches, and a great deal of load for my feeble 128k outbound link. :)

Wednesday, 11/22/2000: Sugarplum 0.8.3 is in the download area. New features include repeatable Last-Modified headers, dictionary generated usernames and a few other minor adjustments.

Tuesday, 7/13/1999: Today I happened across a piece of filtered-out spam in a purge queue commenting on its lists' immunity to spam poisoners. Excerpt and commentary here.

Friday, 6/4/1999: Sugarplum 0.8.2 is in the download area. This version fixes a few minor bugs and adds a few minor features. Specifics in the changelog.

Tuesday, 6/3/1999: Sugarplum 0.8 receives a shiny "5 penguin" rating from Linuxberg. Whee. Glancing at linuxberg's "what's new" page, I note that as much as a third of the software posted there has received the same rating.

Suggestions, comments, bugfixes, etc. are most welcome.

Devin Carraway <sugarplumA@TdevinDO.Tcom>
Last modified: Tue Apr 1 04:29:52 PST 2003
