Don’t tolerate unsolicited spam

Unsolicited emails are very commonly used by marketers, salespeople, scammers/phishers, and more.

If you don’t play by the CAN-SPAM rules at a minimum, such as not including an unsubscribe link, I’m gonna spend a few minutes to report you to the platform/host you’re using. Even if you do play by the CAN-SPAM rules — what you are doing is unethical and disrespectful.

By reporting unsolicited emails, you’re doing your part to maintain digital boundaries that benefit everyone. Your inbox—and the broader internet ecosystem—will be better for it. Clicking the “Report spam” button from your email client isn’t good enough.

A recent example:

Unsolicited spam email

This email incorrectly assumed that I was the developer for a time tracking app
It included a screenshot for a different app/search term (that wasn’t the time tracking one they thought I owned)
They did not include an unsubscribe link

Reporting an unsolicited email

View the email headers

First, you’ll need to get the email headers. This requires you to be on a regular computer rather than a mobile device. The email headers allow you to find out what server was used to send the email. Getting the email headers is different on each client:

Gmail: Click the More menu (three dots in the right corner) then choose “Show original”.
Mail.app on macOS: Choose View > Message > All Headers.
Outlook (Web): Click the More menu (three dots in the top right corner) then choose “View” > “View message details”.

You’ll need to include these headers when sending your abuse report.

Find the email platform/provider

Sometimes it’s really easy to see which platform was used to send the email, but sometimes there’s a lot of headers. A quick way to find out what platform was used to send the email is to copy and paste the headers into an AI chatbot like ChatGPT or Claude and ask:

What email server/platform was responsible for sending this email?

When you’ve found the platform, do a search for “[platform] report abuse” to find out how the platform prefers to receive abuse reports. Some will ask you to fill out a webform, while others want you to send them an email.

Reporting spam from common providers

Send the full original email, with the headers, to the relevant abuse email:

Amazon: See the following section
Constant Contact: [email protected]
Google: See the Google section
HubSpot: [email protected] (or Hubspot’s abuse webform)
Klaviyo: [email protected]
Mailchimp: [email protected] (or Mailchimp’s abuse webform)
Mailgun: [email protected]
Salesforce: [email protected]
Sendgrid: [email protected]

Hi there! I received an unsolicited email coming from your servers. Here is the original email:

(paste the original email including all the headers)

Reporting spam from Amazon

Use Amazon’s webform to report abuse (requires signing in to Amazon). Or email [email protected] for emails sent from SES, or [email protected] for emails sent from EC2.

Amazon actually cares about their platform and does not tolerate abuse. They will respond to reports within days, usually with a message similar to this:

This is a follow-up message regarding the abuse report that you submitted to AWS. The content or activity you reported has been mitigated. Due to our privacy and security policies, we are unable to provide further details regarding the resolution of this case or the identity of our customer.

We strive to resolve reports of abusive content or activity to the satisfaction of both the reporters and our customers. If you believe the reported content or activity persists, or are not satisfied with the resolution of this case, please reply directly to this message with more information. Your response should include the relevant URL(s) or most recent activity logs that indicate that the content or activity persists, as well as a clear, succinct explanation of what you’re asking of us and our customer.

Thank you for bringing this matter to our attention.

Regards, AWS Trust & Safety

Reporting spam from Google

Google doesn’t care. Maybe consider other means, such as writing a review for their business (Google and Trustpilot are best for visibility) or tagging the company on social media.

Reporting spam from scraped GitHub emails

GitHub also doesn’t care. I’ve been an open-source contributor for over a decade. My email addresses can be found on my GitHub profiles, in my Git commits, and within various files on projects with meta data (such as package.json and composer.json).

GitHub’s terms of service states:

You may not use information from the Service (whether scraped, collected through our API, or obtained otherwise) for spamming purposes, including for the purposes of sending unsolicited emails to users or selling personal information, such as to recruiters, headhunters, and job boards.

I fairly regularly receive low effort unsolicited emails from scraped GitHub data, like this one from a YC startup:

Unsolicited spam from scraped GitHub data

When I’ve reported accounts who have scraped my email from GitHub, I haven’t had any luck on them acting on the abuse reports. Example response from GitHub’s support team:

We do expect our users to comply with our Terms of Service, which prohibits transmitting using information from the GitHub (whether scraped, collected through our API, or obtained otherwise) for spamming purposes. I’m happy to look into it further to see if we can contact the reported user and let them know that this type of activity is not allowed.

It took GitHub 131 days to send me that response after making a report. Best of luck getting GitHub to care about their own terms. Spend the few minutes to report them anyway. Maybe one day GitHub will have folks working there that do care about abuse.

Companies should be accountable for their marketing practices

Spend a few minutes to look up the email addresses of someone who might care at a company. Shoot them an email and ask them if they condone the shitty behavior. Does the company partner with other organizations? Consider reaching out to their partners.