Ham vs. spam: What’s the difference? (and why it still matters in 2026)
How to spot the difference between legitimate bulk email and malicious spam in today’s AI-driven threat landscape
Key takeaways
- Ham is legitimate bulk email you’ve consented to receive, while spam is unsolicited email sent without your permission.
- Not all unwanted email is spam. If the sender has a lawful basis to contact you and includes a working unsubscribe option, the message may still be considered ham.
- The CAN-SPAM Act sets the rules for commercial email in the U.S., including accurate sender details, honest subject lines, a valid postal address, and a functional opt-out.
- AI is making unwanted and malicious email more convincing, more personalized and easier for attackers to generate at scale.
- When an email looks suspicious, don’t click. Verify the sender, inspect links carefully, and report the message to your security team.
What is spam email?
Spam is any unsolicited bulk email — messages you never asked for, sent indiscriminately.
Wikipedia defines spam as “the use of electronic messaging systems to send unsolicited bulk messages, especially advertising, indiscriminately.” That definition holds true across the industry, though legal frameworks vary by country.
In the United States, the CAN-SPAM Act of 2003 — enforced by the Federal Trade Commission (FTC) — sets the legal standard for commercial email. It applies to all commercial email, even messages sent to a single recipient, not just bulk campaigns.
CAN-SPAM Act: 7 core requirements for legal commercial email
Any commercial email sent in the U.S. must comply with the following rules:
- Accurate header information — The “From,” “To,” “Reply-To,” and routing fields must not be deceptive or misleading.
- Non-deceptive subject lines — Subject lines must reflect the actual content of the email.
- Identify the message as an advertisement — The law gives senders leeway in how they do this, but the message must clearly and conspicuously disclose that it is an ad.
- Working opt-out mechanism — Every email must include a functional unsubscribe link or reply address.
- Conspicuous opt-out notice — The recipient’s right to opt out must be clearly presented.
- Honour opt-outs within 10 business days — Senders must stop sending within 10 business days of receiving an opt-out request, may not charge a fee for it, and may not require more than an email address to process it.
- Valid physical postal address — The sender must include a legitimate physical address.
Enforcement note: In 2024, the FTC took action against Verkada, citing CAN-SPAM violations alongside broader data security failures, a reminder that enforcement remains active. Each separate email that violates the Act can draw a civil penalty of up to $53,088.
For the full compliance guide, see the FTC’s CAN-SPAM resource.
What is ham email?
Ham email is legitimate, desired email — even if it feels annoying or unwanted in the moment.
The term “ham” was coined by the SpamBayes project around 2001 and is now widely understood to mean: email that is generally desired and not considered spam.
The key word here is desired — not necessarily enjoyable, but something you technically consented to receive.
Two ways you may have signed up for ham email
You can end up on a bulk mailing list in two ways:
- Directly (opt-in): While downloading free software, signing up for a new online service, or updating an existing account, you actively checked a box saying: “Yes! I would like to receive information and offers from you and your partners.”
- Indirectly (pre-checked opt-in): The same scenario, but the opt-in checkbox was pre-ticked by default, so you stayed on the list unless you actively unchecked it. This is permitted in the U.S., where CAN-SPAM is an opt-out regime, but it is not valid consent under the EU's GDPR, which requires a clear affirmative act and names pre-ticked boxes explicitly (Recital 32) as something that does not count.
In both cases, the sender can legally mail you — as long as they comply with applicable regulations.
Because you technically consented, email security systems may classify these messages as ham, not spam. This is why network administrators often report seeing high volumes of “spam” when much of it is, in fact, unwanted-but-legitimate bulk mail.
Ham vs. spam: Key differences at a glance
Factor | Ham | Spam
--- | --- | ---
Consent | Recipient opted in (directly or indirectly) | No consent was given
Legal status | Legally permitted | May violate CAN-SPAM, GDPR, or other laws
Opt-out | Includes a valid, functional unsubscribe link | May not include a legitimate opt-out
Sender identity | Sender is identifiable and verifiable | Sender may be obscured or spoofed
Malicious intent | Typically none — commercial in nature | May contain phishing links, malware, or fraud
Classification by email filters | Often passes into inbox | Typically caught by spam filters
How to tell the difference between ham and spam
When evaluating a suspicious email, check these three things:
1. Examine the sender's email address
Look at the actual address, not just the display name: a mail client can show "Example Shop" while the address behind it is something unrelated. An address has two parts:
- Local part (often called the username): The text before the @ symbol
- Domain: The text after the @ symbol
Does the domain match a company or service you recognize, and does it match previous messages you have received from that sender? Watch for lookalike domains that differ by a single character (a digit in place of a letter, an extra word, a different top-level domain). If the domain is unfamiliar, proceed with caution. Keep in mind that the visible From header can be forged outright; whether the message actually passed SPF, DKIM and DMARC checks is something your mail gateway, not your eyes, has to determine.
2. Inspect the unsubscribe link — without clicking it
Hover over (but do not click) the unsubscribe link or button and look at the domain in the destination URL:
- If the link domain matches the sender's domain, the message is more likely legitimate ham, and the unsubscribe function is usually safe to use, though caution with any link in an email is always warranted.
- If the link domain does not match the sender's domain, do not click it unless you can explain the mismatch. A link that merely looks like an unsubscribe can redirect you to a phishing page, start a download, or simply confirm to the sender that your address is live. Note that many legitimate senders route unsubscribe and click tracking through a third-party email service provider's domain rather than their own, so a mismatch on its own is a reason to investigate, not proof of malice.
When in doubt, forward the message to your IT security team or your organization’s postmaster@[yourdomain] address.
3. Assess whether you have a prior relationship with the sender
Ask yourself:
- Did I create an account with this company or service?
- Did I download software or accept terms that included marketing consent?
- Have I purchased from or engaged with this brand before?
If you’re receiving promotional emails from a legitimate retailer you’ve used, the most effective action may be to contact the retailer directly and request removal from their marketing list. Reputable brands do not knowingly spam — the issue is often downstream marketing firms or third-party agencies they’ve contracted.
Security reminder: Never click an unsubscribe link if you don’t recognize the sender at all. Malicious senders routinely weaponize unsubscribe links to confirm active email addresses, install malware, or redirect users to phishing pages.
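Steps 1 and 2 above can be applied mechanically to the raw message instead of by eye. The following is an added example, not Barracuda's code or a feature of any Barracuda product: it parses a constructed message, compares the From domain against the Reply-To address, the List-Unsubscribe header and every link in the HTML body, and flags 1x1 images that behave like tracking pixels. The message, its domains (including the "examp1e" lookalike) and the registrable_domain() heuristic of keeping the last two DNS labels are all assumptions made for illustration.

```python
"""Added example, not Barracuda's code: apply checks 1 and 2 to a raw message.

Parses an RFC 5322 message, compares the From domain with the Reply-To domain,
the List-Unsubscribe header and every link in the HTML body, and flags 1x1
images that may be tracking pixels. All names and domains are invented.
"""
from __future__ import annotations

import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not a real one): the From domain looks legitimate,
# but Reply-To, the unsubscribe link and a tracking pixel all point at a
# lookalike domain ("examp1e" with the digit one in place of the letter l).
SAMPLE_EML = """\
From: "Example Shop" <offers@mail.example-shop.com>
Reply-To: support@examp1e-shop-login.net
To: alice@corp.example
Subject: Your exclusive offer
List-Unsubscribe: <https://examp1e-shop-login.net/u?id=123>
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Hi Alice, see this week's deals at <a href="https://www.example-shop.com/deals">our site</a>.</p>
<p><a href="https://examp1e-shop-login.net/unsubscribe?u=123">Unsubscribe</a></p>
<img src="https://examp1e-shop-login.net/t.gif?u=123" width="1" height="1" alt="">
</body></html>
"""


def registrable_domain(host: str) -> str:
    """Return the last two labels of a hostname. This is a simplification
    (an assumption of this example): real code should use the Public Suffix
    List so that names such as shop.co.uk are handled correctly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


class _LinkCollector(HTMLParser):
    """Collect <a href> targets and the src of images declared 1x1 or smaller."""

    def __init__(self) -> None:
        super().__init__()
        self.hrefs: list[str] = []
        self.pixels: list[str] = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.hrefs.append(a["href"])
        elif tag == "img" and a.get("src"):
            if a.get("width") in ("0", "1") and a.get("height") in ("0", "1"):
                self.pixels.append(a["src"])


def analyze(raw: str) -> dict:
    """Return the From domain and a list of human-readable findings."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_addr = parseaddr(str(msg["From"]))[1]
    from_dom = registrable_domain(from_addr.split("@")[-1])
    findings = []

    # Check 1: does the Reply-To go somewhere other than the From domain?
    reply_addr = parseaddr(str(msg.get("Reply-To", "")))[1]
    if reply_addr and registrable_domain(reply_addr.split("@")[-1]) != from_dom:
        findings.append(f"Reply-To goes to {reply_addr.split('@')[-1]}, not {from_dom}")

    # Check 2a: List-Unsubscribe (RFC 2369) carries one or more <URI> entries.
    for uri in re.findall(r"<([^>]+)>", str(msg.get("List-Unsubscribe", ""))):
        host = urlparse(uri).hostname
        if host and registrable_domain(host) != from_dom:
            findings.append(f"List-Unsubscribe points at {host}")

    # Check 2b: every link in the HTML body, plus tracking-pixel candidates.
    body = msg.get_body(preferencelist=("html",))
    collector = _LinkCollector()
    collector.feed(body.get_content() if body else "")
    for href in collector.hrefs:
        host = urlparse(href).hostname
        if host and registrable_domain(host) != from_dom:
            findings.append(f"link to {host} does not match From domain {from_dom}")
    for src in collector.pixels:
        findings.append(f"possible tracking pixel loaded from {urlparse(src).hostname}")

    return {"from_domain": from_dom, "findings": findings}


if __name__ == "__main__":
    report = analyze(SAMPLE_EML)
    print("From domain:", report["from_domain"])
    for line in report["findings"]:
        print(" -", line)
```

On the sample message this reports four findings: the Reply-To, the List-Unsubscribe header, the unsubscribe link and the pixel all resolve to the lookalike domain, while the genuine deals link matches and is silent. In production you would compare against the sender's previous messages or a list of known email service provider domains before treating a mismatch as malicious.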
Why the ham vs. spam distinction matters more than ever in 2026
The email threat landscape has changed dramatically since this topic was first covered in 2013. Here's what's different now:
AI is generating the majority of spam
According to Barracuda’s own threat research, AI-generated spam surged to become the majority of spam detected in April 2025, representing a significant spike compared to prior months. Generative AI tools enable attackers to produce highly convincing, personalized, and grammatically polished messages at massive scale — making them harder to detect.
One in three emails is malicious or unwanted
Barracuda’s 2026 Email Threats Report, which analyzed nearly 3.1 billion emails, found that one in three email messages is either malicious or unwanted spam. Email remains the number-one attack vector for cyberthreats.
The gray area between ham and spam is being exploited
Attackers now exploit the structural appearance of legitimate bulk email — including CAN-SPAM-compliant formatting, professional branding and plausible unsubscribe links — to disguise phishing attempts and malware delivery. A message that looks like ham may actually be a carefully crafted cyberattack.
This makes user awareness and advanced email filtering more critical than ever.
How malicious senders exploit the gray area
Sophisticated threat actors use several techniques to blur the line between ham and spam:
- Spoofed sender domains: Using a domain that looks like a legitimate brand but contains subtle variations (e.g., barracud@.com vs barracuda.com)
- Weaponized unsubscribe links: Legitimate-looking opt-out buttons that redirect to phishing sites or trigger malicious downloads
- Tracking pixels: Tiny invisible images embedded in email that confirm your address is active when you open the message
- Legitimate infrastructure abuse: Sending malicious messages via compromised legitimate email accounts or trusted platforms (e.g., Google Docs notifications, DocuSign alerts) to bypass filters
- AI-generated personalization: Using publicly available data to craft contextually relevant messages that appear to come from known contacts
Barracuda insight: Our Threat Spotlight series provides ongoing analysis of the latest real-world attack techniques. These include multi-step phishing campaigns, device code phishing, and advanced phishing kits that actively evade multi-factor authentication.
How to protect your organization from unwanted and malicious email
Whether you’re dealing with ham, spam, or something more sinister, here’s a practical framework:
For end users
- Never click unsubscribe links for emails you didn’t subscribe to. Forward to your IT or security team instead.
- Hover over links before clicking to verify the destination URL matches the claimed sender.
- Report suspicious emails to your organization’s security administrator — do not delete without reporting.
- Check for sender domain consistency across the From field, reply address, and any embedded links.
- When in doubt, contact the purported sender directly via their official website — not via any links or contact details in the email.
For IT and security teams
- Deploy AI-powered email filtering that can distinguish between bulk ham, spam, and targeted malicious email — not just rule-based filtering.
- Publish SPF, DKIM and DMARC records for your own domains so that other receivers can reject mail that spoofs them, and enforce DMARC evaluation on inbound mail so that messages failing alignment are quarantined or rejected according to the sending domain's published policy.
- Run regular Security Awareness Training so employees can recognize modern phishing, including AI-generated attacks.
- Monitor for compromised accounts — attackers frequently use account takeover to send spam and phishing from trusted internal addresses.
- Review email filtering policies to reduce false positives on ham without increasing exposure to malicious mail.
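To make the authentication bullet concrete, here is an added example (not Barracuda's code or a description of how Barracuda Email Protection works) of what an inbound DMARC evaluation does once SPF and DKIM have already been checked. It assumes the gateway records the results in an Authentication-Results header in RFC 8601 form, and it takes the sending domain's DMARC record as a string instead of looking it up at _dmarc.<domain>, so it runs offline; every header, domain and record below is constructed. The point it demonstrates is that SPF and DKIM can both pass for a spoofed message, because the attacker authenticates a domain they control; DMARC catches the spoof by requiring that the authenticated domain align with the visible From domain.

```python
"""Added example, not Barracuda's code: evaluate DMARC alignment offline.

A receiving gateway records SPF and DKIM results in an Authentication-Results
header (RFC 8601). DMARC (RFC 7489) then asks whether either authenticated
identifier aligns with the domain in the visible From header. This code
parses the header, applies the adkim/aspf alignment modes from a DMARC record
and returns the disposition. The DNS lookup of _dmarc.<domain> is replaced by
a constructed record so that it runs offline; all domains are invented.
"""
import re
from email.utils import parseaddr


def registrable_domain(host: str) -> str:
    """Organisational domain approximated as the last two labels (an assumption
    of this example; real code should use the Public Suffix List)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_auth_results(value: str) -> dict:
    """Extract (verdict, domain) pairs for spf and dkim from an
    Authentication-Results value. The first ';'-separated field is the
    authserv-id and is skipped. Only the properties DMARC needs are read:
    smtp.mailfrom for SPF and header.d for DKIM."""
    found = {"spf": [], "dkim": []}
    for clause in value.split(";")[1:]:
        m = re.match(r"\s*(spf|dkim)=(\w+)", clause)
        if not m:
            continue
        method, verdict = m.group(1), m.group(2).lower()
        prop = "smtp.mailfrom" if method == "spf" else "header.d"
        pm = re.search(re.escape(prop) + r"=([^\s;]+)", clause)
        if pm:
            # smtp.mailfrom may be a full address; DMARC uses its domain part.
            found[method].append((verdict, pm.group(1).split("@")[-1].lower()))
    return found


def parse_dmarc_record(txt: str) -> dict:
    """Parse 'tag=value; tag=value' from a _dmarc TXT record."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def dmarc_evaluate(from_header: str, auth_results: str, dmarc_record: str) -> dict:
    """Apply DMARC identifier alignment and return the disposition."""
    tags = parse_dmarc_record(dmarc_record)
    from_dom = parseaddr(from_header)[1].split("@")[-1].lower()
    results = parse_auth_results(auth_results)

    def aligned(domain: str, mode: str) -> bool:
        if mode == "s":                      # strict: exact match required
            return domain == from_dom
        return registrable_domain(domain) == registrable_domain(from_dom)

    spf_ok = any(v == "pass" and aligned(d, tags.get("aspf", "r")) for v, d in results["spf"])
    dkim_ok = any(v == "pass" and aligned(d, tags.get("adkim", "r")) for v, d in results["dkim"])
    passed = spf_ok or dkim_ok
    return {
        "from_domain": from_dom,
        "spf_aligned": spf_ok,
        "dkim_aligned": dkim_ok,
        "dmarc_pass": passed,
        # If DMARC fails, the sending domain's p= tag says what the receiver should do.
        "disposition": "none" if passed else tags.get("p", "none"),
    }


# Constructed inputs (invented domains). Legitimate bulk ham: the bounce
# address and the DKIM signing domain share the From domain's organisational
# domain, so relaxed alignment passes.
LEGIT_FROM = '"Example Shop" <offers@mail.example-shop.com>'
LEGIT_AR = ("mx.corp.example; spf=pass smtp.mailfrom=bounce.example-shop.com; "
            "dkim=pass header.d=example-shop.com")
# Spoof: the From header claims example-shop.com, but SPF and DKIM both pass
# only for the attacker's own sending domain. Passing is not aligning.
SPOOF_FROM = "billing@example-shop.com"
SPOOF_AR = ("mx.corp.example; spf=pass smtp.mailfrom=bounce@attacker-esp.net; "
            "dkim=pass header.d=attacker-esp.net")
RECORD_RELAXED = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example-shop.com"
RECORD_STRICT = "v=DMARC1; p=reject; adkim=s; aspf=s"

if __name__ == "__main__":
    for label, frm, ar, rec in [("legit/relaxed", LEGIT_FROM, LEGIT_AR, RECORD_RELAXED),
                                ("legit/strict", LEGIT_FROM, LEGIT_AR, RECORD_STRICT),
                                ("spoof/relaxed", SPOOF_FROM, SPOOF_AR, RECORD_RELAXED)]:
        print(label, dmarc_evaluate(frm, ar, rec))
```

The three cases show the behaviour a practitioner needs to reason about: the legitimate message passes under relaxed alignment but fails under strict alignment (the bounce and signing domains are not byte-for-byte equal to mail.example-shop.com), and the spoof fails either way despite "spf=pass" and "dkim=pass" in the header. A real evaluator additionally handles the sp= and pct= tags, falls back from the From subdomain to the organisational domain's record, and uses the HELO identity when MAIL FROM is empty.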
Barracuda Email Protection uses AI and machine learning to detect targeted threats, including phishing, business email compromise (BEC) and malware, across Microsoft 365 and Google Workspace environments.
Protect your inbox with Barracuda Email Protection
Barracuda Email Protection uses AI-powered threat detection to block spam, phishing, malware, business email compromise, and account takeover — before they reach your users.
Frequently asked questions
What is the difference between ham and spam in email?
Ham email is legitimate email that a recipient has knowingly or unknowingly consented to receive, such as newsletters or promotional messages from brands they’ve interacted with. Spam email is unsolicited bulk email sent without the recipient’s consent. Both can be unwanted, but spam — and especially malicious spam — poses a direct security risk.
Is ham email dangerous?
Ham email from legitimate senders is generally not dangerous. However, attackers increasingly mimic the format of ham email (including CAN-SPAM-compliant opt-out links and professional design) to deliver phishing attacks. Users should always verify sender domains and hover over links before clicking, regardless of how legitimate an email appears.
What is the CAN-SPAM Act?
The CAN-SPAM Act is a U.S. law enacted in 2003 that establishes rules for commercial email. It is enforced by the Federal Trade Commission (FTC) and requires commercial senders to include accurate header information, non-deceptive subject lines, a working opt-out mechanism, and a valid physical address. Violations can result in penalties of up to $53,088 per email.
How do email spam filters classify ham vs. spam?
Email security systems use machine learning models trained on large datasets of labelled emails. Messages labelled “ham” are used to train the filter on what legitimate email looks like. Messages labelled “spam” train it to detect unwanted or malicious messages. Modern systems — including Barracuda’s — also analyze behavioral signals, sender reputation, link destinations, and content patterns to make real-time classification decisions at scale.
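The training described in this answer is easiest to see with the simplest filter that actually learns from labels. The following is an added example, not Barracuda's code and not a description of Barracuda's models: a multinomial naive Bayes classifier with Laplace smoothing, trained on a tiny constructed corpus of labelled ham and spam. The corpus, the two messages classified at the end and the tokenizer are all invented for illustration; a production filter trains on vastly more data and many more signals than word counts.

```python
"""Added example, not Barracuda's code: a minimal Bayesian ham/spam filter.

Multinomial naive Bayes with Laplace smoothing over word tokens, trained on a
tiny constructed corpus. It shows why ham labels matter as much as spam
labels: the filter only learns that words such as "unsubscribe" and
"newsletter" are normal in legitimate bulk mail because ham examples that
contain them are in the training set.
"""
from __future__ import annotations

import math
import re
from collections import Counter, defaultdict

WORD = re.compile(r"[a-z0-9']+")


def tokenize(text: str) -> list[str]:
    return WORD.findall(text.lower())


# Constructed training data (invented; a real filter trains on millions of
# labelled messages). Two of the ham messages are bulk mail with opt-out wording.
TRAINING = [
    ("ham", "Your monthly newsletter: new features, release notes and a link to unsubscribe"),
    ("ham", "Order confirmation: your order has shipped, track your package here"),
    ("ham", "Team meeting moved to Thursday, agenda attached, see you then"),
    ("ham", "Weekly digest of blog posts you subscribed to, manage your preferences or unsubscribe"),
    ("spam", "Congratulations winner! Claim your prize now, click here to verify your account"),
    ("spam", "URGENT: your account will be suspended, verify your password immediately"),
    ("spam", "Cheap pills and crypto profits guaranteed, act now limited offer"),
    ("spam", "You have been selected for a free gift card, click now to claim"),
]


class NaiveBayes:
    """Multinomial naive Bayes with add-alpha (Laplace) smoothing."""

    def __init__(self, alpha: float = 1.0) -> None:
        self.alpha = alpha
        self.doc_counts: Counter = Counter()
        self.word_counts: dict[str, Counter] = defaultdict(Counter)
        self.vocab: set[str] = set()

    def train(self, labelled) -> "NaiveBayes":
        for label, text in labelled:
            self.doc_counts[label] += 1
            toks = tokenize(text)
            self.word_counts[label].update(toks)
            self.vocab.update(toks)
        return self

    def _log_word_prob(self, label: str, tok: str) -> float:
        """log P(token | label); unseen tokens get alpha pseudo-counts."""
        counts = self.word_counts[label]
        return math.log((counts.get(tok, 0) + self.alpha)
                        / (sum(counts.values()) + self.alpha * len(self.vocab)))

    def log_posteriors(self, text: str) -> dict[str, float]:
        total_docs = sum(self.doc_counts.values())
        scores = {}
        for label, n_docs in self.doc_counts.items():
            score = math.log(n_docs / total_docs)          # class prior
            for tok in tokenize(text):
                score += self._log_word_prob(label, tok)   # word likelihoods
            scores[label] = score
        return scores

    def classify(self, text: str) -> str:
        scores = self.log_posteriors(text)
        return max(scores, key=scores.get)

    def explain(self, text: str, top: int = 4) -> list[tuple[str, float]]:
        """Tokens that pushed hardest toward spam (positive) or ham (negative)."""
        weights = {tok: self._log_word_prob("spam", tok) - self._log_word_prob("ham", tok)
                   for tok in set(tokenize(text))}
        return sorted(weights.items(), key=lambda kv: -abs(kv[1]))[:top]


def train_filter() -> NaiveBayes:
    return NaiveBayes().train(TRAINING)


# Constructed messages to classify: bulk ham with opt-out wording, and a lure.
NEW_HAM = "Unsubscribe from this newsletter or manage your preferences"
NEW_SPAM = "Claim your free prize now, click here and verify your account immediately"

if __name__ == "__main__":
    clf = train_filter()
    for text in (NEW_HAM, NEW_SPAM):
        print(clf.classify(text), "<-", text)
        print("   strongest tokens:", clf.explain(text))
```

The explain() output makes the page's point visible: "unsubscribe" and "newsletter" carry the ham verdict only because the training set labelled newsletters as ham. Remove those two ham examples and the same words become neutral or spam-leaning, which is exactly the false-positive problem the "review filtering policies" bullet above is about.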
What percentage of email is spam in 2025?
According to Barracuda’s 2026 Email Threats Report, which analyzed nearly 3.1 billion emails, one in three emails is either malicious or unwanted spam. Broader industry estimates suggest that approximately 45–50% of global email traffic is spam, though figures vary significantly based on measurement methodology.
What should I do if I receive suspicious email at work?
Do not click any links or download any attachments. Forward the email to your IT or security team without opening any embedded links. Most enterprise email security platforms — including Barracuda Email Protection — include one-click incident reporting functionality to simplify this process.
Originally published October 2013. Substantially updated for 2026 to reflect the current threat landscape, AI-driven spam trends, and modern email security best practices.