Over the past year, one of the complaints that we have gotten around spam filtering is filtering out gray mail. For those of you who don’t know what gray mail is, it is marketing or bulk mail that is sent out en masse and may or may not be wanted by the recipient. Of course, there are varying levels of gray within a gray mailer. Those who are double opt-in are light gray whereas those for whom you go to a web page and download some software and have check boxes on by default, sometimes in small print, are a heavier shade of gray. More promoters still have confusing wording such as “Uncheck the box if you do not wish to receive mail from us” which utilizes a double negative. Since users are starting to get wiser and are beginning to uncheck boxes because checking the box frequently opts you in, by force of habit they don’t read too carefully and check the box and have done the opposite of what they thought they were doing. These types of mailers are dark gray. Darkest yet are the mailers who sell your email address to others. The case can be made – fairly easily in my opinion – that those who do this sort of thing are spammers.
Anyhow, the point is that for the medium shades of gray, the first three cases I listed, technically speaking you have opted into the promoter’s, advertiser’s, or newsletter writer’s communication stream. Because there are some people who may legitimately want to receive this mail, at a company wide level a spam rule to block all mail from that sender is inappropriate. For some people this type of mail will be spam (or rather, it will be called spam), and for others it will be false positives. The problem of gray mail is that it is both unwanted and wanted at the same time. As a spam filter, the rule of thumb is generally to be more lenient than too harsh and mail that plays both sides should be let in. To deal with the problem of unwanted mail to some users (which they refer to as spam), user level rules such as a blocked sender is the appropriate course of action.
The term “spam” is frequently thrown about by people, but the definition is unsolicited commercial or bulk email. It is not necessarily unwanted mail because if you opted into the communication stream, it is not unsolicited. You may not have meant to do it because they used a psychological trick, but that doesn’t mean it is spam. It just means that the people behind the platform are a bunch of ethically challenged jerks. Still, to them, there’s really no way to differentiate between a user who deliberately opted in to receive communication from the mailer and one who accidentally opted in because they were tricked. But since a user must take action to receive communication, the mail is not unsolicited. Therefore, it is not spam. Incidentally, this illustrates the value in double opt-in mail. If you use clear language and a user must take action to opt into receiving communications from you first of all by clicking a check box, and then sending them a confirmation email in which they must click the link, this removes virtually any ambiguity that the user wanted to receive mail from you. They absolutely did, and they took action twice, and you can send mail with a clean conscience and deserve to have your mail delivered, particularly if you have a 1-click unsubscribe solution.
But when it comes to unsubscribes, you might wonder “Why doesn’t a person who calls gray mail spam, erroneous or not, simply unsubscribe from the email communication?” Indeed, why don’t they? I believe that there are two reasons:
- They have been trained to not click unsubscribe.
As an industry, we in the antispam world have actually done a pretty good job at educating users not to respond to spam. Maybe not everyone knows it, but a good proportion of people do. They do this because they know that unsubscribes don’t work and that spammers use them to verify that a user’s email address is still valid and is actively monitored. This increases the value of the email address.
Since we have trained users so well, when they see a valid unsubscribe in an email, they think “Oh, this message is spam. And what’s this? An unsubscribe? I’m not going to click it because it means that the spammer knows my address is valid and the antispam vendors tell me not to do it!” Of course, we in the industry, when we say “Don’t click unsubscribe” actually mean “Don’t click unsubscribes in spam. For legitimate newsletters it is fine to do it.” Unfortunately, when it comes to gray mail many users cannot tell the difference. They are trained to be defensive. And the whole point is that even though it is technically gray, they still believe it is spam. So, if they are trained not to click unsubscribes in spam, then it their perception of the message is spam then they will not click the unsubscribe.
I don’t fault users for this, it’s not their job to tell the difference between spam and non-spam when the distinction is kind of blurry.
- Users expect their antispam solution to take care of spam/gray mail.
This is where the discussion gets interesting. When it comes to software, users are always becoming more and more demanding. I hardly need to bring up evidence of this, but look no further than Microsoft Word. Consider all of the features that were in the first version of Word compared to Word 2010 – we have things like auto-correct, grammar checks, collating, sending via mail with 1-click solution, and much more. These are all in response to user demands for such features. In similar fashion, users expect their spam filters to be able to tell the difference between spam, gray mail and wanted mail. If a user believes that gray mail is spam, then they believe that the spam filter should be able to figure that out and block it. The expectation is that a filter should not only be configured to block obvious spam, but should also be able to block non-obvious spam or borderline spam.
Whether or not this is a reasonable expectation, users want to be able to not receive the mail they don’t want to receive. It should be blocked at the spam filtering layer without them having to build a custom set of blocked senders. A simple “Report as Spam” and the message should heretofore be blocked forever from every arriving in their inbox. Thus, the requirements for a spam filter at a global level need to get pushed down to the custom level. This increases the management overhead of a filter (if content == A and recipient == B, block A). These custom rules must be evaluated and only fire if a narrow set of circumstances is met. It is much less efficient than if a given spam rule set executes across the global user base.
Anyhow, I bring all of this up because even though gray mail is opt-in, just how opt-in is it really? When we were first dealing with this issue of gray mail, we asserted that a company executive that goes to conferences and hands out business cards is seriously risking having their email address harvested and added to gray mailing lists. They were technically opting in though adding their email to that list was certainly and unethical thing to do. It’s really a bait-and-switch technique where you think you are doing one thing but ending up with quite another.
Well, as it turns out, I recently went to a conference and handed out my business card for a draw to win a prize. I didn’t win (d’oh), however, the week after I got back I did receive a sales email from the company that was sponsoring the draw.! It was a pleasure meeting me last week, and if I ever want to have my Anti-spam and Anti-virus needs addressed, I should go ahead and contact them!
Now the question is the following: Is this particular email spam or not? Did I express consent to receive the mail or not? I certainly did not do so explicitly, but one could argue that there is no such thing as a free lunch. If I am going to win an expensive prize, then the cost to me is to receive a one time communication from that company. But what if it is to receive several communications from that company? Did I sign up for that? What about the rules of the contest? Should I have read the fine print beneath the placard that said I might receive communications? I would have thought that I was handing out my business card in good faith and I was merely trying to win a prize, not provide the company with a means of populating their distribution list. After all, we’re all security professionals, we should know what constitutes best list management practices. But on the other hand, maybe I am a little naive to have this as my expectation.
So what do you think? Spam or not?