Filtering Spam

Contents:


Introduction

    This document deals with using Outlook Express ("OE") to filter and read email. (Although this document refers to OE, Starting with Windows Vista, the name of the email program is simply Windows Mail, but this is essentially the same as OE in regards to filtering.)

    If you use OE as your mail reader, you can use its built-in filtering tools to block spam very effectively based on the following:

    • Who the email is from,
    • Who it is addressed to,
    • Specific words in the Subject,
    • Specific words in the body of the email, and
    • If there is an attachment.

    OE offers some other criteria, but the preceding are the ones most useful for spam blocking. Also note that Windows and anti-virus and anti-spam programs may be automatically filtering spam for you, but they usually do a VERY haphazard job, often blocking legitimate mail while letting spam through.

    Actions you can take when an email matches one of your filters include:

    • Delete it locally (i.e.: move it to the Deleted Items folder).
    • Delete it from the server without downloading it.
    • Move it to a specified email folder.

    Again, there are other options, but these are the main ones for dealing with spam.

    Your Email Server:

    A "server" is just a computer. An "email server" is a computer that manages email. (It can do other jobs, as well.)

    Your Internet Service Provider ("ISP") has an email server. All email on the Internet that is addressed to anyone @ your ISP's domain name (e.g.: sbcglobal.net) goes to the ISP's mail server.

    You can read this email using an email reader, such as Outlook Express ("OE"), or you can log onto your ISP's web site and use your browser (such as Internet Explorer) to read email (if your ISP offers this capability, which most do).

    Most ISP's provide some degree of spam filtering at their servers before it gets to you, including filtering "rules" such as OE has, although I have not seen any as good as OE's.

    In fact, we have had problems with SBCGlobal filtering out legitimate email as spam, so it is best to go online to your ISP's email pages and turn off any filtering they do if you are going to be setting up your own filters as described in this document.

    Using This Document:

    While this is a moderately lengthy document and may seem somewhat complicated at times, it isn't really that bad, especially since the payoff is to put an end to spam in your Inbox.

    For easiest use of this document, you may wish to print it out and use it for reference while creating your spam-blocking Rules.


A Simple Example

    Let's say you get spam emails from Max Insurance Co. and you want to block them.

    In OE, click Tools -- Message Rules -- Mail. You'll see three tabs at the top:

    • Mail Rules, which is what we will be creating,
    • News Rules, which are for using newsgroups, and
    • Blocked Senders.

    Blocked Senders would be great if it meant that emails from a specific sender would actually be blocked, but such is not the case. Instead, what happens is that emails from Blocked Senders are moved to your Deleted Items where you still have to deal with them (as we shall see later).

    So instead, in Mail Rules, click the New button to start a new Rule for blocking a spammer by name.

    1. Under Conditions, click the top check box, which says Where the From line contains people (people to be named later, that is).

    2. Under Actions, scroll down until you see Delete it from server and click that check box.

    3. Under Rule Description, click the underlined text (contains people, in this example).

      Type in all or part of the name as it appears in the From field of the email, Max Insurance, in this example, then click Add and OK.

    4. Under Name Of Rule, enter: "From Max Insurance -- Delete From Server", then click OK.

    Voila! You will never see an email from Max Insurance again. This is better than using Blocked Senders because it does not show up on your computer at all. It is deleted from the server without your ever seeing it.

    The best part is that you do not have to create a new filter for each emailer you want to block. Just click on the Rule you created, click on the underlined text in the Rule Description box, and you can add as many more names to this rule as you wish.

    When you add more names to this rule, you will want to change the Name Of Rule from "From Max Insur..." to just "From -- Delete From Server". (Naming each Rule makes it easier to go back later to add more names or words to different types of Rules.)

    As we go on to create more Rules (filters), you should be aware that (1) OE processes Rules in the order they are listed, and (2) OE will continue to process more rules which may affect what you have already done unless you also select as an action Stop processing more rules. The importance of these two items should become clearer as we go. Also, if the action you have selected for a rule is to delete it from the server, then other rules (obviously) can have no affect on the already-deleted message.


Subject Line Rules

    Say you get lots of spam with the Subject: "Own a Rolex", "Cheap Rolexes", etc.

    You can create a Rule to block these emails the same way you did to block specific emailers in the section above, except that under Conditions, you click on Where the Subject line contains specific words.

    Then when you click on contains specific words under Rule Description, enter "Rolex". Give this rule the name "Subject, various -- Delete from server".

    Notice that you don't have to enter "Rolexes", because the Rule looks for the specified text in the Subject line, whether a word is by itself or part of another word.

    Again, you can add as many words as you want, such as various body parts, "quit smoking", "lose weight" -- whatever you usually see in the Subject lines of spam you receive. And remember that you can easily add more words as new spam arrives.


Get a Domain Name

    Unfortunately, spammers keep adapting, so blocking senders and filtering out by subject words is less effective because spammers vary the so-called sender's name and put random words in the subject.

    This section describes a more effective, though more complicated, line of defense.

    The "www" name you enter to get to a web site is its "domain name". For example, in the address http://www.microsoft.com/log-in.htm, "microsoft.com" is the domain name.

    Any email addressed to anything @microsoft.com will go to Microsoft's mail server. Microsoft can choose what happens to the email sent to that domain based on the the name in front of the domain name, such as routing tech-support@microsoft.com to its tech support department, or routing BillGates@microsoft.com to Bill, *IF* Microsoft chooses to do so. More likely, it chooses to send email sent to either of these addresses to the Trash bin where they don't have to deal with it.

    Likewise, if you have a domain name, you can create as many different email addresses as you wish, such as creating a different address every time an online store or other web site asks you for an email address by changing the text before the "@". Then you can decide, based on that text, how to handle email which comes to your domain name .

    So --- the purpose of your getting a domain name is not to create a web site with it (although you can if you wish), but to get email sent to the domain name.

    Your domain name can be anything you wish -- TheBigEasy, HSV-Golfer, RetiredFolks, MyDomain, or whatever -- but you do NOT want your own name in it because you want to control your email by how you use your name IN FRONT of the "@". For example, if your name is John Smith, you may give Amazon.Com an address like jsmithAmazon@MyDomain.com.

    Where to get a domain name:

    You can click on this link to go to Directnic.com (or go to Google and search for domain name registration) to search to see if the domain name you would like is already registered by someone else.

    For example, the name Isabella.com is already registered by someone, but Isabella1.com is not. HSV, HSV1, and HSV2.com are all registered, but HSV3.com is not.

    When you search for a name, you will notice various name endings, such as .COM, .ORG, .INFO, .WS, etc. I prefer to stick with .COM, even if I cannot get my first choice of a domain name with it because .COM is what most people are familiar with, so they may add .COM by habit even if it doesn't belong.

    When you find a domain name that you want which is not already owned, you can register it through Directnic for $15 per year. If you want to set up a web site, you might want to compare Directnic's prices and features to another company's such as 1and1.com, who has a good price for both registering domain names plus providing web page hosting services.

    After you register your domain name (with Directnic or someone else), you need to find on their web site the place for telling them where to route your email.

    For example, if your ISP is SBC Global and your email address is jsmith@sbcglobal.net, and you get a domain name of MyDomain.com through Directnic, then you want to go to Directnic and tell them to forward email addressed to MyDomain.com to jsmith@sbcglobal.net.


Making Up Email Addresses

    Continuing the example where your name is John Smith and your domain name is MyDomain.com, let's say that you buy from BigOnlineStore.com and they want an email address so that they can send you a receipt, so you give them an address like jsmithBOS@MyDomain.com.

    Let's say that they "share" their email list with their "partners" (also known as selling the list, in effect) and you start getting all kinds of spam from different companies, but all addressed to jsmithBOS@MyDomain.com. All you have to do is block it by creating a rule that any emails with "jsmithBOS" in the "To or CC Line" should be deleted from the server.

    Of course, the next time you buy from BigOnlineStore, you will not get an emailed receipt from them because you have blocked the email address you gave them. To circumvent this problem, see Restricting Use Of An Email Address under More Sophisticated Rules, below.

    Trustworthy online stores will not sell or "share" their customers' email addresses, so if you start getting spam with an address you gave to a particular store, you should consider not doing business with them again.

    Any time you give out an email address to a different store, you should make up a new email address just like the example above.

    This is a good time to point out that many emails, even from spammers, have links for supposedly stopping email from them. Spammers love it when you click these links because that lets them know that they have found a good email address which they can sell over and over again. Just what you wanted, right?

    It is better to just delete their emails from the server when they come.

    The fewer people you give a specific email address to, the fewer you have to send change notices to if that email address starts getting used by spammers.

    For example, you could give your family something like jsmithFamily@MyDomain.com. Then if some spammer picks up that address and begins inundating you with spam, you can block that address and tell your family members to change your email address to something like jsmithMyFam@MyDomain.com. But in actual practice, you will probably never get spam at email addresses just given to friends and family.

    Spotting fake emails made easy:

    A common scam is for someone to create a phoney web site for, say, CitiBank Visa, and send you an official-looking email telling you that they need you to verify your account data.

    Because they can easily download CitiBank's logo and other graphics from the real web site, it is easy for them to make the email and their phoney web site look legitimate. So if you are unaware of the scam, you go there and type in your credit card number and other info and the scammers get to go on a shopping spree at your expense.

    But if you routinely give a unique email address to each company, chances are that the scammers are not using the correct email address for the company they pretend to be, so you can easily spot that the email is fake.

    For example, if the email is supposedly from CitiBank, to whom you gave the email address of jsmithCityB@MyDomain.com, but it is addressed to jsmithBadCo@MyDomain.com, the you know you are being scammed because CitiBank would not be using an address other than the one you gave THEM.

    So the biggest advantage of having a domain name is that if you become a spam target, you don't have to get a new internet account, just change your OE filters.

    Oh, and by the way -- once you get a domain name, never give anyone your ISP email address that your domain email is routed to, such as jsmith@sbcglobal.net. You want to get/keep that address clean. But if it DOES start getting spam, you can actually block email addressed specifically to your ISP address (@sbcglobal.net) in the To/CC fields, and your domain email (@MyDomain.com) will still get through.


"Message Body" Rules

    Spammers are constantly adapting. You may block emails with "Viagra" in the Subject line, and they start using subject lines like: "Here is that stock we talked about". (In fact, phrases like that have become so common with spammers that I block emails with "we talked about" in the Subject line.) But when you click on the message, it isn't about a stock, but an ad for Viagra.

    Your last resort is to look for the same text in the body of the email message as you look for in the Subject line.

    The downside to this approach is that OE must first download the message to look at the body of the message, meaning that if you say "Delete it from server", it will, but it will leave the already-downloaded message in your Inbox. This also means that it does no good to say "Delete it from server" for any Rules after a Message Body rule, since the message has already been downloaded, so put Message Body rules after any rules for which you want to delete messages from the server.

    Also, we repeat that spammers continually adapt, so if you say to delete messages with the word "VIAGRA", they will spell it with a "1" (one) in place of the "I" (i.e.: "V1AGRA") or they may space the letters differently, like "V I A G R A" or use other characters like "V*I*A*G*R*A", and so on.

    They also have started putting pictures of the text in the message rather than the actual text. OE cannot find text in a picture, so it gets through.

    We must also adapt by using more sophisticated Rules.


More Sophisticated Rules

    Restricting Use Of An Email Address

    Let's say that you order from Amazon.com and give them the email address jsmithAmazon@MyDomain.com and then you start getting a lot of spam to that email address. (This is an example. I have never had a problem with Amazon.com.)

    You don't want to block the address because you don't want to block out Amazon.com. you could give Amazon.com a different email address, but then the same situation might arise again.

    The solution is to block only those emails which have Amazon in the address (e.g.: jsmithAmazon@...) but which do NOT come from Amazon.com (i.e.: don't have Amazon in the From line).

    Fortunately, Message Rules has the following features:

    1. You can set more than one Condition ("To or CC" and "From") for each rule and
    2. When you add a name to watch for on the "From" line, you can click on the "Options" button and then click on the option "Message does not contain the people below".

    So create a rule that says that:

    • If the "To or CC" line contains jsmithAmazon AND
    • If the "From" line does NOT contain Amazon,
    • Then delete it from the server.

    Rejecting Attachments

    Many viruses are spread via email attachments, even from emails supposedly from family or friends. We have advised our family and friends that we will not open attachments without advanced discussion of what is in the attachment -- and even then we are wary because they may have picked up a virus and not be aware of it. More than one person has told me that he picked up a virus from a family member's email attachment.

    There are two ways to treat emails with attachments:

    The first Rule is that

    • If an email has an attachment AND
    • Neither the To nor CC line contains your name,
    • Then delete the message from the server.
    You never want to open an attachment from someone who is sending anonymous emails (ones without your name specifically in the To/CC boxes).

    The second Rule is that

    • If an email has an attachment but
    • Either the To or CC line DOES contain your name,
    • Then delete the message locally (i.e.: not from the server).
    This will put it in the Deleted Items folder. Chances are that you still don't want to open it, but you can look it over before emptying the folder.

    Alternatively, you can let the email go to your Inbox and if you recognize the sender and if the attachment is a picture or some type of document, ask them to resend the email and paste the picture or text into the body of the email instead of attaching it.

    If you absolutely must get an attachment from someone, such as a membership list from a club, you can create a rule to accept any email from specific people and to stop processing more rules, then put that rule at the top of your filters.

    Made-Up Names @ Your Domain

    As we have seen, if you have a domain name like MyDomain.com, then any name put before the @ will find its way to you. Spammers will generate a ton of emails putting various names in front of your domain name in hopes that you are a big company and that some of these names will reach your employees who happen to have one of the names they used.

    For example, you will see a bunch of emails in a row from the same source addressed to "Bill@MyDomain.com", "Bob@MyDomain.com", "Butch@MyDomain.com", etc. You want to delete these without deleting emails addresses which you have given out (e.g.: jsmithAmazon@MyDomain.com).

    Trapping these requires the use of two Rules:

    1. Always put your name as part of every email address you give out, such as jsmithSears@..., jsmithWalMart@..., etc. So the first Rule is that if the To/CC lines have jsmith AND @MyDomain.com then "Stop processing more rules", which causes the email to show up in your Inbox.

    2. The next Rule is that if the To/CC lines have @MyDomain.com, then delete it from server. Since the previous Rule already accepted any Smith at MyDomain.com, then any email that makes it to THIS rule must be addressed to someone other than Smith at MyDomain.com, so kill it.

    By the way, this is why you do not want your actual name as your domain name, such as www.jsmith.com. Then made-up-name emails, like "Bob@jsmith.com" would still have your name in them.


    The Catch-All Rule

    The last rule should be to delete any message which does not have your name or your domain name in the To or CC fields. This does not delete it from the server, it simply moves these emails to the Deleted Items folder. You can then scan these message headers to look for legitimate messages without having to have them in your Inbox.

    You may sometimes get mail like this if you are part of some group and emails sent to the group only show the group's name in the To: line, not the individuals' names.

    Notice that spam not only clutters up the Inbox, but when you delete the spam, it is just moved to the Deleted Items folder where you have to delete it again to actually get rid of it. By having rules move suspicious emails to the Deleted Items folder, you only have to delete them once -- from there.

    Plus, you can quickly delete all messages in the Deleted Items folder by right-clicking on the folder name and saying to Empty The Folder. (Note that none of the other folders have this option.)


How NOT To Delete Real Email

    A risk in blocking spam is that your Rules might eliminate some legitimate messages.

    One way to help prevent this is to make the first rule one which says that if the From Line contains people, Stop processing more rules and list your friends' and family's email addresses and/or names.

    Then if your uncle sends you an email saying that he wants you to have his $25,000 family heirloom Rolex and where should he send it, that email won't be routinely deleted along with all the ones trying to sell you fake Rolexes.

    Another safety net is to not use "Delete it from server" -- at least not right away. Frankly, I don't think that this is a big risk if you follow the suggestions in this document. And on the remote chance that a legit email does get filtered out, if it was at all important, the sender will probably try again to reach you (perhaps by phone).

    When you delete an email from the server without downloading it, you never see the email. It's like it was never sent to you.

    When you simply delete an email (not "delete from server"), all that happens is that it is is put into OE's Deleted Items folder rather than into the Inbox. You will still see it in the folder and you must empty the Deleted Items folder to actually get rid of it, which is safer, but a bit of a nuisance.

    For most real spam, deleting it from the server is preferable when you are 100% sure that a rule is not going to block legitimate email. For example, a Rule which blocks spammers by name is unlikely to block legitimate email.

    But to be safe, before implementing Rules which delete email from the server, you may wish to double-check the Rules first by creating a folder for each type of blocking. In OE, right-click on Local Folders and then New Folder and add the following:

    • Block From
    • Block To
    • Block Subject
    • Block Message

    Then for each of these types of Rules, instead of "Delete it from server", click on "Move it to the specified folder" and enter the appropriate folder. You must also check "Stop processing more rules" when doing this.

    For a couple of weeks, check these folders to make sure that no good emails are going to them. Once you feel comfortable that you are not screening out any real emails, change the Rules to say "Delete it from server".


Using Rules For Real Email

    Rules can also be used for managing legitimate email. For example, if you want to save all emails from your family, create a Family folder and make a Rule that says if a message is From a family member (by name or email address), move it to the Family folder.

    Other folders you may want to direct email to include

    • Organizations you belong to,
    • Web sites you regularly order products from,
    • Your home business or hobby for which you get emails,
    • Each spouse or other user.

    I subscribe to Netflix and they send an email every time they send you a DVD, every time they get one back from you, and more. I simply route all of them to a Netflix folder. This saves them for future reference if needed, but I don't have to be bothered by them in my Inbox.

    A folder name will display in bold when it has unread email in it, so you can easily tell where you have new email. While clicking on different folders to read email seems like a nuisance, it is actually less trouble than reading emails in the Inbox and then dragging them to the folders you want to save them in.

    And while OE lets you set up different "Identities" for controlling email, using Rules is quicker and easier.


Routing Email To Different Computers

    If you and your spouse have your own computers on a home network, you can use the OE Rules to route email to the appropriate computer if you have a domain name and give out email addresses with your individual names in them.

    For example, if Betty Smith gives Amazon.com an email address of bsmithAmazon@MyDomain.com and John gives them jsmithAmazon@MyDomain.com, then you can create a rule on Betty's machine which says:

    If To/CC contains "jsmith" then don't download it from server.

    and a rule on John's machine which says:

    If To/CC contains "bsmith" then don't download it from server.

    Now John's machine won't download Betty's email, and vice-versa.

    If you want all email EXCEPT email specifically for John to go to Betty's computer, then instead of the above, make a rule which says not to download to John's PC any email EXCEPT mail with "jsmith" in the To/CC.

    Of course, we then must be careful not to give out something like "BandJSmith@MyDomain" since the "JSmith" part of it will route the email only to John.

    One sure way to avoid that is to use fake initials for routing emails to different computers. For example, any email addresses Betty Smith gives out which she wants routed to just her computer could use xsmith instead of bsmith

    As a last alternative, you could each get your own domain (such as GolferGirl.com and GolferGuy.com and route email based on those domain names rather than on the text before the "@". This is what my wife and I do.

    One last routing option:

    Normally, when OE gets an email from your ISP's server, it deletes it from the server. If you have two machines and want both machines to see all the email, an easy way to do this is to click on Tools -- Accounts -- Properties -- Advanced, then click on Leave a copy of messages on server.

    Do this only on one PC and leave OE running on that PC all the time so that it will automatically download all messages. (This assumes you have DSL or a cable modem which is on all the time, not dial-up.)

    Start OE on the other PC only when you actually want to download the email to that machine and then close OE on that machine when you are done; otherwise, it may download and delete messages before the secondary PC has a chance to download them.


Troubleshooting Rules

    You can only have two types of problems with Rules:

    1. Spam gets through which you think should be blocked.
    2. Real email is getting routed to Spam folders.

    The Rules DO work if set up correctly, so the solution to both of these problems is usually to double-check your Rules.

    If you see Spam which should have been deleted from the server, check to make sure that if you have any Rules which check for text in the body of the email, you have it AFTER any Rules which say to delete email from the server.

    This is because OE must download a message to check the text in it, as previously noted. It will delete it from the server, but it will leave it in your Inbox.

    If you have a problem with not getting legitimate emails from people, it may be that your ISP's spam filtering is turned on and is blocking them. You can use a web browser to check your email online where you should find a folder for blocked spam. Search that folder for the missing ligitimate emails. Either turn off their filtering, or use their filtering rules, if any, to specifically accept email from people whose names you enter.


Summary

    Following is a sample list of Rules you could use. The text in bold is the suggested name for you to give the rule:

    1. From -- Accept -
      Names/emails of friends, family, and specific organizations to exempt from the rest of the Rules that follow. Because this rule comes first and rules are executed in the order listed, none of the following rules will affect emails from people listed in this rule as long as you check Stop processing more Rules in this rule (and in all other rules, normally).

    2. To/CC has "xSmith" -- Do Not Download -
      Leave for wife, where x is her initial(s).

    3. Has Attachment, but To/CC <> "Smith" -- Delete from server -
      I should rarely get email attachments, and NEVER without my name in the To/CC. If there were someone I wanted to get attachments from, I would precede this rule with one specifying that sender's name, sending the message to my Inbox and tell the system to Stop Processing More Rules.

    4. Has Attachment, and To/CC = "Smith" -- Delete locally -
      Probably not legitimate, but you can look at the message (NOT the attachment) before deleting it.

    5. From -- Delete from server -
      Specific emailers to block. Since spammers normally use random names, this will not be effective against them since you obviously cannot list every possible name to block, but it is an easy way to block email from companies you don't want to hear from anymore. (Such companies may offer an option to opt out of their emails, but if that doesn't work, then use this rule. Never click on an opt-out link in spam from unknown senders.)

    6. Subject -- Delete from server -
      Emails to block based on specific words in the Subject line.

    7. To/CC -- Delete from server -
      Email addresses for me/us that I have given out but now wish to block.

    8. To/CC has "MyDomain.com" and "Smith" -- Accept -
      Emails that have both my domain name AND my name in the To/CC.

    9. To/CC has "MyDomain.com" (but not "Smith") -- Delete from server -
      Emails that have my domain name, but NOT my name must be names made up by sender (e.g.: bill@mydomain.com, bob@mydomain.com, etc.), so kill them.

    10. Message Body -- Delete it. -
      Specific words in the message, like Rolex and Viagra, trigger this one.

      WARNING: Rules including and after a Message Body test cannot say Delete From Server because a message must be downloaded to check the Body.

    11. Subject = Fwd, !!, *" -- Delete it. -
      Spammers frequently use "Fwd", "!!" and "*" in their Subject Lines. If you have friends or family who do, make sure they are in the first rule, above. Any others will end up in the Deleted Items folder where you can still scan them before deleting them.

    12. To/CC <> "Smith" -- Delete it.-
      The catch-all -- my name is not in the To/CC lines in any form. Probably spam, but look it over (in your Deleted folder, where this rule will put it) before deleting.

    If all of this sounds like a lot of trouble, you just have to weigh it against how much of a nuisance you consider spam to be.

    Initially setting up the Rules takes a little effort, but you will rarely see any spam any more. If a new spam-mail slips through, modifying your Rules to catch it too takes almost no effort, and it actually feels good to know that you can do something about at least one annoyance in your life!

    It has been years since I originally wrote these rules and I virtually never get spam in my Inbox. Many virus checking programs come with spam blocking software, and every once in a while it tells me it has moved an email to the Spam folder, but about as often as not, the supposed spam is legitimate email which I end up moving back to the Inbox.