Live Direct Marketing logo
Inbox Placement Test
List hygiene10 min read

Spam traps: how one bad address ruins your domain

A single hit on a Spamhaus pristine trap can blacklist your sending domain across the global internet within an hour. There are three trap types, three ways they enter your list, and exactly one effective defence — and it isn't verification.

Spam traps are the deliverability equivalent of stepping on a landmine. They look like normal email addresses, accept mail normally, and produce no bounce. But when you send to one, you've tagged yourself as a sender who didn't obtain consent — and the operators of the trap (Spamhaus, Validity, major ISPs) act on that signal hard. A single hit on a pristine trap can put your domain on the Spamhaus DBL within hours.

TL;DR

Three trap types: pristine (never used, planted by trap operators), recycled (formerly real addresses now repurposed as traps), and typo (common typos of real addresses). Get them through scraping, purchasing lists, and not maintaining the list. Verifiers catch some but not all. Sunset policy is the only complete defence.

Pristine traps

Addresses created by trap operators (Spamhaus, Validity, Microsoft, Google, others) for the explicit purpose of catching senders who don't obtain consent. They:

  • Are planted in places only scrapers would find them — buried in HTML comments, in obscure pages, in semi-public databases.
  • Have never opted in to anything.
  • Have never sent any mail (so they don't appear in any legitimate exchange).
  • Hit you the first time you send — they don't need repeat offences to flag you.

Pristine traps are the deadliest. A single hit signals to the trap operator that you scraped or bought addresses, and listings on Spamhaus, URIBL or DBL can follow within minutes. Once listed, your domain's sends to participating providers (which is most of them) are routed to spam or rejected outright.

Recycled traps

Addresses that were once real, used by real people, and have been abandoned. After a long inactivity period (typically 6-24 months), the ISP may convert them to spam traps. Mechanism:

  1. Original user stops using the address.
  2. ISP eventually disables the mailbox; mail bounces with User unknown for some period.
  3. ISP re-enables the address as a trap. Now it accepts mail again — but every send signals that the sender hasn't maintained their list.

Recycled traps are common at consumer providers (Yahoo, Hotmail/Outlook). They catch senders who buy old lists, fail to act on bounces, or never sunset inactive contacts.

Typo traps

Common typos of major mail providers, registered as catch-alls by trap operators:

  • gmial.com instead of gmail.com
  • yaho.com instead of yahoo.com
  • hotmial.com instead of hotmail.com
  • aol.co instead of aol.com
  • And dozens more mis-spelt provider domains

Real users type these wrong all the time on signup forms. Without real-time validation, the wrong addresses enter your list. The trap operators harvest them and use them to identify bulk senders who didn't verify input.

Typo traps are the easiest to defend against — real-time signup validation catches them immediately. Yet most signup forms still accept them silently.

Who runs the traps

  • Spamhaus. Best-known. Their listings (SBL, DBL, XBL) are referenced by most enterprise mail systems. Pristine trap hits feed directly into DBL listings.
  • Validity (formerly Return Path). Operates Sender Score and proprietary trap networks. Used heavily by Microsoft and enterprise ESPs.
  • SURBL / URIBL. URL-focused but include sender-tracking components.
  • ISPs themselves. Microsoft (Outlook.com), Google, Yahoo, Comcast, Mail.ru, Yandex all run internal trap networks. Their listings are private but affect placement on their properties.
  • Major ESPs. Many ESPs maintain seed-trap networks internally to protect their shared IP reputation. Hitting their internal traps gets your account suspended quickly.

How traps end up on your list

  1. Scraping. Web-scraping email addresses from public pages, LinkedIn, GitHub, etc. Pristine traps are heavily planted in scrape targets.
  2. Purchased lists. The list seller bought from someone who scraped, who bought from someone who got hold of it via breach. Typical purchased B2C list contains 5-15% trap density.
  3. Old / inherited lists. Acquiring a list from a previous campaign, employee, or merger without re-validation. Recycled traps accumulate over time in such lists.
  4. Form submissions without validation. Typo traps enter this way. Also bots filling forms with random addresses.
  5. List rentals / co-marketing. Renting access to someone else's list is technically distinct from buying, but the trap density problem is identical.
One trap hit can cost months

A single Spamhaus DBL listing requires you to: stop sending, identify the source of the hit, clean the list, request delisting (Spamhaus may take days), then resume warming. The domain reputation hit can take weeks more to recover. The total cost of one trap hit on a previously-clean domain runs 1-3 months of normal sending volume.

Why verification doesn't catch all traps

Verifiers maintain databases of known traps. They're useful, but limited:

  • Pristine traps are by design known only to the operator and to the spammers who've already hit them. Verifier databases capture some but not all.
  • Recycled traps look indistinguishable from real-but-inactive addresses to an SMTP probe. Verifier may flag as "risky" but won't definitively detect.
  • Typo traps are usually catch-all domains — every probe succeeds. Detection requires recognising the typo pattern, which the better verifiers do, but not all.

Run verification, but don't treat it as complete protection.

Sunset policy is the real defence

Recycled traps come from inactive addresses that you've kept on your list past their useful life. A 90-180 day sunset policy on inactive contacts removes them before they get repurposed as traps. This is the only complete defence against the recycled-trap class.

For pristine and typo traps, the only complete defence is to not let them onto your list in the first place: never scrape, never purchase, validate every signup in real-time.

Signs you've hit traps

  • Sudden drop in inbox placement at one or more major providers.
  • Spamhaus DBL listing on your sending domain — check at spamhaus.org/dbl.
  • Bounce messages from recipients citing "policy rejection" or referencing blocklist URLs.
  • ESP account suspended or warned.
  • Sender Score (Validity) drops sharply — often before any public listing.
  • Postmaster Tools at Gmail shows IP/domain reputation collapsing.

Recovery after a trap hit

  1. Stop sending immediately. Don't add fuel to the fire.
  2. Identify the source — recently added contacts, recently imported list, scraping batch. Quarantine that source.
  3. Run the entire list through verification. Suppress all flagged.
  4. Apply aggressive sunset (60-90 days inactivity). Suppress all unengaged.
  5. If listed on Spamhaus or other public blocklist, request delisting only after cleanup is complete.
  6. Restart with low volume, engaged-only segments. Re-warm the domain over 4-8 weeks.
  7. Consider switching IPs (or sending domain) if reputation damage is too severe to recover quickly.

Practical anti-trap rules

  • Never scrape addresses. Ever.
  • Never purchase lists. Ever.
  • Real-time validation on every signup form.
  • Confirmed opt-in (double opt-in) where business model allows.
  • 90-180 day sunset on inactive contacts.
  • Quarterly bulk validation.
  • Monitor blocklist status weekly.
  • Watch Postmaster Tools daily during high-volume periods.

Frequently asked questions

If I get listed on Spamhaus, will delisting fix me?

Delisting removes the immediate block but the underlying reputation damage at Gmail/Outlook persists. Cleanup work has to happen first; delisting is the last step. Fully recovering inbox placement after a Spamhaus hit typically takes 4-8 weeks.

Can I tell if a specific address is a trap before sending?

Verifiers catch known traps. Pristine traps planted recently or in obscure locations may not be in any database. There's no perfect way to identify a pristine trap from inspection alone — your defence is in collection practices, not detection.

Are there spam traps on B2B domains, or only consumer?

Both. B2B-focused trap operators (Validity especially) plant traps that look like role accounts (info@, sales@) at real-looking corporate domains. Don't assume B2B is safer — list-purchase abuse is rampant in B2B too.

What's the safest way to grow a list quickly?

Paid lead capture with double opt-in, content marketing with email-gated assets, and partnerships where the partner's subscribers explicitly opt in to your sends. All three keep trap density near zero. Speed of growth is slower than buying — but the list is usable.
Related reading

Check your deliverability across 20+ providers

Gmail, Outlook, Yahoo, Mail.ru, Yandex, GMX, ProtonMail and more. Real inbox screenshots, SPF/DKIM/DMARC, spam engine verdicts. Free, no signup.

Run Free Test →

Unlimited tests · 20+ seed mailboxes · Live results · No account required