Last updated: April 18, 2017
General tips for spam avoidance
When sending email or supplying your email address to an unknown or untrusted individual or organization, use an email address other than your main address. Consider setting up a "throw away" gmail or yahoo account. (TMDA users: use a custom and/or expiring address- see TMDA).
Never open a piece of spam email
Never respond to a piece of spam email
Never follow the link to unsubscribe in a spam email (legit companies are OK)
How is spam detected and handled?
ALL email sent to you is scanned and scored by spam scanning software: SpamAssassin- the most popular scanning software for detecting spam. SpamAssassin works by passing the email through hundreds of tests to determine if it's spam (or not). Depending on the results of these tests, an email is assigned a numerical score; the higher the score the more likely the email is spam. However, it is up to you to decide what to do with the email based on the score it receives. There are a couple levels of action the server can take on an email with a spam score:
Based upon the score an email receives, the server will handle it in one of a few ways:
Rejection: The email is rejected immediately and delivery is refused (the sender is notified). You will not see the email.
Tag: You will get this email and: a) The subject of the email will be rewritten to include: [SPAM-X] (X=the spam score), b) the original email will be placed into an attachment and replaced with a report showing you what tests that lead to the score it received.
Allow: You will get this email, and the email headers will include the spam score. No other action taken.
This system is optimized to help determine what is spam and what isn't. How you deal with that information is up to you. It's up to you to setup filters which will place spam-tagged email in a separate folder (or in the trash).
How do I control how my email is handled based on its spam score?
It is up to you to decide what action to take on an email based upon its spam score. Generally speaking, anything with a score of 3-5 (or higher) is likely spam. These are the default/suggested spam scores associated with their actions:
Rejection: >=8 You cannot directly control this level, but you may ask the mail administrator to set this level for your email account, or for your entire domain. If you lower this setting (below 2-3), you risk missing legitimate email which receives a higher spam score.
Tag: 5-7 You may directly control this level via Webmail
-> Settings -> Junk -> General Settings -> Score Threshold. If you lower this setting, more mail will be tagged as spam. It will still reach your inbox, but you can filter it out by setting up mail filtering
in your mail client.
If you are going to set your rejection level low, you are encouraged to first lower your tag setting to that level first, monitor email for a few weeks, add anything you get that is over that score to your whitelist, then when you are not receiving any legitimate email tagged as spam, proceed to reject spam above that level.
Some of my legitimate email is being marked as spam, how can I stop that (whitelist)?
If you receive an email which gets a spam score high enough to be tagged (or rejected), you may add that sender (or domain) to your whitelist, effectively exempting that sender from spam checking.
To add an email address to your whitelist, go to: Webmail
-> Settings -> Junk -> Address Rules
Choose "Accept Mail From" from the dropdown list and enter the email address, or you may enter a wildcard that will allow all email from the domain: (ex: *@amazon.com)
Click "Add Rule" then click "Save" (important: don't forget to click Save)
I keep getting email from the same address and it's not being marked as spam, how do I block it (blacklist)?
If you receive an email which gets a low or no spam score, you may add that sender (or domain) to your blacklist, effectively blocking that sender from sending you any email.
To add an email address to your blacklist, go to: Webmail
-> Settings -> Junk -> Address Rules
Choose "Reject Mail From" from the dropdown list and enter the email address, or you may enter a wildcard that will allow all email from the domain: (ex: *@spammer.com)
Click "Add Rule" then click "Save" (important: don't forget to click Save)
How do I get emails tagged as spam out of my inbox (filtering)?
I received an email that wasn't tagged as spam, but I want to know what score it received
If you're curious about the spam score of an email, you can look in the message headers to see what it's spam score is.
What you're looking for is a line that looks like this:
X-Spam-Status: No, score=-2.6 required=5.0 tests=BAYES_00,HTML_MESSAGE autolearn=ham version=3.2.4
In this example, the email has a score of negative 2.6 (which is obviously not spam) and some other information about the tests run. If you see that a lot of your legitimate email has scores in the 3's and 4's then obviously setting a reject score of 2 or 3 would result in those emails being rejected. You'd either need to raise the reject score or take steps to ensure those legitimate emails receive a lower score (see whitelist
I don't like the spam subject tagging, can I change it to something else?
Yes, you may. For example maybe you'd prefer: "[SPAM]
" or "*SPAM*
" or "*JUNK*
This may be changed via: Webmail
-> Settings -> Junk -> General Settings -> Subject Tag
Too much email is arriving with low or no spam score. Can I teach SpamAssassin what is spam?
Yes. First, if you keep getting email from the same place, you should add the sender or domain to your blacklist
. You can also move the spam email into your Junk folder (IMAP clients only) and any email placed there will be scanned and taught to SpamAssassin as spam.
I'm still getting too much spam, is there any other option? (TMDA)
You can choose to use a service called TMDA (Tagged Message Delivery Agent).
With TMDA, YOU choose what email gets through or not buy creating and maintaining a whitelist of addresses and domains allowed to email you. When an email is received, TMDA compares the sender against lists which you create/manage and then decides whether to reject or accept the email for delivery to you. If the sender is on your whitelist, the email is delivered to you. If the email is on your blacklist, the email is rejected (the sender is notified). If the sender is not on your list, the sender is sent an email asking them to confirm the email they sent to you by simply replying to the email.
If the sender replies to the confirmation email, the sender will be placed on your whitelist, and the original email (and all subsequent email sent from the sender to you) will be delivered. In other words, the sender only needs to respond to the confirmation email once. This method works well because spammers who receive the confirmation email will either not respond to or not receive the confirmation email at all. Therefore only legitimate senders will be able to send you email. Further, you have ultimate control over who you accept email from and you can add and remove people from the whitelist/blacklist at any time via a convenient web interface.
Before enabling TMDA for your email account, you should consider:
Pros: 100% spam proof. You control all your incoming email. You can retrieve, accept and whitelist unconfirmed email in the Pending folder via the web interface
Cons: This may "annoy" or confuse some people who send you email- they may not want to or understand how to respond to the confirmation email (in which case their email will not automatically be delivered), see below for a solution. Emails sent from companies (i.e. not a human being) will likely not be responded to (i.e. Amazon sends you an email about your purchase, in response a confirmation email is sent to Amazon, that email likely won't be reviewed or responded to so the original email will not be automatically delivered), see below for a solution. Spam (or mail awaiting confirmation from the sender) is placed in a special folder which you can review from a convenient web interface. This "Pending" folder will be periodically pruned after a certain amount of time (if you don't check it occasionally you may lose legitimate email, permanently).
If you want to use TMDA, you'll want to give your sender's a leg up by pre-populating your whitelist with email addresses from people (and organizations) that you regularly communicate with. You can easily do this by looking through your address book and also open up your deleted emails, sort by sender and make note of the various senders you'd also like placed on the list. This process is made a bit easier with the "wildcard" feature builtin to the whitelist. For example, let's say you get emails from several addresses at amazon.com: email@example.com, firstname.lastname@example.org, email@example.com
Instead of putting all those addresses into your whitelist, you can put a wildcard entry that will accept any email from any address at amazon.com. Examples of valid whitelist entries and wildcard entries are shown here
If you'd like to proceed with TMDA, here's what you need to do:
- Login to the TMDA management tool: https://secure.yeppernet.com/cgi-bin/tmda.cgi There you will see instructions about how to setup TMDA. Don't forget to populate your whitelist. You can find it under 'Lists', 'Whitelist'.
- To review email sent to you awaiting confirmation from the senders, login to the TMDA tool and go to 'Pending'. From there you can delete things, or release them to your inbox or whitelist them (which adds the sender to your whitelist and releases the email to your inbox).
- Eventually lots of spam will accumulate in your Pending box. Please check and clear it out (delete all email) periodically. Email left there for more than a few months will be purged.
- If you want a custom address, please identify what you'd like the domain to be (e.x. @yourfirstname.yourdomain.com). If you'd like to update your email address (to the new custom address) with companies or mail lists prior to putting the whitelist in place, please notify us when this is complete. Otherwise, best to include those senders in your whitelist if we're implementing the whitelist right away.
Can I setup a unique address for each company or person I want to receive email from?
For those with more advanced needs, there's an additional level of flexibility you can give yourself:
You can use a custom email address for each person or company you receive email from.
Let's say Fred Smith's domain is smithfamily.com
A special wildcard email address is setup that allows Fred to receive email at any
email addres @fred.smithfamily.com
So, for instance when Fred makes a purchase at amazon.com he tells them his email address is firstname.lastname@example.org
And when he makes a purchase at AcmeCo.com he tells them his email address is email@example.com (or firstname.lastname@example.org or email@example.com)
All email sent to any address @fred.smithfamily.com is automatically delivered right to Fred's mailbox- no confirmation emails are sent.
This method is ideal for companies or individuals you trust who are not likely respond to a confirmation email since email sent to firstname.lastname@example.org automatically gets delivered- you never have to worry about these emails not getting to you (or sit in the spam folder awaiting confimration).
This method is also ideal for companies or individuals you don't trust since if Fred starts to receive spam from email@example.com, not only will he know that AcmeCo.com likely leaked his address to a spammer, but he can selectively delete all email sent to firstname.lastname@example.org (this can be done by the server or you can setup your mail program to filter mail sent to email@example.com right into the trash).
Can I create a temporary email address?
Yes. This is easy with TMDA
. You can create an email address which 'expires' after a certain amount of time, or one that must come from a certain sender, or one that contains a keyword (so you know who sent it). For example, let's say you want to order a product from a company that you think will sell your address to spammers. So, generate a dated email address which you will give them in lieu of your real address. Make it expire in 30 days. That way, if anyone tries to email you at that address after 30 days have passed (well after you've received your order and you have no further business with this company) those emails will be treated like someone who's never emailed you (and go through the confirmation process).
In order to generate these addresses, (first activate TMDA if you haven't already, then), login to the TMDA web interface
, go to the 'Addresses: Generate Dynamic Return Address' link and follow the instructions to generate an email address.
How do I add addresses or domains to my TMDA whitelist?
Login to the TMDA web interface
and go to Lists -> Whitelist
To match only firstname.lastname@example.org:
To match email@example.com, but not firstname.lastname@example.org:
To match email@example.com, but not firstname.lastname@example.org:
To match both email@example.com, and firstname.lastname@example.org:
Why is forwarding my email to my gmail account bad?
If you receive spam email (which is forwarded onto your gmail account) gmail will tend to treat and label this
server (which handles email for your domain, and others) as a "known spammer". The impact of this label is all email, including legitimate email may be delayed or refused by gmail's servers entirely. This will cause delays in the delivery (forwarding) of your email, as well as others using this server who wish to email people with a gmail address.
Therefore, you are encouraged to disable forwarding and setup your gmail account to check your email account, downloading mail off this server into your gmail account.
To see how to do this, please review the mail configuration help tool
Don't forget to disable forwarding here: mail administration
If you opt to continue forwarding your email onto your gmail account, your Rejection level may be lowered considerably to ensure very little spam is forwarded to gmail.
Why doesn't SpamAssassin catch all spam?
Spam is a classic cat and mouse game- spammers are constantly adapting their approach to circumvent spam scanners that catch and identify their emails, and spam scanners are constantly adapting to new strategies employed by spammers. SpamAssassin is updated daily so we are always using the latest tools to catch as much spam as possible. Ultimately, some will always get through though.