In my experience, conversations about spam like this happen too often:
Client: “This person keeps getting spam emails from me.”
Me: “Let me look at the spam emails.”
When I opened the emails and looked at the header, the sender’s name matched that of my client; however, the sender’s email address was an address of an internet service provider — not my client’s address.
Me: “This isn’t actually from your account. Do you happen to know anyone with the address of (email address withheld)@chartermi.net?”
Client: “Yes, that’s someone we hire for projects.”
Me: “Tell them to change their password. Their email account is the source of the spam.”
To avoid these types of conversations, here are steps that each person in an email chain — an email recipient, administrator, or email sender — can take to prevent spam.
Get spam out of your inbox
First, look for the sender’s email address, not just the sender’s name. Oftentimes, any name can be listed. The name field doesn’t have to correspond to the email address. In the case above, my client’s first and last name displayed, but the email address was someone else’s account. If you know the person whose email account the spam appears to be from, let them know so they can change their password to protect against a potential password breach. But don’t email them: call, text, or tell them in person.
Next, get spam out of your inbox. In Gmail, select the message, then tap the “Mark as Spam” button. In Inbox, select the message, choose the vertical three-dot menu in the upper right, and “Move” the email to spam.
If you continue to receive a specific unwanted message, create a filter. For example, if you receive a variety of spam messages from different addresses at “163.com,” create a filter to handle them: In Gmail in your browser, select the spam message, then choose “More” from the drop-down menu, then “Filter messages like these.” Adjust the filter settings as needed, then select “Create filter with this search.” Review the selected messages to make sure they match. Choose “Delete it”, then “Create filter.” You’ll no longer see messages that match the criteria: they’ll just be deleted. (Alternatively, you can block a sender.)
Block incoming spam for your domain
If you’re a G Suite administrator, you can block incoming spam for everyone. Log in to the Admin console (https://admin.google.com), then go to Apps > G Suite > Gmail > Advanced settings, and look for the Blocked Senders option, then choose “Configure.” Add one — or more — individual email addresses (e.g., firstname.lastname@example.org) or domains (e.g., spammer.com). Either way, this keeps email from specific sender email accounts and/or domains out of people’s inboxes.
A G Suite administrator also may configure G Suite to “Be more aggressive when filtering spam.” With this setting enabled, more incoming email may be categorized as spam. If you change this setting, let people know, so they can check the spam folder more often for any potentially misclassified messages.
Stop spam at the source
Make sure your email provider supports modern email standards that help prevent spoofing and reduce spam. And use tools that make it difficult for spammers to send email that appears to be from your account, such as: SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting and Conformance).
To verify security settings for any email account, go to https://internet.nl. In the “Test your email” box, enter an email address, then choose “Start test.” For example, I checked both my email address (at wolberworks.com), as well as the email address of an account known to be sending spam (at chartermi.net). Note the difference: I’ve taken steps to protect against spam.
You’ll need access to both the G Suite Admin console and your domain’s DNS records to configure SPF, DKIM, and DMARC. To enable SPF, add a DNS record that identifies which mail providers may send email on your behalf. (Make sure to authorize any external bulk mail service providers your organization uses.) To enable DKIM, create a public key within G Suite, add it to your domain’s DNS records, then enable DKIM signing in G Suite. With those set up, add a DMARC record in DNS that specifies what to do when an email fails checks: no action, quarantine, or reject.
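As an added example (not part of the original article), here is a small Python checker that shows how a receiving mail server reads the three records described above: it evaluates a sending IP against an SPF record (following an include), confirms a DKIM public key is published under a selector, and reads the DMARC policy. The domain example.org, the selector name, the IP ranges and every TXT value are constructed stand-ins used in place of real DNS lookups.

```python
import ipaddress

# Constructed TXT records for the hypothetical domain example.org.
# A real checker would fetch these with DNS queries; these values are illustrative only.
DNS_TXT = {
    "example.org": ["v=spf1 include:_spf.mailhost.example ip4:203.0.113.0/24 -all"],
    "_spf.mailhost.example": ["v=spf1 ip4:198.51.100.0/24 ~all"],  # the provider's SPF (constructed)
    "google._domainkey.example.org": ["v=DKIM1; k=rsa; p=MIIBIjANBgkq...PLACEHOLDER-KEY"],
    "_dmarc.example.org": ["v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@example.org"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_txt(name, prefix):
    """Return the first TXT record at `name` that starts with `prefix` (case-insensitive)."""
    for rec in DNS_TXT.get(name, []):
        if rec.lower().startswith(prefix):
            return rec
    return None


def spf_check(domain, sender_ip, depth=0):
    """Evaluate sender_ip against domain's SPF record: pass, fail, softfail, neutral or none.
    Handles ip4, include and all; the depth guard mirrors RFC 7208's limit of 10 lookups."""
    record = lookup_txt(domain, "v=spf1")
    if record is None or depth > 10:
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:  # skip the "v=spf1" version token
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term.startswith("ip4:") and ip in ipaddress.ip_network(term[4:], strict=False):
            return QUALIFIERS[qualifier]
        if term.startswith("include:") and spf_check(term[8:], sender_ip, depth + 1) == "pass":
            return QUALIFIERS[qualifier]
        if term == "all":
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched and no "all" term


def dkim_key_published(domain, selector):
    """True when a DKIM record with a non-empty public key exists for selector._domainkey.domain."""
    record = lookup_txt(f"{selector}._domainkey.{domain}", "v=dkim1")
    if record is None:
        return False
    tags = dict(t.strip().split("=", 1) for t in record.split(";") if "=" in t)
    return bool(tags.get("p"))


def dmarc_policy(domain):
    """Return the DMARC p= policy (none, quarantine, reject) or None when no record is published."""
    record = lookup_txt(f"_dmarc.{domain}", "v=dmarc1")
    if record is None:
        return None
    tags = dict(t.strip().split("=", 1) for t in record.split(";") if "=" in t)
    return tags.get("p")
```

A domain like the one in the story, with no SPF or DMARC record at all, comes back "none"/None from these checks, which is exactly why a spammer who takes over one account there can send mail that no receiver is instructed to quarantine or reject.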
Fighting spam is a choice
As a Gmail user, you can block spam you receive. And a G Suite administrator can block incoming spam for everyone in the organization — and help prevent outbound spoofed email from your domain.
But people have to choose to use these spam defenses. Until they do, insecure accounts (like the one maintained by my client’s freelancer) will continue to inflict spam on the rest of us.
How do you fight spam at your organization? What effective spam reduction techniques have worked for you? Let me know in the comments below or on Twitter (@awolber).