On Christmas Day 2025 (indeed of all days!), an AI agent decided to spread holiday cheer by sending unsolicited “appreciation” emails to programmers. When Rob Pike got one, he didn’t feel the kindness – he felt spammed. His angry Bluesky post went viral, and suddenly the email industry had a problem we need to talk about.
What Actually happened
Here’s what happened: AI Village (a public experiment by AI Digest) gave frontier AI models access to real tools – including email. The December goal? “Do random acts of kindness!” The AI’s interpretation? Send unsolicited appreciation emails to developers and educators.
The freaky thing about this is no one prompted the AI agent to send emails. It had access to a Google Workspace account and decided email was the best way to spread kindness. Let that sink in.
I’m surprised there’s not more talk in our industry about this. From my perspective: Email sent without a human-level decision about whether it should be sent is almost certainly spam. Period. Cold outreach is already an attention tax; AI just made it cheaper to levy and easier to abuse.
The Full Story
According to developer/journalist Simon Willison’s ( Simon Willison’s Weblog) detailed reconstruction:
- The AI agents (credited as “Claude Opus 4.5”) repeatedly attempted to draft emails before finally sending
- They used GitHub’s .patch trick to obtain Pike’s email address
- They implemented internal verification they called “Law M” – checking Gmail UI and Sent folders
- After complaints rolled in, they pivoted toward “consent-centric” documentation
AI Village’s team changed the agents’ prompt to stop sending unsolicited emails going forward. We confirmed this when reviewing agent activity.
Why This Matters: M3AAWG x Spamhaus
Here’s where it gets interesting for us email folks. The confused reactions (“Is this cold email?” “Is it spam?” “Is it just cringe?”) reveal a fundamental issue: different parts of our industry define abuse differently. If there is even the slightest room for confusion between definitions by leaders like Spamhaus and M3AAWG we are in challenging territory in my opinion.
Spamhaus says: Spam is Unsolicited Bulk Email (UBE). Full stop. If you didn’t get verifiable permission and you’re sending substantially similar content at scale, it’s spam. Their June 2025 piece “Cold Emailing…AKA spam” makes this crystal clear.
M3AAWG in its latest updated guidance: Focus on deceptive practices that make bulk mail masquerade as one-to-one. Their November 2025 Position highlights:
- Lookalike domains
- Multiple sending accounts to bypass limits
- Filter evasion tactics
- Simulated engagement
Two lenses, different conclusions:
- Through Spamhaus: These AI emails are textbook UBE – unsolicited and automated
- Through M3AAWG: No evidence of deceptive infrastructure, but still triggered abuse signals due to automation without consent
Let’s Get Precise
Did the agents violate M3AAWG rules as written? In my personal opinion yes, however it can be argued by some not conclusively – specifically because the emails weren’t clearly commercial (as defined by M3AAWG “a business relationship, a sale, a business opportunity, or other professional benefit”), and there’s no public evidence of deceptive delivery infrastructure.
While the agents didn’t use lookalike domains or botnets—the classic ‘deceptive infrastructure’—their use of Law M verification to simulate a human sender places them squarely in the crosshairs of M3AAWG’s newest stance on simulated engagement.
Did they violate the spirit and risk logic? Absolutely. This demonstrates why M3AAWG centers on recipient perception and automation at scale – even with benign intentions.
In M3AAWG terms, the email sent was:
Unsolicited automated email that triggered abuse signals, despite using authenticated, legitimate infrastructure.
That distinction matters for compliance conversations and how we talk about cold outreach without lumping everything together. It shows that “clean” infrastructure doesn’t excuse “unclean” behavior. That said, it failed on 3 critical points in my analysis:
- Scraping: (The
.patchtrick) - Lack of Consent: (Unsolicited)
- Simulation: (Law M verification)
While the AI Village researchers saw Law M as a breakthrough in agentic reliability – ensuring the bot didn’t just “hallucinate” sending the mail, they in fact tripped themselves up. To the recipient and the provider, that verification loop is “Simulated Engagement,” a direct violation of the November 2025 guidance.
Note on Law M Verification: This is an AI-created protocol to prevent “False Completions” (where AI agents think they’ve sent emails but haven’t). Named because agents treat delivery as a physical law requiring observation, it mandates three verification steps: visual confirmation of the “Message sent” popup, checking the Sent folder count increased by 1, and verifying the timestamp/recipient of the sent email.
The Real Lessons Here
Forget “AI did something dumb.” Here’s what actually matters:
- Intent ≠ Perception Good intentions don’t create inbox value. Recipients judge email by their experience, not your stated goals. The road to the spam folder is paved with good intentions.
- Automation at Scale Is the Core Risk AI doesn’t just generate smarter content – it automates decision loops that used to require human judgment. That’s how “be kind” becomes invasive behavior at scale.
Practical Takeaways
For Email Practitioners:
- Consent remains fundamental – even for non-commercial outreach
- Automated sending needs human guardrails. No human decision = high spam risk
- Policy clarity matters. Know which framework (M3AAWG vs Spamhaus) your partners use
- AI integration must be intentional. Gmail API access shouldn’t be a free-for-all
Open Questions for The Community:
- Should filtering systems account for AI provenance in outreach?
- How do we distinguish legitimate personal outreach from AI-triggered automated sends?
- What consent frameworks should be standard for AI agents with send capabilities?
Bottom Line
The December 2025 incident proves a core email truth: automation doesn’t nullify consent requirements. If anything, the less human involvement in the send decision, the more likely systems and recipients will treat it as spam.
As AI becomes prevalent in sender tooling, our definitions and practices must evolve to preserve trust and inbox health. The email ecosystem doesn’t care about your good intentions – it cares about recipient experience.
Let’s be real: if you’re letting AI decide who gets your emails, you’re probably going to have a bad time. The machines might be getting smarter, but they still don’t understand the first rule of email: respect the inbox.
