RE: [Asrg] Implicit Consent (was: Another criteria for "what is spam"...)

Vernon Schryver <> Thu, 05 June 2003 18:37 UTC

References: <DD198B5D07F04347B7266A3F35C42B0B0FD02A@io.cybercom.local>
List-Id: Anti-Spam Research Group - IRTF <>

> From: "Peter Kay" <>

> I would say that if you sent verisign an email (and that email was NOT
> asking to no longer receive emails) that, yes, there is an implied
> consent to communicate with verisign. And yes, if they "flooded" you
> with messages about their products, it is NOT UBE (I still may not like
> it, and I may even hate it, but it's not UBE).

I strongly disagree with that notion.  It is not justified by the
need to make the crime of spam well defined.  Instead, you need
only require that Verisign have evidence that a reasonable person
would agree is a solicitation for bulk mail.  A message saying
"tell me how to use PKI" would probably qualify as a solicitation,
particularly given the educational facade of the Verisign spam.
However, there is no honest justification for treating a message
asking "Is the enclosed cert for Microsoft Corporation for the
organization in Redmond or a repetition of the infamous fraud?" as
a request for Verisign's familiar spam.

> ...
> It also means that if, on the signature of your email, you EXPLICITLY
> state you do not want to receive any bulk email, and they ignore that
> EXPLICIT request, it's UBE.

In the real world, absolutely no one wants all bulk mail.  Absolutely
everyone who knew it would be effective would add that phrase to their
signatures.  That is another way of stating the obvious fact that bulk
mail is not implicitly solicited by any and all communications from
the victim.

> There's a difference between mail we don't want to get, bad practices of
> various vendors, and UBE.  If we can keep this thread on defining the U
> and B along nice, thick black lines, then we have a clear definition of
> UBE. 

Again, it is impossible and undesirable to draw thick black lines that
separate spam from non-spam, except for our computers that we know
are too stupid to see the real, fuzzy lines.  Any line thick enough
to be seen by computers will overlap some hard cases and so controversial
cases.  It is impossible to avoid all controversy about whether mail
is spam, just as it is impossible to avoid all controversy and even
injustice about all cases of burglary and insider trading.  There
will always be gray areas.  Simplistic definitions cannot work and
only give aid and comfort to spammers.

> We can never claim that people will never receive an email that they
> don't like or want,  we can't help ISPs figure out how not to lose money
> accepting email, and we can't stop your uncle from sending you stupid
> jokes, but we can certainly look at an email and say, "yes, that's UBE"
> or "no, that's not UBE".

Yes, but there will always be fuzzy cases where reasonable people
will disagree, just as with insider trading and burglary.

> And then we can make sure our technology solutions are in-line with the
> scope of the problem that UBE defines.

That is just as true of technical spam defenses as burglar alarms and
the SEC's insider trading detection systems.  The technical machinery
can do a good job, but it can never be even as imperfect as we are
(at least not until we have truly thinking and understanding computers).
There will always be cases where the machinery gets it wrong, as well
as cases where we can't agree on what's right.

Insisting that the machinery be absolutely in-line with what we think
is spam is equivalent to the obvious nonsense that false positives
and false negatives will never happen.

Vernon Schryver
Asrg mailing list