Verifying email addresses

Over at CircleID Aviram Jenik posts about using email addresses as identification and how that can go horribly wrong if the website does no verification. In his case, the problem is a user who has made a purchase using Aviram’s gmail address and Aviram now has access to the other users personal information. As he explains it:

Most of this misguided email ranges from boring to funny, but today I got a purchase confirmation with the order number, amount and last 4 digits of the CC number. Since I “own” the email that is associated with this account, what prevents me from logging in to this guy’s account (have the e-commerce site send the password to “my” email due to my temporary amnesia) and redirecting the order to another zip code that happens to be my house?

I have recently been going through a very similar situation. It appears that someone in the UK signed up at an address harvesting website with my email address. This Mr. Laura Corbishley gave win4now.co.uk full authority to sell my email address to all and sundry, and they have. Emailinform got my address first and has been sending me email “because [I] opted in at win4now.co.uk. In the process of trying to track down this spam, I did “recover” my password at win4now.co.uk and took over the account.
I am suspicious of the signup at win4now.co.uk for a couple reasons.

  1. “Mr.” Laura. Sure, it is possible someone missed a pulldown window. Possible but unlikely.
  2. The postal address is Solihull, Warwickshire. But, according to Royal Mail Solihull is no longer in Warwickshire for purposes of mail delivery. The correct address is West Midlands. Another possible error, but how many people do not know their snail mail address.
  3. I have never received any mail from win4now.co.uk. I have only received mail from emailinform.

I know this is fairly common, people sign up bad addresses at website, either maliciously or accidentally. Even more frustrating is the inability to contact a real human at win4now.
I checked out their privacy policy. At the very top of their privacy policy it says:

This Privacy Policy Statement explains the data processing practices of win4now.co.uk. If you have any requests concerning your personal information or any queries with regard to these practices please contact our Privacy Officer by e-mail at privacy@win4now.co.uk) and sent mail to privacy@win4now.co.uk.

Fair enough. I sent email to their Privacy Officer. In the email I explained that one of their users had fraudulently used my email address to signup and I was now receiving spam. I requested that they remove my email address and notify everyone that they had sold my address to that there was no permission with that address and to remove it from their list as well.
Win4now sent me an email back that had the following at the very top:

IMPORTANT NOTE: Please do not respond to this email, it is auto-generated and replies are not monitored.

They provided a short FAQ and no indication that there is any human actually reading the privacy mail. Having an unmonitored privacy address is bad, but the auto-ignore goes out of its way to ignore privacy questions. The text of the message answers some questions, none of which seem to address their privacy policy.

  • Q: I have a problem using my Win4now password
  • Q: I do not want to receive any more new competition emails
  • Q: I would like to update my details
  • Q: I would like to unsubscribe from Win4Now
  • Q: I am having problems viewing the website
  • Q: I would like to know if I am a competition winner

None of those questions relate to privacy. At the bottom of the email there is another address I can send mail to, but at this point it is clear to me that win4now is exhibiting all the signs of spammers and scammers. They are avoiding email to privacy@, they do no form of confirmation not even a welcome message giving me the chance to inform them this registration is fraudulent, they are selling my address around but there is no way for me to stop them from doing that. I have gone in and changed the preferences on that account, but given win4now’s sloppy system I do not actually believe that will have an effect.
Thanks to some helpful folks over at a large ISP, I have been contacted by people at emailinform. They have unsubscribed me from their list. They are also looking into the address purchase. I am expecting they will return with some IP address “confirming” that I signed up at win4now and that therefore their mail is not spam.
Let me be clear, an IP address is not consent. It may help jog a memory, or remind a user they did sign up. In this case, however, I can categorically say this was not me as I always use tagged addresses to sign up for mail. Furthermore, I am not a UK resident and am not eligible for any benefits of the signup at win4now or the products being marketed by emailinform.
Both of these situations speak to the importance of any group collecting email addresses, for any reason, to incorporate some sort of confirmation into the signup process. While my preference is for positive confirmation (click here if this is you), even the bare minimum of negative confirmation (click here if this is not you) would have made win4now look slightly legitimate. As it is, they do not seem any different from any other spammers collecting email addresses and selling them to all and sundry.
My specific situation also speaks to the importance of being contactable by people. Do not make it hard for your recipients to contact a person inside your organization. These are your customers there is no reason to avoid them. The dodging and weaving looks suspiciously like you are a spammer.

Related Posts

Social network sends spam

Yesterday we talked about social networks that harvest the address books of registered  users and send mail to all those addresses on behalf of their registered user. In the specific case, the registered user did not know that the network was going to send that mail and subsequently apologized to everyone.
That is not the only way social networks collect addresses. After I posted that, Steve mentioned to me that he had been receiving invitations from a different social network. In that case, the sender was unknown to Steve. It was random mail from a random person claiming that they knew each other and should network on this new website site.  After some investigation, Steve discovered that the person making the invitation was the founder of the website in question and there was no previous connection between them.
The founder of the social networking site was harvesting email addresses and sending out spam inviting people he did not know to join his site.
Social networking is making huge use of email. Many of my new clients are social networking sites having problems delivering mail. Like with most things, there are some good guys who really do respect their users and their privacy and personal information. There are also bad guys who will do anything they can to grow a site, including appropriating their users information and the information of all their users correspondents.
It is relatively early in the social networking product cycle. It remains to be seen how much of an impact the spammers and sloppier end will have. If too much spam gets through, the spam filters and ISPs will adapt and social networks will have to focus more on respecting users and potential users in order for their mail to get delivered.

Read More

FTC Rulemaking on CAN SPAM

The FTC announced today they will be publishing clarifications to CAN SPAM in the near future. According to the FTC

Read More

Predictions for 2008

I did not have a lot of predictions for what will happen with email at the beginning of the year so I did not do a traditional beginning of the year post. Over the last 3 – 4 weeks, though, I have noticed some things that I think show where the industry is going.
Authentication. In January two announcements happened that lead me to believe most legitimate mail will be DK/DKIM signed by the end of the year. AOTA announced that approximately 50% of all email was currently authenticated. They did not separate out SPF/SenderID authentication from DK/DKIM authentication, but this still suggests email authentication is being widely adopted. AOL announced they will be checking DKIM on their inbound mail. I expect more and more email will be DKIM signed in response to this announcement.
Filtering. The end of 2007 marked a steady uptick in mail being filtered or blocked by recipient domains. I expect this trend to continue throughout 2008. Recipient domains are rolling out new technology to measure complaints, evaluate reputation and monitor unwanted email in ways that tease out the bad actors from the good. This means more bad and borderline email will be blocked. Over the short term, I expect to see more good email blocked, too, but expect this will resolve itself by Q2/Q3.
Sender Improvements. As the ISPs get better at filtering, I expect that many borderline senders will discover they cannot continue to have sloppy subscription practices and still get their mail delivered. Improved authentication and better filtering let ISPs pin-point blocks. Instead of having to block by IP or by domain, they can block only some mail from a domain, or only some mail from an IP. There are a number of senders who are sending mail that users do not want mixed with mail that recipients do want. Right now, if there is more mail that recipients want in that mix, then ISPs let the mail through. This will not continue to happen through 2008. Senders will need to send mail users actively want in order to see good delivery.
Less is more. A lot of other email bloggers have talked about this, and I will echo their predictions. Less email is more. Send relevant mail that your customers want. Target, target, target. Good mailers will not send offers to their entire database, instead they will send mail to a select portion of their database.
Feedback loops. Use of feedback loops by recipient domains will continue to grow.
Mobile email. More recipients will be receiving email on mobile devices.
Suggestions for 2008

Read More