Over the past year, one of the complaints we have received about spam filtering concerns gray mail. For those who don’t know the term, gray mail is marketing or bulk mail that is sent out en masse and may or may not be wanted by the recipient. Of course, there are varying shades of gray among gray mailers. Those who use double opt-in are light gray, whereas those for whom you go to a web page, download some software, and find the “send me mail” check boxes already ticked by default, sometimes in small print, are a heavier shade of gray. Other promoters use confusing wording such as “Uncheck the box if you do not wish to receive mail from us,” which is a double negative. Users are getting wiser and have learned to uncheck boxes, because a ticked box usually means you are opted in; but when the wording is inverted, a user acting on habit rather than reading carefully ends up doing the opposite of what they intended. These mailers are dark gray. Darkest of all are the mailers who sell your email address to others. The case can be made, fairly easily in my opinion, that those who do this sort of thing are spammers.
Anyhow, the point is that for the medium shades of gray, the first three cases I listed, you have, technically speaking, opted into the promoter’s, advertiser’s, or newsletter writer’s communication stream. Because some people may legitimately want to receive this mail, a company-wide spam rule that blocks all mail from that sender is inappropriate. For some recipients this mail is spam (or rather, it is called spam); for others, blocking it would be a false positive. The problem with gray mail is that it is unwanted and wanted at the same time. As a spam filter, the rule of thumb is to err on the side of leniency rather than harshness, so mail that plays both sides should be let in. Mail that particular users don’t want (and call spam) is better handled by user-level rules, such as a blocked-senders list.
The term “spam” is thrown about freely, but the definition is unsolicited commercial or bulk email. It is not necessarily unwanted mail: if you opted into the communication stream, it is not unsolicited. You may not have meant to opt in because a psychological trick was used on you, but that doesn’t make the mail spam. It just means that the people behind the platform are a bunch of ethically challenged jerks. Still, there is no way to differentiate between a user who deliberately opted in to receive communication from a mailer and one who accidentally opted in because they were tricked. Since a user had to take action to receive the communication, the mail is not unsolicited, and therefore it is not spam. Incidentally, this illustrates the value of double opt-in. If you use clear language and require the user to take action to opt in, first by ticking a check box that is not pre-checked and then by clicking a link in a confirmation email you send them, you remove virtually any ambiguity about whether the user wanted mail from you. They absolutely did, they took action twice, and you can send mail with a clean conscience and deserve to have it delivered, particularly if you also offer a 1-click unsubscribe.
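The double opt-in flow described above, carried through as an added example (this is not the author’s code or any list manager’s product). Consent is only recorded when a signed, expiring confirmation link is clicked; the unsubscribe link is signed the same way but never expires, and the RFC 8058 one-click headers are emitted for it. The list name, secret key, addresses and the unsubscribe endpoint URL are placeholders assumed for the example.

```python
"""Double opt-in with HMAC-signed confirmation and unsubscribe links.

Constructed example: list ids, the secret key, addresses and the unsubscribe
endpoint are placeholders, not a real deployment.
"""
import base64
import hashlib
import hmac
import time
from dataclasses import dataclass
from typing import Optional

CONFIRM_TTL = 48 * 3600   # assumption: a confirmation link is good for two days


def _b64(s: str) -> str:
    return base64.urlsafe_b64encode(s.encode()).decode().rstrip("=")


def _unb64(s: str) -> str:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4)).decode()


@dataclass
class Subscriber:
    email: str
    status: str                      # "pending", "confirmed" or "unsubscribed"
    requested_at: float              # when the box was ticked
    confirmed_at: Optional[float] = None   # when the link was clicked
    unsubscribed_at: Optional[float] = None


class DoubleOptInList:
    """One mailing list; mail may only go to addresses whose link was clicked."""

    def __init__(self, list_id: str, secret: bytes):
        self.list_id = list_id
        self._secret = secret
        self.subscribers: dict[str, Subscriber] = {}

    def _sign(self, purpose: str, email: str, expires: int) -> str:
        # The list id and purpose are bound into the MAC, so a confirm token
        # cannot be used to unsubscribe, nor replayed against another list
        # that happens to share the key.
        msg = f"{self.list_id}|{purpose}|{email}|{expires}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()

    def _token(self, purpose: str, email: str, expires: int) -> str:
        return f"{purpose}.{_b64(email)}.{expires}.{self._sign(purpose, email, expires)}"

    def _parse(self, token: str, purpose: str, now: float) -> Optional[str]:
        """Return the address if the token is authentic, unexpired and issued
        for `purpose`; otherwise None.  Malformed tokens are rejected."""
        try:
            tok_purpose, email_b64, expires_s, sig = token.split(".")
            expires = int(expires_s)
            email = _unb64(email_b64)
        except ValueError:
            return None
        if tok_purpose != purpose:
            return None
        if expires and now > expires:        # expires == 0 means "never"
            return None
        if not hmac.compare_digest(sig, self._sign(purpose, email, expires)):
            return None
        return email

    def request(self, email: str, now: Optional[float] = None) -> Optional[str]:
        """Step 1: the user ticked an unchecked box.  Record a pending entry and
        return the token for the confirmation mail, or None if the address is
        already confirmed (nothing needs sending)."""
        now = time.time() if now is None else now
        email = email.strip().lower()
        sub = self.subscribers.get(email)
        if sub is not None and sub.status == "confirmed":
            return None
        self.subscribers[email] = Subscriber(email, "pending", now)
        return self._token("confirm", email, int(now) + CONFIRM_TTL)

    def confirm(self, token: str, now: Optional[float] = None) -> bool:
        """Step 2: the user clicked the link.  Only a pending address is
        promoted, so a replayed link cannot resurrect someone who has since
        unsubscribed."""
        now = time.time() if now is None else now
        email = self._parse(token, "confirm", now)
        sub = self.subscribers.get(email) if email else None
        if sub is None or sub.status != "pending":
            return False
        sub.status, sub.confirmed_at = "confirmed", now
        return True

    def unsubscribe_token(self, email: str) -> str:
        # An unsubscribe link must keep working however old the message is.
        return self._token("unsub", email.strip().lower(), 0)

    def unsubscribe(self, token: str, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        email = self._parse(token, "unsub", now)
        sub = self.subscribers.get(email) if email else None
        if sub is None:
            return False
        sub.status, sub.unsubscribed_at = "unsubscribed", now
        return True

    def may_send(self, email: str) -> bool:
        sub = self.subscribers.get(email.strip().lower())
        return sub is not None and sub.status == "confirmed"

    def list_unsubscribe_headers(self, email: str, unsub_url: str) -> dict[str, str]:
        """RFC 8058 one-click headers; `unsub_url` is a placeholder endpoint
        that accepts the POST and calls unsubscribe() with the token."""
        url = f"{unsub_url}?token={self.unsubscribe_token(email)}"
        return {"List-Unsubscribe": f"<{url}>",
                "List-Unsubscribe-Post": "List-Unsubscribe=One-Click"}
```

The consent record keeps both timestamps, which is what you want to be able to show when a recipient (or their mail provider) asks how an address got onto the list. Tampered, expired and wrong-purpose tokens are rejected before any state changes, and a confirmation link replayed after an unsubscribe does nothing.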
But when it comes to unsubscribes, you might wonder “Why doesn’t a person who calls gray mail spam, erroneous or not, simply unsubscribe from the email communication?” Indeed, why don’t they? I believe that there are two reasons:
Anyhow, I bring all of this up because even though gray mail is opt-in, just how opt-in is it really? When we first dealt with gray mail, we asserted that a company executive who goes to conferences and hands out business cards is seriously risking having their email address harvested and added to gray mailing lists. Technically they opted in, though adding their address to that list was certainly an unethical thing to do. It’s really a bait-and-switch technique: you think you are doing one thing but end up with quite another.
Well, as it turns out, I recently went to a conference and handed out my business card for a draw to win a prize. I didn’t win (d’oh); however, the week after I got back I did receive a sales email from the company that sponsored the draw! It was a pleasure meeting me last week, and if I ever want my anti-spam and anti-virus needs addressed, I should go ahead and contact them!
Now the question is this: is this particular email spam or not? Did I consent to receive the mail or not? I certainly did not do so explicitly, but one could argue that there is no such thing as a free lunch: if I am going to win an expensive prize, the cost to me is receiving a one-time communication from that company. But what if it is several communications from that company? Did I sign up for that? What about the rules of the contest? Should I have read the fine print beneath the placard saying I might receive communications? I would have thought that I was handing out my business card in good faith, merely trying to win a prize, not providing the company with a means of populating its distribution list. After all, we’re all security professionals; we should know what constitutes good list-management practice. But on the other hand, maybe I am a little naive to have this expectation.
So what do you think? Spam or not?
That depends upon whose definition you use -- and I don't fully agree with your definition. I consider stealth "opt in" not to be opt in at all, and I consider mail generated by that to be spam. To me, if I didn't explicitly say "send me crap", then the crap you sent is spam.
On the other hand, there are plenty of people who do explicitly subscribe to stuff, and who then consider it to be spam when they decide they don't want it any more. That doesn't fit my definition of spam, nor yours, but it absolutely fits *theirs*.
Going by the CAN-SPAM Act, though, the answer to your question is that the mail in question is not legally spam -- you have established a relationship with them, which permits them to send you email.
I think the real question, though, doesn't go to the intricacies of defining spam, but the common-sense business practice of not irritating your (potential) customers. Many folks seem to have forgotten that.
Although it's not my intent to engage in a personal attack, I think you're guilty of engaging in more than a little sloppy thinking here. If someone is using psychological tricks to pad out their mailing list, and claiming that list is "opt-in" (such as the pre-checked "mail me" checkbox), that's not a grey area. That's spam. It's high on the list of email "thou shalt nots". When a user must take action to AVOID receiving email, that's spam. The fact that I handed you my business card does not constitute permission. If you then place all the email addresses from all the business cards you collect on a mailing list, you can't then claim you have permission. It's not at all nebulous. Permission is obtained by asking for it. If you didn't in fact request permission, but simply presumed it, then you don't have it.
This is not to say that there isn't a gray area, just that it's not nearly as broad as you're imagining it to be. Permission, how to obtain it, what to expect from it, how to manage it, is, in actuality, VERY clear cut, and the ENTIRE definition of spam hinges on the lack of permission multiplied by the scale of sending to a large list.
I disagree, Brian. If you go to someone's web page and download something and at the end there are Terms and Conditions, and one of those terms and/or conditions is that you have to take action in order to not receive communications, then while it is bad mailing practice, I wouldn't call it spam. The fact is that a user browsed to the page, decided to take action and then as a consequence receives communication.
The fact is that had said user not browsed to the page and decided to get free software or whatever, the mailer would not have acquired their mail address. While this mechanism of email acquisition is dark gray, it is not the same as a spammer doing a directory harvest attack and building lists that way.