Networking and IT Solutions for Kansas City Businesses

How to reduce spam messages and spam mail in three easy steps

What is spam mail?


Spam mail has three components.  Spam mail is not requested.  Spam mail is irrelevant or inappropriate.  Spam mail is sent to a large number of recipients.  To be classified as spam mail, an email message must meet all three components.  An email from an old high school friend may be not requested and irrelevant or inappropriate, but if sent only to one person it is not technically spam mail.  An advertisement that was requested through sign-up, even though irrelevant at the time and sent to a large number of recipients, is not spam mail.  Spam messages and spam mail are the emails you never want.  Whether these messages arrive in your inbox or are caught by a spam checker and directed to junk or clutter or auto-deleted, they are messages pushed at you by someone through some program that do not bring you value.

Why do I receive spam mail and spam messages?  

Spam mail is prevalent. By some estimates, 70% to 80% of all email is spam mail.  Many spam mail messages are intercepted by a spam checker, but many more are still delivered. The vast majority of spam messages are sent because of greed and because they work.  There are two categories of how spam mail plays into the greed of the sender: overtly and covertly.

Overt spam mail consists of spam messages that seek to get the recipient to make a legitimate, conscious purchasing decision.  It is a numbers game.  It is fishing by casting a really wide net.  If the spam message sender can convert 1 of every 1000 spam messages sent into a sale, then why not send 10,000 or 100,000 or 100 Billion?  Even if the conversion ratio decreases, it does not decrease proportionally, so there is always incentive to blast out more spam mail.

Covert spam mail consists of spam messages that seek to trick the recipient to give electronic permission to download something or release information.  Since a click is considered giving permission by security protection systems, the spam mail sender presents information to get the recipient to click a link to deliver what is known as the payload.  This can be a virus, a trojan horse, a command and control console, a backdoor, or any other number of malware related programs or scripts.  These spam mail messages are a key focus of spam checker software and services. Regardless of the payload, the logic in sending the spam mail is the same as the overt spam mail marketing senders.  It is a numbers game and the more spam messages sent, the more likely someone is to be tricked to click.

Spam mail is prevalent because it is very inexpensive to send, thus there are few financial barriers to deter the spam message sender.  The spam message writer simply writes one email.  They steal or purchase an email list and build or contract an email delivery program.  The time and expense are small and are fixed expenses not variables to the number of spam messages sent.  Since this is the case, it is in the spam mail sender’s interest to send as many spam messages as possible.

While sending spam is illegal, it is very difficult to enforce that law against those who choose to abuse it.  The small local storefront that feels the temptation to expand their mailing list beyond those who have expressly given permission to send marketing materials is far more likely to be caught by the safeguards of spam checker services and by the law than the off-shore sender of a billion spam messages.  The local company is likely using legitimate mail management services which are designed to uphold the laws.  They are more likely to end up with names that are identifiable by source because of where they copied them and thus more likely to come under review.  Because they are within the reach of the system and laws, they are at a disadvantage.

The other challenge for spam checker software and services is in the interpretation of what message constitutes spam mail.  Just because a message is sent to a large audience does not mean it is spam.  In a time where celebrities and some brands have millions of fans, a wide distribution list does not make a message spam mail.  It is also very challenging for spam checker services to identify if a message has been requested or not.  As a result, spam checker programs either over-block or under-block, but never correctly block.  Over-blocking means messages that are desired are being blocked.  These will often come through to the recipient but be flagged as suspicious of being spam mail and/or moved to junk or clutter or spam folders.

Three ways to reduce spam mail and spam messages

There are as many strategies to reduce spam mail and spam messages as there are spam mail and spam message senders.  Some involve third party spam checker services and other professional spam mail reduction tools and filters.  The three discussed here are ones that anyone can do using the tools and strategy available through the software you use for your mail host.

Limit sharing your email address with spam mail senders

You likely have a professional email address that identifies you with your company.  You may also have a personal email address that you use with friends and family.  There are a number of services provided by online companies such as Google, Microsoft and others that provide the ability to create a free email address.  There are also email address creation opportunities that come with most internet service provider subscriptions.

The idea behind this strategy is to create what are called stand-in, throw-away email addresses.  These are free email addresses that you use online. Whether you are registering for a newsletter, signing up for coupons, making a purchase or anything else that may require you to provide an email address on a website, use a stand-in address. Any of the free email addresses available from Google, Microsoft or others can quickly and easily be set up to forward to your primary business or personal email address.

Following this method, you add email addresses, but do not add any additional mailboxes to check, since email from any of these addresses forwards to your main account.

However, if the website database where you register your email is compromised, or if they inappropriately elect to sell your data to a sender of spam mail or spam messages, you simply delete the email account and create a new one.  

Start by creating 3 or 4 free email addresses.  They can be as similar as changing the number at the end of the email address.  Once created, sign in and forward the mail to your main address.  With most services you will be able to see where the mail coming in to your inbox originated, so you can identify which address spam messages are coming to and act quickly.

You should also use something other than your primary email address on online brochures and websites or hide the information on a secure page requiring the user to sign in or, at a minimum, behind an online widget called a captcha.  If you list email contact information on your website or blog, there are programs spam mail and spam message senders use called web-crawlers which go from site to site trying to find email addresses and pull the addresses back into a spam mail database.  Since email addresses follow a common format including the @ symbol, they are relatively easy to crawl.  The spam mail sender or someone who sells email addresses to those sending spam messages will launch the program and crawl for email addresses across millions of websites.

There are safety methods available on websites to limit or prevent this type of web-crawling for spam mail.  One method is to require a sign-in before the information is made available.  This is useful for things such as membership databases such as chamber of commerce or professional organizations, churches or schools.  This prevents the information from being crawled since it is only available to those with a sign-in.  

If the webpage needs to make an email address available to the general public and not just those who are registered users, a widget called a captcha can be used to discourage access by those sending spam mail and spam messages.  A captcha can be as simple as an “I’m not a robot” check box or as complex as entering a code or solving a puzzle or math problem.  Once checked, entered or solved, the email address then appears.

However, even in these situations, it may be wise to use an alternative email address that is different than your primary because the security may be weak, or passwords used by other users may be weak and become compromised.  An alternative email may be an alias to your primary account, again, by adding a number at the end of your primary address.  On services such as Office 365, there is no additional cost to create these aliases. 

Spam Checker and Spam Blocker Services

Another tool to use in reducing spam mail and spam messages is to utilize a spam blocker service. There are a number of third party services which can fulfill this function.  All mail is first directed to their service where it is reviewed using advanced computer algorithms.  Spam messages are removed and only the messages deemed to be not spam mail are delivered to the inbox of the intended recipient.

The two most popular email hosts, Office 365 and Google’s Gmail, both have a built-in spam mail blocking service.

In Office 365, the spam mail blocking service is called Exchange Online Protection or EOP.  Like third party protection, EOP reviews every incoming mail message to identify which messages would be considered spam mail. In addition, the built in protection can also be tuned for better protection tailored to the patterns a particular mail recipient may be seeing.

Connection Filtering in O365

Connection filtering in Office 365 provides the ability to identify all incoming messages from a particular sender or sender’s domain as being spam messages.  Using the junk mail message settings, a spam mail message that was received as not being spam can be recategorized as spam and used as the identifier so that all future messages from that sender are categorized as spam messages.

Connection filtering also gives the ability to “whitelist” a sender or sender’s domain so that mail messages by-pass the built-in spam filtering.

Spam Filtering in O365

In the Security and Compliance Center of Office 365, the SCC, there are controls for Threat Management settings.  This allows anyone using Office 365 to adjust spam mail controls in several ways.

Redirection

Using the SCC, spam mail can be redirected into other folders such as junk and clutter, but also folders identified by the email account holder.  

Prepending

Suspected spam messages can be adjusted so that the subject line includes additional words in front of the stated subject, such as “possible spam”, to warn the recipient.

Bulk-Mail Filtering

Using a 1 to 9 scale, bulk mail acceptance can be adjusted in the SCC Threat Management portal.  A setting level of 1 allows most bulk mail to come through, while a level of 9 would block almost all bulk messages.

In addition to these settings, there are additional ways Office 365 Exchange Online Protection can be tuned.

Google Gmail also provides some level of spam mail blocking and spam filtering.  However, the main complaint about Gmail is not that it is missing spam but that it is treating legitimate email as spam.

Within the Gmail web console, a user can click an email message to see details.  If it is spam or phishing, click the three dots at the top right of the screen and select report as spam or report as phishing.  In addition, there is an option in that same menu to block the sender.

Overriding Google’s spam checker when it is over-blocking mail and treating it as spam messages is a little bit more complicated.  This involves signing in to the settings menu of the Google console, going to the Filters and Blocked Addresses tab and setting up a new filter to never send a sender to spam.  It is counterintuitive that the way to stop filtering spam mail and spam messages is to create a new filter, but that is how it works.

Other tools available in both Microsoft Office 365 and Google Gmail to address spam mail and spam messages are to redirect, unsubscribe and report.  These tools are also available for bulk mail messages sent through popular services such as Constant Contact and MailChimp.  At the bottom of each legal marketing message, by law, there must be an “unsubscribe” link.  If you no longer need information from a mailing list you signed up to receive or feel like the volume of email is more than you need, be courteous and unsubscribe.  Do not report these emails as spam messages.  However, if you did not sign up for emails and you are getting spammed, both unsubscribe and block the sender and report them as spam.  Another helpful tool is to redirect the marketing emails or other ongoing mailing list items into a sub-folder or series of sub-folders.  Google Gmail is starting to do this automatically with the Social, Updates and Promotions folders, but you can create other folders as well and automatically move messages out of your inbox by using settings/settings/filters in Gmail or Rules in Office 365.

Hardening your business email

If you are a small business with your own email domain, there are steps and settings that can be taken to “harden” your domain to protect your entire organization.  These spam filtering and spam message blocking settings are probably best left to a trained and certified IT professional to configure, however, you should be aware of the basics to ensure they are being set up and secured correctly.  The three we will discuss are SPF, DKIM and DMARC.

The SPF record is a Sender Policy Framework record.  It is the information communicated to the mail servers in the world that indicates which hosts are authorized to send email on behalf of a given domain.  One method spam mail senders will use to trick recipients is called spoofing.  When they spoof an email address, they pretend they have an account on a domain that they do not have.  For example, sending an email with the spoofed return address of @microsoft.com or @google.com may encourage more opens than some email address that does not seem legit.  However, setting an SPF record tells the email hosts who is and who is not authorized to send email from a given domain.  It is a text record linked to your domain host and/or registrar that lists all legit hosts for sending email.  Because of the volume of spam mail and spam messages, this record is being used as a spam filtering tool and some/many email hosts will now reject email as spam if it comes from a domain without an SPF record.

DKIM stands for DomainKeys Identified Mail.  Google explains, “DKIM adds an encrypted signature to the header of all outgoing messages. Email servers that get these messages use DKIM to decrypt the message header, and verify the message was not changed after it was sent.”  As with the SPF record, DKIM helps inhibit email spoofing.  It also prevents an email relay host from intercepting, changing and then forwarding an email, making it appear as if it was unaltered.

DMARC stands for Domain-based Message Authentication, Reporting, and Conformance.  Like SPF and DKIM, this is another level of authentication that identifies the reliability that email is originating from a legitimate host, but on the receiving end instead of on the sending side.  Basically, your DMARC settings tell your receiving mail host what to do when an email is received that fails in the areas of SPF and/or DKIM.  At the highest level, the DMARC policy may tell your server to do nothing and pass the spam mail through like any other, or it may tell the server to reject the spam message altogether, or it may do mail filtering and send the message on but only after prepending it or tagging it to go into a specific junk or clutter folder.
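
As a way to check that these records are "set up and secured correctly", the following added example (not code from this article or from Microsoft or Google) audits the text of a domain's SPF and DMARC TXT records and lists the weak settings it finds.  The function names, the finding messages and the example.com records are all constructed for illustration; the 10-lookup limit comes from RFC 7208.

```python
import re

# Terms that cost a DNS lookup; RFC 7208 allows at most 10 per SPF check.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
ALL_NOTES = {"+": "+all: every host is authorized to send",
             "?": "?all: unlisted hosts get a neutral result",
             "~": "~all: unlisted hosts only soft-fail"}

def _name(term):
    """'-all' -> 'all', 'include:x' -> 'include', 'mx/24' -> 'mx'."""
    return re.match(r"[+\-~?]?([a-z0-9]*)", term).group(1)

def audit_spf(txt_records):
    """Findings for the TXT records published at the domain itself."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return ["no SPF record: receivers cannot tell which hosts may send"]
    if len(spf) > 1:
        return ["multiple SPF records: evaluation ends in permerror"]
    terms = spf[0].lower().split()[1:]
    names = [_name(t) for t in terms]
    findings = []
    if sum(n in LOOKUP_TERMS for n in names) > 10:
        findings.append("more than 10 DNS-lookup terms: permerror")
    alls = [t for t in terms if _name(t) == "all"]
    if not alls and "redirect" not in names:
        findings.append("no 'all' term: unlisted hosts get a neutral result")
    elif alls:
        q = alls[0][0] if alls[0][0] in "+-~?" else "+"  # default qualifier is +
        if q in ALL_NOTES:
            findings.append(ALL_NOTES[q])
    return findings

def audit_dmarc(txt_records):
    """Findings for the TXT records published at _dmarc.<domain>."""
    recs = [r for r in txt_records if r.strip().lower().startswith("v=dmarc1")]
    if len(recs) != 1:
        return ["no single DMARC record: receivers apply no domain policy"]
    tags = {k.strip().lower(): v.strip() for k, v in
            (p.split("=", 1) for p in recs[0].split(";") if "=" in p)}
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("missing or invalid p= tag")
    elif policy == "none":
        findings.append("p=none: failing mail is delivered as usual")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        findings.append("pct=%s: policy covers only part of the mail" % pct)
    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports are requested")
    return findings

# Constructed sample records for example.com (not taken from the article).
WEAK = {"spf": ["v=spf1 include:_spf.example.net ~all"], "dmarc": ["v=DMARC1; p=none"]}
HARDENED = {"spf": ["v=spf1 ip4:192.0.2.0/24 include:_spf.example.net -all"],
            "dmarc": ["v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"]}

for _label, _rec in (("weak", WEAK), ("hardened", HARDENED)):
    print(_label, audit_spf(_rec["spf"]) + audit_dmarc(_rec["dmarc"]))
```

To run it against a real domain, paste in the TXT values your DNS host shows for the domain and for _dmarc.<domain>.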

How to send mass email without being categorized as spam

While the primary topic of this paper has focused on mail filtering, spam mail and spam messages, for many small business owners and marketing managers, the challenge is not how to stop spam, but how to keep email from being identified as spam.

First, it is important to use the proper tools when sending email.  While you can address an email to 25, 50 or 100 email recipients, it is unwise and will trigger spam filters, even if it does not meet the technical definition of spam.  There are a number of very good and inexpensive services that are designed to legally and legitimately send mass emails, such as Constant Contact, MailChimp and others.  Not only are these companies set up to help send messages without falsely triggering spam filters, they also ensure the proper information is on each email, such as sender contact information and opt-out links, that are required by United States Law.  

Practice list hygiene. This step is challenging for small businesses trying to get their message out, but it is not only a good technology practice; it also builds stronger relationships with your prospects and clients.  The temptation is to get an email address and then drip mail to them over and over again because, “they may some day need something.”  This is pestering a prospect and is seldom the best way to build loyalty. Email marketing experts explain it is better to have a small list of loyal fans who look forward to getting your information than a large group who become more and more annoyed or who report you as a sender of spam.  They recommend making it more difficult to sign up for your mail list, making a 2 or 3 step opt-in to begin with.  They also recommend, at least on an annual basis, purging your list by sending a re-opt-in message to everyone and only continuing to send to those who “re-up” to your list.

Be legit – don’t be a spammer.  It is tempting to short-cut your list development by buying a list or copying it out of directories or other databases.  It isn’t worth it.  Email security firms will often set up something called a honey-pot to find people who violate this suggestion.  They create an email address that never signs up for any legitimate lists and circulate the address so that it gets picked up by those who skim email addresses from the web and sell them.  Any email sent to this address is, by default, sent from someone sending unsolicited email, i.e., a spammer.  Sending one email to an address like this will get your domain blacklisted and get you kicked off the legitimate mail services, possibly forever.

Finally, test your messages so they are not seen by the systems as spam mail or spam messages.  The email marketing services will give you a score of whether or not your message will be identified as spam.  You can also use the free service at isnotspam.com to test a message.

Conclusion

Spam mail and spam messages clog our inboxes, cause workload for mail hosts and servers, clog the internet pipes and have become a hotbed for bad actors who desire only to cheat, steal and destroy.  At the same time, email marketing is an amazing tool for both businesses and consumers and one we want to protect and encourage.  Proper spam mail and spam message controls can help.  Spam filters can augment other protections and resisting the temptation of joining the crowd of spammers can help get your message to those who desire to hear, read and learn.