How I Beat Spam

Without Having to Change My email Address

My email address has been around online for many, many years, and it gets a lot of spam — many hundreds per day. For most users, spam far outstrips legitimate mail. It was 1996 that I realized that spam would become a huge problem, which is why I wrote my Spam Primer to educate my readers about it. And sadly I was right: it’s estimated that more than 90 percent of all email transmitted is spam. And how many of them get to my inbox? Lately, I’m averaging less than one a day.

That’s right: I beat spam, and without changing my email address.

About this point, a lot of you are wondering “HOW?!” How much of my solution you can put into place depends on your setup, your access to filtering, and your technical expertise, but you can certainly do a lot of what I do. I’ll explain everything as best I can; if you’re fairly techie, you’ll perhaps find it simplistic, but I know even with full explanations (and some links for more information), some will find this over their heads. If that’s you, stick with it: you can still learn a good part of it; it’s not all that technical!

The best part? I did it without having to change my email addresses. I didn’t even have to make any changes to my DNS records; not even the MX.

Part one I did years ago: the server company I was using didn’t support any spam filtering. If I wanted some sort of spam filtering package, I had to install it myself, configure it myself, and maintain it myself. If I screwed something up, they wouldn’t help. The only thing I felt qualified to do myself was “procmail recipes”, which is fairly nerdy but easy enough to do if you spend some time learning it. When you see a pattern in the spam, you can write a “recipe” to reject it or dump it. What I wanted was a more “intelligent” solution, and one was available: SpamAssassin.

Since my server provider wouldn’t support SpamAssassin, I left them for another provider that would, and life got better.

SpamAssassin

Step 1 was using SpamAssassin. Since it’s my own server, I have the ability to customize the “rules” that SpamAssassin uses, and what I learned in doing procmail (“regular expressions“) directly applies. So not only can I easily block all mail from specific domains (which is of only limited use), but I can, for instance, block mail that has that classic line, “If you believe this is spam, click…” — yeah: I believe it! If that phrase is in a message, it gets a few points toward “spam status”. If a message gets enough points — passes a threshold I can set myself — it’s dumped.

But I’m the author of the Spam Primer: what if someone wants to legitimately ask questions about spam, using examples to ask a question? I’d want to get that mail, so I have programmed a “password” that people can put in the subject line. It’s currently “hammer”: if that’s in the subject line, the message gets through even if there are dozens of “forbidden” phrases in there. (Turns out “hammer” isn’t the best word to use, since some porn spammers like to use it in the subject line, so I’ll be changing it when I get around to it. The current password is always shown on my Contact page.)

But SpamAssassin Isn’t Enough

After a few years of running SpamAssassin, my spam numbers were creeping up. The folks behind SA do revise it from time to time, but they really can’t keep up with the tactics that spammers use: they are always finding ways around its rules, and they can move faster than the SA volunteers. Clearly, it was time to up the ante.

I’ve long recommended Google’s Gmail to my readers as the best free webmail service. Not only does it not have ads that flash in your face (which I hate), but they have long been the best at spam filtering. If something does get filtered, it goes into a spam folder so you can recover it. Yes, other webmail services do this too, but I’ve found Gmail does it best.

But there are definitely problems with using free webmail services: they’re free, and if something goes wrong, you can lose all your mail and contacts (address book). I’ve heard the fewest bad reports about Gmail, though even they aren’t guaranteed to not screw up. Next is Yahoo — they do better that most, but I’ve heard a lot more reports of problems there than at Gmail. (And they have irritating ads, unlike Gmail’s simpler not-in-your-face ads.) But most of the horror stories I’ve heard center around Hotmail, which is run by Microsoft. (For more on the dangers of free webmail services, see Are free email services worth it? on Ask Leo!)

I not only run an online business, but it’s centered around legitimate email publishing — free and paid subscription newsletters. Thus email is extremely important to me: I need to get messages from readers, yet not be distracted by the huge flow of junk.

Gmail is great because there’s a full-time staff of smart people at Google constantly looking for new spammer tricks and patterns, and updating their filtering algorithms to keep that junk out of our inboxes. So I want to use Gmail, even though there’s a risk in using free webmail services, as Leo explains. What to do?

I’ve figured out a way to get the best of both — my own server’s filtering and Gmail’s benefits — without having to risk my business if something happens to Gmail.

My Hybrid Solution

Ebook cover: click to order on Amazon
All of this and more is included in my book explaining the spam problem and the solutions that will work for you, even if you’re not a techie! Just $3.99 on Amazon for your Kindle (or the free Kindle apps). Click cover to order.

I’ve long had a Gmail account for testing, playing, and to have an address to give online merchants I don’t trust a lot, but in April I switched all of my mail there. But I didn’t change my address to my Gmail account, I forward it there. Here’s how:

  1. Mail still comes to my thisistrue.com addresses, and still gets filtered by SpamAssassin, which gets most of the spam (but not all of it, for the reasons discussed above).
  2. After that filter pass, I’ve set my server to forward any mail that gets through to my Gmail address, but still keep a copy on my server — that latter step is important, as I’ll explain below.
  3. I’ve set my computer’s mailer software to get my mail from Gmail via POP, instead of my server. My Blackberry Android-based phone is also set up to get my mail from Gmail, rather than my server.
  4. I set up Gmail to delete mail from its inbox once it’s successfully downloaded to my regular mail program (Settings → Forwarding and POP/IMAP → choose “delete Gmail’s copy” on the line, “2. When messages are accessed with POP”.)
  5. Last, I set up Gmail to send mail “From” my regular thisistrue.com address. This is easy to do: Google’s instructions are here. Even if I use Gmail’s web interface, my regular thisistrue.com address is the default “From” address.

Google’s spam filtering is excellent, but it’s important — especially during the first few months — to “train” the filters according to your own mail flow. That is, if it lets spam into your inbox, click the “Report Spam” button on that message, and if it puts legitimate mail into the spam folder, open it and click the “Not Spam” button. It’s extremely important that you never use the “Report Spam” button on email you asked to get: that screws up the anti-spam formulas for others. Use the proper “unsubscribe” function and only mark it “spam” if that doesn’t work.

I’ve been very careful to properly “train” Gmail’s spam filters. The result? It’s now extremely rare to get spam in my inbox. It’s down to 2-4 per week. It’s also quite rare to get legitimate mail in my spam folder — that’s down to 4-6 per week. And it’s not a huge deal to go through the spam folder, since most of my spam is deleted by my server’s SpamAssassin long before it gets to Gmail.

I watch for patterns in the spam folder, too. I was noticing a lot of Cyrillic (Russian) subject lines. It’s all spam, and I didn’t want to have to wade through it again and again. I searched Google for help in filtering it, found a SpamAssassin rule to use, and added the two-line rule on my server — and the Russian spam was all gone, just like that.

In Case of Emergency

Last week Google had a well-publicized several-hour outage, which only affected a moderate percentage of its users. (It was well-publicized because it is so rare.) The point is clear: it happens, even to Google! And worse could happen, or your password may be stolen, or you otherwise get locked out of your account. If all you had was Gmail, you could be in real trouble. As I said, my mail is very important to me, so I want to ensure I don’t lose it, even if I lose access to my Gmail account permanently. It’s unlikely, true, but it would be catastrophic to me if I lost several days, or weeks, of mail. I just can’t risk that.

Remember I said that when I was setting this up, I set my server to forward all mail, but keep a copy? That’s in case of a problem like this. If I lost access to Gmail for any reason, all I have to do is set my computer’s mailing software (and my phone) to switch back to my server to get mail, and I’m instantly back in business again until Gmail fixes the problem.

Doesn’t my server-based mailbox get full? No. It has a huge quota, but even with that the server would eventually run out of disk space, so my server has a cron job that deletes all mail that’s more than a month old. In summary, I get all the benefits of Gmail’s excellent filtering without having to worry about the risks of using a free webmail service.

Gmail has one other advantage over other services, which makes it much less likely that crackers compromise your account (effectively, steal your password): two-factor authentication. I use that for another layer of security.

One Caveat, and a Summary

A tiny muss when using Gmail to send mail “from” your regular address: any mail sent through Gmail’s SMTP (outgoing mail) server has a header —

Sender: my.address@gmail.com

— which I can avoid by having my computer’s mail program use my server’s SMTP server to send mail, and thus I don’t have that header on my mail. But really, so what? I don’t really care if people who know how to view Internet routing headers see what my Gmail address is, since all my mail ends up there anyway now. And if it changes later? *shrug*! — they should send mail where I say, and if they don’t, any bounces should give them a clue.

So there you have it. I get well over 100 legitimate emails per day, and somewhere on the order of 300-500 spams. A good 90-95 percent of the spam is filtered out by SpamAssassin, and then all the remaining mail is forwarded over to Gmail, where it’s filtered again, leaving me a small number of spams to look through once a day. If I see something miscategorized, I “train” Gmail to do better. If I see spam patterns, I can add a rule to SpamAssassin to filter it before it gets to Gmail, so I don’t have to look through it anymore. The result: virtually no spam gets downloaded into my desktop mailer’s inbox anymore. And that, my friends, is how email should be!

If you’re completely non-technical, you can get most of the benefit by switching to Gmail and “training” it carefully with the “Report Spam” and “Not Spam” buttons. And remember: never buy anything from spammers: that just encourages them to send more. Be sure you’ve read my Spam Primer so you understand the dangers. If you don’t, you can fairly easily lose your savings, or allow your computer to be turned into a spammer’s robot to spam or attack others. It’s not something you can ignore.

– – –

Share This on Twitter: Click to Tweet a link to this page.

Last, if you’re a visitor here, you might want to scroll to the top of the page and subscribe to my weird news email newsletter. As you’ve already realized, it has a lot more than just amusing weird news stories! (Sample Issue)

– – –

Bad link? Broken image? Other problem on this page? Use the Help button lower right, and thanks.

This page is an example of my style of “Thought-Provoking Entertainment”. This is True is an email newsletter that uses “weird news” as a vehicle to explore the human condition in an entertaining way. If that sounds good, click here to open a subscribe form.

To really support This is True, you’re invited to sign up for a subscription to the much-expanded “Premium” edition:

One Year Upgrade
Comments

(More upgrade options here.)

Q: Why would I want to pay more than the minimum rate?

A: To support the publication to help it thrive and stay online: this kind of support means less future need for price increases (and smaller increases when they do happen), which enables more people to upgrade. This option was requested by existing Premium subscribers.

 

32 Comments on “How I Beat Spam

  1. I use a similar combination of SpamCop, which filters my mail on the server, and SpamSieve, which filters it on my Mac. I hardly ever see spam on my inbox. However, I still go through my spam twice a week to flag any false positives. Plus, neither of these filters is free, and SpamCop’s interface is somewhat archaic.

    Google does have for-pay email solutions, but a free Gmail account is all an individual really needs, and is what I use. I’ve never been terribly impressed with SpamCop, but obviously some will find utility there. -rc

    Reply
  2. That’s just excellent. I wasn’t aware that GMail offered that level of usefulness, though I am keenly aware of how effective their spam filters are. It’s something to consider even for those of us who don’t have access to our email server.

    I wouldn’t think that a GMail outage would result in any lost mail, since most email systems retry sending the messages for up to several days. It would, however, be a major PITA.

    I don’t think Gmail would “lose” mail exactly — and they didn’t during the outage last week. However, you could lose access to Gmail (say, if you forget your password and don’t have your alternate address set to a working address), and thus perhaps lose mail that way. -rc

    Reply
  3. For the record: I followed Randy’s lead and am now using this technique myself, and have for several months. It really works well, and has reduced spam from a problem down to a minor annoyance – even without SpamAssassin running interference.

    It also had an unexpected benefit when the laptop containing my email died, I had immediate access to all my email – still using my normal email address – via GMail’s web interface.

    All of the free email services need to be used properly and with backup appropriate to your situation, but there’s no arguing their utility.

    Leo Notenboom is the Leo behind Ask Leo! — I linked to one of his articles in my essay. -rc

    Reply
  4. This is a great essay for people who are looking to nix spam. I have tried several of these techniques too with great success.

    Recently, though, I have moved to a solution called Spamsoap. This is an excellent solution for anybody who manages their own domain. The only trouble is cost. The only real reason why I moved to it is because a bunch of clients wanted to know more about the service. I’m very happy with it, and I’m inclined to keep it for all of my own domains. Just for reference though, it is $180/yr and is the ONLY commercial spam product that I recommend anymore.

    Cheers to guys like you who are taking the time to help people battle spam with more cost effective solutions.

    If $180/year was the only way to deal with spam, it’d be worth it to me, even though most individuals would be hard pressed to justify such an expense. But the bottom line is, we don’t have to pay that much. Still, that would be awfully cheap for a larger corporation; it’d pay for itself from increased productivity on the first day. -rc

    Reply
  5. I heard of filtering through Gmail several weeks ago but haven’t implemented it yet. So thank you for the tutorial. It’s the push I need to get it done.

    A few questions:

    1. When you computer’s mailer program gets mail from Gmail, will it still be sorted into folders using current rules? (i.e. Do the “to” or “from” change by rerouting?) I have several different email addresses to keep separate.

    2. My host supports IMAP, so I would like to make both my computer and phone use that. Do you know if that will work with your system? I recall hearing that something needs to be POP to work with Gmail.

    Thanks again.

    Good questions. 1. There’s no change in the main headers, so all the filters and folders and such work fine on my desktop mailer. 2. As noted, my Blackberry uses IMAP, so yes: that works fine. -rc

    Reply
  6. Sounds good, but I’m still foggy on one little point. There ain’t no such thing as a free lunch. If you don’t have to pay for it, and you don’t have to suffer ads through all your email (incoming or outgoing), then what is the incentive for Google to offer this service? I’ve been burned too many times by not lawyering through the fine detail where toolbars are added to my browser which changes the settings for my programs and adds others I wasn’t even aware of.

    I guess it’s like the free version of TRUE: there are ads, but some never look at them, let alone click them. Some never upgrade or support it in any way. But as long as enough do, it can live. Likewise, I’m sure a lot of people use the web interface for Gmail — I often do too. Enough see, and click on, the ads to presumably make it worthwhile for Google to continue to provide the service. -rc

    Reply
  7. Great advice, Randy. Now if someone would come up with something that works as well for telephone spam…

    I get very little. In the U.S., there is a federal “Do Not Call” law, and it is illegal to call such a number if it’s added to the list, which can be done online. Apparently you don’t have such a law in Canada. Pity! It works fairly well here, even though the politicians were slimy enough to include an exemption in the law for themselves! -rc

    Reply
  8. Mail on a Mac has an eminently trainable spam filter. Rarely screws up, and I value the hours not spent sorting it.

    That’s nice, but I’d rather not see the spam on my Blackberry, and would rather not download it to be sorted on my desktop! -rc

    Reply
  9. I’ve been using Gmail myself since January, but mostly because I wanted to cancel the paid dial-up service I had been using since I got DSL, and I didn’t like the new ISP’s email interface (i.e. flashing ads). Ever since I first got my own email five years ago, I’ve been extremely careful about where I put it out; I always read privacy policies before submitting my email in an online form, and I never post my email anywhere where it can be read in plain text and picked up by Web crawlers. (By the way, this extremely non-technical person learned about that from your Spam Primer. 😉 )

    Thanks to being careful with my address, the only “spam” I’ve ever received is one newsletter from my local bowling alley on which the “unsubscribe” request wasn’t honored — even after talking to the owner of the alley, he looked in the database and said that my address wasn’t in there, yet the emails kept coming, so I just marked one “spam” because that’s what they had become. Now, Gmail tosses all of them in my spam folder. Also, I’ve only ever had one false positive with Gmail (though I only get about one to two emails per day on average).

    I’m sure I’ll start getting spam one day (probably from a dictionary attack), but I think this shows that if you’re careful with your address from the day you get it, you can keep it spam-free, though probably not indefinitely.

    Reply
  10. GMail recently started supporting sending mail with SMTP from its webmail interface, bypassing the Sender header. See Gmail support (focusing on “If you choose to send mail through another domain’s SMTP servers:”)

    Reply
  11. I hadn’t thought of the GMAIL redirect, but I had to implement the foreign code page filter years ago. I also use an msn/hotmail account for all “you must register …” items. Over the years I have had to change email addresses 3 times because my ISP got bought up. The last time I got a personal domain so as to stop changing email addresses and have kept that email address to trusted friends only. Everyone else uses the more public address(s). My personal domain email ISP has very aggressive filters; and, knock on wood, I haven’t had any real spam there.

    Reply
  12. I have several email addresses for the purpose of using when registering to sites and such. I never give out my Gmail address, except to Randy and a few others I trust.

    I noticed that you have SpamGourmet in the Bonzer Sites already, so I won’t suggest it here, but I use it sometimes with a different address for each place I give my address to. In this way I immediately notice if someone starts spamming.

    Reply
  13. My gmail has become very important to me, also. The click-wrap warning that mail could be lost wasn’t so scary when I first signed up, but when a recent Slate article reminded me of the terms, I realized that such a loss could be catastrophic. So I downloaded a gmail backup program mentioned in that article. So far, it seems to work quite well.

    It’s pathetic that the first thought when Google had a brief outage where no mail was lost was “Can I sue them?” The fact is, any mail service could lose mail, and it’s up to you to have your own backups. I roll my eyes every time I hear someone say, “I’m locked out of Hotmail and I don’t have my address book anywhere else!” It’s simply stupid to depend on a free service — or really, even a paid service — for anything that’s critical to you. So kudos for taking action to back things up yourself. -rc

    Reply
  14. I agree that Google does an excellent job, but a simpler solution for those who don’t run their own mail-servers, yet want to keep the same email address, is to use Google apps – I used to run my own email server, I switched MX to Google apps several years ago, and my spam is almost nonexistent. However, your statement about rare outages is right – when gmail went down last week, Google apps was down as well, and I was unable to retrieve my email for most of a day. Your solution is better from a belt-and-suspenders perspective, but I’d say mine is easier if you are not technically inclined.

    Easier, to be sure. The only “problem” is the single point failure problem that I’m trying to avoid, which bit you last week. If I was going to risk a single point failure, though, I’d do it with Google first, Yahoo second, and Hotmail 50th. -rc

    Reply
  15. I have my own domain, with multiple email addresses I used to use to sort things, and dodge spam. I also manage a few domains for friends, from which I get the webmaster and ‘catchall’ email accounts. Add to that that I do a bit of contract work both online and offline with email being the primary way I get work, and not only do I wind up in a situation where email is very important to me, but my spam pile can be quite large.

    I’ve been using a similar set up for a year or 2 now with awesome results. I too can vouch that it takes dealing with spam from being a major time sink and a real problem to more of a minor irritation. I use IMAP with gmail on my main computer with a set of filters that automatically saves locally most mail, and specifically anything sent to the gmail address directly. The primary difference being how I handle ‘cleaning up’ on my mail servers. Instead of manually going in every so often, I have thunderbird running on a second computer, configured to use my mail servers instead of gmail. It’s set to leave a copy on the servers, but delete after one week. This keeps my quotas from filling up, and has the added benefit of providing easy access when gmail does, VERY RARELY, go down. On the other side of the coin, I can easily access my mail with gmail from any computer if something catastrophic happens to both of the computer here at the house. Add in that my routine data back up include the email folders on both computers and I’m left feeling comfortable that I can get at my email when I need to and the risk of losing an old email I need is slim.

    Obviously a lot of people don’t have access to a second computer, but it should be easy enough to run a second email client on you computer to do the same thing. If you use thunderbird, set up outlook or eudora as a back up, or vice versa. Most email programs you could probably set up multiple identities, or servers in one identity to essentially do the same thing, but that would be a bit cluttered for my taste.

    Using a second computer to create a backup AND clean up the server inbox is clever. Nice addition! -rc

    Reply
  16. I’m a cynic. I don’t register new products, the receipt is all I need for the warranty, so it’s just a way to send me junkmail. I don’t do surveys for the same reason. Nobody cares about my opinion, so it’s just another way to gather my personal information to overload me with junk. Testimonials don’t impress me, since trolls can post false or inaccurately good or bad ones, for whatever reasons motivate them. And I don’t buy into the Free Lunch concept; it costs somewhere, somehow.

    But Gmail? That impressed me. I don’t run an online business, nor do I have my own server. But I do have my own domain with my own email address, just because ISPs too often change. Gmail is willing to filter my domain email, in either or both directions, for free. They are incredibly excellent in filtering spam so I don’t have to download it before filtering it, myself. And I haven’t seen any ads in either direction, for incoming mail or outgoing.

    Thanks, Randy, for a really good suggestion.

    Reply
  17. Just a note, Canada does have a Do Not Call registry. There were huge problems signing up for it (they didn’t realize how popular it would be. Ha!), and once it was in place, Canadian companies were required to buy a copy of the list so that they would know who they weren’t legally allowed to call.

    Unfortunately, foreign companies could also buy the list, and they weren’t bound by any of our laws, so they were buying the list and calling everyone on it.

    There was talk about fines for the foreign companies that had Canadian locations, and some sort of deal we were trying to strike up with every other country in the world to handle the rest of them, but I haven’t heard anything more about it.

    As for the spam, well, after getting that Chernobyl virus back in 1996, I decided that I really needed to learn more about the internet if I was going to use it. Since then I’ve not had a virus or spyware on any of my computers, and since switching to Gmail I’ve had almost no spam (like, maybe 2 spam messages in *years*… mostly thanks to your Spam Primer and snopes.com).

    Reply
  18. The way these free email services work is by scanning your email, looking for keywords and email addresses, and then selling that information to advertisers. GMail is notorious for doing this. If you want your mail to be private (as private as it can be on the Internet), don’t use free mail services.

    Most ISPs (at least mine does) provides antivirus and spam filtering free (or at low cost). All my email boxes are set up this way. I then use Avira on my PC, and generally get VERY few spam mail in my inbox. I used to run a server, but by the time you put in redundancy, uninterruptable power (not just a cheap UPS box) and other fault tolerant things, and then have to manage it, it got to be a pain.

    Not quite right. They do use keyword scanning to determine what ad might apply to the subject of the email, but as one who buys such advertising, I can tell you that Google certainly does not tell me anything about the emails where the ads are shown, and especially not the address. The most I can tell is that the ad was displayed, and whether or not it was clicked on. This causes some paranoid types to exclaim in horror, “You mean they’re reading my mail?!!?”, but no: no person could possibly read it all, and Google wouldn’t want to spend the money to do that. It’s computers that scan for keywords, and if they have a match for an ad that’s bidding on those keywords, that ad is shown. The same technique is used on this page: there are ads along the left side, and they will tend to be about anti-spam products and services. -rc

    Reply
  19. I’ve been using Gmail for several years now, and I have to say, Randy is unlucky in the amount of failures his Google spam filter has. Maybe it’s because he has sooo many emails. I haven’t had a single real message in my spam folder since the first three weeks or so, and before the server failure, I only had a spam in my inbox once a year or so. Since the server failure, I’m seeing three or four a day, for some reason; I wonder if some of the filter data was lost.

    I do check the spam folder every once in a while just in case. I was shocked to find one in there that addressed me by name; usually these things come from random-email generators. Maybe I’ll have to change my email address soon.

    It’s definitely true that I get an odd mix of email, and I’m not surprised at all that automated systems can’t get it 100% right about what’s spam, and what’s not. I do in fact think they’re doing a darned good job most of the time, even though I think to myself now and then, “How could it miss THAT?!” -rc

    Reply
  20. Thanks for the Gmail spam filtering tutorial, Randy. I’ve been doing exactly the same thing for a number of years. Encouraging others to join Gmail and to report spam helps us as well. Google uses their own big-brained employees to figure out the best strategies for identifying spam, but additionally they get information from people like you and me reporting spam that shows up in our inboxes. It’s a great system, and like you, my spam has dropped to nearly zero.

    With regards to Google’s Adwords system for presenting the occasional ad based on mail content: I actually find that system occasionally useful. As usual for Google, the ads are off to the side of the screen and don’t intrude on your view of email. However, since they try to be specific to the content of the email, I often find things there that I’m actually interested in. So, ummm Randy, how come when I put “No, really, this is true!” in an email, I don’t see an ad for This Is True?

    Because THAT would strip my budget in the first hour! -rc

    Reply
  21. Just wanted to add that I also have found Google’s Spam filter to be excellent. I used another email service previously, and I still keep that account and forward it to my new main address, and then have been gradually switching over all remaining email over to Google Apps on my own domain. After the switch I went from lots of spam in my inbox daily, to almost nothing (and this was without training).

    For my use, if I lose access occasionally, it’s not a big deal, so I’m not worried about the extremely rare occasions that Google goes completely down (even during the last outage, if I remember correctly, IMAP was still up, just the web interface was down).

    The big benefit of having my own domain on Google is that if for some reason Google ever decides to shut down their service, I can pull my email out and transfer it elsewhere (and my address won’t change). Backups can also be kept reasonably easily just in case. Also the password front can be handled partially by having a couple of admin accounts on your domain, so if you ever lose/forget the password to one, you can one of the others around elsewhere, and reset the password on your main one.

    Reply
  22. I’ve come to your site multiple times in years past to review your anti-SPAM tactics and I am happy to see that I’ve come to a nearly similar solution as you.

    One option to take advantage of the Google/Gmail filtering is to use Postini. I work at a 20 person company and SPAM was killing us. We tried a few third party vendors and finally settled on Postini. They have been providing Google with the anti-SPAM tech for years (as of about a year ago were purchased by Google). You can have your MX record routed through them to get all the latest filters, anti-malware protection, etc. Of course, there is a monthly fee, but I always found it to be reasonable. In my situation, I rather pay the few dollars a month than spend a few hours a month updating software and filers.

    Thanks again for your insight.

    I’m definitely not up on the available solutions for larger organizations; my solution is more geared for individuals and small businesses. So thanks much for helping those too big for this idea. -rc

    Reply
  23. I used to get an exponential increase in spam in my work inbox after returning from vacation. I was curious about it and after a very brief google search I came across the reason. Spam Primer rule number 2 “never, never, ever reply to spam”.

    I NEVER do, even if I am mildly curious about the product. One thing, however, I ALWAYS do is turn on the Microsoft Office out of office assistant before leaving on vacation or a business trip, which replies to every incoming message. This would validate my address as an active account to the Spamkers, would it not? Thus resulting in the huge increase in crap I get in my inbox.

    Vacation autoresponders are evil. -rc

    Reply
  24. How can I get the precise instructions for filtering my email through gmail?

    This breaks down into two questions.

    (1) How can I automatically send a copy of my email in my ISP’s account to my gmail account?

    (2) How can I automatically send email that has been sent to gmail back to my ISP’s account?

    Exactly how to do #1 depends on your ISP, what they allow you to control, and what software they have running on their servers, and it’s impossible for me to give instructions for every ISP out there. The basic thing you need to do is forward a copy of incoming (and preferably already-filtered) mail over to your gmail account.

    As for #2, you don’t want to — because then you’ll be in a loop with copies going back and forth forever. I no longer check my own inboxes, only gmail’s (and I’ve set up a routine to automatically delete the mail on my server after X days, so that I have a backup in case of gmail outage or failure). I have also set up gmail so that if I send mail, it comes “from” my regular email address, not my gmail address, so there’s no confusion over what my preferred address is. -rc

    Reply
  25. Solution for “Vacation email” — many email clients have an option to only send your vacation notice to people that are in your address book. If the sender is not in your address book, no “vacation notice” is sent. This keeps your email from automatically responding if it is someone you don’t know.

    Sounds good, but it’s not that easy. One way to keep wanted mail from being filtered as spam is to put the sender’s email address in your address book — so you get customer notices, newsletters, etc. Simply, automatic acknowledgments are, as I said two comments ago, “evil”. -rc

    Reply
  26. Thanks for all your tips and tricks!

    Here is a problem I have with gmail and listservs: I have various email accounts to use in receiving emails for different organizations, and all of them forward to a “master” account for me to read.

    I used to use EarthLink but some months ago their spam filter started to consider tons of email as being spam, from senders with whom I regularly corresponded.

    So following research I did switch to gmail for that final “inbox.” I am mostly pleased with gmail’s handling of spam.

    But there is one big problem that I have not been able to solve. It involves my getting my copy back of emails I send from my gmail account to various listservs, including several I manage.

    If I send an email from my gmail account to such a list, even if it goes to one of my other various email accounts, the gmail system sees the forwarded message as a message from me back to myself and won’t route it to my gmail inbox. Yes, I could cc myself, but that doesn’t tell me if the message really made it through the listserv ok.

    This is a known problem on the gmail forums and so far no one seems to have come up with a straightforward solution.

    I could try sending from a different email server and address, but for various reasons I do not wish to do that.

    Anyone have a solution?

    Second annoyance: lack of ability to order messages in gmail’s spam box. Currently, emails seem to be ordered by date and time only. It would be MUCH faster to scan the spambox for valid email if I could sort by sender and/or by subject line. But I do not see any such feature in gmail’s web view.

    Any suggestions?

    Your first annoyance is indeed a real one; Gmail considers that a “feature,” not a bug. They’re wrong! It’s not “really” an issue for me since I send most of my outgoing mail from a mailer that’s not Gmail, nor does it get routed through Gmail’s outbound (SMTP) server, but rather my own. I do get copies of those list messages. For lists that I manage, I add an archive address to the distribution that I don’t route through Gmail, and download that mailbox separately with my desktop mailer to keep copies of “everything.”

    As for your second annoyance, yeah, that’s a pain. I don’t get all that much spam in my Gmail spam folder by pre-filtering the mail at my own site, so it’s not much of a problem for me. If anyone else has a suggestion for this, I’d like to hear it too. -rc

    Reply
  27. Excellent Article! My job requires that my email be handled in compliance with the Health Care HIPAA regulations. Therefore, it appears that using gmail is not permissible, since I cannot find anything that confirms that gmail is HIPAA compliant. Any SPAM recommendations for those of us who have to remain HIPAA Compliant?

    HIPAA is the Health Insurance Portability and Accountability Act, which sounds confusing until you realize that it seems to have a lot more to do with patient privacy requirements than health insurance “portability” — I guess it’s in the “accountability” part of the law. I had no idea there were requirements on email systems in there, but can’t say I’m surprised. Thus, no, I have no idea what systems may or may not comply with the law. -rc

    Reply
  28. I have a somewhat different scheme which I have found to be quite effective.

    Many years ago I got my own domain so that I would never have to change my address when I changed jobs or when I decided I liked a different mail provider. When I first got it, I thought the provider’s “catchall” support was a really cheesy way to implement multiple mailboxes.

    Later, when a company asked me for my address, I realized that the “catchall” support was a great anti-spam tool. Now, every time a company asks me for my address, I give them a *new* address with their name embedded in it. For instance, my True subscription comes to “true-premium at example.com”. This lets me automatically support mail based on the address used, lets me know who sold my address, and lets me cleanly kill that particular address without affecting any other addresses.

    My first domain was a second-level domain, e.g. example.com. That worked well, but didn’t extend well to giving my family and friends the same capabilities. In addition, until I killed off those addresses, I found that I got a modest amount of spam to support at example.com, sales at example.com, and so on. I still keep that domain, but now my primary domain is used only as a container for *third* level domains – e.g. jordan.example.com. It seems the spammers don’t bother to send to common addresses at third-level domains.

    I get very very little spam, and my false-positive rate is *zero*. I’ve had to kill off maybe three or four addresses that I’ve given out, a handful of common addresses, and a handful of addresses that I’d never used that the spammers somehow got their hands on.

    I do give out a “real” address to individuals (never companies), so I suppose that there’s a small risk that malware mining their contact lists could get one of my good addresses, but it hasn’t happened yet and it’s been a lot of years.

    You will. The latest spammer trick is to break into legit users’ mail accounts and send mail “from” that legitimate user “to” everyone in their address book. I’m seeing a lot of them lately — and I recognize the purported sender as readers, and the spam comes “from” their actual address. It started with scams (“I’m trapped in London! Please wire me money!”), and now it’s just plain spam most of the time. The obvious lesson is “use better passwords”, but the effect will be that previously spam-free accounts that were only in the hands of friends are now falling into the hands of spammers. -rc

    Reply
  29. Great piece on avoiding spam. I also use Gmail and have been very happy with it. I have two different domains and use zonedit as my name server. Zoneedit gives me the ability to direct where various email addresses go to. When I deal with a merchant that I don’t know or don’t trust, I use an email address that helps me to identify the vendor (vendorid at exampule.com). My email default is gmail. If I see that a vendor specific address is getting spam, I go into zoneedit and redirect the email address back to the vendor. I never see email directed to that address again.

    Ooh, nice twist to forward it to that vendor. Deliciously evil, though it is possible that the vendor is innocent (e.g., your mailstream was sniffed when you were using an unsecure wireless access point). -rc

    Reply
  30. I know your situation is different, with a published email address. I don’t use filters because I am very guarded with my email addresses. I receive very little SPAM, and almost all that I do receive I recognize as the result of me providing the address. In fact, I’m annoyed sometimes when my Internet Security suite labels items as SPAM that are not.

    As far as backing up email, contacts, and the like, I use multiple computers. When I read email (downloaded as POP) on one other than my main PC, I have the server settings switched to leave the messages on the server. My main PC is not set this way, and I download the messages to that one only occasionally. The main PC has all personal data on a RAID SAFE array, and I use drive cloning software to create alternating redundant backups. From time to time I also copy my email files to a date-specific back-up folder. By these various methods, I can restore my email stuff either directly or to a temporary profile. But I’ve not actually needed this, other than when performing a complete system rebuild.

    A lot of people just read that and said “wow”. And 1 in 99 of them have no backup of their mail at all, and likely no backups of their important files (like photos), address books, etc. Drives are getting really cheap. The only way for drive makers to make money in that environment is to put out really cheap hardware, which will fail. Are you really willing to lose everything? Maybe it’s time to buy a cheap external drive and back everything up every week? -rc

    Reply
  31. What to do when one’s Address Book gets stolen and is used to send spam to my many contacts? Is there a way to trace the spammer via the message header?

    One thing I noticed: My Vacation Response was set to sent the spam message from yesterday until three years from now (!) to any new email that hit my In box.

    Even if you could trace the sender, and thus whoever cracked your password, they’ll probably be overseas where it’s unlikely you can touch them. But this does show the importance of having a REALLY good (and long!) password, and checking all of the other settings on your account (especially cell phone and alternate email address — ways to contact you). -rc

    Reply
  32. Here is a feature gmail needs but has not yet implemented:

    I have many email accounts which forward to one account for spam filtering and pick up.

    Earthlink got worse and worse and perhaps a couple of years ago changed their system so that many legitimate messages were being classified as spam and many spam messages were getting through.

    So I did switch to gmail and for the most part am pleased with it. It captures tons of spam every day.

    The problem is wading through all those spam messages to find the occasional misclassified legitimate email.

    It would be much easier if one could go online to gmail spam periodically and sort the messages by sender and/or subject line. Spam tends to come in batches so one could then quickly scan through the blocks of spam and spot the occasional message from a valid sender or with a valid subject. But so far gmail has not provided this capability.

    Thank you for your helpful information on spam management.

    That would indeed be useful. I don’t have to review all that much thanks to my prefiltering step (maybe 10-20/day), but that sounds like it would help. -rc

    Reply

Leave a Comment