Usually the sender address is spoofed, so it's useless to report, for example, spam from "someone@msn.com" to abuse@msn.com.  If you want to learn more, or even help to combat spam, read on ...

Look at what the spammer wants you to do (but don't do it).  If it's only to reply by email, look at the domain name in the "Reply-To" address in the message headers (but do not reply).  You may be able to report the sender to that domain if you trust it (e.g., Google.com or Hotmail.com).

Look at (but do not click) links to offerings in the message - spam links do not go to legitimate companies.  Spam links may go directly to a scam site, but more often hop through a chain of redirecting sites in order to protect the landing site from immediate discovery.  Chain-redirects commonly begin with a legitimate link-shortening service such as "bit.ly".  Chains can be safely revealed by services such as WhereGoes - see our list of Trusted Security Services.

If the message pretends to be from an organization you recognize as legitimate (this is called "phishing"), then forward it (with headers) to that organization's spam reporting address - e.g., phishing@irs.gov (tip: the U.S. IRS doesn't send email, and no legitimate company sends software by email 👀).

If the message really seems to be from a legitimate company you recognize, such as your bank or phone company, we recommend using only the links, email addresses, and phone numbers that you already have on record to access that company, pay your bill, or make inquiries.  Why?  Because some "spear-phishing" emails are crafted with precision to look like the real thing, but provide phishy links, erroneous email addresses, and/or phoney phone numbers.

Don't reply to spammers or click their "unsubscribe" links: it merely informs them that your email address is valid and worth trading to other spammers.  Consider: if you didn't voluntarily subscribe, then you're not currently subscribed; thus "unsubscribing" is nonsense.

Common sense says to create filters in your email client to sandbox the spam out of your workflow; but filters are often tricky to set up, limited in scope - because they mainly analyze email headers, not the sacrosanct message body - and their sheer quantity can bog down throughput, thus your email client may limit the number of filters you can create (and "chicken-and-egg" arrangements can end up trashing legitimate email).  Or you can use an add-on service that you "train" by repeatedly identifying various emails as "spam" or "not spam" - Thunderbird can do either, but these two methods are incompatible.  A third sense says to employ specialized services such as "Spam Assassin", "Mail Washer", and "Spam Fighter".  Now you have options.

Phishing is specifically defined as an attempt to impersonate a legitimate entity - a person or business - for a fraudulent purpose.  Thus a spam email offering a non-branded video of cute puppies, which may link to a risky landing page, isn't phishing; neither is a spam advertisement from a business - legitimate or not - for its own products and services.  If you have determined that an email is specifically phishing, the Anti-Phishing Working Group accepts all phishing emails at reportphishing@apwg.org.

😞 If JavaScript is enabled in your browser ...

Following are some organization-specific email addresses to which phishing spam can be forwarded, depending on who the phisher is pretending to be - for example, if your spammer is pretending to be Chase Bank, you should forward the spam to Chase.

The lazy way:  Forward the spam in your email client after Copying and Pasting a reporting address into the "TO:" field.

But, because your mail client will modify the headers, you should use its "View Source" feature to copy the entire raw message of the spam email into your report.  The description of these steps is wordy, but after you've done it a couple of times it's fairly simple:

In your email client:

Make sure the spam email is in your "Spam" or "Junk" folder, which may limit or halt its coding tricks.

Select the spam email and therein select your email client's "View Source" feature.  In the View Source pop-up window,

Click/Tap inside the raw message (a.k.a. "source") text to set focus on it.

Select all contents (keyboard CTRL+A, or right-click/long-press and chose Select All).

Copy (keyboard CTRL+C, or right-click/long-press and choose Copy) the entire raw message.

Close the View Source window.

Start a Forward of the spam email, and at the top line of the Forwarding window:

Paste (keyboard CTRL+V, or right-click/long-press and choose Paste) the raw message you copied.

Add the reporting address into the "TO:" field.

Send the email.

At this point, you can usually delete the spam email and the forwarded copy unless the receiving entity (such as uspis.gov - the U.S. Postal Inspection Service) wants you to retain them for a certain number of days.

Some of these addresses were hard to find.  Any mid-size to large company should have an "abuse" address, and every website should have a "postmaster" address; but these often go unmonitored.

Does this effort really matter?  Not always, but some of these companies defend their reputations with a team of technicians who follow through with law enforcement to disable those phishing sites and arrest their owners.  If just one of your reports made this happen, it could prevent literally thousands of people from being scammed - there are some good feels in that.  MailChimp continues to impress: as a bulk mailer, they are tempting to spammers; but if given clear evidence, they will permanently ban that customer.