
Am I Wasting My Time Reporting Scam and Spam Emails?

Question: You once said that when it comes to email scams, we should just mark it as a scam or spam and move on. But I’ve found websites to report them to, and some email addresses to forward them to, and I’d like to think I’m doing some good. Are you saying that I’m wasting my time reporting email scams directly to these agencies?

Yes.

I don’t believe reporting spam to these sites and services is worth the time and effort. I don’t see any harm in doing it; I just don’t think it helps.

I do want to be very clear, however, that a different type of “reporting spam” is very important, and we should all be doing that.


The war against spam

Spam is more than an annoyance: it’s a battle. For every step you and I and our email providers take to stop or block spam, spammers come up with new tricks and techniques to bypass those steps. As the recipient of a fair amount of spam — perhaps more than most, since I have several “public” email addresses — I see the magnitude of the problem firsthand.

Reporting spam versus reporting spam

You should definitely report spam using the “spam”, “junk”, or equivalent mechanism in your email program or web interface.

Particularly for web-based email services, our collective feedback is how the system learns what is and is not spam. Think of it as a form of crowdsourcing. This information is collected and used to tune what the email service looks for when deciding something is spam and whether or not to automatically place it in your spam folder for you.

The more you report spam in this manner, the better the spam filter gets.

This does nothing to reduce the amount of spam targeting your email address, but the result is that less of it ends up in your inbox, being deflected into your spam folder instead.

Keep doing that. (Just don’t use the “spam” button to unsubscribe from things you asked for; doing so actually hurts other recipients.)

Reporting by submitting or forwarding

The type of spam reporting I feel is useless is that in which you either forward the email to a specific email address or copy/paste the email body or other information into an online submission form.

There’s nothing wrong with doing so — it’s not going to harm you or cause you to get more spam — it’s just not going to help you get less.

I’m fairly convinced the addresses you listed¹ already get so many reports that whatever you’re reporting is just a drop in the ocean. It would be incredibly rare for you to pass along something that hasn’t already been submitted.

Besides, the nature of spam has changed such that these services simply can’t really work reliably.

Spam sources of the past

In the past, the majority of spam came from specific servers that were either owned by or had been compromised by spammers. These servers sent out millions of spam email messages.

The fact that the email came from consistent servers meant it was possible to track them down, and depending on where they were located, shut them down or block them.

That’s when most of these reporting services came into being. By forwarding spam to them, you were helping identify specific sources of large amounts of spam. The services then tracked down the owner, or the owner’s ISP, and had the spammer shut down. If they couldn’t shut them down, they added the IP address of the server to a “black list” which other ISPs then used to block that server.

Unfortunately, this approach is no longer effective.

Why?

Botnets.

Spam now comes from everywhere

Botnets, created by installing malware on millions of computers worldwide, have replaced individual mail servers for sending spam. Rather than sending 10,000,000 emails from one server, a spammer might now send 100 mails from each of 100,000 infected machines.

Your machine could be one of them, and you might not even realize it. (Make sure your anti-malware tools are up-to-date and scanning!)

One hundred thousand machines is an impractical number of machines to track down. Even if it could be done, tracking them down wouldn’t help; spammers would just use other infected machines to continue to send out spam.

As a result, the reporting services you’re asking about can’t really help.

We do hear of botnets occasionally being brought down, but identifying the spam emails doesn’t play a role. Instead, the malware that infected machines in the first place must be tracked down and defended against.

Speaking of bots…

A relatively new entry in the “report spam” arena is the ability to forward a copy of spam to a service of some sort that promises to waste the spammers’ time by using a different kind of “bot” to engage them in a fake conversation for as long as possible.

In my opinion, this is another waste. In fact, it’s akin to fighting spam with spam — you’re causing the internet to be flooded with even more fake email.

I’m also convinced that the spammers will catch on pretty quickly and recognize the bot for what it is: ineffective and easily ignored.

When reporting spam might help

Before I write off reporting completely, though, I do have to add that some agencies — in particular, the FTC (the U.S. Federal Trade Commission) — may do more than just track down servers and IP addresses. The FTC may also look at the content of the message and see if what’s being hawked violates federal law. With enough instances of an issue, I would hope they’d go after the merchant.

Unfortunately, they may not be able to do much even then. Many — perhaps even most — of these scams originate overseas, where the FTC has no jurisdiction.

The bottom line, in my opinion: depending on the spam and the service, forwarding spam to these services has a very small chance of helping.

Lovely spam! Wonderful spam!²

To sum up: I don’t bother reporting spam, other than by using the “spam” or “junk” buttons in my email program.

  • Reporting individual spam emails just isn’t effective.
  • These agencies get plenty of spam on their own, perhaps even using “honeypot” email addresses.
  • I know there are others forwarding their spam.
  • I have better things to do with my time.

I simply choose not to.

If reporting it makes you feel better about spam and scams, and if you’ve got the time, carry on, I suppose. I just don’t believe it makes any difference in stopping spam and scam emails from arriving in our inboxes.


Footnotes & references

1: The original, full question included several example email addresses that I elected not to republish here.

2: Monty Python – Spam

52 comments on “Am I Wasting My Time Reporting Scam and Spam Emails?”

  1. I fully agree with the war against spam. I find that using Gmail is about the best tool for cutting down on the amount of spam that gets to my inbox. But I’m not sure that these “spam control sites” are the best way to fight spam. For instance, a friend of mine runs a publishing effort that also uses email to contact customers once or twice a year. They have run into serious problems because someone (they don’t know who) reported them to one of these sites. The site black listed them and they were no longer able to contact anyone who subscribed to that site. I don’t remember the details, but it made a lot of trouble for them. They contacted the site but they wouldn’t even reconsider their listing or check into why they were black listed. Apparently it’s enough that one person out there somewhere disapproved of an email they received.

    It hardly seems fair to a company to sign up for email information, then when it comes to report them for it.

    Reply
    • I fully agree.
      People need to be careful to mark spam as spam and not mark everything they don’t want as such.
      It makes a terrible mess for everybody.

      Reply
  2. I agree. I don’t think marking an e-mail as spam completely stops it because it’s probably on its way to thousands of other computers. However, the reason I do hit the spam button, is to stop it from repeatedly appearing on MY screen. It helps. Then it’s replaced by others from somebody else. That’s unfortunate and aggravating but that’s computer – email life!
    Thanks for the article.

    Reply
    • However, if you use the Spam reporting feature of Gmail (and other systems) you are doing a LOT MORE than just blocking it from your screen. The software that they have tags the message as spam and if too many people are lazy and do this instead of unsubscribing, it starts to mark those messages as spam and blocking them from all people.

      Only mark REAL SPAM as spam. When the message is from a legitimate site, take the couple minutes it takes to unsubscribe. You may have left your email address when signing up for access at a store’s web site. They may flood you with daily messages, but it is NOT SPAM.

      Reply
      • I agree with this approach as far as it goes. But I’ve found several sites that I knowingly subscribed to but later have unsubscribed because they no longer fill my needs. However, they don’t stop sending their emails even after a week or more and more attempts to unsubscribe. I then feel no sympathy for them and add them to the Gmail spam list.

        Reply
      • Exactly. And it’s very important to not mark things like newsletters you have subscribed to as spam. If a company is following ethical practices they will be using software that lets you unsubscribe. Marking your subscriptions as spam hurts everyone. Take that extra minute to unsubscribe from things correctly. We are all in this together and participating in a healthy way is good for everyone.

        Reply
      • Being a teacher, I get lots of emails from book companies. Many come from the book companies getting my email from the university website or because I ordered a book from them. My opinion on that is unless I specifically ask for their mailings or give them permission by ticking a box, it’s spam. It may not fit some people’s definition of spam, but I feel that they deserve to be blacklisted if they don’t get permission to send me email.

        Reply
  3. I use Thunderbird to manage my email addresses. When I mark an email as “junk,” Thunderbird’s term for spam, does that information get back to my email provider or is it just used locally by Thunderbird?

    Reply
  4. I generally just mark any spam that gets through my filter and move it to the spam folder.
    I DO report phishing emails to the entity they are spoofing. Most major companies that are spoofed have addresses to forward the phishing emails to.
    I don’t do this for my benefit but for the benefit of the companies that are being spoofed.

    Reply
  5. Very interesting – about a week ago the count in my spam folder dropped from a couple dozen a day to a couple emails a day. This is for a very old email address through MS and that I relegated to more-susceptible contacts many years ago. My other address spam-counts have not changed. You think I would be happy but I’m also a little worried about what unknown thing has happened.

    Also, some long time subscriptions to businesses have started showing in spam instead of inbox.

    Puzzled. I’m curious if anyone else has experienced this.

    Reply
      • “Maybe Outlook.com finally got it right.”??? Outlook.com has always done a great job in removing spam. Sometimes too well. Unfortunately, in their over-aggressiveness, they tend to mark a lot of wanted emails as spam. I’ve even been a victim of having my whole email service provider’s domain blocked by Hotmail. I wrote many messages on the Hotmail forum about it and wrote to several computer gurus about it. I finally contacted Mary Jo Foley through ZDnet and she was able to get Microsoft to fix it.

        Reply
  6. I was using one e-mail program that allowed users to send fake return to sender notices. It would mimic a message that says the e-mail address is no longer valid. I believe this is also ineffective. Also, depending on the number of spam received, it may take longer than to forward them to various addresses.

    Reply
    • To summarize what the article describes:

      Reporting spam #1: pressing the “this is spam” or “junk” buttons in your email program or interface. This is OK, and valuable.

      Reporting spam #2: forwarding spam email messages to some agency that promises to track down the spammers. This is pointless.

      Reply
  7. If you are on a spammers’ mailing list you probably will have received one or more “Nigerian scam” messages. They are thought to originate in Nigeria, though all the ones I have received come from a server in Japan.

    The author pretends to be a high U.S. government official or perhaps an official of the Benin republic who seeks to inform you that a sealed box containing $4 Million is waiting for you at some U.S. airport, and requests that you send your full name and address and perhaps other personal information so that this treasure trove may be delivered to you. Variations include some philanthropist who has decided to make you a donation or some American serviceman who wants you to receive money for him, but all messages come from the same server in Japan. A New Zealand cybersecurity firm named Netsafe has created a chatbot to engage these scammers and waste their time with unproductive chatter. All one needs to do is forward the scam e-mail to me@rescam.org and they will start the dialogue.

    Some people take pleasure in baiting these scammers personally, even to the point of arranging meetings with them. There are a number of videos on this.

    Reply
  8. After considerable effort I am happy to report some success with Amazon Web Services (AWS). Their usual procedure is to send a boilerplate response to a spam complaint and then a week later send another saying that an instance had been found on their servers, but the spam keeps coming. I have found other complaints of this. I finally got results by threatening to make a proposal at a shareholders’ meeting of their parent company, Amazon.

    I have had a 40% success rate in my spam reporting efforts and responses like the following are always gratifying.

    Hello,

    Thank you for taking the time to report this message to the SendGrid Compliance team. Reports like yours make us aware of users who are not following our terms of service, and we greatly appreciate them so that we may take action on your behalf in order to ensure that our services are not being used for the sending of unrequested email. We take user complaints very seriously and do not tolerate spamming.

    Thanks again for sending us this report. If we require additional information we may be in contact with you regarding this report.

    Kind regards,
    SendGrid Compliance

    Reply
  9. I am grateful to Leo for allowing my posts of “do it yourself” spam fighting, using the techniques of SpamCop, despite his opinion that such efforts are not worthwhile.

    I was inspired to take aggressive action against spammers when I started to receive emails from correspondents claiming to be women who had seen my profile on a dating site and suggesting a meeting. A link in the message took me to a site with pictures of bare-breasted women, which I took to be a porn site. I do not have a profile on any dating site and genuine dating sites do not have such pictures.

    The technique involves getting the sender’s IP address from the “Received:” field of the header and looking it up in a database. The most likely ones are ARIN for North America, RIPE for Europe, and APNIC for Asia and the Pacific. One of these will give the identity of the internet service provider and his email address for abuse complaints. Header information is gotten from the “Show Original” link in Gmail and instructions for other email clients can be found online. I forward the spam to this address and attach the full text. Sometimes they will refer me to an online form to fill out.

    In at least one case I have gotten better results than SpamCop. That is the case of Amazon Web Services, which was not taking action against spammers and had asked SpamCop not to send it any more reports. By using rather stiff language I was able to get them to delete a couple of spammers’ accounts. Details are in a previous post.

    Another ISP with a reputation of being spammer friendly was OVH in Paris, France. I was getting a message starting with “This message is from a trusted sender.” There was a large FedEx logo and text saying “Your package could not be delivered because of an incomplete address. Please click this button to reply with your complete street address.” A look at the “Reply to:” field of the header disclosed that any reply would go to fifteen other spammers. Of course I did not reply and they were sending four of these per day. Querying the IP address on RIPE showed that the ISP was OVH. I wrote to them and they referred me to a form. I filled it out and they replied that they could take no action on account of incomplete information. I filled it out again in great detail and they replied that they had deleted the account.

    Maybe word got around. I have had no spam for four days. Previously I was getting two to fifteen a day.

    Reply
    • I agree and disagree at the same time if that makes sense. Anyone thinking that abuse reporting is going to stop spam is ignorant. However, that’s not why I report it. I report it for the sake of the person with the infected computer system or compromised email address (I get TONs of phishing emails from other users of the same email service I use (@Reagan.com), which are probably compromised accounts based on full header information), and I continue to get the scams from the same email addresses until I send something to abuse@rackspace.com (Reagan is a rebranded Rackspace Webmail). It doesn’t stop the scams from coming, but it does alert the affected user that their account is compromised. I usually send something to Rackspace and to the abuse contact for originating IP (which lately I’ve found is usually a server company, though I have seen Comcast, Charter, Cox, and Claro).

      Reply
  10. I am getting several hundred spam emails a month and it seems to be increasing every day.
    I think I am going to just delete my email address and open up a new account, I just give up.

    Reply
  11. The best way to report spam to stop coming in is by reporting to that person’s ISP/Internet provider. In Gmail it’s really easy after opening up the email you click on show original. Once you have done that it will show SPF: there will be an IP Address there IE 192.168.0.0 you can take that IP address and go to whois.arin.net in the search bar put in the IP address of the person who sent you that email. Arin will tell you who the abuse email complaint you sent to is. IE abuse@cox.net, abuse@rr.com, abuse@comcast.net, abuse@charter.net, abuse@amazonaws.com etc. Now it will also tell you if you need to visit another IP registry page. Whois Arin is only for America, Ripe.net is for Europe. Latin America has their own so does Africa and Asia. From there you’ll be able to plug in the IP address and it will give you the abuse complaint box to let them know you are getting spam from one of their customers. Now in order to file the complaint you just need to include the email headers nothing else. If you don’t include the email headers then your complaint will be rejected. In Gmail it’s called show original and you see Delivered-To: and it will be long copy all that compose a new email with the subject of spam coming from your network, to the abuse box of that ISP and paste the email header in the body of the email and send it off. It really helps cut down on spam coming to your email box. I have pretty much gotten mine to almost be nonexistent.

    Reply
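The header-reading step that comments 9 and 11 describe, as an added example (not code from the article or from any commenter). It generalizes the manual procedure slightly: "Received:" lines are prepended by each server, so only the ones written by your own mail provider can be trusted, and anything below the first outside hop may be forged. The trusted suffix `example.com`, the function name and the sample headers are assumptions; the documentation-range addresses stand in for public IPs.

```python
import ipaddress
import re
from email import message_from_string

# Addresses that never identify a sender on the public internet.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918 private
    "127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10",  # loopback, link-local, CGNAT
    "::1/128", "fc00::/7", "fe80::/10",                # IPv6 equivalents
)]

RECEIVED_RE = re.compile(r"^from\s+(?P<src>.*?)\s+by\s+(?P<by>[^\s;]+)", re.I)
BRACKET_IP_RE = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")

# Constructed sample: recipient's provider is example.com (an assumption).
# The last Received line is a forgery that claims to come from that provider.
SAMPLE = """\
Delivered-To: reader@example.com
Received: from mx-in.example.com (mx-in.example.com [10.1.2.3])
        by store.example.com with LMTP; Tue, 2 Jan 2024 18:00:05 +0000
Received: from mail.relay.example (mail.relay.example [203.0.113.25])
        by mx-in.example.com with ESMTPS; Tue, 2 Jan 2024 18:00:04 +0000
Received: from [192.168.0.14] (unknown [198.51.100.77])
        by mail.relay.example with ESMTPA; Tue, 2 Jan 2024 18:00:00 +0000
Received: from bank.example ([192.0.2.200])
        by mx-in.example.com with ESMTP; Tue, 2 Jan 2024 17:00:00 +0000
From: "Parcel Service" <notice@example.net>
Subject: Your package could not be delivered

(body omitted)
"""


def public_ips(from_clause):
    """Bracketed IPs in a 'from' clause, minus private/loopback/link-local ones."""
    found = []
    for raw in BRACKET_IP_RE.findall(from_clause):
        try:
            ip = ipaddress.ip_address(raw)
        except ValueError:
            continue  # bracketed text that is not an IP address
        if not any(ip in net for net in NON_ROUTABLE):
            found.append(str(ip))
    return found


def is_trusted(host, suffixes):
    return any(host == s or host.endswith("." + s) for s in suffixes)


def abuse_report_ip(raw_message, trusted_suffixes):
    """Return (ip_to_look_up, unverified_ips).

    ip_to_look_up is the address that handed the message to the trusted
    provider; unverified_ips come from headers the sender could have written.
    """
    msg = message_from_string(raw_message)
    report_ip, unverified = None, []
    chain_trusted = True
    # get_all() yields headers top-down, i.e. most recent hop first.
    for value in msg.get_all("Received", []):
        match = RECEIVED_RE.match(" ".join(value.split()))  # unfold the header
        if not match:
            continue
        by_host = match.group("by").lower().rstrip(".")
        ips = public_ips(match.group("src"))
        if chain_trusted and is_trusted(by_host, trusted_suffixes):
            if ips:
                report_ip = ips[-1]  # deepest hop still recorded by a trusted server
        else:
            chain_trusted = False    # everything from here down is sender-controlled
            unverified.extend(ips)
    return report_ip, unverified


if __name__ == "__main__":
    ip, rest = abuse_report_ip(SAMPLE, ["example.com"])
    print("look up in registry WHOIS:", ip)
    print("not verifiable, do not report on these alone:", rest)
```

The first value is the address to query at ARIN, RIPE, APNIC or the other registries the comments mention; a result of `None` means the headers held only private addresses such as 192.168.x.x, which no registry can map to an ISP.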
  12. I disagree somewhat with the reporting issue. I get tons of spam because I am an IT person and most of it I just delete. However the ones that state I have an “inheritance” or “fund” or some other ridiculous amount of money due me (which I know is false) OR the ones that state I will be arrested if I don’t pay some bogus debt which I do not owe, I DO report those. Especially that last kind because they are usually threatening. I scrutinize the email header to try to see what email account it originated from. Once I do that, then I will report that email to whoever owns the account….Microsoft, Google, Yahoo or whoever. I usually will get a reply first stating they received my complaint and fake email but many times I’ve received a follow up email that stated they did investigate the email I sent and they discovered it violated their terms of agreement so they shut down that email account. Granted, I realize once this is done, the spammer will just open up another email account and continue but at least I know that maybe I did something that at least inconvenienced the person that sent that email just as much as that email annoyed me. Anyway I say if you have the time do report offensive spam.

    Reply
  13. I do take the tactic of John by reporting spam as abuse to various internet providers. GoDaddy is pretty good at shutting down a site, but unfortunately they just come from another. If you can make life a bit more inconvenient on these parasites, good.

    I have found one way of getting rid of some spam is to use social media. This works for some of the national companies that farm out email marketing. Two examples are a window blind company and a home security company. I went to their Facebook page and posted on their profile and used Messenger to complain about these tactics. In another case, I received seven spam messages in a four hour span. I took a screen shot of my inbox, cropping out my info and asked them if they were proud of their marketing efforts. I also told them that if I ever needed their type of service, that they would be immediately ruled out. They did ask for my email and got me off the list. If enough people did this, it would at least give some legitimate companies pause to better scrutinize their email vendors. It won’t help with fly-by-nighters; but can cut down on some.

    Reply
  14. I would like your opinion on automatically forwarding spam and any issues that can arise because of it. We have a work domain that receives lots of spam. We have recently upgraded to a new spam filter that gets most of it. I do wonder what happens to the spam that does get through, however. We have a few email addresses that are for the group that then get sent out to individual members. One of those members automatically forwards all of the emails to a personal account ( @oh.rr.com domain). My question is does the forwarding of the spam cause any negative consequences to my domain? I worry if the spam gets through, and then he marks it as spam from our domain in his personal server, does that give the other emails from our domain a “negative” rating? Or is it just on his personal account? Or is there any trigger that forwarding the email makes the initial domain email a more likely spam target?

    Reply
    • Forwarding spam is a bad idea. I’ve experienced this myself. (I used to forward all email from @askleo.com to my gmail account.) The problem is that it makes it look like your server (askleo.com in my case) is sending spam. And yes, that can impact its reputation. In my case it means that forwards were throttled, and in the worst cases, blocked. The solution in my case was to not forward from askleo.com to gmail, but rather have gmail do a POP3 pickup from askleo.com. Problem solved.

      Reply
  15. I know I’m late to the party here but thought it worth mentioning that spam phone calls have gotten just as bad as spam email. I NEVER answer mine any longer. As sure as I do, I either get one of those aggravating hangups or some telemarketer blithering on about something I can’t possibly live without.

    I installed a call blocker allowing only a couple of exceptions and everything now goes to voice mail. My voice mail greeting informs them in a cheery voice that I’m currently out time traveling but if they’ll leave a message, their credit card, and pin number, I will gladly call them back yesterday.

    The bots just hang up but it’s funny to hear an actual human’s reaction to the message. LOL

    It totally ticks me off that I have to pay for this bloody phone but the scammers and spammers get to use it more than I do.

    Reply
  16. As a developer for over 100 websites, I have extensive experience dealing with and tracking ip addresses and a substantial list of agencies behind spam. Is there a public forum to share these contact details with the public so they know who are behind a majority of the spam out there which is US based?

    Reply
  17. I say report them. For you, at the moment it’s pointless, but in this age of ‘Big Data’ more data sets help the filters (hang on for the BS buzzword bingo) AI and Machine Learning algos do a better job. Think of it as trickle down theory.

    Reply
    • But “the filters” aren’t helped by forwarding the messages to some email address. But the “Report SPAM” button DOES. That’s why the article says that, yes, you should always use the report spam button. Forwarding spam to some address is pointless.

      Reply
      • I disagree based on experience, Leo.
        At least as far as Gmail is concerned. I’ve been reporting the same spam emails from the same senders for MONTHS and there has been no change whatsoever, so Google’s filters either aren’t making use of my ‘report spam’ notices or the function is equivalent to a bit bucket.
        I now think it’s a waste of time and effort, again at least as far as Gmail is concerned.
        My guess is the Gmail service has gotten too big (too many clients) to handle the volume and ultimately little to no difference is made.

        Reply
  18. I know this is an older story but something needs to be added for those who still read it.
    When using Outlook and I block spam it slows down the amount of spam I get.
    If I report any of them as phishing my inbox gets flooded with more phishing and general spam. Even from email addresses that I have previously blocked.
    Someone who works for Hotmail and investigates phishing doesn’t like doing their job. This person/these people are punishing us for making them do their jobs.

    Reply
  19. I get loads of the spam, the issue I have is some legitimate mail gets put in as well, so I have to manually filter it all and add addresses in as safe senders. Outlook has or had a maximum limit of 5,000 usernames or 500 domains but doesn’t give the option to block a domain or use wildcards when base usernames or base domains with extraneous characters keep sending. Making manual adjustments every time is very time consuming. We and MS know how it works so give us the tools to simplify the blocking process and also auto flag as phishing rather than me reporting and the blocking in 2 steps.
    These users, some are smart and use a VPN but most are not, have a DHCP address and that identifies an ISP, I am not confident that action is being taken by or against ISPs that allow this type of activity, as soon as they get their traffic rejected they lose money and that really concentrates their minds on taking action, money talks. Let us see it start talking.

    Reply
  20. SPAMCOP does not do shit. 99% of the emails don’t get any action from anyone especially the ISPs they report them to. The only site the original ISP and don’t go after the email accounts of the users who send the spam out.

    Who knows, maybe they are even feeding the spammers new mail email accounts to spam.

    Reply
    • Generally “after the email accounts of the users who send the spam out” have been forged and they are NOT the people actually sending the spam. It’s just not that simple. Anyway, reporting those people would a) punish the totally innocent and b) accomplish nothing.

      Reply
  21. SPAMCOP is useless and may actually be feeding email addresses to spammers. They will not forward spam to Gmail, Google, Amazon.com, Amazonaws.com and many others (the previous are 80% of the spam generators). They just “file for reference” which is useless to everyone. Years ago I created a fake email address and ONLY used it on SPAMCOP. Within a month I started to receive spam at that address and the only explanation was that SPAMCOP sent them the address to add to their list of emails to spam.

    Reply
  22. I use Outlook email. I get one or two emails everyday from a place claiming to be Microsoft. And everyday I report the emails as phishing. This has been going on for a year+++. Surely if Microsoft were serious, they could stop phishing claiming to be them…but they either can’t or don’t.

    Reply
