A suppression list is a list of suppressed email addresses used by email senders to comply with the CAN-SPAM Act of 2003 (United States of America). CAN-SPAM requires that senders of commercial email provide a functioning opt-out mechanism by which recipients can unsubscribe their address from future messages. Unsubscribed addresses are placed into a "suppression list", which is then used to "suppress" future messages to those addresses.
A suppression list contains valid email addresses. Suppression list abuse occurs when a third party takes a suppression list and emails messages to the email addresses in the list. The original sender of the email messages who provided the opt-out mechanism may be liable for suppression list abuse.
A suppression file is applied per campaign: addresses on it are excluded from the send, because those recipients have chosen not to receive mail for that product. In email marketing terms, a suppression list holds the addresses that have already opted out of updates for that particular product.
Protection and tracking
A variety of technological means are used to protect suppression lists and to track suppression list abuse. These include scrubbing of email lists by a neutral third party (so that neither the list owner nor the mailer has to hand its plaintext list to the other), distribution of MD5-hashed suppression lists instead of plaintext addresses, and distribution of "seeded" email lists, which contain decoy addresses controlled by the list owner so that any mail arriving at a seed address reveals that the list was used.
The best practice in distributing these lists is to avoid sending the email addresses themselves as plaintext, and instead to send a list with one "hash" per line, each hash generated from an email address using a one-way cryptographic hash function. Both parties must apply the same normalization (commonly trimming whitespace and lowercasing) before hashing, or the same address will produce different hashes on each side and fail to match.
Internal mailing lists can be scrubbed by using the same hash function to generate one hash for each email address on the internal list; if an internally generated hash matches any hash on the suppression list, the corresponding internal email address *should* be removed.
Because the hash is one-way, a person who holds only the hashed list cannot read the original email addresses directly, so an address on it cannot casually be *added* to (rather than removed from) an internal mailing list. This protection is weaker than it sounds: email addresses are low-entropy and unsalted MD5 is fast, so anyone with a dictionary of candidate addresses (a scraped or purchased list, for example) can hash each candidate and recover every address that appears in the suppression list, the same problem Bellezza describes for published Gravatar hashes. Hashing raises the cost of abuse and prevents direct copying, but it does not make a suppression list safe to distribute freely, which is why it is combined with third-party scrubbing and seeding.
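The hash-based exchange described above, as an added example (not code from the original article or from any ESPC specification): the list owner distributes one MD5 hex digest per address, the mailer hashes its own list with the same normalization and drops every match, and a third function shows the caveat, recovering plaintext addresses from the hashed list with nothing more than a dictionary of guesses. The sample addresses, the lowercase-and-strip normalization, and the function names are assumptions made for the example.

```python
import hashlib

# Constructed sample data for the demonstration (not real addresses).
SUPPRESSION_ADDRESSES = [
    "Alice.Smith@Example.com",
    "bob@example.org",
    "carol+promo@example.net",
]

INTERNAL_MAILING_LIST = [
    "alice.smith@example.com",  # opted out: must be removed
    "dave@example.com",
    "bob@example.org",          # opted out: must be removed
    "erin@example.net",
]


def normalize(address: str) -> str:
    """Canonicalize an address before hashing.

    Both sides must apply identical normalization or hashes will not match.
    Lowercasing the whole address is an assumption made for this example: the
    local part is case-sensitive per RFC 5321, but list operators in practice
    treat it as case-insensitive.
    """
    return address.strip().lower()


def hash_address(address: str, algorithm: str = "md5") -> str:
    """One-way hash of a normalized address, hex-encoded (one per line in the file)."""
    return hashlib.new(algorithm, normalize(address).encode("utf-8")).hexdigest()


def build_suppression_hashes(addresses, algorithm: str = "md5") -> set:
    """What the list owner distributes: hashes only, never plaintext addresses."""
    return {hash_address(a, algorithm) for a in addresses}


def scrub(internal_list, suppression_hashes, algorithm: str = "md5"):
    """Drop every internal address whose hash appears in the suppression list.

    Returns (kept, removed) so the operator can audit what was suppressed.
    """
    kept, removed = [], []
    for address in internal_list:
        if hash_address(address, algorithm) in suppression_hashes:
            removed.append(address)
        else:
            kept.append(address)
    return kept, removed


def dictionary_recovery(suppression_hashes, candidate_addresses, algorithm: str = "md5"):
    """The caveat: an unsalted hash of a guessable address is recoverable.

    Whoever holds the hashed list plus a dictionary of candidate addresses
    hashes each candidate and looks it up; every hit is a plaintext address
    that the list owner meant to keep confidential.
    """
    recovered = {}
    for candidate in candidate_addresses:
        digest = hash_address(candidate, algorithm)
        if digest in suppression_hashes:
            recovered[digest] = normalize(candidate)
    return recovered


if __name__ == "__main__":
    hashes = build_suppression_hashes(SUPPRESSION_ADDRESSES)
    kept, removed = scrub(INTERNAL_MAILING_LIST, hashes)
    print("kept:     ", kept)
    print("removed:  ", removed)
    # A constructed attacker dictionary that happens to contain two opted-out addresses.
    guesses = ["bob@example.org", "frank@example.com", "ALICE.SMITH@example.com"]
    print("recovered:", dictionary_recovery(hashes, guesses))
```

Running the script scrubs the two opted-out addresses from the internal list and then recovers both of them from the hashes using only the guess list, which is why distributing a hashed suppression list is a cost-raising measure rather than a confidentiality guarantee.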
- Birkner, Cari. "ESPC Sets Deadline to Require MD5 Hash Encryption". 2009.
- Bellezza, Antonio. "Gravatars: why publishing your email's hash is not a good idea". www.developer.it.