Why You're Getting iMessage Spam From Email Addresses on iPhone (and What Actually Stops It)
TL;DR
- iMessage delivers messages by phone number AND by email address, so spammers send from throwaway iCloud, Gmail, and disposable email addresses to bypass phone-number blocking.
- “Block this Contact” only stops that one email. Spammers rotate through hundreds of senders a week, which is why blocking feels endless.
- Smishing now accounts for about 35% of all phishing reports and jumped 40% from 2024 to 2025, with click-through rates between 19% and 36% versus 2% to 4% for email phishing.
- The fix is layered: turn on Filter Unknown Senders, choose “Delete and Report Junk” instead of “Block this Contact,” and use an SMS filter app that filters by content, not by sender.
You picked up your iPhone and there’s a text in iMessage from something like abcd1234xyz@gmail.com or some random iCloud alias telling you a package is on hold, or your Apple ID needs verifying, or you’ve won a gift card. The bubble is blue, which means iMessage and not SMS. The sender is an email address, not a phone number. You tap “Block this Contact” and an hour later another one shows up from a different email.
You’re not imagining the pattern. This is happening to a lot of people right now, and the way iMessage routes messages is the reason.
Why iMessage Spam Comes From Email Addresses in the First Place
iMessage (Apple’s blue-bubble service) routes a message to your iPhone by two identifiers: phone number or email address. When you set up an Apple ID, your iCloud email becomes an iMessage destination by default. Apple designed it this way so you could reach iPhone users from a Mac or iPad without typing a number, and so people who change phones could keep their conversations going.
Spammers found the door. Creating a throwaway @gmail.com, @icloud.com, or @outlook.com address is free and takes about a minute. Each new address becomes a fresh iMessage sender. They write a script, plug in a list of addresses, and the messages route through Apple’s network rather than through your carrier’s SMS filter. That last part matters more than it sounds. U.S. carriers (AT&T, Verizon, T-Mobile) catch a meaningful chunk of SMS-based spam at the network level. They have no view into iMessage.
The April 2025 disclosure of a phishing-as-a-service platform called Lucid put numbers on this. Researchers reported that Lucid hit 169 organizations in 88 countries using iMessage and RCS messaging specifically because those channels sidestep carrier-level filtering (The Hacker News, April 2025).
There’s also a click-through gap that explains why scammers keep doing this. Industry reports put SMS and iMessage smishing click-through rates between 19% and 36%. Email phishing sits around 2% to 4%. Your iMessage inbox is the highest-converting attack channel a phishing operator currently has access to.
What Apple’s “Block this Contact” Actually Does
Tapping the sender name at the top of the conversation, then “info,” then “Block this Contact” tells iMessage to ignore future messages from that exact identifier. The mechanism is the same whether the identifier is a phone number or an email address.
The problem is volume. A spammer running an iMessage phishing campaign is not using one address. They are rotating through hundreds. Block one, the next message comes from a different alias. You can sit there blocking emails all afternoon. The queue refills.
Ask Leo’s long-running write-up on this puts the point bluntly: using “block sender” to stop spam is “a complete waste of time and effort” because each spam message comes from a new address (Ask Leo!). The same logic applies to email-routed iMessage spam. Aura’s security team makes the same point about iMessage in particular: spammers cycle through addresses, so blocking one barely dents the next batch (Aura).
There’s a second issue. When you tap Block, you tell your iPhone about that one address. You do not report the message as spam, which is the action that actually helps Apple’s filtering improve.
The Action That Helps: Delete and Report Junk
Apple ships a built-in spam-reporting flow that does more than blocking. Per Apple’s official guidance:
If you haven’t opened the message yet:
- Swipe left on the message in your inbox.
- Tap the trash icon.
- Tap “Delete and Report Junk.”
If you already opened it:
- Scroll to the bottom of the conversation.
- Tap “Report Junk” under the message bubble.
- Tap “Delete and Report Junk.”
Here’s what changes when you report instead of block. The message and the sender go to Apple. Apple uses these reports to refine the on-device spam classifier and to identify senders mass-blasting phishing across iMessage. A February 2026 9to5Mac security write-up confirmed that user spam reports remain a primary training signal for Apple’s iMessage filter. Reporting helps every iPhone user, including you the next time the same template goes out.
Apple does not share the contents of your reported messages with the original sender. They get the message and the metadata, you stay out of it.
Step One: Turn On Filter Unknown Senders
This is the iOS feature that sorts messages from anyone who is not in your contacts into a separate folder. They don’t push notifications and they don’t sit at the top of your main inbox.
On current iOS: open Settings, tap Apps, tap Messages, scroll to “Message Filtering,” then turn on “Filter Unknown Senders.” On older iOS, it lives at Settings > Messages > Filter Unknown Senders.
This does not delete the spam. It moves spam out of your main inbox so you stop seeing it constantly and stop tapping notifications by reflex. Tap the “Filters” button at the top of the Messages app to see the Unknown Senders folder when you want to check it.
If you already had this on and you’re still getting spam in your main inbox, the spammer is likely using a sender Apple’s filter has not classified yet, or the message contains a string that Apple has flagged as legitimate (some carrier and bank shortcodes get the “known” treatment).
We covered the limits of this feature in more depth in Why “Filter Unknown Senders” Isn’t Enough to Stop Spam Texts on iPhone.
Step Two: Filter By Content, Not By Sender
This is the real fix.
Spammers can swap sender addresses forever. The wording of their messages stays close to the same, because the pitch is what converts. “Your package is on hold.” “Your Apple ID will be locked in 24 hours.” “Tap here to verify.” The body of the message is the consistent piece across every rotation of every alias.
Filtering by content means your phone reads the actual words of the message and decides whether to silence it, regardless of who sent it. iOS does not expose this natively. You need a third-party SMS filter app.
Not Today (our app) filters iMessage and SMS by keyword, by sender, and through an optional AI scan. You set a rule like “any message containing ‘package on hold’ goes to junk,” and the rule applies to every new sender, on every channel iOS lets a filter see. The other piece is our community database of 85,000+ reported numbers, which catches senders that other people have already flagged before they reach you. We built this because we kept running into the exact problem this post is about.
The general principle holds even if you pick a different app: filtering by sender is whack-a-mole, filtering by content is durable.
What to Do If You Already Tapped a Link
Stop. Do not enter anything else into the page that opened.
- If you typed a username and password into a fake login page, change that password right now, ideally from a different device. Change it on any other account where you reused the same password.
- If you typed payment information, call your card issuer and ask them to freeze and reissue the card. Use the number on the back of the card, not a number from the text message.
- If the page asked for your Apple ID or iCloud password, sign into appleid.apple.com on a real device, change your password, and review the Devices list at the bottom of the page. Remove anything you do not recognize.
- Report the message to Apple using the Delete and Report Junk flow. Report the scam to the FTC at reportfraud.ftc.gov.
If money was actually moved, our post on what to do if you’ve already been scammed covers the first 48 hours, including how to recognize the recovery-scam call that will probably come next.
One Other Thing: Stop Replying
Do not reply STOP. Do not reply NO. Do not reply anything. Replying to an iMessage from a spammer’s email address tells the sender three things: this address is read by a human, the human engages, and the email-to-iMessage route works. That makes your iCloud address more valuable on the next “verified active” list a phishing operator buys.
We covered the reply-STOP question in Stop Replying STOP to Spam Texts. Here’s What Actually Happens..
What Actually Works, in Order
Here is the order I would recommend setting this up:
- Turn on Filter Unknown Senders. One toggle, two minutes.
- Choose “Delete and Report Junk” on every spam message for the next two weeks. The on-device filter learns from the reports.
- Add a third-party SMS filter app that filters by message content. Run it alongside iOS’s built-in filter.
- Stop blocking individual senders one at a time. Save the time.
The smishing volume isn’t dropping. The FTC’s May 2026 report on imposter scams labels imposter scams the #1 fraud category for the ninth year running, with over 1 million reports and $3.5 billion in losses logged in 2025, and government-imposter reports (largely toll texts) up 40%. Apple’s filter has gotten better. A tool that reads message content gives you a second layer the platform doesn’t yet provide on its own.
Not Today is a free spam-blocking app for iPhone. We built it to catch spam before it reaches you, using keyword rules, a community database of 85,000+ reported numbers, and optional AI detection. No account required. Download on the App Store.