How to Limit Spam in G-Suite and Gmail

Basic Behavioral Safeguards

  • Guard your primary email address. Don't give it out to anyone you don't know; don't leave your business cards in fishbowls; don't register for newsletters or to be contacted with this email address. Don't register for free stuff. Don't give this email address to anyone but your closest associates. Keep it a secret.
     
  • Use a fake email address for uncontrolled email. Set yourself up with a free a generic Gmail account. Direct anyone you don't know or trust, or, your newsletter subscriptions, whatever, to this account. If you must, get a separate set of business cards developed that has a different telephone number and email address than what you regularly use. Remember, keep your primary email address a secret. 
     
  • Don't plaster your email address anywhere on the Internet. It shouldn't be on your website, it shouldn't be left in comments on discussion threads, it shouldn't be easy to scrape-up from the web and add you to a list.
     
  • Learn to recognize spam. You must learn to visually identify spam.
     
    • It'll most often come from senders you don't recognize with complicated email addresses. You don't know these people - don't even open it.
       
    • It will also contain a subject line that tries to convince you to do something - you're a winner, you're about to lose something, you could win millions, your account is in jeopardy, provide personal information about you - it's a call to action, and it's trying to get you to read the email. It's always too good to be true.
       
    • In the body of the message, it will often have misspelled words or awkward phrases and grammar because the person who composed the email isn't fluent in your language. It will also try to sell you something. This is obviously spam.
       
    • There may be attachments. Don't touch them. Don't download them.
       
    • In the body of the message, there will be hyperlinks that are designed to take you somewhere immediately on the web. If you received a questionable email from somebody you don't recognize, promising you impossible things, where their use of language and grammar are suspect, and it's got weird attachments, well, don't click on the hyperlink. This is obviously spam.
       
    • When you receive this crap, delete it, flag it as spam, or create a filter against it (see below).
       
  • Don't forward chain messages. Don't forward anything to anyone that you don't trust. That's just spreading the spam around and rolling in it because you like the smell.
     
  • Don't open spam; don't reply to spam. Obviously. Just delete the spam. You don't owe anybody anything. Just delete it.

End-User Safeguards and Filters

  • Use a web-based mail system. Web-based mail systems are updated automatically by the vendor and have the most recent rules to protect you. Also, content isn't downloaded your computer - you're viewing email in a safe space. If you use an email client like Microsoft Outlook or Thunderbird or Apple Mail, you're counting on this application's rules to protect you, and you're downloading the spam and its harmful attachments to your PC. This situation is even worse if you're using an outdated mail client like MsOutlook 2007 - a product that has exited mainstream support from Microsoft and never receives any security updates.
  • Flag or report spam. In the Gmail interface, if you select an email message, you have the option to flag the object as spam. Do so. This adds to a personal filter that can help filter spam from your inbox in the future. If you just delete it, Google doesn't know to screen for it in the future.
Screenshot 2017-01-18 at 10.17.29 AM.png
  • Create a filter. When selecting the message in Gmail, you can opt to create a filter off of the email message. Filters are a powerful tool that you can use to keep spam email from hitting your web inbox as well as the inbox on your phones and mobile devices. When you do create a filter, you'll be prompted with a dialog that looks like this:
  • In the filter rules, you're saying "If I receive anything from this email address"... Instead of an email address, you can also add any identifying "has the words" in the appropriate box (words like "sweepstakes", "viagra", whatever. The email address usually suffices. You can also modify the email address to be any alias from any domain you don't recognize by expressing it like *@spammerdomain.com - this says, "If I receive anything from spammerdomain.com ..." Then, create a filter off of these selections. Don't be too tight on these selections - you don't need many criteria - just enough to create a useful filter off of.
  • When you push on to create the filter, you would want to check "Skip the Inbox" and "Delete it", applying the filter to all of the other messages found in your inbox. Press the CREATE FILTER button to save the filter.
     
  • Editing your Gmail Filters. Over time, you may have many filters that you would want to look at and troubleshoot. You can find all of your filters to edit or delete them by going to the GEAR ICON in the upper right, then Settings; then to the Filters and Blocked Addresses tab. The list allows you to edit or delete any of your filters.

Administrator Safeguards

  • The G-Suite / Google Apps Spam Controls. These controls can be applied to an entire Google Apps domain and are found within the APPS > G-Suite > Settings for GMail > Advanced Settings section of the administrator console.
  • Whitelist Hosts. Administrators can approve a whitelist of senders by IP addresses or host names. Remember that these are exceptions created for the entire domain so that it affects every user within the domain.
     
  • Inbound Gateway Declarations. If you use 2nd or 3rd party spam filters through other gateways, they can be declared here.
     
  • Spam Control. Here, you can setup more aggressive spam filtering and a set of rules of how to manage spam for the domain. If content from a trusted party continually arrives flagged as spam to your user community, you can create exceptions through the Approved Senders List; if you want to spam to be quarantined rather than delete it, you can declare that here. 
  • Blocked Senders List. If your organization is constantly receiving spam from a known source or email alias, you can provide blacklists for the organization here.

Conclusion

Spam is a constant problem on the Internet and it's not likely to go away. It exists as a consequence of how easy it is to email anyone in the world, and, how extraordinarily gullible we are as humans.

Technical controls can only do so much to identify and filter spam - ultimately, it comes down to user behavior and user-controlled filtering that brings spam to-heel. That means you - as a user - have to modify your behavior, think critically, and leverage the tools that are at your disposal.