Ask HN: Why is spam email still a thing?
If you've had an email account for a while you probably know what I'm talking about. Open your spam folder and undoubtably it's filled with poorly written and worded emails still advertising "free sex", "you've won", "open for a gift card" or otherwise.
These emails are so bad and there is almost no chance of them finding their way through a spam filter, why are people still sending them?
193 comments
[ 2.7 ms ] story [ 215 ms ] threadMost likely because the cost to send per email is so low as to be essentially free.
As well, there may be some amount of 'Nigerian email' issue here. I've heard it said that the "Nigerian prince with 65M needs help moving money to your country" emails are so poorly worded on purpose to specifically filter out individuals who are not good marks for exploitation. I.e., if the recipient fails to notice the poor wording and grammar then they may also be easier to exploit. It may be the same with the spam. If an individual responds to the spam, then the spammer knows they have possibly found a very gullible individual that can be easily exploited.
Gmail will every now and then let absolutely ridiculous emails through the spam filter.
Badly spelled, bogus URLs, with $$$$ all over the place and All CAPS and just so clearly to any human a phishing attempt or just general scumminess and gmail takes a look at it and says “yup everything seems legit here. On to the inbox!”
This is absolutely key. The marginal cost of sending the spam is nil, but the marks self-select.
And you don’t need a lot if them to make a good income, especially if you’re in a developing country. In most of subsaharan africa, median income is under $1000. In some countries it’s under $500.
The last thing the scammer wants is for the mark to back out after the scammer has invested resources into them, and before they have realised any gains.
Effectively, insufficiently gullible marks reduce their profit margins.
Then, in order to get the hash, they have to paypal me 20 cents.
If my attention is not worth 20 cents to them, then they should not be contacting me in the first place.
Further replies to the same thread should be free for some period of time (e.g. a month or so).
http://blog.nawaz.org/posts/2018/Sep/solving-my-email-proble...
See discussion:
https://news.ycombinator.com/item?id=18100807
According to the sibling comments, it does not only work, but some people are already using it in practice.
Maybe you could train it on a central database that keeps track of which conversations get the most consecutive replies from scammers.
You might not even need GPT. Maybe just the act of responding with a reasonable amount of text would create a large filtering burden for scammers.
I have to believe someone has tried this.
[1] https://spa.mnesty.com/
So something similar with a bit of variation thrown in should turn that spammer advantage on it's head with the 65million spam emails getting 1million replies instead of 100.
https://devpost.com/software/test-7gzse1
It hooked into your email client, identified scams in a very mediocre way, and then sent back a autogenerated (not GPT-3 response).
The big problem is privacy. I am not sure how to effectively solve that one. Why I did not win, lol.
It will get harder and harder to separate genuine (human-generated) content from AI-generated. Eventually I think we will have browser extensions designed to detect AI-generated content and it will result in another arms race.
There are risks. You don't want people to get into echo chambers. But that's happening anyway.
[0]: https://cr.yp.to/im2000.html
Or per address/domain?
What's the best "altruistism wins" way?
Paid addresses, like ETH network?
Sadly, better SPAM filter technology won't be the end of SPAM. SPAM will lose its efficacy when old, unfiltered inboxes stop being used. And they will stop being used when the (largely) older demographic stops using them as a result of the passing of time.
There is a way to reject suspected spam, which is to do it at the SMTP level (refuse to deliver) so that the sender gets a non-delivery notice.
Accepting everything (pretending to deliver it) and then silently dropping some of it is generally a nonstarter.
False positives in spam detection are really bad, so you want to tune your algorithm to have really low false positive rates--which means you get high false negative rates in turn. Having a spam folder to filter non-black-holed spam into allows you to introduce another level where false positive rates can be higher without being catastrophic.
I'd love to never have to ask "did you get my email message?"
Ie. The first step verifies the from/to addresses, then the message body is sent. So, if the message body is clearly spam and you reject the message body all you've done is confirmed to the spammer that they are sending to a legit email address and they need to change their message so it no longer is rejected as spam.
As bad as the current system is it leaves spammers with uncertainty over whether their message made it through the spam filter.
I mean; I have to assume the engineers in charge of this @ Google are making the right call, but the cynic in me can't help but worry they are making the call in a way that benefits them at the cost of a healthier SMTP ecosystem. (ie, "Lets make email just unreliable enough that folks switch to Google Email 100%, or use some other Google Product for messaging ...")
You can reject the message anytime after TO/FROM/DATA w/o signaling which of those 3 caused it the message to be rejected.
That is incorrect. After the last DATA command from the spammer, your mail server can look at the mail and, if it’s spam, just say
This rejects the mail and makes it bounce to the sender.> I'd love to never have to ask
Yeah, me too. But email is a best-efforts delivery system; email delivery can fail for reasons other than spam-filters.
Instead, just simply say "500 FOAD." after DATA and be done with it on the non-zero chance the sender actually has something important to say, and needs to decide if they need to use another channel.
1. People will continue to use an easy tool even if it has become ineffective, because it’s available. It doesn’t take many spammers to send 100,000,000,000 emails. Direct mail isn’t what it used to be, but it’s baked into the systems for every car dealership and so it continues. Spam is probably 1000x less effective than it was in 2002, but most spammers aren’t running A/B tests either.
2. Just like direct mail, it’s easy to think that no one looks at spam because I don’t. In fact, there really are a lot of people who look at every coupon in the Captain D’s flyer. Same thing with spam…even if the open rate is 0.1%, that could still be 1 in 1000 people.
It's probably something like less than 1 in 10,000 emails getting a click, which is depressing when you consider all the computing resources wasted by receiving email servers and then by all the recipients which need to filter out the noise (for example I still at least scan subject lines of items in my Gmail Spam folder).
So with that considered, spammers clearly completely lack empathy for their fellow human beings, they have zero care on the cost of their practice, as long as it makes them a few bucks. Sure, there are people who do far worse things, but that fact in no way redeems spammers.
I'll start by saying I in no way excuse like or can stand spammers, I think action should be taken against them as they've destroyed every communication medium in existence.
But I have some friends that come from some third world countries in Africa and similar places. From their perspective the few bucks to us makes them some of the richest and well to do people where they are at, and all they are doing is taking it from fat rich wealthy Americans and Europeans that already have too much money, even if the person is close to destitute by our standers from the perspective of many people in the third world if they have a roof over their head and know where their next meal is coming from, to mention nothing of ac and a car they are living an unimaginable lifestyle.
My point isn't to defend scammers it's just to point out that many of them arent malicious simply trying to survive in a difficult world, I would argue many of us here on Hm would do the same if faced with the choice after all how many people here already go to work on ad or surveillance tech of dubious ethical vlaue because the pay is insane.
The kind I'm referring to are single organizations which aim to send out 10s or possibly 100s of a millions of spam emails _every day_. I would expect there to be at least dozens of organizations at this scale. They're the ones who use botnets, open relays, and weird characters in their emails to get around filters.
> Apparently enough people ultimately click the links to make it worth it for the spammers, otherwise it would have stopped.
Each generation has to learn new. Every day, there is somebody new to try out spamming. Every day somebody got their first mail address and their first spam.
Most of those spammers will quit soon again, some will improve and have some small win.
It's always been an economic numbers game. You might send 1 million spams that costs you $100, but you might get $400 in return from whoever paid for the spam campaign. If you're running your own spam operations for your own "products", you get more profit, but the risk and difficulty is higher.
I also have a theory that spies use spam as a form of steganography. If spam naturally contains a lot of variable information, and it comes from random places and is sent literally everywhere, it's not hard for a spy to receive an encoded message dropped into their mailbox without anyone even knowing what their e-mail address is.
Not to even mention those crap sites that allow you to signup with email without verification, looking at Instagram...
That means, as has been stated in this thread a bunch of times, that sending spam is essentially "free", especially since they like to use exploited email accounts to do the sending if possible.
I am all for a re-envisioning of email from the ground up, tbh.
Maybe something like Webrtc?
It could probably happen quickly if a few big players came together and made the push. Unfortunately the only innovation in email these days is occurring in ways that help user lock-in. E.g. IMAP is stagnant, Gmail added 'dynamic emails' that only work in their ecosystem.
I get spam from Google Apps customers, Office 365 customers, Mailgun customers, and more, despite these providers' terms of service. I get spam on my LinkedIn spamtrap address, my FreeBSD ports spamtrap address, and more. I'm seriously considering a switch to whitelisting, which is what I had to do on my phone to deal with all the robocallers. It's insane with motivated evil people will do for a little money.
Sure, it might end up in the spam box. But so do real emails. So, spammers still get their emails viewed. As do phishers.
https://www.bankinfosecurity.com/tricked-rsa-worker-opened-b...
https://www.wired.com/story/the-full-story-of-the-stunning-r...TL;DR: Email is fundamentally broken because it was designed in a time when you could leave your doors unlocked at night.
It isn't a design choice, it is a choice that we make every time we send an unsigned email.
Lots of people complain about the “insecurity” of email, but as long as you want this feature (sending anyone a message knowing nothing more than just their email address), there will always be spam.
And if this is a feature you can do without, then there are lots of alternative communication systems, or you can always use signatures in email.
But then again, there are still laws on the books saying the only way to securely transmit a document is by fax machine. So even if somebody reinvents a backwards compatible email system tomorrow that solves all the problems, people will be to afraid to use it.
If you are sending good mail to a double-opt-in, highly intentful marketing list, then you will receive minimal spam complaints. If you are sending to people who don't want it (they didn't check the opt-in button), it doesn't muddy the water because it is spam.
That being said, there are legal requirements (CANSPAM) [1] for mail senders around the unsubscribe link, but there are no legal requirements around the report spam button, so either kind of works.
[0] https://support.google.com/mail/answer/6254652?hl=en [1] https://www.ftc.gov/tips-advice/business-center/guidance/can...
What I find most interesting about email is how some people will mark email as spam literally months or years after we sent the original email. We send over a billion emails a month (not spam) and people’s behavior around email is fascinating.
You’ve described what happens when you report spam, but not what happens in the future when more people get upset over email and reflexively report all marketing email for accounts they chose to sign up for, and opted-in to marketing email for (by agreeing to the terms), and potentially still need transactional emails for. The average person doesn’t know the difference between transactional email and marketing email, and if you follow @Old_Thrashbarg’s advice to report any email you didn’t expect as spam before adjusting your settings, then eventually we might lose those settings as companies and providers all come to the conclusion that people can’t be bothered.
You’re also suggesting that there’s some broad segment of good marketing email that people don’t consider unsolicited or even spammy, which is by and large not true. There is practically no such thing as highly intentful ads that most people want, aside from the occasional short-lived viral campaign. By definition, marketing is a push initiated by the company to sell their wares, and most people would prefer not to watch ads given the choice.
Don’t forget that Mailchimp, Mailgun, Gmail, Hotmail, and almost every other service you can name here is actively making their income from email marketing. As much as we want to, it’s going to be difficult to block all marketing email, and they all have a vested interest in delivering email, especially from the people who are paying for the service.
NextDoor also used to violate the CanSpam Act by requring you to log in to unsubscribe, but they fixed that a couple of years ago.
I hate it when companies allow people to signup with email addresses that aren't theirs, never validate the email address, and then start spamming me. I mark all of those as spam. The latest offender is Chime.com (I have a common-ish FirstLast@gmail that I'm phasing away from.)
Except that Comcast/Xfinity itself is violating the CAN-SPAM act. I constantly get product offers and other junk from them, despite being clearly marked as "unsubscribed from all" when I click the unsubscribe link.
They are also a local monopoly and I have no affordable alternative for "basic broadband".
There does not seem to be any facility to report this to any regulatory agency of the US government or my state government.
[1] Or set it to bounce, but I prefer /dev/null as bouncing increases the chance I'm becoming part of a back-scatter issue.
[2] At some point soon I'll get around to cycling those addresses to something else again, I haven't for a while, then the current ones will be redirected to spam training.
[3] Including some newsletters specifically targetting people who have interacted with crowd-funding so some project's team has given my address out against my wishes⁴. I wish we could give them specific addresses when supporting, so I could tell who (I don't cycle the main address I use for such things often enough to tell).
[4] Though those have saved me money: if I think of supporting a project I search the junk file first and if it has been mentioned by “backer-update”, “grant @ t.k.p.”, “kickstartech”, etc, I'll walk away - but only one has lost my help thus far that way and doubt anyone else is doing it so this petty little victory probably means nothing in the grand scheme of things.
Bouncing doesn't cause backscatter, provided it's a real bounce; that means a bounce that is a rejection by your mailserver, performed during the SMTP transaction. The message commonly known as a "bounce message" is technically known as a delivery status notification. The actual bounce message is composed by the sender's mailserver, and can't cause backscatter.
Basically, a bounce sent after the SMTP server has said "Message accepted for delivery" is a bogus bounce, and causes backscatter. Sending bogus bounces is a reprehensible practice (and quite useless).
It sometimes happens because mail gets accepted then put into a local queue for processing (anti-spam checks and other scans) and the fake bounce sent after that. A badly designed system (and such do exist) will do this even for messages they could immediately reject based on the invalid incoming address.
It can also happen because there is an intermediate SMTP server between the sender and receiver, the intermediate has dropped the connection to the sender before the final destination rejects, so if you want to bounce at all it has to be a fake bounce.
I don't know without checking (and I've been too lazy to test!) if my mail services properly bounce based on target address or fake bounce, so I err on the side of not causing disruption if it is the bad one. I'll be replacing Zimbra with something else (probably self-built from standard parts as my needs are much more limited than when I picked Zimbra many years ago, just mail, nothing else) for my main mail service soon, this will be one of the things to make sure I get right.
I'm sure the business owner really thought he was promoting his business well but who buys bulbs in such quantities to make this worthwhile?
From my understanding, that is a feature. It acts as a filter for the top % of more gullible targets.
Google proved they could beat spam around year 2000, but now suddenly they are now letting messages through with headers that a toddler could tell you are fake.
They know it' spam, we all do. But they let it in anyway because there's some secret economic or political dynamic we aren't privy to.
I would be curious to see if anyone here has added such barriers and what their results were. What methods did you use to make spam expensive for spammers and how did it affect your legit customers and prospects?
Unfortunately, there are probably businesses where even with that cost, it would still be profitable to spam - just look at physical mail or any other type of physical advertisement, or heck... even online advertisements still have to pay money for impressions.
"Why do Nigerian Scammers Say They are from Nigeria?"
This approach suggests an answer to the question in the title. Far-fetched tales of West African riches strike most as comical. Our analysis suggests that is an advantage to the attacker, not a disadvantage. Since his attack has a low density of victims the Nigerian scammer has an over-riding need to reduce false positives. By sending an email that repels all but the most gullible the scammer gets the most promising marks to self-select, and tilts the true to false positive ratio in his favor.
https://www.microsoft.com/en-us/research/wp-content/uploads/...
It is sad because I think it isn't just gullible people generally, but those who did not grow up with computers and won't understand that "This is your bank informing you of a security breach" is bogus are unfairly hit.
Other thing is that the cost of sending massive numbers of emails is basically nothing so why not? If only 100 people out of an email list of 100M click through, that might pay you for this month.
Also FWIW, people to whom I send email regularly tell me that their email systems mis-classify my emails as spam. I've spoken with several networking specialists, and they all shrug their shoulders and say: "It's the server level spam filtering ... it's not very good." GMail in particular is known to be aggressively negative towards email originating from anywhere other than another GMail account.
So in answer to your no doubt intended to be rhetorical question, I use spam filtering in my email system, not on the server.
I have/work with three different companies ... two of them use Google based email systems, one (my own) does the filtering "in house". One of the G-based systems performs well, the other has multiple false positives every day.
I'm sure it performs well for the majority of people ... it's likely that the emails I send and receive are atypical, and Google performs badly because they are not "normal".
Everyone has to decide where that trade-off lies. In my context, I simply cannot trust Google, or any other server-side filtering, for important email. As others have said, it simply means the spam folder is a second inbox.
As I say to my clients about so many things: take advice, understand the trade-offs, make a decision, deal with the consequences.
This just isn't correct. Gmail does indeed have a HUGE market share at around 20-30% depending on source but with every business using mail for notification and business communication you will note that an even smaller minority of mail comes from other gmail accounts. If Gmail actually worked like that it would have ceased to work entirely and lost most of its users. If I understand correctly the actual issue is all the major players vs very small players like people running their own server.
In that scenario the users whether it be on yahoo, google, msn what have you get 99.999% of their intended email while the person running their own email server will have a much larger miss rate a bigger problem and one that can't be solved on the client side at all.
From the perspective of the end user who is neither aware nor concerned about small servers issues server side filtering works very well. Looking at my spam folder it seems to be filled not with nigerian scams which don't even make it to my spam folder but with emails from people who have send me emails which have some degree of legitimacy but which I have repeatedly deleted unread like political emails requesting contributions. From my perspective it works great.
Please: I've experimented with this for over two decades, and continue to do so. I know that lots of people say that server-side filtering is fine. My direct personal experience is that for me it is not fine, including the spam filtering provided by Google's email service. I do not deny that for other people it's fine, I'm just saying ... don't deny my experience.
I regularly have emails to my GMail from colleagues end up in the spam folder. Perhaps as many as 5 or 10 per week, enough that I have to trawl through the spam folder every few days to make sure I've not missed something important.
Similarly, reasonably often when people reply to me, often after being prompted with a second email, or even a phone call, people tell me that emails from my "other" ISP to their GMail provided mailboxes have ended up in the spam folder.
It happens in waves ... it can be fine for months, and I start to think it's all good and I can trust it, and then there's a spate of emails going to spam when they really shouldn't. It's simply unreliable.
So for incoming email I do my own filtering. I can do nothing about my outgoing emails ending up in someone else's GMail spam folder except to be aware that it happens, and to keep track of when I'm expecting a reply. With some colleagues I've gone to a "positive acknowledge" system to preempt what have been expensive problems in the past.
* What's your DKIM/SPF/DMARC setup like? That all needs to be on point to get delivery to gmail to be reliable.
* Are you using a provider like Sendgrid, Mailchimp, etc. to send mail? Are you on a plan that gives you a dedicated IP address or is it part of their shared pool? The "it happens in waves" sounds a lot like a common problem with the shared pools where spammers send a bunch of mail through a service, the IP gets blacklisted, and it takes them a couple days to notice and remove it from the pool.
* do you have any "noisy" alerts or similar going out to people? Not necessarily spam, but eg, sometimes users getting frequent notifications, daily summaries, etc. will sometimes just flag them as "spam" rather bother to turn them off or manage them properly. At some point, that trains Gmail's filters to increase the spam likelihood on your entire domain.
* No, I'm sending email from my domain on my domain host. That has a single IP address shared among all their customers, but it's a very small ISP, and there are no spammers, and the IP address is not on any blocklists.
* No, I send standard email "by hand", and I know that people are not marking them as spam.
It's nice to see you go through these things because these are exactly the things I've gone through several times, so it serves to confirm that I've addressed the right things.
You say:
> ... look at the SPF/DKIM/DMARC related DNS entries with dig ...
I don't know how to do that.
> ... verify that they are correct.
I wouldn't know what it means for them to be correct.
As a further example, in trying to use postmark's service I get this:
OK, that's fine. Then: I have no idea how to do that, and suddenly I'm down the rabbit hole of things that other people think are obvious and easy, but leave me with no idea of what to do.I really appreciate your feedback, and I'm passing it on to the people I pay to do this for me. The thing is, that's my ISP, and you tell me I shouldn't trust them.
> ... now you need to understand a lot about DNS and those mail related standards and do a significant amount of work to stay on top of the configuration to have a snowball's chance in hell of your mail getting through.
That's exactly what I pay someone else to do, and they are doing it correctly (as best I can tell).
So ... I just have to live with it. As far as I can tell, short of simply giving up entirely and using Google, I've done everything I can.
Is solipsys.co.uk your domain (from an earlier comment)? If so, I can see right away that there's no DMARC entry for it. That means that it's vulnerable to spoofing (I or any attacker could easily send an email to someone making it look like it came from your domain, eg, as part of a phishing attack). Gmail definitely penalizes domains without DMARC, making emails more likely to be classified as spam.
I am, for many reasons, so thank you for understanding that.
> If you want to keep believing that your ISP knows better than them, then I guess you're going to.
It's not that I believe my ISP knows better than Google, it's that I believe they are doing what they have been told is necessary.
> ... solipsys.co.uk ... no DMARC entry for it.
I will raise a ticket and get it dealt with, and as a part of that I can get the entire issue looked at more closely.
Thank you.
Based on what you've said here I don't know what you mean by "self-hosting". I have a package that I purchase from a company that provides me with my email and web hosting. I pay them, I configure my web client to connect using the details they provided, they deal with the configuration.
They are qualified in this field, they have certifications.
Everyone here seems to be using terms that obviously mean something to them than is different to what the terms imply to me. I have machines that connect to my email, hosted by the ISP with whom I have the contract. To me, that doesn't mean "self-hosted" ... I don't do any configuration of DKIM/SPF/DMARC/etc. That's all done by the people I pay.
So ... I really don't know what you're talking about. I suspect you know too much to be able to communicate effectively with me, who knows nothing. It's plausible that the field of discourse is simply too technical.
Thank you!
A lot of people think it's laughable that anyone would fall for "simple obvious scams" but I've met a good handful of older family and their more elderly friends who either fell to a scam or were only stopped once someone at a store questioned them as to why they were buying lots of gift cards all at once. In some cases scammers will work on people over a long period of time to gain their trust.
I've had people in my close family fall into debts to those folks, they target the weakest and literally go heaps and bounds to extract as much as they can from their 'mugus'.
Not fun at all :S
After all the marginal cost of sending out extra emails is basically free. It's not as if he needs to only select the most gullible people to save on costs.
At least, that was the impression I got from an old lady who lived near me, who managed to shout down a stream of people telling her that her 'secret agent boyfriend from plymouth' she was sending all her money to wasn't real.
I think there's a bit of a parallel to cults like scientology - the more incrementally ridiculous you make the story, the higher the feeling of shame is when you have to own up to being fooled, making some people go in deeper rather than back out.
"Your post advocates a:
( ) technical ( ) legislative ( ) market-based ( ) vigilante
approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)
( ) Spammers can easily use it to harvest email addresses
( ) Mailing lists and other legitimate email uses would be affected
( ) No one will be able to find the guy or collect the money
( ) It is defenseless against brute force attacks
( ) It will stop spam for two weeks and then we'll be stuck with it
( ) Users of email will not put up with it
( ) Microsoft will not put up with it
( ) The police will not put up with it
( ) Requires too much cooperation from spammers
( ) Requires immediate total cooperation from everybody at once
( ) Many email users cannot afford to lose business or alienate potential employers
( ) Spammers don't care about invalid addresses in their lists
( ) Anyone could anonymously destroy anyone else's career or business
*Specifically, your plan fails to account for:*
( ) Laws expressly prohibiting it
( ) Lack of centrally controlling authority for email
( ) Open relays in foreign countries
( ) Ease of searching tiny alphanumeric address space of all email addresses
( ) Asshats
( ) Jurisdictional problems
( ) Unpopularity of weird new taxes
( ) Public reluctance to accept weird new forms of money
( ) Huge existing software investment in SMTP
( ) Susceptibility of protocols other than SMTP to attack
( ) Willingness of users to install OS patches received by email
( ) Armies of worm riddled broadband-connected Windows boxes
( ) Eternal arms race involved in all filtering approaches
( ) Extreme profitability of spam
( ) Joe jobs and/or identity theft
( ) Technically illiterate politicians
( ) Extreme stupidity on the part of people who do business with spammers
( ) Dishonesty on the part of spammers themselves
( ) Bandwidth costs that are unaffected by client filtering
( ) Outlook
*and the following philosophical objections may also apply:*
( ) Ideas similar to yours are easy to come up with, yet none have ever been shown practical
( ) Any scheme based on opt-out is unacceptable
( ) SMTP headers should not be the subject of legislation
( ) Blacklists suck
( ) Whitelists suck
( ) We should be able to talk about Viagra without being censored
( ) Countermeasures should not involve wire fraud or credit card fraud
( ) Countermeasures should not involve sabotage of public networks
( ) Countermeasures must work if phased in gradually
( ) Sending email should be free
( ) Why should we have to trust you and your servers?
( ) Incompatiblity with open source or open source licenses
( ) Feel-good measures do nothing to solve the problem
( ) Temporary/one-time email addresses are cumbersome
( ) I don't want the government reading my email
( ) Killing them that way is not slow and painful enough
*Furthermore, this is what I think about you:*
( ) Sorry dude, but I don't think it would work.
( ) This is a stupid idea, and you're a stupid person for suggesting it.
( ) Nice try, assh0le! I'm going to find out where you live and burn your house down!"
[1] https://craphound.com/spamsolutions.txt
Gmail's spam filters would break horribly for me every few years, either flooding my inbox with spam, or filing obviously-not-spam emails in the spam folder.
With Fastmail, my experience is that all spam goes to the spam folder, and only a few questionable newsletters get put in the spam folder by "mistake".
And well, that could answer the OP's question, people didn't give up because there are a few providers that will receive their email and show it to users. Take any Exchange service as an example, if your email is technically formed enough to be received (many real senders will be rejected here), it will be received, and it's up to the user to forbid that one instance of spam, like if it's the 90's.
Hard to say how much of it is that my Gmail account has been around a lot longer and part of multiple email leaks.