Using Email Aliases as a Basic Honeypot

As part of my ongoing #infosec #research, I set up an email aliasing service using SimpleLogin to better understand how publicly available email addresses are being used and abused online.

As a cybersecurity professional, I wanted to study the behavior of companies and spammers when exposed to a publicly available email address. I created an alias specifically designed to act as a honeypot—a trap to attract spam and malicious emails. I made my LinkedIn email address publicly accessible with the intention of gathering data on unsolicited messages and the sources they came from.

What is SimpleLogin?

Before diving into the results, it’s important to explain how SimpleLogin works. SimpleLogin is an email aliasing service that allows you to create multiple email addresses that all forward to your primary inbox. This tool provides an extra layer of security by protecting your real email address from exposure. By creating disposable email aliases, you can control which services contact you and deactivate any alias if it starts attracting spam. This makes SimpleLogin a valuable resource for protecting personal data in a world where privacy is increasingly compromised.

The Cybersecurity Experiment: Setting the Honeypot

To my surprise, instead of receiving just generic spam or malicious phishing attempts, I started receiving marketing emails from local companies, including some from cybersecurity firms—companies that should know better. This was unexpected, given that the email address was never shared with any legitimate businesses. The results of this honeypot show that even industries focused on protecting data may not always adhere to best practices when it comes to marketing.

Spam Report

| Source | Type | Percentage |
|---|---|---|
| Australian Companies | Marketing | 43% |
| Foreign Companies | Marketing | 27% |
| Unknown Sources | Malicious | 30% |
| | Legitimate | 3% |
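
One way to produce a first-pass tally like the report above from the raw messages delivered to a honeypot alias. This is an added example, not the script used in the experiment. The sample messages are constructed, and the two heuristics (a `List-Unsubscribe` header marks marketing mail, a sender domain ending in `.au` marks an Australian sender) are assumptions; deciding that a message is legitimate or malicious still needs manual review.

```python
import email
from collections import Counter
from email.utils import parseaddr

# Constructed sample messages, not mail from the experiment.
SAMPLES = [
    "From: Deals <news@shop.example.com.au>\n"
    "List-Unsubscribe: <https://shop.example.com.au/u>\nSubject: Sale\n\nHi\n",
    "From: sales@vendor.example.com.au\n"
    "List-Unsubscribe: <mailto:unsub@vendor.example.com.au>\nSubject: Demo\n\nHi\n",
    "From: Growth Team <hello@saas.example.com>\n"
    "List-Unsubscribe: <https://saas.example.com/u>\nSubject: Webinar\n\nHi\n",
    "From: Accounts <billing@invoice.example.net>\nSubject: Overdue invoice\n\nSee file\n",
    "Subject: You have won\n\nReply now\n",  # no From header at all
]

def sender_domain(msg):
    """Return the domain of the From address, or '' if absent or unparseable."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def classify(raw):
    """Bucket one raw RFC 5322 message using the assumed heuristics."""
    msg = email.message_from_string(raw)
    domain = sender_domain(msg)
    # From is sender-controlled and can be spoofed, so this is triage only.
    if not domain or msg.get("List-Unsubscribe") is None:
        return "Unknown source (review manually)"
    if domain.endswith(".au"):
        return "Australian company (marketing)"
    return "Foreign company (marketing)"

def report(raw_messages):
    """Return {category: whole-number percentage} for the given messages."""
    counts = Counter(classify(m) for m in raw_messages)
    total = sum(counts.values())
    return {label: round(100 * n / total) for label, n in counts.items()}

if __name__ == "__main__":
    for label, pct in report(SAMPLES).items():
        print(f"{label}: {pct}%")
```
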

Violations of Cybersecurity and Data Privacy Laws

While many of these emails came with unsubscribe buttons, there’s a significant issue here: I never opted in to receive them in the first place. Under the Spam Act 2003, it is illegal for companies to send marketing emails without explicit consent. This act is a core part of protecting consumer data and privacy in Australia. However, many of these companies, including some in the cybersecurity industry, were in clear violation of this law.

What was even more revealing was how sloppy some of these emails were. In one instance, I noticed that the unsubscribe section of an email finished with a stray quotation mark (“), which clearly indicates it was copy-pasted without proper editing. This kind of detail reflects poorly on the companies that sent these emails and undermines their credibility.

AI in Spam

Another key takeaway from this experiment is how AI-generated content is being used in marketing emails. Some of the emails I received were partially written using AI tools like ChatGPT.

As part of this blog post, I’ve generated one of the paragraphs using ChatGPT. Can you identify which paragraph it is? This exercise illustrates how difficult it can be to distinguish between AI-generated content and human writing. The growing use of AI in marketing and communications could make it easier for malicious actors to mask phishing attempts, making it harder for both users and cybersecurity systems to detect suspicious activity.

Data Protection and Vigilance Are More Important

This experiment is a stark reminder of the importance of protecting your data—not just as an individual, but as part of a comprehensive cybersecurity strategy. Email addresses are valuable targets, and exposing them publicly increases the risk of both legitimate and malicious use. As this honeypot experiment showed, even companies that should prioritise privacy can misuse your data for unsolicited marketing, often violating data protection laws.

The rise of AI-generated content also adds another layer of complexity to cybersecurity. AI-driven emails, whether for marketing or malicious purposes, are becoming more sophisticated, which means security measures must evolve to detect and mitigate these new threats. Email aliases, like those provided by SimpleLogin, are one effective way to maintain control over your inbox, while also protecting your identity from malicious actors.

In the broader cybersecurity context, protecting sensitive data is more critical than ever. By employing email aliases, regularly reviewing your privacy settings, and staying vigilant against AI-enhanced spam, both individuals and organisations can maintain better control over their digital security landscape.