
Spam and Anti-Spam

This document serves as a quick and dirty explanation of how spam email is generated and how we protect against it. It is not a definitive reference; for that, read GEN Antispam Maxim.

Back in the 1980s, when the 'internet' was in its early days, anyone with an IP address could send email anywhere, as anyone. You could, for example, send an email from rewards@google.com to your colleague telling them they've won £1m, and they'd have no way to know whether it was genuine or not (not that we'd ever do that, of course).

By the early 2000s it had become clear that spam was a major issue and we had to find a way to stem the flow, and this came in the form of blacklists. Early blacklists like SpamCop relied on email users to report spam, and then the sender's IP address would be added to the list. This worked great at first, but spammers soon realised that all they needed to do was change IP address every few thousand emails and they would never be blocked.

SPF

In 2014, SPF (Sender Policy Framework) was introduced to combat this. It does so by allowing the owner of a domain, for example google.com, to specify which IP addresses are allowed to send email from google.com. As more and more ISPs adopted SPF, the spammers found fewer and fewer of their emails were delivered, and spam died out, right? Well, no. Read on.

SPF meant that spammers couldn't just send spam from any IP address, and over the years blacklists had become better and better, so instead spammers started compromising accounts and servers. This was done by phishing: they sent an email to a person, tricking them into giving up their email password. I'm sure you've seen them: an email from your "IT Department" telling you that your email password needs changing. These are surprisingly effective, allowing the spammers to send tens of thousands of spammy emails before anyone notices and puts an end to it.

For what it's worth, GEN monitors email traffic by domain and by mailbox, and the NOC team is alerted to any sudden spike in traffic, which is then investigated. We're fairly unique in this, though: most ISPs are slow to act, maybe taking days or weeks to spring into action, and with modern internet speeds a spammer can send more than five thousand emails a minute.

DKIM

DKIM needs a mention here. By itself it doesn't stop spam, but it was introduced before SPF, in 2011, as a way of 'authenticating' email as originating from a given company or domain. It was adopted slowly because of its technical requirements, and many people couldn't see the benefit. Even today the majority of domains don't use it, but we do, and our mail gateways sign all outgoing email.

DMARC

Another standard designed to prevent spam that has been incredibly slow to proliferate is DMARC, which serves almost no purpose really except to publish a policy telling receiving email servers whether you want them to reject email that fails SPF or isn't DKIM signed. SPF by itself already specifies the server IP addresses allowed to send email, so DMARC really doesn't bring anything else to the table. Regardless, we still support it and publish DMARC records for our hosted domains.

Summary

If you've made it this far, well done. I wrote this and I'm not sure I'd make it this far, but hopefully you get an idea of how spam and antispam work, and why it's so important (a) to use a really strong email password, and not the same password you use for anything else, and (b) never to click any links in any email telling you your email password needs changing or has expired, or making some other veiled threat.

/home/gen.uk/domains/wiki.gen.uk/public_html/data/pages/computerfaq/spam.txt · Last modified: 2023/05/29 08:39 by genadmin
