Ask Slashdot: Why Can't Google Block Spam In Gmail?

An anonymous reader writes Every day my gmail account receives 30-50 spam emails. Some of it is UCE, partially due to a couple dingbats with similar names who apparently think my gmail account belongs to them. The remainder looks to be spambot or Nigerian 419 email. I also run my own MX for my own domain, where I also receive a lot of spam. But with a combination of a couple DNSBL in my sendmail config, SpamAssassin, and procmail, almost none of it gets through to my inbox. In both cases there are rare false positives where a legit email ends up in my spam folder, or in the case of my MX, a spam email gets through to my Inbox, but these are rare occurrences. I'd think with all the Oompa Loompas at the Chocolate Factory that they could do a better job rejecting the obvious spam emails. If they did it would make checking for the occasional false positives in my spam folder a teeny bit easier. For anyone who's responsible for shunting Web-scale spam toward the fate it deserves, what factors go into the decision tree that might lead to so much spam getting through?

WTF?

[rodrigoandrade]

Spam folder in my Gmail catches 99.9% of all spam I receive.

As a bonus: it's also excellent about learning what I mark as spam, and dealing with false positives.

Re:WTF?

[jeremiahstanley]

I'll second this sentiment. Gmail catches an obscene amount of spam sent to my account accurately and with so few false positives it blows my mind. I've dealt with lots of anti-spam software and some hardware and Google does a fantastic job.

Pro tip: you have to just start flagging things with the convenient "this is spam" button and in a short time their filters figure it out.

OP might just be getting a lot of legitimate list traffic that they signed up for. That isn't spam, you asked for that and need to hit 'unsubscribe'.

Re:WTF?

[naughtynaughty]

I agree. Perhaps the author believes Google should not only try to figure out what is and isn't spam but also delete it so we never see it. If so, I disagree as I much prefer Google's excellent spam filter that still allows me to wander through the spam folder looking for something that it miscategorized and train Google to no longer consider it as spam.

Re:WTF?

[just_another_sean]

As other's have stated using the Report Spam feature should make 99% of spam a thing of the past by putting in the spam folder.

The Original Submitter did not say but based on their description of running their own MX I would guess they are using IMAP (or maybe POP) to pull down their gmail to a local client and thus missing out on the opportunity to mark them as spam...

I occasionally check my gmail from a local client but use the web interface enough to help the spam filter figure me out by marking messages as spam or phishing (or on very rare occasions marking something as Not Spam).

Re:WTF?

[rainmaestro]

Same here. I see maybe one legit piece of spam a week in my Gmail inbox. Now if they can just figure out how to predict if an email is unwanted marketing from and block that, I'd be even happier. Sick of having to manually unsub.

I have email accounts with about 10 different domains. Some are related to work and use various filtering tools, some are with free services. Between all my accounts I see maybe half a dozen spams a week. From an end-user perspective, spam for me died out years ago. I'm always amazed to hear about people who are still inundated with it.

Re:WTF?

Then stop buying the penis pills and Google might actually believe you think it's spam.

Re: WTF?

The only way that I will accept your 50% claim is if you convince me that you have many pen pals in the Nigerian Royal family.

Re:WTF?

[pz]

I have found that essentially every time I give my email to a legitimate retailer, they automatically assume that this means they can send me marketing email on nearly a daily basis. However, most retailers also honor the unsubscribe requests, and if you are vigilant about clicking through unsubscribe and marking real spam as such, GMail does a really very good job. Also, I've found that when I unsubscribe to lists that I really don't read (including marketing email that I might have thought could be interesting but no longer want), the total volume of spam goes down.

I cannot explain the OP's experience, as it runs completely counter to mine.

Re:WTF?

This is not technically spam. You can disable every single one of those lists by click "unsubscribe" at the bottom or going to your Google account settings for that service and disabling those messages. I have never received a mail from any Google service on my Gmail account, because I always pre-emptively opted out. And this has been my main email account for about 5-6 years now. And I have an Android phone that I have set up with that account, and a Youtube account that I occasionally post videos to, so it's not like I am somehow not using their services actively.

Real spam is not only unsolicited, but impossible to unsubscribe from, because they really and truly don't give a shit, and any system those fuckers have that appears like it might be an unsubscribe function is really just a system to confirm there's a real person behind the email address. This is the stuff Gmail is really really good about blocking. Stuff about penis pills, viruses, scams. Gmail catches 100% of these for me, and its false positive rate is probably 5% or lower for me, and the false positives are almost always automated messages from signing up for a new site or something similar, and never something written by a human or that I receive on a regular basis and actually desire.

In your particular case, it's your fault you're getting those messages from Google's services, and if you took like less than 5 minutes to actually untick some boxes you'd never receive those messages again.

Re:WTF?

[ArmoredDragon]

I joined gmail way early into the beta, so I got an email address that was simply my last name with first initial. Nothing else. Very simple, which I thought was great rather than adding a bunch of crappy letters/numbers to it.

Problem is, I end up getting subscribed to mailing lists all the time because a lot of people with the same last name and a similar first name don't pay the fuck attention to what address they're typing in.

The worst ones are the politician mailing lists. It's very rare that their unsubscribe feature even works at all, and when it doesn't, there's absolutely nothing you can do about it. Sure I add their address and name to my filters, but those fuckwads share your email address with each other. For example, I first got subscribed to Jim Dabakis, and he's since passed it to a bunch of other politicians in his fucking party so that they can send me messages from their stupid campaigns that are in another fucking state that I don't even care about. So periodically I get political emails from Democrats in Utah, and there's nothing I can do about it. Now I have no fucking idea how many lists I'd have to unsubscribe from, assuming that is even possible.

Oh and they keep asking me for campaign contributions, which is SPAM by definition because it's very much an unsolicited advertisement, except every law that makes spam illegal conveniently excludes the very politicians who wrote those laws.

So what can I do about it? Jack shit.

Though there are a few times where I've done some things that aren't very nice with this. For example, somebody bought a Hyundai in Vancouver Canada (a place I don't live anywhere even remotely close to) and then gave them my email address. The dealership sent me one of those surveys that makes or breaks the salesman and counts towards the dealership itself with Hyundai, so I gave it the most negative review I possibly could. Somebody from there sent me an email asking if I was sure I wanted to submit a review like that, and that it would have to be submitted anyways if I didn't respond, but they'd like to "speak with me" about it first, so I just ignored them. Serves them fucking right for not verifying who owns the address.

Another time some girl I don't even know sent me her nudies, but I just ignored the email.

Re:WTF?

[swilly]

I agree. I can't remember the last time I had spam reach my Gmail inbox. Google is incredibly good at finding spam.

In fact, my complaint is the opposite, Gmail is too aggressive in flagging mail as spam. I get notifications from Fidelity about my account, and most emails are fine but things like dividend payments are consistently flagged as spam. I always flag them as "Not Spam", they match an existing filter, and I've even forwarded them to Google for review, but none of that has helped.

I occasionally have other emails incorrectly flagged as spam, but its pretty rare. The Fidelity messages aren't time critical, so this is more of an annoyance than a problem. I wish Google (or Fidelity) would get better at recognizing the difference between spam and legitimate emails that happen to be sent to a lot of people.

Re:WTF?

Same here. I subscribed way back when it was in beta as well, only my address is my first and last name. Same problem with fucking morons that don't know their own GMail address.

Lately I've taken to responding to messages I receive for other people. I've cancelled items ordered over the internet because I receive a confirmation email. I've cancelled hotel reservations....that one was funny...I wish I could have been there when the jackass tried to check in. I've even responded to quite obvious business emails where someone was looking for feedback on a project and I told them it was complete shit, they were incompetent and they and their team was about to be fired.

Confuse my email address for yours because your too fucking lazy to learn the difference....then enjoy the consequences.

Re:WTF?

[ruir]

Not a good policy, I never give my email to a merchant. They often resell list of contacts, wether you allow it or not. Also for some temporary uses, I often give mailinator accounts.

Re:WTF?

[Archangel+Michael]

"I cannot explain the OP's experience, as it runs completely counter to mine."

I can explain. I'd rather not have to. But it basically comes down to (IMHO), "I don't know how to Gmail"

Re:WTF?

[NeoNormal]

Problem is, I end up getting subscribed to mailing lists all the time because a lot of people with the same last name and a similar first name don't pay the fuck attention to what address they're typing in.

THIS! I have a rather regional last name... it's not common. But every moron out there seems to think it's theirs. I've done a lot of the same things that others have done... responded, canceled, ignored, etc. I've even tried to get the sources of these to require a confirmation link be sent to the subscribing email... no luck there either.

Also, GMail is very good at catching SPAM, in my experience. Every once in a while, I'll get a few that I report and from then on, I don't see them anymore.

Re:WTF?

[ganjadude]

why cancel?

step 1 - change shipping address
step 2 ???
step 3 Profit!!!

Re:WTF?

[west]

I too have initial + last name@gmail.com and get a fair amount of misdirected email. I make some effort to find the right address (had to call someone who accidentally had her cell phone bills sent to me... Happened about 2 weeks after the XKCD cartoon.)

But I don't assume laziness, stupidity or malice when someone uses the wrong address. It's just a mistake. And people are almost always grateful when you help correct their mistake.

It must be a miserable world where everyone else's mistakes are due to critical character flaws. You have my sympathies.

Re:WTF?

[mjwx]

Real spam is not only unsolicited, but impossible to unsubscribe from

Technically, spam is unsolicited commercial email. So the ability to unsubscribe from it is immaterial. If you didn't sign up for it, it's spam. The only caveat here is that in many countries, if you cant unsubscribe from it, it's also considered spam but these are separate conditions, either one classes the email as spam.

The problem is, a lot of companies use sneaky methods to get you to opt-in. The most common is the pre-checked box saying "Yes I'd love to receive your delicious spam, email me thrice daily" when you sign up for a service.

I've never seen any of the Google advertisements that the GP claims, so I think it's safe to assume I didn't tick a box that he did. Google are pretty good about unsolicited advertising (most of the tech giants are... I guess even MS hates spam as much as we do).

Spam on Gmail?

I realize that this is not a helpful response, but my Gmail account never gets spam, it's all properly filtered into the spam folder. Been years since I even gave spam a second though, actually. I imagine that most peoples' situations are similar.

Re:Spam on Gmail?

[TheTerseOne]

Totally agree. Maybe once a month a single 'spam' message ends up in my inbox, and maybe 2 or 3 non-spam ends up in my spam folder. But even the ones that end up in the spam folder are from mailing lists or subscriptions. I've never had an actual hand-written e-mail from a person I know, writing to me about something we actually need to discuss, end up in the spam folder.

That's interesting

[93+Escort+Wagon]

This has not been my experience at all. I've found Google's email filters to be significantly better than anyone else's.

I can think of several other reasons not to use gmail - but spam filtering is not on that list.

GMAIL SPAM is fairly accurate

[spacepimp]

I think more likely what occurs is that they need to be extremely careful about false positives. So they push everything into a SPAM folder. But if you miss a critical email because Google accidentally thought something was spam when it wasn't, then Hello lawsuits. From a legal perspective, blocking anything going into their inboxen is a risk.

Re:GMAIL SPAM is fairly accurate

[TubeSteak]

But if you miss a critical email because Google accidentally thought something was spam when it wasn't, then Hello lawsuits.

I'm betting you've never read the TOS of your e-mail provider.

For Gmail, the short version is that that they make no commitments about anything, including reliability.

When permitted by law, Google disclaims all warranties and liability for damages.
To the extent permitted by law, Google limits its total liabilities to the amount you've paid them.
Also, you agree that Santa Clara County, California is the controlling jurisdiction for any dispute.

I'm not saying you can't sue Google over misdirected e-mails, just that it'll be a tough case to make and you'll have to rely on California or Federal laws.

WTF?

[mcook838278]

Agreed, I run both my companies network (mx, spf, all that jazz) and my personal through gmail, and I get maybe 1 spam message per month on each account tops. I often open them as it is usually an interesting trick that the spammer used (that google will pick up immediately and I'll never see again)

Article is stupid

[Nimey]

Google does an excellent job of catching spam. The submitter's problem isn't that, it's that he's got other numpties giving out his email address and then he's not using the Google-supplied tool (that little "mark as spam" button) to mark unwanted email so that Gmail learns his preferences. Instead, he's Dunning-Krugered together his own solution that barely works.

Submitter's problem is PEBKAC.

Re:Article is stupid

[BitZtream]

If the story wasn't so sort, I'd say it was Bennett Haselton talking out his ass again.

You vs everyone

[gurps_npc]

You personally only get mail from a specific kind of account. Your spam filters are set up to deny lots of emails that are obviously not someone you are interested in. For example, I bet you can kill any email that contains chinese.

Google can not do that because while for YOU an email in Chinese is a huge red flag, it means nothing to the chinese american student living in New York who still gets emails from her cousin in Hong Kong.

Most of the decisions you make are like this one. For you, country, language, etc. etc. are indications of spam, but they are not true for the general population.

So a spam filter designed for your personal use will always work a lot better than one designed for all users of google.

as a former mail site admin...

[drama]

I'm not sure what this guy is doing, but when I ran my own mail server (which I did personally and professionally for well over a decade), spam was a huge problem for me. No combination of spamassassin, rbl's, heuristics signature checks, virus, etc... Nothing got me past 85-90% blockage. And I did everything right. And it was a constant unending fight.

When I switched to Google apps for my personal domain, my life changed. Google catches a HUGE amount of spam. Things still get through occasionally, and definitely get worse as black Friday and Christmas campaigns kick into high gear. But the majority of the spam I get is from legitimate business that decides to put me on their mailing lists without my permission.

The op either has on blinders, or is baiting.

Re:as a former mail site admin...

[keytoe]

I'll echo this experience. I used to run my own MX, and it was constant work to stay current enough to keep spam to barely acceptable levels. Constant work.

Since switching to Google apps, however, I almost never see spam. I even run a wildcard for my domain (with a blacklist for egregious offenders - every company gets a unique address) and still it's 1000 times better than when I was doing it myself - for no time investment at all. All for 'free' (letting Google read my mail is the true cost).

Not sure what the OP is talking about.

Opposite Experience

[MikeDataLink]

I've had the exact opposite experience. GMAIL's filters are so much better than any service out there. I get less than 1 SPAM email a month into my actual inbox.

Re:Because they don't want to.

[w_dragon]

There are lots of legitimate sites that send emails on behalf of someone not on the domain. A lot of 'email this content to someone' links work that way. Maybe Microsoft understands how email is used in the real world far better than you do.

If you think Gmail is bad...

[Dishwasha]

switch over to Yahoo mail

The arms race continues

[dbosso]

I've seen a lot of recent spam campaigns that get through my basic scanning using the following tactics:
1. Careful design to not trigger Spamassassin content rules, including blocks of text to fool the bayes filter.
2, Careful omission of any identifying headers except for completely valid SPF and DKIM headers with appropriately configured DNS.
3. Real Linux mail servers dropped onto virtual hosting providers.
4. Fresh IP addresses and domains - never used domains that are not blacklisted yet and IP addresses blocks from the hosting providers that take 10-30 minutes to get blacklisted
Then they use snowshoe spam tactics to trickle them out until they're blacklisted and then move to the next domain and address.

If your address is on the lists that the perpetrators of these campaigns are using, it's really hard to avoid spam right now. Not impossible, there are some countermeasures, but vanilla Spamassassin and your standard appliances are going to have problems. I can imagine google is going to have an easier time with this because of its size and volume (=more information), but it's far from trivial.

-db

Re: Because they don't want to.

You have to be careful not to break mailing lists etc. there are plenty of systems which mess up the headers.

That's the WRONG way to do it

[damn_registrars]

Catching spam and filtering it is the wrong way to deal with the spam problem. At that point the spam has already been sent, already taken up storage and CPU time somewhere, and already cost you money (yes, even with a "free" email account like gmail it still costs money somewhere). And if you add in the costs of filters, with the admin time and storage they consume, it is even worse.

As I have said many times before, the only effective way to deal with spam is to approach it from an economic angle, as spam is an economic problem. Spam isn't sent out to piss you off, it is sent to make money. The spammers don't need you personally to buy anything, they just need someone else to buy something. The ROI on spam is incredible as the cost is almost nothing to send to billions of addresses, and only a couple of suckers are required in order to make money off the venture.

If you want to actually help end the spam epidemic, stop talking about filters and other crappy "solutions" that only accelerate the arms race with the spammers. The way to stop spam is to remove the profit motive. This has been done successfully already; if you can prevent the spammers from getting paid they won't send spam because it won't be worth their time. Groups have succeeded in this and the effect has been dramatic. By contrast filters just encourage spammers to employ more creative measures to get their messages through - many of which result in reducing the S:N ratio of filters.

Article is valid, answers are stupid

[dshk]

The submitter does NOT complain about Google's ability to catch spam! He asks why Gmail does not REJECT obvious spam. Rejecting an email means that - in this case the Gmail - server does not even accept it. In such cases the sender gets back a Delivery Status Notification from his own server, telling him that his email did not go through because of such and such error. An important point here is that the email is not lost without any notification. The sender can try to contact the recipient in another way. Actually this may be better than putting the email into a spam folder if that is not monitored regularly, or at all. Yes, this is a valid question, but almost none have undersood it.

Re:Article is valid, answers are stupid

[Lehk228]

because that alerts the spammer that they are detected and they need to change up their messsage/delivery

anyone still runs their own mail servers?

[ConstantineM]

I was actually thinking of the opposite trend since a couple of years ago: even people fully capable of running their own mail servers are all using gmail these days; I think we're easily at the breaking point where noone really knows how to run a mail server anymore.

Re:false positives

[radarskiy]

" It cannot just mark all advertisement as spam"
Advertisements in email are competition, not revenue. Google's incentives and your own are aligned.

Re:Because they don't want to.

[psmears]

... and may chance you didn't read my post: (There was a LOT more to my presentation that just this; this single part presented here to convey the concept).

The trouble is - the single part that you presented is clearly broken (eg it doesn't work well with the way many mailing lists work), so if it conveys the concept of your whole presentation, people are naturally going to assume that the whole presentation was broken...

Refine your definition of spam

[christopherfinke]

Some of it is UCE, partially due to a couple dingbats with similar names who apparently think my gmail account belongs to them.

This isn't spam; at worst, it's bacn with a case of mistaken identity.

As someone whose full-time job is preventing spam (I work on Akismet, which checks about 380MM Web comments per day for spam), my general response to these kinds of questions is this: Fighting spam is hard because what's spam for you is not always spam for someone else, and spammers are continually changing tactics -- what worked to prevent spam yesterday may not work as well tomorrow, so it's a constantly moving target.

In my experience, GMail's filter is just ok. I see about 50 spam per day end up in my spam folder, 3 or 4 that make it to my inbox, and maybe one false positive per month (when I bother checking). That's a 94% success rate with a 0.3% FP rate (based on my ham email activity), assuming that they're not instantly discarding blatant spam that wouldn't even merit ending up in the spam folder (which they very well might be doing). If Akismet had this same success rate filtering comments on my blog, I'd have to manually mark 230 comments as spam each day instead of Akismet's missed spam average of about one per day. I don't complain about it though, since fighting spam is hard (see above).

Re:Because they don't want to.

[nine-times]

And related ... there should be the ability for me to restrict where my email is access to/from and where it was sent from. I'm not going to Russia -- so why can't I block all access to my account from Russia?

Yeah, it's not quite a solution to spam, but I've had periods where I get a lot of spam in Cyrillic or Chinese/Japanese characters, and it would have been nice to be able to at least say, "If the email isn't using the Latin alphabet, treat it as suspect because I don't read any languages that use any other alphabets."

I've always thought part of the key to putting a dent in spam would be to make cryptographic email signatures ubiquitous. Then we could check the signature against a valid authority, and if an authority is vouching for too many spammers, then you yank its status as "a valid authority". Then it becomes the authority's job to self-police. Of course, getting people onboard with something like that is impossible.

Now how does your solution in checking "origin" compare with something like SPF? What is it checking the origin against?

And what if one of your friends goes to Russia on vacation and wants to send you an email?

Reading Comprehension Sucks

[fdamstra]

The OP wrote, "I'd think with all the Oompa Loompas at the Chocolate Factory that they could do a better job rejecting the obvious spam emails. If they did it would make checking for the occasional false positives in my spam folder a teeny bit easier." In other words, he's saying that he wants Google to reject the mail before it gets to his spam folder. He's not complaining about the efficacy of their spam filters, but is instead suggesting that Google should find a way to reject it before it even hits his spam folder.

Former Google Engineer - my internal perspective

[brunobowden]

Disclosure: my name is Bruno Bowden and I managed the engineering team on Enterprise Gmail many years ago at Google before leaving to work in venture capital. My profile is www.linkedin.com/in/brunobowden. Though I didn't work on spam fighting directly, I interacted a great deal with the spam team while I worked there.

One of the main architects of the spam fighting system - Brad Taylor - published a scientific paper on "Sender Reputation in a Large Webmail Service" - http://www.ceas.cc/2006/19.pdf. This has a lot of detail about the system. We keep much of the internals secret as it reduces the chance that a spammer can reverse engineer and work around the system. If you'll allow me to be vague, the number of signals it uses was stunning to me. There's a mixture of hard wired tests (e.g. is the sender in someone's address book), reputation (domain and content), machine learning and anything else we can make work.

One of the principle improvements came when we switched to user classification through the "Report Spam" button. People have different opinions on what constitutes spam, so individual filtering is far more effective. It also avoids the politics of certain lists of domains and IPs from third parties which can be controversial. Even then it has challenges, as sometimes users will mistakenly pick out a phishing email and mark it "Report Not Spam". Because of that, Gmail now adds a red warning banner to indicate more strongly what is a likely a phishing attempt. In general, Google has tried to be very supportive of encryption, e.g. DKIM for authentication (and SPF) to STARTTLS for privacy. I would also like to mention the abuse team that works hard to prevent gmail being used as a source of spam, shutting down accounts as soon as possible after suspicious email is sent, then helping affected users to recover their account.

In general, the Gmail has received a lot of compliments on the spam filtering, I'm sure the team will be grateful for the positive comments here on Slashdot. There are still things that can confuse the system, e.g. receiving forwarded email (which might be missing source IPs) or genuine email that is sent to the wrong address. Though the system isn't perfect, I know the team will continue to work hard on it.

Re:Juggle multiple gmail accounts

[pz]

More GMail tricks, that may help you: when you have account

someaccountname@gmail.com

all email of the form

someaccountname+anysuffix@gmail.com

goes to your account. The plus sign is a literal character, not a concatenation operator. The only downside to this is that some email validation suites don't allow plus signs in user IDs, even though RFC 5322 allows them. Sometimes I use the format

someaccountname+onlinestore@gmail.com

when giving my email address to OnlineStore.com so that it's clear from where particular messages should originate.