Usually a spam sender address is spoofed, so it's useless to report, for example, spam from "someone@msn.com" to abuse@msn.com.  If you want to learn more, or even help to combat spam, read on ...

Look at what the spammer wants you to do (but don't do it).  If it's only to reply by email, look at the domain name in the "Reply-To" address in the message headers (but do not reply).  You may be able to report the sender to that domain if you trust it (e.g., Google.com or Hotmail.com).

Look at (but do not click) links to offerings in the message - spam links do not go to legitimate companies.  Spam links may go directly to a scam site, but more often hop through a chain of redirecting sites in order to protect the landing site from immediate discovery.  Chain-redirects commonly begin with a legitimate link-shortening service such as "bit.ly", but may as well be something barely legible.  Chains can be safely revealed by services such as WhereGoes - see our list of Trusted Security Services.

If the message pretends to be from an organization you recognize as legitimate (this is called "phishing"), then forward it (with headers) to that organization's spam reporting address - e.g., phishing@irs.gov (tip: the U.S. IRS doesn't send email, and no legitimate company sends software by email 👀).

If the message really seems to be from a legitimate company you recognize, such as your bank or phone company, we recommend using only the links, email addresses, and phone numbers that you already have on record to access that company, pay your bill, or make inquiries.  Why?  Because some "spear-phishing" emails are crafted with precision to look like the real thing, but provide phishy links, erroneous email addresses, and/or phoney phone numbers.

No matter how incensed you may be at spammy intrusions, don't reply to spammers or click their "unsubscribe" links: it merely informs them that your email address is valid and worth trading to other spammers.  Consider: if you never voluntarily subscribed, then you're not currently subscribed; thus "unsubscribing" is nonsense.

Common sense says to create filters in your email client to sandbox the spam out of your workflow; but filters are often tricky to set up, limited in scope - because they mainly analyze email headers, not the sacrosanct message body (wherein lies the most obvious garbage) - and their sheer quantity can bog down throughput, thus your email client may limit the number of filters you can create (and "chicken-and-egg" arrangements can end up trashing legitimate email).  Or you can use an add-on service that you "train" by repeatedly identifying various emails as "spam" or "not spam" - Thunderbird can do either, but these two methods are incompatible.  A third sense says to employ specialized services such as "Spam Assassin", "Mail Washer", or "Spam Fighter".  Now you have options.

Phishing is specifically defined as an attempt to impersonate a legitimate entity - a person or business - for a fraudulent purpose.  Thus a spam email offering a non-branded video of cute puppies, which may link to a risky landing page, isn't phishing; neither is a spam advertisement from a business - legitimate or not - for its own products and services.  If you have determined that an email is specifically phishing, the Anti-Phishing Working Group accepts all phishing emails at reportphishing@apwg.org.

😞 If JavaScript is enabled in your browser ...

Following are some organization-specific email addresses to which phishing spam can be forwarded, depending on who the phisher is pretending to be - for example, if your spammer is pretending to be Chase Bank, you should forward the spam to Chase.

The lazy way:  Forward the spam in your email client after Copying and Pasting a reporting address into the "TO:" field.

But, because your mail client will modify the headers - which disclose the path from the scammer to you - you should use its "View Source" feature to copy the entire raw message of the spam email into your report.  The description of these steps is wordy, but after you've done it a couple of times it's fairly simple:

In your email client:

Make sure the spam email is in your "Spam" or "Junk" folder, which usually limits or halts coding tricks.

Select the spam email and therein select your email client's "View Source" feature.  In the View Source pop-up window,

Click/Tap inside the source (a.k.a. "raw message") text to set focus on it.

Select all contents (keyboard CTRL+A, or right-click/long-press and choose Select All).

Copy (keyboard CTRL+C, or right-click/long-press and choose Copy) the entire raw message.

Close the View Source window.

Start a Forward of the spam email, and at the top blank line of the Forwarding window:

Paste (keyboard CTRL+V, or right-click/long-press and choose Paste) the raw message you copied.

Add the reporting address into the "TO:" field.

Send the email.

At this point, you can usually delete the spam email and the forwarded copy unless the receiving entity (such as uspis.gov - the U.S. Postal Inspection Service - spam@uspis.gov) wants you to retain them for a certain number of days.

Guidelines, so that your reports are more useful to your recipients:

Banks, stores, and government entities - such as Amazon, American Express, Best Buy, Chase, Ledger, Navy Federal, PayPal, Wells Fargo, U.S. Internal Revenue Service, U.S. Postal Service - want to know about any phishing email posing as them.

Service providers - such as Apple, AT&T, Comcast, Go Daddy, Google (Gmail, GMX), Mailchimp, Microsoft (Hotmail, Live, Office365, MSN, Outlook), SurveyMonkey - want to know only about phishing email which is routed through their services.  So, for example, Google will want to see a phish mail, claiming that "your Gmail address will be cancelled" or "your Drive storage will be lost", if it was sent by someone@gmail.com; but not if it was sent by someone@abcxyz.com.

Short-link services - such as Bitly and TinyURL - want to know about only phishing email which uses their services in forwarding links - such as https://bit.ly/[tokens], https://tinyurl.com/[tokens], etc.  Although 𝕏/Twitter has a short-link service - https://t.co - it will typically find and neutralize malicious links before you even see them.

Some of these addresses were hard to find.  Any mid-size to large company should have an "abuse" address, and every website should have a "postmaster" address; but those often go unmonitored.  If you ever receive any spam purporting to be from or about LauverSystems.com, tell us about it here!

Does this effort really matter?  Not always, but some of these companies defend their reputations with a team of technicians who follow through with law enforcement to disable those phishing sites and arrest their owners.  If just one of your reports made this happen, it could prevent literally thousands of people from being scammed - there are some good feels in that.  MailChimp continues to impress: as a bulk mailer, they are tempting to spammers; but if given clear evidence, they will permanently ban that customer.