How to stop spam emails

by Chris Woodford. Last updated: February 11, 2020.

No-one can get it right all the time—not even the great Bill Gates. Back in 2004, he made an infamously rash prediction that: "Two years from now, spam will be solved." A decade and a half later and guess what, billions of spam emails are still bouncing round the Internet each day; some guesstimates suggest up to 94 percent of all email is junk! Most of us accept "unsolicited commercial email" (the more formal name for spam or junk email) as the price we pay for global interconnectivity and all the other good things the Internet can bring. But do we really have to pay a price at all? Take some sensible precautions and you can substantially reduce the risk of spam ever becoming a problem.

Photo: An email address makes it easy for people to contact you from all over the world—including spammers!

Assume your email address will be compromised

It's best to face up to this fact from the start: sooner or later, your much-loved email address is likely to find its way into the hands of the spammers, those irritating people determined to send you advertisements for drugs or doubtful emails about Nigerian generals who died in train wrecks. If you're setting up a brand new address, accept this from the outset and plan accordingly. You can take sensible precautions to stop your address from being compromised, but do be prepared to change address again in future if needs be.

Use multiple addresses for different purposes

Some people set up two or more email addresses that they use in different ways, typically one address for business and another for personal use. You could also set up one or more "disposable" email addresses for online shopping. I have one shopping address that I use for utilities, service providers, and companies I shop from all the time—people I know and trust not to sell my address on to others. But I also have a second, more disposable shopping address for one-off purchases from vendors I may use only once. If that address becomes compromised, I can easily disable it and set up another one. If you own your own web domain, you should be able to set up multiple email aliases (sometimes called forwarders), which look just like separate email addresses but effectively just redirect any mails to another address of your choosing. Learn how to set up and delete email aliases and you can create disposable addresses as often as you need to.

Some of the web-based email providers (such as Yahoo! Mail) also let you create disposable addresses tied to your main address. If you use one of these services, have a dig around among the options.

Make good use of your spam filters

You may not have realized this, but the majority of good, honest, decent Internet service providers are the ones who suffer most from spam. You think you have it bad, but their hideously expensive email servers are cluttered up and slowed down by literally millions of junk emails they'd rather never see in the first place. If those emails are addressed to legitimate users, there's little or nothing ISPs can do about them—except wait for them to be downloaded and deleted.

Some ISPs do take a more proactive approach, however. They run every incoming email through filtering software that quickly scans it and tries to guess (using what's called Bayesian filtering) whether it's spam or not. Emails may also be checked to see if the sending domain (or its IP address) is listed on what's called a real-time blacklist (RBL)—a list of known spammers. If a mail is identified as spam, it's flagged as such: it will have an extra line added to its header recording its likely status or "spam score."

If your ISP is helpfully flagging spam this way, you can easily set your own email program to look for those spam headers and weed out any emails containing them. In Thunderbird, that's as simple as ticking a box that says something like "Trust headers set by [....]", and then selecting one of the popular spam-busting programs in a drop-down box (SpamAssassin, SpamPal, and others). Some ISPs allow you to block or redirect any emails that look like spam at their mail servers (before you download them, in other words), which may or may not be a good idea depending on how critical your mails are likely to be. If you're plagued with a really serious spam overload, ask your ISP whether they have spam filtering software installed on their servers and how you can take advantage of it. They don't always draw attention to it, and some ISPs actually charge you for using spam filtering.

Set junk mail filters on your email program

You can also filter out spam in your email program after you've downloaded it. The best email "clients" (downloadable mail programs, such as Thunderbird) contain sophisticated filters that gradually learn to recognize spam emails and redirect them into a separate spam folder. You can help them filter more accurately by clicking on the "junk" button when you see that an email is spam (or on the "not junk" button when legitimate email has been classified incorrectly as spam). Even if they don't have this feature, most email programs let you add manual filter rules of your own. So if your ISP is adding spam flags to email headers, it's relatively easy to add an email filter rule that checks the headers for spam status and files them accordingly: If spam status header contains "SPAM", redirect to "JUNK FOLDER"—that kind of thing. It's a lot simpler than it sounds! If you're bothered by spam from a particular person or domain, you can add much more sophisticated rules to filter it out (If domain header contains "example.com", AND from contains "John Doe," redirect to "JUNK FOLDER"), but test what you do carefully or legitimate mail might get diverted as well.

If your email program doesn't have its own spam filters, and you're using your own web and mail server, you might be able to use an add-on filter such as SpamAssassin, which sets headers in emails according to the probability that they're spam.
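The two filter rules described above, written out as an added example (it is not code from the original article or from any mail program). It assumes your ISP adds SpamAssassin-style X-Spam-Flag and X-Spam-Status headers; the folder names, the "Review" threshold and the block rule are hypothetical, and the sample messages are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages. The X-Spam-* headers follow SpamAssassin's
# convention; whether your ISP adds them is an assumption to verify.
SAMPLES = {
    "flagged": "From: promo@example.net\nSubject: Best prices\n"
               "X-Spam-Flag: YES\n"
               "X-Spam-Status: Yes, score=14.2 required=5.0\n\nBuy now.\n",
    "borderline": "From: news@shop.example\nSubject: Weekly digest\n"
                  "X-Spam-Status: No, score=4.1 required=5.0\n\nHello.\n",
    "blocked": 'From: "John Doe" <jd@example.com>\nSubject: Hi\n\nHi.\n',
    "lookalike": 'From: "John Doe" <jd@notexample.com>\nSubject: Hi\n\nHi.\n',
    "clean": "From: friend@example.org\nSubject: Lunch?\n\nNoon?\n",
}

SCORE_RE = re.compile(r"score=(-?\d+(?:\.\d+)?)")
# Hypothetical personal block rule: (exact sender domain, display-name text).
BLOCKED = [("example.com", "john doe")]

def file_message(raw, review_at=3.0):
    """Return a folder name (hypothetical) for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    flag = (msg.get("X-Spam-Flag") or "").strip().upper()
    status = (msg.get("X-Spam-Status") or "").strip()
    if flag == "YES" or status.lower().startswith("yes"):
        return "Junk"
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    # Compare the whole domain: a substring test for "example.com" would
    # also divert mail from notexample.com.
    if any(domain == d and n in name.lower() for d, n in BLOCKED):
        return "Junk"
    m = SCORE_RE.search(status)
    # Scanned and passed, but near the threshold: park it for a manual look.
    if m and float(m.group(1)) >= review_at:
        return "Review"
    return "Inbox"

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label:10} -> {file_message(raw)}")
```

Only act on these headers when they are added by a server you trust, since a sender can type any header into a message.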

Photo: Mozilla Thunderbird will try to guess which messages are junk. You can help to train it by correcting it when it gets things wrong.

Use your email program in "secure" mode

Sometimes spammers work by guessing your email address and then trying to prove that it's active. If you receive a spam email, merely opening it up can be enough to confirm that your address is active, even if you don't reply. That's because HTML-formatted emails can contain tiny invisible images (known as tracking pixels) that automatically link back to the spammer's server. You can minimize the risk of confirming your identity by setting your email program so it never sends return receipts (confirmation messages that go back to an email sender when you open their mail), sends and receives all emails in plain text, and doesn't display images or attachments "inline" (open them up by default). If you're really keen on security, switch your email program to offline mode before opening anything that looks like spam.
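To see what "displaying images" would reveal before you allow it, the added example below (not from the original article) lists every image in a message's HTML part that the mail program would have to fetch from a server, and marks the ones sized or styled to be invisible. The sample message, its host names and the token in the URL are constructed.

```python
from email import message_from_string
from html.parser import HTMLParser

# Constructed sample message: the HTML part holds a visible remote banner,
# a 1x1 remote image with a per-recipient token, and an embedded cid: logo.
RAW = """\
From: offers@shop.example
Subject: Sale
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Big sale this week.
--b1
Content-Type: text/html; charset="utf-8"

<html><body><p>Big sale this week.</p>
<img src="https://shop.example/banner.png" width="600" height="200">
<img src="https://t.shop.example/o.gif?id=abc123" width="1" height="1">
<img src="cid:logo" width="80" height="80">
</body></html>
--b1--
"""

class RemoteImageFinder(HTMLParser):
    """Collect <img> tags that would make the mail client contact a server."""
    def __init__(self):
        super().__init__()
        self.found = []  # list of (url, looks_like_tracking_pixel)
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        src = (a.get("src") or "").strip()
        if tag != "img" or not src.lower().startswith(("http://", "https://")):
            return  # cid: and data: images travel inside the mail, no fetch
        tiny = a.get("width") in ("0", "1") and a.get("height") in ("0", "1")
        style = (a.get("style") or "").replace(" ", "").lower()
        self.found.append((src, tiny or "display:none" in style))

def remote_images(raw):
    """Return every remote image in the HTML parts of one raw message."""
    finder = RemoteImageFinder()
    for part in message_from_string(raw).walk():
        if part.get_content_type() == "text/html":
            charset = part.get_content_charset() or "utf-8"
            finder.feed(part.get_payload(decode=True).decode(charset, "replace"))
    return finder.found
```

Fetching the visible banner confirms the open just as well as the 1x1 image does, which is why the setting to choose is "block all remote content" and not a filter for tiny images only.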

Consider using disposable, web-based email

You can set up an email address with Yahoo Mail, Outlook/Live Mail (formerly Hotmail), Google's Gmail, and other online email providers in a couple of minutes. Most of these services have very sophisticated built-in spam filters so all the hassle of handling spam is done for you. If you have a cherished personal or business address, save that for your valued contacts—and consider having a web-based email address you can easily change for shopping, submitting comments to website message boards, and everything else you do online that matters less to you.

Ignore spam—don't respond

Spammers think it's ok to send you mail if they include removal instructions at the bottom, but it's well known that some spammers use those "click here to remove" links to confirm that your email address is alive and ready to receive even more spam! Unless an email comes from a company you really trust, removal instructions are best ignored. The golden rule about spam is never to acknowledge or respond to it in any way.

"Don't respond" is particularly good advice if you receive unexpected mails claiming to be from your bank, insurance company, utility, or some other company you do business with. Never click on links in mails like this: they are very often phishing emails (fakes that redirect you to bogus websites to try to trick you into divulging personal details, such as bank account or credit card numbers). If your bank sends you an email telling you there is some problem with your account, telephone the number you have for them or go into a branch; don't click on a link in an unsolicited email. Reputable organizations generally don't send "click this link" emails—and when they do, they usually include some sort of personally identifying information in the mail to help you verify that it's really what it seems to be. If you've bought something from a website and you get a phishing email, ignore it; log on to the website and check your order that way.

Use RSS instead of joining email lists

Until a few years ago, signing up to a website's email list or newsletter was the best (and indeed, often the only) way of keeping in touch with a site you wanted to follow. But the minute you click "subscribe" or "join list," you could be signing up to a deluge of unwanted mail (even if it isn't, strictly speaking, spam). Worse, you could be adding your name to a list that's sold on to another company or used for other purposes. Why would you want to do that? Since the introduction of a wonderful web technology called RSS, you no longer have to sign up to email lists. Many websites now publish RSS feeds—effectively little news headlines about themselves or things that interest them. Sign up to a site's RSS feed and you can follow it instantly and anonymously without sharing your email address (you can unsubscribe at any time too). (Using sites like Facebook and Twitter to follow people, organizations, and companies is another way to stay abreast of things without signing up for an email deluge.)

Consider using a third-party payment service

Every time you buy something online, you have to register with a company and submit all kinds of private or confidential information you'd probably rather not share. If you open an account with a third-party payment service, such as Google Pay (formerly called Google Wallet and Google Checkout) or PayPal, you can limit what you're sharing very effectively. When you use Google Pay, for example, Google acts as an intermediary, handling all the payments on your behalf, and you can opt not to share your email address with the shop you're buying from if you wish: everything will be channeled to you through Google instead. If you pay for things using PayPal, you can avoid sharing your credit card details with shops you've never encountered before and might not automatically trust. Using services like these can help you reduce how much information you're sharing online, lessen the risk of identity theft, and cut problems like spam.

Photos: Using payment services such as Google Wallet (left) and PayPal (right) can help you ensure your private information stays that way—reducing problems like identity theft and spam.

Watch out for your website

If you're in business, your website is your online shop window, and having an email address where people can contact you is pretty much obligatory. But posting an email address with an at (@) sign on a web page is an open invitation to spammers: separate studies by the Federal Trade Commission and the Center for Democracy and Technology suggest anything from 86–97 percent of addresses posted on web pages will eventually attract spam. Since these addresses are typically harvested automatically by computer programs, the simplest way to tackle the problem is to write your email address in a way that makes sense to people but not computers, maybe by writing the words out in full ("Send emails to freddysmith at blahblahblah dot whatever") or by posting your email address written in an image file (bear in mind that blind or visually impaired people won't be able to read that, so include alternative contact details for them). You could also try Google's reCAPTCHA to disguise your address from spam-harvesting computer programs. Or, instead of a simple contact email address, you could use a contact form with anti-spam protection.

Spammers are far from stupid and guessing email addresses is something they're good at. If they have a list of domain names, they sometimes try to mail likely addresses at those domains (so you might get speculative emails to info@, sales@, postmaster@ and so on). The best way of tackling this is to use non-obvious addresses. Instead of having a general contact email address info@, as we all used to, choose anything else instead: maybe generalenquiries@ or info123@ or whatever you like. Another thing spammers seem to do is guess the first part of an address from the second part. So if your domain is johndoe.com, don't be surprised if you get unsolicited spam emails addressed to things like "john@johndoe.com"; maybe pick a non-guessable address to start with?

When you set up a website, you're obliged to register details of ownership on a giant global database called WHOIS, which includes one or more contact email addresses for each domain. Most ISPs now give you the option to select "domain privacy" when you order domains (which is a good excuse for charging you more money just to keep your details hidden from public view). A cheaper and simpler alternative is either to have your ISP listed as the technical and administrative contact or to use a disposable email address specifically for WHOIS.

Don't worry, be happy

In the end, spam is junk, pure and simple. Don't get worked up about it and don't let it upset you. Remember that most of it is sent by computers that don't have emotions; don't let these mere machines spoil your day! Take sensible precautions and spam won't be a problem. Don't let the spammers get you down!

Text copyright © Chris Woodford 2009, 2020. All rights reserved.

This article is part of my archive of old material.