Managing the flood.
Everyone gets spam — no exceptions.
Those who aren’t getting it now, will, and those only getting a little will eventually get more.
I get hundreds of spam messages every day. That may be at the high end of the average range, but it’s not uncommon.
What’s a poor user to do?
Become a Patron of Ask Leo! and go ad-free!
Getting rid of spam
Spam cannot be stopped, only managed. This means spam gets routed to your spam or junk folder, and only legitimate email appears in your inbox.
- Learn the nuances of your available spam filters.
- Learn how to use an allow-list.
- Protect your primary email address.
- Check regularly for false positives.
- Mark any spam in your inbox as spam.
- Never mark email you’ve asked for as spam.
- Consider a spam filter with a good reputation, like Gmail.
You can’t stop spam
Even after all this time, there is no solution guaranteeing you’ll get:
- Only the email you want.
- All the email you want.
- None of the email you don’t want.
Instead, there are partial solutions with varying degrees of success, depending on your needs and your willingness to accept restrictions or take additional steps.
But all solutions today risk both of the unwanted alternatives:
- Letting some spam through.
- Blocking some legitimate email.
Let’s look at some of those solutions. But first, we have to define what “success” means.
Inboxes & spam folders
A successful anti-spam solution does not stop spam from being sent to your email address.
Instead, effective spam solutions filter your email in such a way that:
- Spam is automatically detected, and either deleted or, more commonly, placed in your “spam” or “junk” folder.
- Everything else — meaning legitimate email — is placed in your inbox.
Unfortunately, filters are never perfect. They will occasionally mark something as spam that is not spam, and they will occasionally allow spam through into your inbox. This means you need to remember to do two things:
- Mark spam that arrives in your inbox as spam or junk. This teaches the spam filter what you consider to be junk, with the intent that it improves its detection over time.
- Occasionally scan your spam or junk folder looking for legitimate email that was erroneously placed there. This is called a false positive. If you find some, mark them as “not spam” — again with the intent of training the spam filter.
This is how we deal with spam. The measure of a good spam filter is how infrequently it miscategorizes email.
Spam filters are used in one form or another by almost all email providers, services,1 and programs.
Filters analyze email messages as they arrive, prior to reaching your inbox. They flag, or in some cases delete, messages they identify as spam. Characteristics used to make that decision include (but are not limited to):
- Words or phrases commonly associated with spam, such as certain drug names, sexual terms, and so on.
- Links that go to known malicious or suspicious sites.
- Links within HTML messages hiding their true destination.
- The presence of attachments, or attachments found to contain malware.
- Email from IP addresses with a bad reputation.
- Email from email addresses with a bad reputation.
- Email from domains with a bad reputation.
- Too much email too quickly from a single source.
- How often similar email has been marked by recipients as being spam.
There are probably more criteria, including some kept secret to make it harder for spammers to work around them.
Perhaps the most important concept to emerge in the last few years is that of “reputation”. An email address (i.e. firstname.lastname@example.org) might garner a bad reputation for having sent a lot of email identified as spam. An email domain (i.e. any email address @askleo.com) might also have a bad reputation, as might a specific email server — perhaps hosting email for many email domains and addresses. In the past, IP addresses were also used to identify servers responsible for spam, but this has become largely ineffective as spammers’ techniques have changed.2
Spam filter recommendations
No two spam filters use the same criteria or techniques, and different criteria become more or less important over time. This is one reason we often consider one email service as having a better spam filter than others, and why recommendations can change over time.
I don’t really have a formal recommendation for spam filters, because they are specific to either your email provider or program. You may already have several spam filters available to you:
- Your email service (Gmail, Outlook.com, etc.) or your ISP-provided email probably already has one. Make sure it’s enabled.
- Your email program (Microsoft Office Outlook, Thunderbird, etc.) also probably has one. Make sure it’s enabled, too.
- There are third-party programs and services like Mailwasher you can install that will also filter your email.
On the other hand, I do have one specific recommendation, though it involves changing how you manage your email. Use Gmail either as your primary address, or route email from another source through Gmail. As I update this post, Gmail continues to provide the best, albeit not perfect, spam filtering I’m aware of.
Almost all my email is handled through Gmail, including all askleo.com email.
Using multiple addresses
Another approach is to use multiple email addresses. This does not stop spam, but it can reduce spam sent to specific email addresses.
- Select one email address to be your “private”, guarded email address — much like an unlisted phone number. Give this only to people and services you trust.
- Create additional “throw-away” email addresses to use for a limited time (say when registering a product) or for a limited purpose (like registering for a website) that you can safely ignore after those purposes have been met.
There are lots of ways you can create throw-away email addresses. Signing up for a free email account is probably the most common.
Your “private” email will still get spam; just not as much, since you use it in fewer places where it might be compromised or otherwise fall into the hands of spammers.
Another entry into the fight against spam is something called challenge/response. It’s available as a service you can add to your existing email, and is offered by some ISPs.
Challenge/response, as its name implies, is a challenge sent in response to email from an unknown source to prove the sender is real. Using challenge/response:
- Someone unknown to you sends you an email.
- Rather than delivering the email to you, the challenge/response system automatically replies with a challenge — a message the sender must acknowledge. Often it includes a “prove you’re human” CAPTCHA.
- If the sender properly acknowledges the challenge with a response, then:
- The original message is delivered to your account normally.
- The sender’s email address is placed in a “confirmed” list, and they need not experience challenge/response for emails sent to you in the future.
- If the challenge is not met with a proper response, it’s assumed the sender was a spammer or bot, and the original message is discarded after some time.
The biggest problem with challenge/response is that not all legitimate email is sent by people who can respond to the challenge.
Signing up for a mailing list, making an online purchase, and other activities might result in a computer, not a person, sending you an email confirmation. This is email you want, yet senders to such lists don’t have the resources, or often even the ability, to respond to a challenge for each recipient. They usually ignore all challenges. The result is that unless you remember to proactively add their email address to an “allow” list beforehand (assuming you even know this will happen), you won’t get the email you want.
I know some people swear by them, but I generally do not recommend challenge/response solutions.
Allow and deny lists
Almost all of the solutions above include the ability to add email addresses to an “allow” or “deny” list.3
An allow list means you indicate email from a particular address should never be flagged as spam or delayed in any way. A deny list means just the opposite: email from a particular address should always be flagged as spam and never delivered to you.
Allow lists can be important to prevent false-positive spam filtering of things like newsletters.
On the other hand, deny lists (also known as blocking), are ineffective and essentially pointless. Spammers frequently “spoof” the “From:” address in email, making it looks like it comes from someone other than it really does — often even looking like it came from your own email address.
Finally, don’t stress out about spam. Just use the Delete key or Spam button and move on.
The bottom line
There’s no magic bullet. Spam will continue for the foreseeable future. You will get, or continue to get, spam.
However, there are steps you can take to reduce the amount you need to deal with.
- Learn the nuances of the spam filters available to you.
- Learn how to add email addresses to an allow list.
- Protect your primary email address.
- Check your spam folders regularly for false positives.
- Mark any spam making it into your inbox as spam.
- Never mark email you have asked for as spam.
- Consider using a spam filter with a good reputation, such as Gmail.
Finally, don’t stress out about spam. Just use the Delete key or Spam button liberally, and move on.
Subscribe to Confident Computing! Less frustration and more confidence, solutions, answers, and tips in your inbox every week.
I'll see you there!
Footnotes & References
1: I draw a distinction between email providers (like your ISP or workplace) and email services (like Outlook.com, Gmail, Yahoo! Mail, and others).
2: Specifically, the rise of spam-sending botnets that distribute sending activity over millions of machines at millions of different IP addresses.
3: Also often referred to as whitelist or blacklist, respectively, though the industry is attempting to migrate away from those terms.