Grey spam: Did I really sign up for this?
Wednesday, May 16th, 2007 at 4:34 pm by Editor
Have you ever noticed that after you sign up to receive “special offers” from your favorite airline you’re suddenly flooded with emails? In just the last nine days my inbox was flooded with 170 solicited e-mails – what I call “grey spam.”
As you can imagine, here at McAfee we get a lot of calls from customers who are concerned about the volume of spam showing up in their inbox. It often turns out to be grey spam. What do I mean by that? Basically, any email you receive after voluntarily providing your e-mail address so you can receive company news, special offers, etc.
Let’s face it, we’ve all been tempted by great online offers. But down the road I end up spending several hours of my precious time trying to unsubscribe from annoying and unwanted emails. Something has to change.
While many companies make it easy for us to receive information, most companies make it hard to opt-out.

[Image: Sample vendor opt-out clause]
These sites are tricky, so what can you do?
• Make sure you uncheck boxes to receive information in the first place (they are often checked by default, and often way down low on the screen). And a word of warning – you’ll need to read the wording very carefully so you don’t unwittingly agree to receive emails in the future.
• Realize that if you don’t enter all of the fields correctly – e.g., while making a purchase – your original selections to opt-out will automatically be reset to the defaults again.
• Under the CAN-SPAM Act there are no legal requirements for businesses to send you a confirmation note that you actually did unsubscribe. Be sure to follow up to make sure this actually happens.
• If you really want to follow the grey spam trail – use a unique email address for each Web site that you transact with. That way you’ll be able to trace who has been using and sharing your email address.
• Finally, a free tool like McAfee’s SiteAdvisor will give you some insight into the number of emails generated from Web sites you share your information with.
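The unique-address tip above can be automated. The following is an added example, not part of the original post: it issues one plus-addressed alias per site, keyed with an HMAC tag so aliases cannot be guessed, and reports when mail to an alias comes from a different domain than the site it was given to. The mailbox, domain, key and sample message are constructed assumptions, and the From header is taken at face value.

```python
import hashlib
import hmac
from email import message_from_string
from email.utils import getaddresses, parseaddr

SECRET = b"constructed-demo-key"          # assumption: a private key only you hold
MAILBOX, DOMAIN = "alex", "example.org"   # assumption: mailbox with plus-addressing

def _tag(site: str) -> str:
    return hmac.new(SECRET, site.encode(), hashlib.sha256).hexdigest()[:8]

def alias_for(site: str) -> str:
    """Unique address to hand to one web site, e.g. at sign-up."""
    site = site.lower()
    return f"{MAILBOX}+{site}.{_tag(site)}@{DOMAIN}"

def site_for(address: str):
    """Site an alias was issued to, or None if the tag does not verify."""
    local, _, domain = address.lower().rpartition("@")
    if domain != DOMAIN or not local.startswith(MAILBOX + "+"):
        return None
    site, _, tag = local[len(MAILBOX) + 1:].rpartition(".")
    ok = hmac.compare_digest(tag.encode(), _tag(site).encode())
    return site if site and ok else None

def trace(raw_message: str):
    """Report which site an incoming message's alias was given to, and
    whether the From domain is someone else (the address was shared)."""
    msg = message_from_string(raw_message)
    sender = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    recipients = msg.get_all("To", []) + msg.get_all("Cc", [])
    for _, rcpt in getaddresses(recipients):
        site = site_for(rcpt)
        if site:
            same = sender == site or sender.endswith("." + site)
            return {"given_to": site, "sent_by": sender, "shared": not same}
    return None  # not addressed to any alias we issued

# Constructed sample: mail from an unrelated sender to the airline's alias.
SAMPLE = (
    "From: Deals <offers@partner-promos.example>\n"
    f"To: {alias_for('airline.example')}\n"
    "Subject: Win a cruise\n\nConstructed test message.\n"
)

if __name__ == "__main__":
    print(trace(SAMPLE))
```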
While legislation, including the CAN-SPAM Act, is rarely a deterrent for “real” spammers, who are creating an estimated 400,000 to 450,000 new IP addresses to blast out spam every day, it may deter grey spammers. But this will never prevent certain grey spam from hitting your inbox if at some point you accidentally, or intentionally, opt to receive these messages.
Eliminating this problem will take a coordinated effort between Internet service providers, security companies like McAfee, and possibly even a governing body for the marketing industry. I believe that a united call for standards will ultimately help everyone. Individuals receiving properly targeted messages are far more likely to do what the sender is hoping for, e.g., purchasing low-fare airline tickets, rather than just hitting the delete button.
I will advocate for changes. In the meantime, remember that every move you make online can have a consequence.
- Posted in CSO / Risk Management
Thank you for the insight on “grey spam.” It was very helpful to a semi-literate computer user. Some folks have suggested that by opting to “unsubscribe” you are actually setting yourself up for even more e-mails. True? Lately, I have been simply adding unwanted e-mails to my “block sender” list rather than unsubscribing. Good idea? Please share your thoughts on the value of unsubscribing – especially from the influx of e-mails like the penny stock offers.
I *highly* recommend you do block sender for emails like “penny stock offers” unless it comes specifically from your broker. The grey spam I am talking about is coming from a relationship you have with a vendor/service online and not truly “unsolicited” email.
You point out something very important. Unsubscribing to truly unsolicited email can be disastrous. It is confirming your identity with a vendor/service you don’t have a relationship with and is likely to increase the amount of true, non-grey spam you are getting.
So to answer your question: if you don’t recognize where the offer is coming from – don’t unsubscribe. Block. If you are certain you never want to receive an email from the sender you should just block. If the sender is a service/product/forum/site you do use and do want to have a relationship with but don’t want newsletters, updates or other emails then you should unsubscribe.
Thanks for the great question.
I’d love to see some evidence that unsubscribing gets you more spam. I get north of 6200 spams/day myself, and my data seems to indicate that the list selling and trading seems to be focused more on the co-registration guys, the sweepstakes vendors, etc. I see little evidence that any sort of legit senders leak addresses wholesale. Though a lot of the spam I get is the “enlarge your member” total bogus no-clue-who-the-sender-is type (a la the penny stock spam), so can’t really tell if they’re reselling an already fraudulently obtained address of mine. I agree that it seems logical that unsubscribing from those is at best worthless, and at worst, confirms an address.
As far as making it easier to unsubscribe from legit mailings down the road, two things actually exist that help this.
First is ISP feedback loops. Report spam at an ISP with a report spam button, and it’ll get you unsubscribed (and vote against the sender — enough votes, and they get blocked). Senders comply because they want to stay in the ISP’s good graces. For the most part, this works.
Second is the list unsubscribe header. Any random jerk can add this header, but registered, validated senders are eventually going to see this show up mapped to an interface button, like “report spam.” Windows Live Mail is the first to dabble with it, and it shows some promise. Consider it a sort of “trusted unsubscribe.”
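An added example, not part of the comment above or of any mail client's code, of the "trusted unsubscribe" idea combined with the unsubscribe-or-block advice earlier in the thread: the List-Unsubscribe header is honoured only for a sender you have a relationship with whose DKIM signature your own mail server verified, and everything else is blocked. Treating "validated" as a DKIM pass, along with the vendor list, server name and sample messages, are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

KNOWN_VENDORS = {"airline.example"}   # assumption: senders you signed up with
MY_MTA = "mx.example.org"             # assumption: authserv-id of your own server

def unsubscribe_targets(msg):
    """Extract the <mailto:...> / <https:...> URIs from List-Unsubscribe."""
    uris = re.findall(r"<\s*([^<>\s]+)\s*>", msg.get("List-Unsubscribe", ""))
    return [u for u in uris if u.lower().startswith(("mailto:", "https:"))]

def dkim_domains(msg):
    """Domains with dkim=pass, taken only from results stamped by our MTA."""
    passed = set()
    for value in msg.get_all("Authentication-Results", []):
        authserv, _, results = value.partition(";")
        if authserv.strip().lower() != MY_MTA:
            continue  # anyone can add this header; ignore foreign ones
        pattern = r"dkim=pass\b[^;]*?header\.d=([\w.-]+)"
        for m in re.finditer(pattern, results, re.I):
            passed.add(m.group(1).lower())
    return passed

def decide(raw_message: str):
    """Return ("unsubscribe", uris) for validated known senders, else block."""
    msg = message_from_string(raw_message)
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    targets = unsubscribe_targets(msg)
    validated = domain in KNOWN_VENDORS and domain in dkim_domains(msg)
    if validated and targets:
        return ("unsubscribe", targets)
    return ("block", [])   # never confirm the address to an unknown sender

# Constructed samples: a vendor newsletter and an unsolicited stock tip that
# carries its own List-Unsubscribe link and a forged authentication header.
VENDOR = (
    "Authentication-Results: mx.example.org; dkim=pass header.d=airline.example\n"
    "From: Fares <news@airline.example>\n"
    "List-Unsubscribe: <mailto:unsub@airline.example>, <https://airline.example/u/1>\n"
    "\nConstructed newsletter.\n"
)
STOCK = (
    "Authentication-Results: mx.sender.example; dkim=pass header.d=airline.example\n"
    "From: Hot Picks <tips@penny-stock.example>\n"
    "List-Unsubscribe: <https://penny-stock.example/confirm?id=1>\n"
    "\nConstructed unsolicited message.\n"
)
```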
[...] on this theme of unwanted grey mail, as previously blogged by our CTO Chris Bolin and my colleague Schalk Cronje, I’ve written a short whitepaper to offer you some [...]