Darth guide how to deal with spam emails
SPAM - Don't FIGHT it, but silently AVOID it.
Yes, if you "fight it" is getting aggressive and you will not get anywhere. Avoiding is the way, you pretend that their spam tactics worked on you, but in fact, you just throw it into a bin.
I was contacted by some of my readers and they asked me to write a guide about email spam, so here it is! Yes, many Bitcoin users, today are hit with a lot of spam and many of them are not so techy with this stuff and can get scared and don't know what to do.
I will try to give you some hints and simple solutions, that any normal user can do. I was doing 20+ years of Sys Admin stuff, including to deal with spammers on the email servers I was managing all these years.
Not everybody knows how an email system works, what is behind all the communication. I will try not to enter too much into technical details.
First of all, let's categorize the spam, we have the following types:
a. Regular unsolicited email
You receive shit load of messages with a lot of garbage. Mostly because you used always your regular email address to subscribe on many different websites and some of them leaked that address to spammers or simply you fall into a spam trap website.
b. Impersonating email
When your email address got into spammers hands / lists and is used as to be "the sender" (in the "from" field) of spam emails they send to other people. Be aware! Is also used to see if your email server is having in place a system of "non-delivery-report" and how is dealing with emails that have a "trusted"/"whitelisted" address in the "from" field.
c. Phishing email
Here are also 2 sub-categories: those who knows your real email address and those who just send to various possible emails of your domain (if you use a personal one).
These are sent to fool you into clicking the links in the body of the message. All will look almost as the real senders, usually famous Bitcoin services that you possibly used. They don't know it yet, but they try to find out by making you to click on them. Almost all of them are redirecting to weird links address or trying to fake the real one, by changing/omitting a letter things like this.
d. Flood spam
When your server is literally overwhelmed by a huge quantity of messages sent towards your server and is literally stuck. In this moment you are quite fucked, you are directly attacked, somebody really wants your server down.
What to do?
So what a simple user can do to protect himself from spam attacks, in special when is dealing with Bitcoin sites, exchanges, etc. ?
There are two levels to answer to this question: basic and advanced.
BASIC STEPS (that any regular user can do):
Use aliases
When you have to use an email address to register/subscribe on a website or service, ALWAYS use an alias.
An alias is like a secondary email address linked to your main mailbox. Is like a Bitcoin wallet, with various BTC address / UTXOs. So use a specific alias for each website/ service.
Example: to create an account on a BTC exchange, use exchange-x-y-z@your-domain-name.com.
Yes, you will say, but I use gmail/hotmail etc... Stop using those public hosted email services. Use them ONLY as a garbage collectors, or specific cases when you do not want to reveal your personal domain name, avoid identity or things like that. These public domain services use them only for PUBLIC shit, to keep your private shit, private.
Many of these public domain services also offer creating alias, some of them are paid extra services.
Using your own email domain name gives you more flexibility to control all these aliases, but be careful also WHERE you use it, not everywhere is good to use your personal email domain.
Another way is to use dedicated services that manage specific aliases and redirect all emails to your real email address. There are quite a bunch of them, maybe later, I will add a list of them here. Just search on internet "email redirect alias" and you will find them. Many are free, but be aware, some could be also spam gathering services.
So, organize your mailbox, with rules, that check the "To" field, containing your "special" alias and redirect those messages to specific sub-folders you create into your main Inbox. In this way you always know from WHO and to WHICH alias was sent a spam.
If you see that onto an alias you start receiving spams, you have two simple options:
- simply remove / delete that alias, if was used for non-important stuff
- if is from important stuff, go to the website where you use it and change the email address with another alias. In the same time, inform the website owner about the leak. If the alias do not exit anymore, all spams will be sent into ether and/or rejected.
No images in email client
Either you use a desktop or mobile email client, setup your client software to NOT download the images attached to a message.
Yes, there’s an option like that in any decent email client. And will protect you from downloading any bullshit image attached, that can be hidden and can be used as a tracking algorithm. Usually they put images on dedicated servers from where are downloaded and each download is a tracking of your IP, device, OS, software etc.
Also these images hide the real link behind, the malware link, that you will click it without knowing it and … voila, you get infected or traced.
You can click manually to download images from a trusted email sender, but not by default automatically to all.
Password policies
Do not use same password on all websites/services you use!
This is one of the most important and simple rule.
A simple way to manage multiple passwords (I know is hard to remember all of them), is to use a password manager. KeePass or BitWarden are really good and can be used totally offline, on multiple devices. These password managers also have integrated a password generator, easy to create new random passwords. Why is good to have random? Because you could not be "mentally attacked" and leak from yourself those usual password you generate yourself.
Online password managers are NOT reliable! Anything that is stored in somebody else server is NOT yours!
If you still want to save a login password in your regular browser, at least go to settings and set a strong master password to open that vault, temporary. Also, set your browser to NOT save any history, cookies etc in one session, so once you close the app, all remaining shit is wiped, so all possible little cookies that can still read those stored passwords are gone at restart. But not always works 100%. So store only those that you used mostly and are not so important.
Limit your online presence
Yes, why do you have to subscribe to all the shit available online?
Limit your presence of giving your information (even if is a fake/nym one) to useless shit you find online.
Stop participating in useless quiz, voting, petitions, polls, questionnaires. Or at least select them and try to use more those without giving an email address. If something is promoted as "free stuff" just submit your email here... that means in almost all cases: gathering user data. Free stuff is NEVER free.
ADVANCED STEPS (for users with some more tech skills and knowledge)
Use your own hosted domain and/or email server
This is quite advanced but with some basic learning you can do it even if you are not a Sys Admin.
Option A - your domain, but not your server
You can only buy your own domain.com and host the email server in a VPS, there are many cheap services like that and with few simple clicks you have your own email server ready.
Yes, this will be managed by somebody else, but you can control at least the software and configuration, exactly as you need it.
There are many email solution available, I will not name them here, choose the one that suit more for your use. Important is that you have more flexibility to manage your own multiple mailboxes, aliases, access, private and encrypted email etc.
Option B - your domain, your server
This one require more tech skills, to install, manage and maintain security of a real server for your domain and email system.
With this one you could even be an email provider for your family and friends.
A simple email server like that could be even a NAS (Network Area Storage) like Qnap or Synology. Look up into their app packages, they have a simple solution for a home user email server. For example Xeams is very easy to install and configure with a QNAP NAS. Are many other email server apps out there.
If you want a more robust, advanced email system, then install one in a Linux machine, with specific software as email server. Again, there are many to use, some more advanced than others. Many are free to use.
For Windows machines, I would recommend a very simple one MailEnable. In just few clicks you have an email server on your regular Windows machine, with webmail and also access from various devices and clients.
Yes, this option (your domain / your server) require some more skills in networking, OS, how email system works, domain management, security, firewalls etc.
But don't be scared! Read more documentation and you could have your own server, even at your home, with your regular internet connection. Yes, with simple security steps you could have a secured server, there's nothing to worry on that.
Detect the real sender
When you want to create a spam list to blacklist all specific senders, you will need to find out first, WHO send it. Don't be fooled by what you see in your email client as "from" field. It can be anything that contain a @ there.
So open that message item and go to message properties. It will open the email header information panel.
There you can see the REAL communication that happen:
- the real server name / IP that sent that garbage
- the real domain name that was used to send that spam. Not always is the same as "sender". So that is an indication that the "victim" domain was hacked and their server is used as "source".
- the email address used as the sender
- the possible re-routing servers, yes sometimes could be multiple hops to "fool" your weak server anti-spam policies
So write down all these details and/or make a simple list, a text or a csv so later you could import them all into your server anti-spam policy filters.
Organize your spam policies
Now is time to get rid of these garbage spams.
So depending on the system you use, you will have to create specific blacklists and whitelists.
Also is good to have in place a NDR system. NDR = non-delivery response.
There are vary ways to use NDRs:
- just silently discard the spams
- move them into a specific mailbox / folder
- mark them as "spam" so the user can be visually alerted first time will see it in his inbox
- reply to the sender with a specific message. I usually reply with: "please send me 100k sats to following LNURL, in order to have your spam emails not treated as such". Choose wisely the correct error NDR code from the 5.x.x !
Create whitelists. Yes is a good practice to add the domains and other servers IPs that you trust to receive emails from, into a whitelist.
Also some email server software are coming directly with online spam lists filters like Barracuda, SpamHaus, SORBS etc so using whitelists, will avoid these spam filters to reject valid emails to be received.
Configure your email server
Yes, is very important the aspect of configuring properly all your email domain settings: MX records, DMARC, SPF, DKIM etc are very important so other servers will not reject your emails because of wrong /invalid/ non-existent sender.
A very good tool to use in this case is MXToolbox, so you can check your settings and also the blacklisted IP (if there's is)
Also be careful with configuring ports open for your server, if you host it in your home, so you will need full access to your home internet router and manage the ports.
A good tool to use in this case is PING.
Watch out to not be blacklisted!
Yes, if you use a shared domestic IP from your ISP, it could be previously used by other spammers or malware in some computers to send massive spam. Automatically at high levels that IP will be blocked.
But don't worry there are tools to unlock it at your level (not ISP level) and you can always inform your ISP about that and is their duty to unblock it (in the end they provide it to you and you pay for it).
Anyways, this do not exclude you from keeping your own network clean:
- all users connecting to your LAN or server, must have clean PCs and be aware of malware that can use their machines to send massive spam, in the background.
- keep your server clean, don't use it for your regular browsing stuff.
- If somebody alert you that they can't receive emails from you, you can check on MXToolbox and take the measures for it, following the instructions.
So far... this could be some basics steps to do. Of course there are many advanced things to explain, but this guide is only to offer you a starting point for to learn more and protect yourself.