Anti-spam techniques


Various anti-spam techniques are used to prevent email spam.
No technique is a complete solution to the spam problem, and each has trade-offs between incorrectly rejecting legitimate email as opposed to not rejecting all spam email – and the associated costs in time, effort, and cost of wrongfully obstructing good mail. This leads to combinations of the many techniques in order to achieve the best protection against spam and the potential harms that may come with it, while keeping the emails that should be seen intact.
Anti-spam techniques can be broken into four broad categories: those that require actions by individuals, those that can be automated by email administrators, those that can be automated by email senders and those employed by researchers and law enforcement officials. They are often used in conjunction with one another.

End-user techniques

There are a number of techniques that individuals can use to restrict the availability of their email addresses, with the goal of reducing their chance of receiving spam.

Discretion

Sharing an email address only among a limited group of correspondents is one way to limit the chance that the address will be "harvested" and targeted to receive spam. Similarly, when forwarding messages to a number of recipients who do not know one another, recipient addresses can be put in the bcc: field so that each recipient does not get a list of the other recipients' email addresses.
When identifying spam, the email of the sender might be slightly off from that of an official company. Winning competitions and rewards, job offers, and anything revolving around the banking world are among the top spam subjects. Writing might lack professionalism and correct grammar. Artificial intelligence can be used to create the messages and may have an automated or robotic style of language. It has been found in the modern day that over half of the spam emails sent involve artificial intelligence in some form. Besides creating the spam message entirely, AI may also be used to revise writings of errors, making them appear more authentic. As time goes on, it is very possible that the AI can become harder to detect and employ other methods that makes spam more likely to make it to recipients' inboxes and successfully deceive readers. As it stands currently, out of the most-used email service providers, Yahoo has best been able to prevent AI-generated spam from penetrating through their integrated security systems. In contrast, Gmail and Outlook had allowed more from a set of the same emails to go through their spam detectors.

Address munging

Email addresses posted on webpages, Usenet or chat rooms are vulnerable to e-mail address harvesting. Address munging is the practice of disguising an e-mail address to prevent it from being automatically collected in this way, but still allow a human reader to reconstruct the original: an email address such as, "no-one@example.com", might be written as "no-one at example dot com", for instance. A related technique is to display all or part of the email address as an image, or as jumbled text with the order of characters restored using CSS.

Avoid responding to spam

A common piece of advice is not to reply to spam messages as spammers may simply regard responses as confirmation that an email address is valid. Disabling read receipts can help too, as even opening spam could signal activity. Similarly, many spam messages contain web links or addresses which the user is directed to follow to be removed from the spammer's mailing list – and these should be treated as dangerous. Even deleting a spam email can confirm validity and activity of the account. In any case, sender addresses are often forged in spam messages, so that responding to spam may result in failed deliveries – or may reach completely innocent third parties. Some phishing campaigns use professional networking platforms such as LinkedIn to gather personal and employment details, enabling attackers to craft convincing messages that appear to come from coworkers, recruiters, or human resources departments. These impostors acting as job recruiters can lead to scams, extorting money or personal information. Interacting with such phishing attempts – including clicking links to "unsubscribe" or "verify details" – can confirm address validity to attackers and expose users to credential theft or malware. Even successful removal of subscriptions has meager results at best, and it is overall more likely to cause further issues rather than resolving any. These highly targeted, social engineering-style phishing messages are often based on publicly visible LinkedIn information and can bypass traditional spam filters, making user vigilance especially critical. Calling the customer service of the supposed sender trying to gather this information and investigate the email's legitimacy if it is real should be through contact information on the ostensible sender's official website or somewhere else that is verifiable, as a number within the email may connect to the spammers or their associates.

Contact forms

Businesses and individuals sometimes avoid publicizing an email address by asking for contact to come via a "contact form" on a webpage – which then typically forwards the information via email. Such forms, however, are sometimes inconvenient to users, as they are not able to use their preferred email client, risk entering a faulty reply address, and are typically not notified about delivery problems. Further, contact forms have the drawback that they require a website with the appropriate technology.
In some cases contact forms also send the message to the email address given by the user. This allows the contact form to be used for sending spam, which may incur email deliverability problems from the site once the spam is reported and the sending IP is blacklisted.

Disable HTML in email

Many modern mail programs incorporate web browser functionality, such as the display of HTML, URLs, and images.
Avoiding or disabling this feature does not help avoid spam. It may, however, be useful to avoid some problems if a user opens a spam message: offensive images, obfuscated hyperlinks, being tracked by web bugs, being targeted by JavaScript or attacks upon security vulnerabilities in the HTML renderer. Mail clients which do not automatically download and display HTML, images or attachments have fewer risks, as do clients who have been configured to not display these by default.

Disposable email addresses

An email user may sometimes need to give an address to a site without complete assurance that the site owner will not use it for sending spam. One way to mitigate the risk is to provide a disposable email address — an address which the user can disable or abandon which forwards email to a real account. A number of services provide disposable address forwarding. Addresses can be manually disabled, can expire after a given time interval, or can expire after a certain number of messages have been forwarded.
Disposable email addresses can be used by users to track whether a site owner has disclosed an address, or had a security breach.

Ham passwords

Systems that use "ham passwords" ask unrecognized senders to include in their email a password that demonstrates that the email message is a "ham" message. Typically the email address and ham password would be described on a web page, and the ham password would be included in the subject line of an email message. Ham passwords are often combined with filtering systems which let through only those messages that have identified themselves as "ham".

Avoid sites that share to third parties

Certain sites may have a financial incentive to spread email addresses to third parties, who then can send spam. To avoid this, a user can read the privacy policy when using a site for the first time; the site owner must explain what can and cannot be done with a user's email address. A social media platform may grant other companies licenses to use personal information of the platform's users, such as email addresses. Platforms of this nature typically have privacy policies.

Up-to-date software

Timely updating software provides better protection against cybercriminal activity, including viruses and malware. This can prevent spammers from getting an email to begin with, along with safeguarding devices from the malicious files that may accidentally be installed from spam mail.

Reporting spam

Tracking down a spammer's ISP and reporting the offense can lead to the spammer's service being terminated and criminal prosecution. Some online tools such as SpamCop and Network Abuse Clearinghouse are potentially helpful but not always accurate. Historically, such reports have not played a large part in abating spam, since the spammers generally move their operation to another URL, ISP or network of IP addresses.
In many countries consumers may also report unwanted and deceptive commercial email to government agencies. In the US, the Federal Trade Commission, an agency of the Department of Commerce, has taken action against spammers. Similar agencies exist in other countries.

Automated techniques for email administrators

There are now a large number of applications, appliances, services, and software systems that email administrators can use to reduce the load of spam on their systems and mailboxes. In general, these attempt to reject the majority of spam email outright at the SMTP connection stage. If they do accept a message, they will typically then analyze the content further and may decide to "quarantine" any categorized as spam.

Authentication

A number of systems have been developed that allow domain name owners to identify email as authorized. Many of these systems use the DNS to list sites authorized to send email on their behalf. After many other proposals, SPF, DKIM and DMARC are all now widely supported with growing adoption. While not directly attacking spam, these systems make it much harder to spoof addresses, a common technique of spammers also used in phishing and other types of fraud via email. Using any combination of these will help prevent emails from being mislabeled as spam or junk.